
Crypto has come a long way, from not being accepted as real money to now being heavily regulated. Businesses have an extended list of regulations to comply with, and it’s not a smooth ride.
From GDPR to MiCAR and AML, the EU crypto regulation landscape is complex (much like the acronyms themselves), and small and medium-sized businesses face disproportionate hurdles. In such cases, there are only two options: comply with the regulations, or partner with a regulated entity and continue operating as normal.
The former requires heavy investments in establishing a comprehensive compliance framework, legal overheads, capital, and time. The latter, however, takes away the unnecessary hassle and provides a straightforward solution.
To make compliance digestible, this blog will cover the three key regulatory updates and how they impact business operations going forward.
Keeping up with crypto regulation and the business implications
Complying with the evolving crypto laws in-house isn’t feasible for most SMBs. Not only do they need to allocate a considerable amount of capital, but it also takes their focus away from building and scaling the business.
But before we get into the possible action plan, let’s check what the regulations entail.
Controlling, processing, and securing user data with GDPR
GDPR law is not limited to the EU. And it most certainly isn’t limited to crypto either.
However, it’s an essential element of the overarching European digital assets regulation and laws.
GDPR applies to businesses operating outside Europe as well if they happen to process personal data of EU citizens or residents. Failing to comply can result in significant penalties as fines can go up to €20 million or 4% of global annual revenue.
Coming into effect in 2018, GDPR focuses on protecting personal data. So to comply, businesses must implement strict privacy policies, collect user consent, ensure secure data processing, and allow individuals to access, correct, or delete their data.
Essentially, the regulation grants individuals autonomy and holds businesses accountable for responsible data management. So data controllers and processors must implement necessary safeguards and must report data breaches to authorities and affected individuals.
Overall, businesses need to process:
- Identity verification data: e.g., name, ID numbers, and documents.
- Transaction data: e.g., payment details and transaction history.
- Account information: e.g., login credentials and account settings.
- Communication records: e.g., messages exchanged on the business website.
- Service usage data: e.g., IP addresses, timestamps, and activity logs.
And they need to control:
- Technical data: e.g., device information, IP addresses, and browser type.
- Customer service interactions: e.g., support tickets and chat transcripts.
- Marketing preferences: e.g., communication opt-ins.
- Platform usage statistics: e.g., user behavior analytics.
So in the case of a crypto exchange wallet platform, the business must collect and process user data to remain GDPR compliant. Depending on the user base, it can have anywhere from a couple of hundred to thousands of data records to process.
In such cases, businesses can partner with regulated financial entities that are better equipped to handle regulatory compliance needs. The user data will also be collected and processed by the partner entity, as these users happen to be the partner’s customers as well.
Which brings us to our next regulation: MiCAR, without which crypto payments and exchange platforms will cease to operate in the EU.
Setting a unified crypto regulation framework in the EU with MiCAR
Until recently, the VASP license meant crypto companies could operate only in their home country. However, with the onset of MiCAR, it will lose validity as the regulation takes a more uniform, EU-wide scope.
Coming into effect in December 2024, MiCAR now encompasses all crypto assets, and businesses must clearly list all the services they intend to provide.
However, like most crypto laws, this one’s not easy to implement for SMBs either. There’s a long list of documents businesses must submit, from a business plan and shareholder details to proof of the management body’s competence in providing the services.
Furthermore, the crypto regulation now requires businesses to meet higher prudential, governance, and operational standards. They must maintain financial reserves, meet minimum capital requirements, and safeguard client funds with regulated institutions.
Stablecoin issuers have to follow strict governance, financial reserves, and operational transparency rules. They must back issued tokens with sufficient reserve assets held with trust custodians and supported by capital buffers to avoid financial risks.
But there are also three important advantages.
One, MiCAR allows existing CASPs to operate across the EU based on passporting rights, simplifying cross-border expansion with minimal administrative hassles. However, before they qualify for passporting, CASPs must acquire the licensing rights in their home country and notify national regulators before expanding to other EU states.
Two, it maintains market integrity based on the EU Market Abuse Regulation. The primary aim is to prevent insider trading, market manipulation, and improper disclosure.
Three, CASPs benefit from a transitional period so they can continue with operations as they prepare for MiCAR authorisation. However, businesses must check the period based on their country as the specifics may vary.
Overall, MiCAR aims to reduce legal uncertainty by adopting a more uniform approach to the digital assets regulation framework. Following on the theme of uniformity, AML directives are the next steps towards closing regulatory gaps within the EU member states.
Flexibility in uniformity with AMLD6 and AMLR
The AMLR (Anti-Money Laundering Regulation) and AMLD6 (Anti-Money Laundering Directives) together focus on further strengthening the AML efforts. AMLR lays down regulatory and supervisory frameworks and AMLD6 improves the criminal law measures, drilling down on the criminalization of money laundering.
Aimed at improving financial transparency, these regulations make it harder to exploit financial systems and hold individuals and entities involved in money laundering accountable.
Just as MiCAR unifies the digital assets regulation framework across the EU, AMLR sets uniform standards, bringing consistency to financial and compliance processes. AMLD6, on the other hand, provides flexibility in how states can enforce criminal sanctions.
Furthermore, AMLD6 also holds legal entities accountable for money laundering and companies may face severe penalties.
What implications does this have for businesses?
Businesses have a significant responsibility to amp up their compliance risk management efforts. They must conduct regular audits, adopt effective control systems, and train employees accordingly. Industries previously exempt from AML regulations will now have to comply with increased transaction transparency and follow KYC protocols.
Action plan for SMBs — managing regulations the smart way
Complying with regulations in the financial sector is necessary for businesses to operate. As complex as they are, they’re also essential for businesses.
It’s clear businesses need to beef up their efforts to comply with crypto laws if they plan to continue operating. Whether it’s an exchange platform or an ecommerce website, incorporating crypto payment services comes with extra scrutiny from the EU regulators.
This blog only covered three of the more widely discussed regulations, but there are plenty more that businesses need to keep up with. There’s the Digital Operational Resilience Act (DORA), which aims to strengthen IT security in the European financial sector, and the DLT Pilot Regime Regulation, which simplifies trading and settlement activities for financial instruments based on distributed ledger technology (DLT).
Managing crypto regulation and compliance is a resource-heavy responsibility, and most SMBs are not well-positioned to address it.
Luckily, licensed entities such as Striga take on the heavy lifting. Striga is built so businesses don’t need to go through the licensing process themselves or stay on top of the evolving regulations. There is no need to invest in complex compliance infrastructure and operational adjustments: simply partner up and launch.