knowledge 5 March 2025 |

Ireland as a Location for Crypto-Asset Service Providers 2025

MiCA brings crypto assets under a pan-EU regulatory framework that seeks to ensure increased transparency, investor protection and financial stability. It prescribes uniform requirements for the offering and admitting to trading of crypto-assets and for crypto-asset service providers (“CASPs”). These rules include transparency and disclosure requirements, authorisation and supervision requirements, requirements for the protection of holders of crypto-assets and the clients of CASPs, and measures to prevent market abuse such as insider dealing or market manipulation.

Under MiCA, CASPs require authorisation from a competent authority before providing crypto asset services in the EU. In Ireland, this means that those wishing to provide crypto-asset services are required to apply to the Central Bank of Ireland (the “CBI”) for authorisation as a CASP.

Impact on the Virtual Asset Service Provider (“VASP”) Regime

Since 2021, providers of virtual asset services in Ireland are designated persons under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. Prior to the CASP regime, such providers were required to register with the CBI for the purposes of Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) obligations.

MiCA establishes a more comprehensive financial services regulatory framework than the previous VASP regime. Therefore, while there are similarities between virtual asset services and crypto asset services, where an entity is providing virtual or crypto asset services from 30 December 2024, they require authorisation as a CASP, rather than as a VASP. The CBI has warned that, as the CASP regime is much broader than the VASP regime, holding VASP authorisation should not be seen as instructive on the potential success of a CASP application.

There is a transitional period for existing VASPs. Under this transitional period, existing Irish VASPs do not have passporting rights to offer services in other jurisdictions and are not able to passport services until they receive authorisation as a CASP. Furthermore, there is not a simplified authorisation procedure for VASPs seeking to become a CASP. All VASPs are required to submit an application for authorisation as a CASP, which should be decided upon by the end of the transitional period. If a VASP does not wish to apply for a CASP authorisation, they should commence winding down regulated activities. If the VASP’s CASP authorisation is unsuccessful, they will be expected to commence winding down upon notification of their unsuccessful application.

Scope of MiCA

Crypto-Assets

MiCA applies to crypto-assets which are defined as “a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology”¹. MiCA further defines a distributed ledger as “an information repository that keeps records of transactions and that is shared across, and synchronised between, a set of DLT network nodes using a consensus mechanism”².

MiCA sets out three types of crypto-asset:

• Electronic money tokens (“EMTs”), which usually link to a single fiat currency (such as the Euro or US Dollar);
• Asset-referenced tokens (“ARTs”), which are a type of crypto-asset that is not an EMT and that purports to maintain a stable value by referencing another value, including one or more official currencies; and
• Crypto-assets other than EMTs or ARTs, such as utility tokens. Usually these are used to provide access to goods or services supplied by the issuer of the utility tokens.

EMTs and ARTs are sometimes together known as stablecoins. MiCA sets out specific requirements in respect of EMTs and ARTs, as they may have an impact on financial stability. Further information relating to these different types of crypto-assets can be found in our briefing (available here).

MiCA does not apply to crypto-assets that “are unique and not fungible with other crypto-assets”, i.e. non-fungible tokens (“NFTs”) or to crypto-assets that also qualify as one or more of:

• financial instruments as defined in MiFID II³;
• deposits, including structured deposits, as defined in the Deposit Guarantee Scheme Directive⁴;
• funds, except if they qualify as e-money tokens, as defined in the Payment Services Directive (“PSD2”)⁵;
• securitisation positions;
• non-life or life insurance products or reinsurance and retrocession contracts; or
• certain pension products, social security schemes and officially recognised occupational pension schemes.

Crypto-asset services

A crypto-asset service means any one of a list of services and activities relating to crypto-assets⁶:

• providing custody and administration of crypto-assets on behalf of clients;
• operation of a trading platform for crypto-assets;
• exchange of crypto-assets for funds;
• exchange of crypto-assets for other crypto-assets;
• execution of orders for crypto-assets on behalf of clients;
• placing of crypto-assets;
• reception and transmission of orders for crypto-assets on behalf of clients;
• providing advice on crypto-assets;
• providing portfolio management on crypto-assets;
• providing transfer services for crypto-assets on behalf of clients.

Why firms choose to be authorised in Ireland

Ireland is well positioned to take advantage of the opportunities in this developing sector.

