Understanding Crypto – Custody Under MiCA: Control, Responsibility, and Compliance
Custody has long been seen as a technical issue centred on private keys, wallet security, and infrastructure design. The EU’s Markets in Crypto-Assets Regulation (“MiCA”) takes crypto-custody further. It is defined by control, safeguarding, and liability, not technology alone. Crypto-Asset Service Providers (“CASPs”) must balance cryptographic security with governance, compliance, and accountability.
Custody under MiCA is defined as: “safekeeping or controlling, on behalf of clients, of crypto-assets or of the means of access to such crypto-assets, where applicable in the form of private cryptographic keys”. Custodians are responsible for protecting, segregating, reconciling, and recording crypto-assets accurately.
Under MiCA, custody is not just about who holds the private keys. The definition covers both the safekeeping and control over crypto-assets. A person can exercise control by initiating, approving, blocking, or otherwise influencing transactions. This can include shared-key setups, multi-party computation (MPC) arrangements, or smart contracts with administrative privileges. Even powers reserved for recovery or emergency interventions can be scrutinised. Labels, disclaimers, or contractual arrangements carry little weight if, in practice, a person retains control over the custody of crypto-assets.
Execution, settlement, or principal trading models should be assessed carefully. Pre-funding mechanisms, netting arrangements, and temporary control over clients’ crypto-assets may trigger custody authorisation requirements. CASPs should map each stage of the transaction lifecycle to identify and mitigate potential regulatory risk. The assessment should also consider operational exceptions, fail-safes, and contingency measures that could inadvertently lead to control over clients’ crypto-assets.
Staking involves locking up crypto-assets to earn rewards – comparable to a fixed-term deposit in traditional finance. Intermediaries typically offer staking services to EU/EEA clients by staking crypto-assets, on their behalf, for a fee or share of the staking rewards. ESMA clarified that providing staking services in this way is considered ancillary to custody since the intermediary effectively controls access to clients’ crypto-assets. As a result, custody authorisation under MiCA is necessary.
MiCA is also specific on sub-custody arrangements. A CASP can only delegate custody functions to another EU third-party CASP. This ensures that custody functions remain strictly within the EU regulatory perimeter. Delegation does not shift ultimate responsibility. CASPs remain accountable for oversight, due diligence, and the ability to intervene with the delegate whenever necessary.
Operational design and internal controls play a critical role in custody compliance. How a CASP structures workflows, authorisations, and rights can create or mitigate custody risk. In practice, CASPs must understand where control, access, or influence over clients’ crypto-assets arise – and ensure that regulatory permissions and governance protocols reflect that reality.
