MiCA’s Benefits and Limitations: An Auditing Perspective on EU Stablecoin Regulation

The global regulatory landscape for cryptocurrencies varies widely, from countries fully embracing the financial technology for its innovation and economic potential to those completely banning its use. This article examines the EU's approach to regulating stablecoins, emphasizing the role of auditors in security and risk assessments under these regulations.

What is MiCA?

In June 2023, the EU unveiled the final version of its "Markets in Crypto-Assets Regulation" (MiCA) legislation, aiming for uniformity across member states. MiCA's goals include legal clarity for crypto-assets, fostering innovation, protecting consumers, and mitigating financial instability risks. It sets out specific mandates for crypto issuers and service providers.

MiCA’s Scope

MiCA categorizes crypto assets into three main groups:

  • E-money tokens: “a type of crypto-asset whose main purpose is to be used as a means of exchange and that purports to maintain a stable value by referring to the value of a fiat currency that is legal tender.”

  • Asset-referenced tokens: “a type of crypto-asset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender, one or several commodities or one or several crypto-assets, or a combination of such assets.”

  • Crypto-assets (other than the above): “a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology.”

MiCA applies to entities involved in the issuance, public offering, and trading of crypto-assets within the EU. Specifically, MiCA regulation applies to the following two main groups of entities:

  1. Stablecoin issuers, namely those handling single-fiat and multi-asset-referenced stablecoins.

  2. Crypto-asset service providers (CASPs), which deal with the three above-mentioned crypto asset types.

Notably, NFTs, DeFi, and CBDCs fall outside MiCA's remit and will be addressed separately.

MiCA has been effective since mid-2023, with a comprehensive compliance deadline set for the end of 2024. However, issuers of e-money tokens and asset-referenced tokens must meet specific criteria by June 30, 2024. Providers that are already licenced under a national framework in the EU have until mid-2026 to comply.

Timeline for the Implementation of the Markets in Crypto-Assets Regulation (MiCA) by ESMA

MiCA’s Good

Targeted Regulatory Scope

MiCA selectively regulates stablecoins and conventional crypto service providers, avoiding broader Web3 sectors like DeFi and NFTs. This focus promotes integration with traditional financial systems, potentially easing the entry of more financial institutions into the Web3 domain.

Focus on User Protection

MiCA prioritizes user safety, mandating clear risk disclosures in stablecoin issuers' and crypto providers' whitepapers and communications.

The main requirements mandated by MiCA include:

  • Detailed guidelines for crypto-asset whitepapers and marketing.
  • Specifications for application content needed for issuing digital assets or crypto services.
  • Defined rights for retail users, like withdrawal rights.
  • Guidelines for governance and financial operations.
  • Transparency, fairness, and honesty standards for issuers and providers.
  • CASP-specific rules, including digital assets custody requirements and operational transparency.
  • Defining the role and authority of national and EU-level regulatory bodies.

MiCA’s Limitations

Lack of Detailed Technical Requirements

MiCA provides a high-level framework without detailed technical specifications. This approach avoids stifling innovation but results in vague guidelines, for example concerning private key custody measures.

Overemphasis on Whitepapers

MiCA primarily mandates detailed whitepaper requirements, covering entity data, goals, risk disclosure, and management strategies. Despite these thorough requirements, real-world risks often stem from discrepancies between promises made in whitepapers and the actual project implementation, ranging from misinterpretations and accidental errors to intentional fraud, like exit scams.

Recommendations for Auditors

Pay Attention to Inconsistencies Between Whitepapers and Implementation

Auditors should scrutinize any discrepancies between what is described in the whitepapers and the actual project execution. While not every difference signals a risk, significant deviations must be reported in the audit findings for regulatory review and public awareness.

Consider Compliance Beyond MiCA

Though the text of MiCA is finalized and published, consultations are ongoing. The first consultation package was shared in July 2023, the second in October 2023, and the third is expected to be released in Q1 2024. This effort is led by the European Securities and Markets Authority (ESMA), in close cooperation with the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Central Bank (ECB). In the current technical standards, while there is a call for regular ICT, security, and business continuity evaluations, the documents lack detailed guidance on the scope, methods, or additional requirements.

It is fundamental to remember that MiCA is part of a broader normative framework: the Digital Finance Package. This has been developed to enhance EU competitiveness in the financial sector and to give consumers access to innovative financial products, while ensuring user protection and financial stability. The Digital Finance Package includes, in addition to MiCA, the “Digital Operational Resilience Act” (DORA), the “Transfer of Funds Regulation” (TFR) and the “DLT Pilot Regime” for financial market infrastructures. All are related to the Web3 space to some extent, with MiCA, DORA and TFR applicable to existing crypto-asset issuers and service providers.


MiCA introduces a regulatory framework focused on stablecoins and traditional crypto services within the EU, emphasizing consumer protection but lacking detailed technical standards. Auditors should rigorously assess discrepancies between project whitepapers and actual implementations, highlighting any significant deviations for regulatory and public scrutiny. Moreover, auditors must navigate beyond MiCA, considering ongoing updates and the broader Digital Finance Package to ensure comprehensive compliance.