Ireland is home to a substantial number of crypto firms, some home-grown and others drawn to Ireland by its active and thriving FinTech Sector.

Aside from Ireland’s position as a FinTech hub, there are a number of advantages to operating in Ireland, including:

• a strong regulatory framework with a credible and experienced regulator, the CBI, which promotes innovation through measures such as its Innovation Hub;
• a favourable passporting regime;
• a competitive tax regime, due to a combination of a 12.5% standard corporate tax rate for businesses with revenues less than €750 million per year and an exceptionally extensive and comprehensive set of double tax agreements; and
• access to a sophisticated financial services ecosystem with a deep pool of staff, managers, professional advisers and service providers including not only native English speakers but a sizeable international population.

CBI Authorisation Process

The CASP authorisation process in Ireland consists of two phases: (1) a pre-application engagement phase and (2) the formal application phase.

The CBI has stated that in general, based on its experience, the best prepared firms, willing to engage transparently in the authorisation process, proceed through the process more efficiently.

Key areas of focus for the CBI, in terms of the authorisation and supervision of CASPs, are:

• Independence and autonomy of the firm (within a group structure);
• Governance and accountability;
• Protection of client assets;
• Business model and financial resilience;
• Operational resilience;
• Ownership of the firm;
• Conflicts of interest;
• Crisis management;
• Conduct and transparency;
• AML/ CFT.

Pre-Application Engagement Phase

The first part of the pre-application engagement stage involves an introductory meeting during which the entity will present on their business model (a presentation is to be submitted to the CBI at least 10 days in advance of the meeting) and the CBI presents on the authorisation process and its supervisory expectations. Following the meeting, the CBI will communicate any issues identified that need to be addressed if the application is to proceed to the ‘Key Facts Document’ (“KFD”) stage.

The next part of the pre-application engagement stage is completion and submission of the KFD. The CBI has issued a Guidance Note on the KFD (available here).

The purpose of the KFD is two-fold:

• to facilitate the CBI in obtaining a clear, high-level understanding of the firm’s proposed business model, risks and governance arrangements; and
• to enable the CBI to identify, where possible, potentially material issues in respect of the firm’s proposal, at an early juncture, to allow timely feedback to be provided to the firm.

The KFD stage entails engagement with the CBI, and any feedback received from the CBI should be incorporated. The ability of firms to engage in robust discussions on their proposal at this stage will have a critical impact on the authorisation timeline. High quality KFD submissions will progress more efficiently.

Items to be covered in the KFD include:

• Details of the firm’s background e.g. the purpose of the authorisation and the reason(s) why the firm has selected Ireland as a location from which to carry out crypto-asset services;
• Business model, including details of the services to be provided, outsourcing arrangements and risk framework;
• Capital requirements, including financial projections for the first 3 years of operations post authorisation to demonstrate financial viability;
• Governance, including staffing arrangements, ownership and internal controls;
• AML / CFT measures in place;
• Conduct, complaint handling and conflicts of interest policies;
• Business continuity and wind-down arrangements;
• ICT systems and security, including ICT governance, organisation and risk management;
• Client asset arrangements, including segregation of client assets, safeguarding and oversight;
• Details of custody and administration of crypto-asset services, if applicable;
• Details of trading platform arrangements, if applicable;
• Details of arrangements for exchanging crypto-assets for funds or other crypto-assets, if applicable;
• Details of arrangements for executing orders for crypto-assets, if applicable;
• Details of arrangements for providing advice on crypto-assets or portfolio management of crypto-assets, if applicable; and
• Details of arrangements for providing transfer services for crypto-assets on behalf of clients, if applicable.

At the conclusion of the KFD stage, the CBI may provide feedback on further elements of the proposal that the CBI will require the firm to consider and reflect in the formal application, or the CBI may provide the firm with feedback on material item(s) which it deems necessary for the firm to consider and address before the firm submits a formal application.

Formal Application Phase

The subsequent phase of the authorisation process consists of the submission of the full application for CASP authorisation, which will be assessed by the CBI.

The initial review of completeness should take 25 working days. The CBI may require additional information following receipt of the submission, pursuant to which a final decision will be made by the CBI relating to authorisation.

Where the CBI believes an application to be incomplete, it can return the application to the firm with instructions for rectification within a certain timeframe. If the firm does not provide sufficient information within the timeframe the CBI may reject their application.

