FIG Top 5 at 5 - 13/03/2024

1. MiCA Updates:

1. Central Bank publishes its application form for authorisation as a CASP under MiCAR

In the second week of March 2025, the Central Bank of Ireland (“Central Bank”) published its application form (“CASP Authorisation Form”) for authorisation as a crypto-asset service provider (“CASP”) under Article 62 of Regulation (EU) 2023/1114 (“MiCAR”).

The CASP Authorisation Form is based on a draft version of the regulatory technical standards (“RTS”) under Article 62(5) of MiCAR, which sets out the information to be included in an application for authorisation as a CASP.

The submission of the CASP Authorisation Form follows on from successful completion of the key facts document (“KFD”) stage. For more information on the KFD stage, please see FIG Top 5 at 5 dated 28 November 2024. 

Once the KFD stage has been successfully completed, an applicant CASP will be invited by the Central Bank to formally submit the CASP Authorisation Form. A review of the completeness of the CASP Authorisation Form will be carried out by the Central Bank within 25 working days and any outstanding items are to be submitted within the timeframe set by the Central Bank.

Consumer Protection

Within the CASP Authorisation Form, the Central Bank highlights the importance of applicant CASPs’ familiarity with the updated addendum to the Consumer Protection Code 2012 and expects that firms embed a culture where consumer protection and good governance is central to all decision making.

ICT systems and related security arrangements

The CASP Authorisation Form notes that to support the authorisation application process, the Central Bank will utilise an IT Risk Questionnaire (“ITRQ”), which has been developed in line with the requirements of DORA (Regulation (EU) 2022/2554) and MiCAR, as the means of assessing an applicant’s compliance during the application stage for authorisation. The Central Bank will provide the ITRQ to each applicant firm as the end of the KFD stage together with additional guidance on its completion.

AML / CFT / Financial Sanctions

Applicant firms who are not currently registered as virtual asset service providers (“VASPs”) in Ireland must also complete the Central Bank’s anti-money laundering, counter-terrorist financing and financial sanctions pre-authorisation risk evaluation questionnaire.

Incomplete Application

In accordance with Article 63(3) of MiCAR, the Central Bank may refuse to review applications which remain incomplete after the expiry of the timeframe, specified by the Central Bank, in which to submit any outstanding items.

Assessment Stage

Once an application is considered to be complete,  the Central Bank will commence the 40 working day assessment of the application. Additional information may be requested from an applicant CASP and this will result in one suspension of the assessment period of no more than 20 working days.

Decision

The Central Bank will communicate its decision to the applicant CASP within five working days of its decision to either grant or refuse authorisation as a CASP.

Next Steps

The Central Bank advises potential CASP applicants to engage with the Central Bank in good time by email – CASPAuthorisations@centralbank.ie.

2. ESMA publishes official translations of guidelines on templates for explanations and opinions and the standardised test for crypto-assets under MiCA

On 10 March 2025, the European Securities and Markets Authority (“ESMA”) published the official translations of the European Supervisory Authorities (“ESAs”) guidelines (“Guidelines”) on templates for explanations and opinions, and the standardised test for crypto-assets, under the regulation on markets in crypto-assets (“MiCA”).

The ESAs published a final report on the Guidelines in December 2024, for more information, please see FIG Top 5 at 5 dated 12 December 2024.

Next Steps

The Guidelines will be applicable from 12 May 2025, being two months after the publication of the official translations by ESMA. Additionally, competent authorities must, by 12 May 2025, notify the European Banking Authority  (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”) or ESMA, as appropriate,  whether they comply or intend to comply with the Guidelines, or otherwise with reasons for non-compliance.

Financial market participants are not required to report whether or not they comply with the Guidelines.

2. Central Bank releases demographic analysis of PCF applications in 2024

On 10 March 2025, the Central Bank of Ireland (“Central Bank”) published its Demographics Analysis 2024 (“Analysis”) in respect of applications for pre-approval controlled function (“PCF”) roles within regulated firms.

The Analysis states that the data takes account of gender diversity, age and nationality, further noting that diversity is crucial in developing an effective culture that is driven by senior leaders.

The following is a brief overview of some of the Central Bank's key findings:

• The rate of female applicants for some of the significant leadership roles within regulated firms has steadily increased from 16 per cent in 2012 to 34 per cent in 2024. This marks the first time that representation from females applicants has exceeded one-third.
• The greatest change in application composition was found in the credit union and insurance sectors, with female appointments accounting for 44% and 73% respectively;
• The gender balance for board level applications has improved, with female applications for these positions increasing to 32% in 2024 compared to 31% in 2023;
• Female representation in management level applications has also increased by 4% to 37%, when compared to 2023; and
• Females continue to be under represented in revenue generating roles. However, in 2024, 22% of incumbent role holders responsible for driving business revenue were female, representing an increase of 18% since 2023.

New firms seeking authorisation

The Analysis shows that  existing regulated firms continue to show higher levels of gender diversity than new firms seeking authorisation. In the foreword to the Analysis, Ms McMunn, Deputy Governor, Financial Regulation at the Central Bank, describes this as “a worrying trend” and advises that “new entrants building their leadership teams should also be considering their diversity, particularly given the benefits greater diversity can bring to decision making, risk management and an organisation’s long term success.”

More to be done

The Analysis acknowledges that progress has been made but that more must be done to encourage greater diversity in Irish regulated firms, with Ms McMunn noting that “firms with more diverse leadership teams are likely to be better run and this brings advantages for firms as well as the consumers whom they serve.” Importantly, Ms McMunn further stated that this will continue to be a priority for the Central Bank.

