MiCA in Practice: The Gap Between the Regulation and Its Implementation
The Markets in Crypto-Assets Regulation has been fully in force since December 2024. More than six months into the new regime, the picture emerging from NCA supervisory dialogue, ESMA guidance publications, and the advisory work we are doing with CASP applicants is that the gap between what MiCA says and how firms are implementing it is wider than anticipated, and consistently wide in the same places.
This piece is not a summary of MiCA's requirements. That information is available in our CASP licensing guide. This is an analysis of what is actually happening in practice: which requirements are creating operational difficulty, where NCAs are applying unexpected rigour, and what the first cohort of authorisation decisions is revealing about how MiCA will be applied going forward.
Firms that read MiCA and built their compliance frameworks accordingly are now finding that the ESMA regulatory technical standards, the NCA-specific guidance, and the supervisory posture in practice impose materially higher standards than a straight reading of the Regulation suggested. The Regulation is a framework; the RTS and NCA guidance are where the real obligations live.
Governance and the Management Body: Higher Bar Than Most Expected
MiCA Article 68 requires that members of the management body have "sufficient good repute" and "sufficient knowledge, skills and experience" to perform their duties. ESMA has published guidelines on suitability assessment under MiCA that elaborate significantly on what this means in practice.
The suitability bar under MiCA is materially higher than many applicants anticipated. NCAs are assessing each proposed management body member individually against the ESMA criteria, not accepting self-certification or CV-based assertions. Several applications have been delayed because proposed management body members could not demonstrate crypto-asset-specific experience sufficient to meet Article 68.
What NCAs are scrutinising
- Crypto-specific versus general financial services experience: Having been a senior manager at a bank is not, on its own, sufficient to satisfy Article 68 for a CASP. NCAs are looking for demonstrated understanding of crypto-asset market structure, on-chain risk, and the specific regulatory regime.
- Independence of non-executive directors: MiCA requires at least one-third of the management body to be independent. NCAs are applying this strictly and are challenging independence where NEDs have prior commercial relationships with the firm or its founders.
- Collective competence: ESMA's guidelines introduce a collective competence requirement: the management body as a whole must cover a defined set of areas including technology, financial crime, risk management, and the specific crypto-asset services the CASP provides. A management body strong on finance but weak on technology will not satisfy the collective requirement.
Build your management body before you design your application, not after. The governance structure drives the application, not the other way around. If you need to recruit a NED with crypto-specific risk or technology credentials, the time to do that is six months before submission, not six weeks.
White Paper Review: What NCAs Are Sending Back
The white paper is the most returned document in the MiCA application process. NCAs are applying the ESMA RTS on white paper content with significant rigour, and the most common failure modes are consistent across jurisdictions.
- Generic risk factors: Boilerplate risk sections that list every conceivable risk without specificity are consistently challenged. NCAs want risk factors specific to the token, the issuer, and the market, with honest disclosure of the material risks rather than a comprehensive list designed to provide legal cover.
- Incomplete technology description: The ESMA RTS requires a description of the technology underlying the crypto-asset, including the consensus mechanism, smart contract audits, and protocol-level risks. Applications describing the technology at a high level without providing audit reports or technical documentation are being returned.
- Right of withdrawal mechanics not fully specified: MiCA Article 14's 14-day right of withdrawal for retail purchasers must be reflected not just in the white paper text but in the operational implementation. NCAs are asking how the right of withdrawal is exercised in practice: what the customer does, what the CASP does, and what happens to the tokens during the withdrawal period.
- Missing ESMA notification timeline: White papers must be notified to the NCA at least 20 working days before publication. Several firms have published white papers without completing the notification process, triggering regulatory action.
Custody: The Most Demanding CASP Service Under MiCA
Providing custody and administration of crypto-assets is one of the ten CASP services and, in practice, the one that attracts the most intensive NCA scrutiny. MiCA Article 70 imposes specific obligations on CASPs providing custody: client asset segregation, quarterly reporting to the NCA, liability for loss of client crypto-assets, and professional indemnity insurance or own funds to cover liability.