The application form needs to cover the following:

• the name, including the legal name and any other commercial name used, the legal entity identifier of the firm, the website operated by that provider, a contact email address, a contact telephone number and its physical address;
• the legal form of the firm;
• the articles of association of the firm, where applicable;
• a programme of operations, setting out the types of crypto-asset services that the firm intends to provide, including where and how those services are to be marketed;
• proof that the firm meets the requirements for prudential safeguards set out in Article 67 of MiCA;
• a description of the firm’s governance arrangements;
• proof that members of the management body of the firm are of sufficiently good repute and possess the appropriate knowledge, skills and experience to manage that provider;
• the identity of any shareholders and members, whether direct or indirect, that have qualifying holdings in the firm and the amounts of those holdings, as well as proof that those persons are of sufficiently good repute;
• a description of the firm’s internal control mechanisms, policies and procedures to identify, assess and manage risks, including money laundering and terrorist financing risks, and business continuity plan;
• new CASPs or existing VASPs who are changing their business model or AML/CFT framework must complete the ‘Anti-Money Laundering, Countering the Financing of Terrorism and Financial Sanctions Pre-Authorisation Risk Evaluation Questionnaire’ (available here);
• the technical documentation of the ICT systems and security arrangements, and a description thereof in non-technical language;
• a description of the procedure for the segregation of clients’ crypto-assets and funds;
• a description of the firm’s complaints-handling procedures;
• where the firm intends to provide custody and administration of crypto-assets on behalf of clients, a description of the custody and administration policy;
• where the firm intends to operate a trading platform for crypto-assets, a description of the operating rules of the trading platform and of the procedure and system to detect market abuse;
• where the firm intends to exchange crypto-assets for funds or other crypto-assets, a description of the commercial policy, which shall be non-discriminatory, governing the relationship with clients as well as a description of the methodology for determining the price of the crypto-assets that the firm proposes to exchange for funds or other crypto-assets;
• where the firm intends to execute orders for crypto-assets on behalf of clients, a description of the execution policy;
• where the firm intends to provide advice on crypto-assets or portfolio management of crypto-assets, proof that the natural persons giving advice on behalf of the firm or managing portfolios on behalf of the firm have the necessary knowledge and expertise to fulfil their obligations;
• where the firm intends to provide transfer services for crypto-assets on behalf of clients, information on the manner in which such transfer services will be provided;
• where the firm intends to provide services on a cross-border basis within the EU, details of the countries in which services will be provided and “all other activities proposed to be provided” by the firm; and
• the type of crypto-asset to which the crypto-asset service relates.

The application form is available here

Assessment Phase

Following the submission of a formal application, the CBI will raise queries it deems relevant to the completion of the process. The CBI has indicated the assessment of the complete application will take up to 40 working days. Additional information can be requested from the firm, which can pause the CBI’s assessment period for no more than one block of 20 days.

Further guidance on applying to the CBI for authorisation as a regulated entity is available in the CBI’s document entitled “Guidance on expectations for applicants seeking authorisation from the Central Bank of Ireland to operate as a regulated Firm” (available here).

CBI Expectations

The CBI (in its “MiCAR Authorisation and Supervision Expectations” document, available here) has indicated that its MiCA “risk appetite” will be applied on a firm-by-firm basis, operating a high authorisation threshold guided by 4 key principles:

• Utility and Customer Base: The CBI is highly sceptical of CASP business models where unbacked crypto-assets are heavily marketed, offered, and distributed to retail investors for speculative purposes.
• Firm Failure: MiCA introduces some guardrails for consumers and investors but does not eliminate the possibility of firm failure. The CBI has acknowledged that a zero-failure risk appetite is not feasible.
• Transparency: Firms must be fully transparent about all MiCA activities they intend to undertake, both initially and in the medium to long term.
• No Predetermined Authorisation Assessments: Firms currently providing crypto services in Ireland must clearly demonstrate to the CBI that they meet all new MiCA requirements.

The CBI has outlined engagement principles for firms to adhere to during the application process:

• Transparency: Firms must act in a fully transparent and open manner with respect to their MiCA global and EU strategy, both from day one and in so far as is possible in the medium to long-term. This includes making it clear when information is not available.
• Supervisability: If the CBI identifies obstacles to a firm operating in an independent and autonomous manner which would inhibit supervisability, it will not be authorised.
• Preparedness: Firms must be resourced to engage with the CBI in a robust and timely manner on all aspects of an application throughout the authorisation process.
• Cooperation: Firms should be open and cooperative in all of their dealings with the CBI.

The CBI has also outlined 9 high level expectations of firms seeking authorisation:

• Governance and Accountability: Firms must demonstrate substance and autonomy in Ireland, led by a local crypto-competent executive and board with a strong grasp of the local regulatory environment. Firms must maintain robust local governance and risk management arrangements.
• Conflicts of Interest: Firms must ensure no risks are posed to customer interests through conflicts of interest and implement a robust system to identify and remedy conflicts promptly.
• Protection of Client Assets: The local firm must have full control of all client assets with robust segregation, reconciliation, and prompt access to reserves to meet redemption demands.
• Ownership: Firms must provide a full, transparent view of direct and indirect shareholders and any party that can influence the firm.
• Business Model and Financial Resilience: Firms must maintain a board-approved business strategy demonstrating the viability and sustainability of the business model, reflecting vulnerabilities from the product offering.
• AML/CTF: Firms must demonstrate strong risk management practices and internal controls to comply with Irish legislation.
• Operational Resilience: Firms must ensure continuity and regularity in service performance.
• Crisis Management: Firms must maintain detailed plans for an orderly wind-down of activities and timely redemption of customer funds without causing undue economic harm.
• Conduct and Transparency: Firms must demonstrate how customer interests are secured and how the suitability of their product offering is proactively assessed according to customer risk tolerance.

Authorisation Timeline

Article 63 of MiCA sets out the following timeline in relation to CASP authorisation applications, which the CBI must adhere to as part of the formal application phase:

 

Steps to be taken by CBI	Timeline
Acknowledge receipt of application in writing	Promptly and in any event within five working days of receipt of an application
Assess whether the application is complete by checking that the required information has been submitted	Within 25 working days of receipt of an application. Where the application is not complete, the CBI shall set a deadline by which the firm is to provide any missing information
Notify the firm once an application is complete*	Promptly
Assess whether the firm complies with the requirements and adopt a fully reasoned decision granting or refusing an authorisation as a CASP	Within 40 working days from the date of receipt of a complete application**
Notify the firm of the CBI’s decision after deciding to grant or refuse authorisation	Within five working days of the date of the decision
*The CBI may deem an application to be incomplete at this stage. In that event, they will notify the firm of the information required to complete their application, and give a timeframe for submission of that information. The CBI reserves the right to review the application where the firm is still missing information at the expiry of the timeline.  ** The CBI may, during the assessment period and no later than on the 20th working day of that period, request any further information that is necessary to complete the assessment. This can result in a maximum of one suspension period of no more than 20 days.

Consequences of Registration – AML/CFT

As noted above, the CASP regime is intended to supersede the old VASP designation. This means that CASPs will be required to carry out the AML/CFT obligations, including:

• carrying out a money laundering risk assessment of their business and their customers;
• undertaking customer due diligence of their customers;
• carrying out ongoing monitoring of customers and customer transactions;
• filing Suspicious Transaction Reports (“STRs”) with Financial Intelligence Unit (“FIU”) Ireland and the Revenue Commissioner in instances where money laundering or terrorist financing is known or suspected;
• maintaining and implementing AML/CFT policies, procedures and controls;
• retaining appropriate records; and
• providing AML/CFT training to all staff on an ongoing basis.

DORA

Firms operating in this space should be aware of the DORA standards which have come into force across Europe, with the aim of strengthening the ability of financial firms to withstand cyber-related disruptions and threats, manage ICT risk, report incidents and carry out resilience testing. You can read more about the regulation in our briefing (available here).

Addendum to the Consumer Protection Code 2012

The Consumer Protection Code 2012 has been amended to account for the provision of “MiCAR” services. These changes aim to ensure consumer protection in the areas of information requirements, KYC rules, advertising, and errors and complaint resolution, amongst others. The Consumer Protection Code 2012 is currently under review and a revised code is expected to be published in 2025.

How Can McCann FitzGerald LLP Help?

McCann FitzGerald LLP is a premier law firm in Ireland and advises on the full range of legal, tax and compliance activities to be undertaken by CASPs in Ireland. We have experience in guiding applicants through a variety of CBI authorisation processes, including CASP / VASP registration, and in helping clients to comply with their legal obligations, once authorised. If you are considering applying for authorisation as a CASP in Ireland, please contact us for further information as to how we can help.