The segregation requirement is operationally significant. CASPs must hold client crypto-assets in wallets or accounts that are clearly segregated from the CASP's own assets. On-chain, this means maintaining distinct wallet structures for client assets. Off-chain, it means maintaining records that allow client entitlements to be identified at all times, including in a wind-down scenario.
The liability question no one has fully resolved
MiCA Article 70(1)(e) makes CASPs providing custody liable to clients for any loss of crypto-assets resulting from a malfunction or hacking incident, "unless it can prove that the malfunction or hacking incident occurred due to events outside its control." The boundaries of what constitutes events outside the CASP's control are not yet settled. NCAs have not published definitive guidance, and the first litigation under this provision has not yet reached a final determination.
AML Under MiCA: Where the AMLA Regulation Changes Everything
MiCA incorporates AML obligations by reference to the existing EU AML framework. The EU AML Package, comprising the AMLA Regulation, the Sixth Anti-Money Laundering Directive (AMLD6), and the recast Transfer of Funds Regulation, will materially change the AML obligations of EU-regulated CASPs from 2026 onwards.
The Anti-Money Laundering Authority (AMLA) will have direct supervisory power over the highest-risk CASPs, those operating across multiple member states with large transaction volumes. For CASPs within AMLA's direct supervisory scope, the supervisory relationship shifts from the home state NCA to AMLA, with significant implications for how compliance frameworks are designed and how supervisory dialogue is managed.
Third-Country Equivalence and Reverse Solicitation: The Enforcement Risk
MiCA's third-country provisions are generating significant enforcement risk for non-EU CASPs that have underestimated their exposure. The reverse solicitation defence, allowing third-country CASPs to serve EU clients where the client initiated contact exclusively on their own initiative, is narrower in practice than many firms assumed when they chose not to seek CASP authorisation.
ESMA's guidance clarifies that any form of proactive outreach (advertising, social media targeted at EU users, partnership arrangements with EU entities, or referral programmes) undermines the reverse solicitation defence entirely for those clients reached by the outreach. The burden of demonstrating reverse solicitation is on the CASP, and the documentation required to support the defence is substantial.
Several NCAs have initiated enforcement actions against third-country CASPs providing services to EU clients without authorisation in the first half of 2026. The initial enforcement posture suggests NCAs will treat the reverse solicitation defence as unavailable unless the CASP can demonstrate, with contemporaneous records, that each EU client relationship began with genuine client-initiated contact.
Dual Regulation: Operating Under MiCA and the FCA Regime Simultaneously
For firms operating in both the UK and EU, the interaction between MiCA and the forthcoming FCA Part 4A cryptoasset regime is a central operational challenge. The UK has not implemented MiCA equivalence, which means a UK FCA-authorised firm operating in the EU requires standalone CASP authorisation. There is no passporting from UK to EU.
The compliance frameworks required by MiCA and by the FCA regime overlap substantially but are not identical. The differences, in white paper requirements, prudential minimums, custody obligations, and AML standards, mean that a single compliance framework cannot satisfy both regulators without specific adaptation for each. Dual-regulated firms need to maintain two regulatory relationships, two compliance frameworks that are coordinated but distinct, and two reporting lines to two separate supervisors.
The most common structure we see for dual-regulated crypto businesses is a UK entity (FCA-authorised) and a separate EU entity (MiCA CASP-authorised) under a common parent. This works operationally but creates inter-entity service agreements, transfer pricing considerations, and group-level governance requirements that must be planned from the outset, not retrofitted after both authorisations are obtained.
How Arca Compliance Can Help
Arca Compliance advises digital asset businesses through MiCA CASP authorisation and ongoing MiCA compliance, from jurisdiction selection and application management through to governance design, white paper review coordination, AML programme build, and supervisory dialogue support. We work alongside specialist EU cryptoasset legal counsel where formal legal opinions are required under MiCA.