Governor Makhlouf – accelerating diversity

Separately, on 10 March 2025, Governor of the Central Bank, Gabriel Makhlouf published a blog post on accelerating diversity, in which, amongst other things, he discussed the Analysis. The Governor noted that for the Central Bank "diversity of thought is critical to ensure a range of perspectives are considered and evaluated to help policymakers, firms and businesses navigate their way through uncertainty.”

Noting the progress made, as evidenced by the Analysis, the Governor reiterated the point that much more needs to be done to ensure that the culture within regulated firms is sufficiently diverse and inclusive in order to support better run firms which he notes as being essential as regards consumer protection. The Governor emphasised that diversity, whether of gender, age, ethnicity, educational and professional background, is critical to developing an effective culture. 

3. ESAs publish opinion on the Commission’s rejection of draft RTS on subcontracting under DORA

On 7 March 2025, the  European Supervisory Authorities (“ESAs”) published an opinion (“Opinion”) on the European Commission’s (“Commission”) rejection of the draft regulatory technical standards (“RTS”) on subcontracting under DORA.

In January 2025, the Commission rejected the original draft RTS on subcontracting on the grounds that certain elements went beyond the powers conferred on the ESAs by DORA. The original draft RTS had specified further elements that financial entities were required to determine and assess when subcontracting ICT services that support critical functions under DORA. For more information, please see FIG Top 5 at 5 dated 6 February 2025. 

The Opinion sets out that the ESAs acknowledge that the amendments suggested by the Commission will ensure that the draft RTS are fully in line with the mandate under article 30(5) of DORA, namely, to “specify further the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions”.

The ESAs do not recommend any amendments to the Commission's proposed amendments. Further, the Opinion points out that financial entities are expected to adhere to the provisions relating to subcontractors under article 29(2) of DORA and to article 3(6) of the implementing technical standards on the register of information.

Finally, the Opinion notes that the drafting amendments proposed by the Commission do not imply a change in policy and, as such, are non-substantive changes.

Next Steps

The ESAs encourage the Commission to finalise the adoption of the RTS, as submitted to the ESAs, without further delay.

4. EBA consults on RTS under the EU’s AML / CFT regime

On 6 March 2025, the European Banking Authority (“EBA”) launched a consultation (“Consultation”) on four draft regulatory technical standards (“RTS”) in the context of the EBA’s response to the call for advice (“CfA”) of the European Commission (“Commission”) of 12 March 2024, on new mandates as regards the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (“AMLA”). The EBA’s response to the Commission’s CfA will inform the work of the AMLA.

The Consultation document sets out the EBA’s proposals as regards the following draft RTS, which were covered in the Commission’s CfA, as follows:

• draft RTS on the assessment and classification of the inherent and residual risk profile of obliged entities and the frequency at which such profile must be reviewed under article 40(2) of directive (EU) 2024/1640 (“MLD6”).

  Article 40 of MLD6 requires supervisors to apply a risk-based approach to AML / CFT supervision and in that regard, are also required to adjust the frequency and intensity of supervision based on the money laundering or terrorism financing risk profile of each entity. In effect, supervisors must understand the relevant risks in their member state and how such risks affect in scope entities in light of each entity’s business model, operation and customer base. Article 40(2) requires the AMLA to develop a common methodology for these purposes.

• draft RTS on the risk assessment for the purpose of selection for direct supervision under article 12(7) of regulation (EU) 2024/1620 (“AMLA Regulation”).

  Article 5(2) of the AMLA Regulation sets out that the AMLA is to directly supervise selected entities that are credit institutions, financial institutions and groups of credit and financial institutions. Article 12(7) of the ALMA Regulation aims to complement article 12 of the AMLA Regulation as regards the selection of entities that will be directly supervised and specifies two stages in respect of the selection process, as follows:

  • the number of member states an entity is operating in; and
  • the level of risk of each eligible entity.
• draft RTS on customer due diligence (CDD) under article 28(1) of regulation (EU) 2024/1624 (“AML Regulation”).

  Article 28(1) of the AML Regulation requires the AMLA to harmonise CDD requirements by setting out which information entities must collect to perform standard CDD, simplified due diligence (“SDD”) and enhanced due diligence (“EDD”). This will deal with problems under the current framework stemming from differences in national transposition of the AML Directive’s CDD requirements.

• draft RTS on pecuniary sanctions, administrative measures and periodic penalty payments under article 53(10) of MLD6.

This relates to enforcement  and it addresses three areas as follows:

• the indicators to classify the level of gravity of breaches;
• the criteria for setting the level of pecuniary sanctions and applying administrative measures; and
• the methodology for the imposition of periodic penalty payments.

The draft RTS address supervisors and obliged entities that fall within the remit of the EBA. In developing its proposals in respect of the draft RTS, the EBA has stated that it was guided by the principles of a proportionate, risk-based approach that can be applied effectively by financial institutions and their AML / CFT supervisors and that also limits compliance costs.

Next Steps

The Consultation is open for feedback until 6 June 2025. During this time, the EBA has stated that it will also consult the European Data Protection Supervisor and the European Data Protection Board. Feedback received will be considered by the EBA when it is preparing its response to the Commission, which will be submitted on 31 October 2025.

5. ESMA revises prioritisation of 2025 deliverables

On 6 March 2025, the European Securities and Markets Authority (“ESMA”) published a letter (“Letter”), dated 3 March 2025, from Verena Ross, Chair of ESMA, to John Berrigan, Director General of the European Commission's (“Commission”) Directorate Financial Services, Financial Stability and Capital Markets Union.

The Letter references ESMA’s 2025 annual work programme (”AWP”), for more information please see FIG Top 5 at dated 10 October 2024, and states that ESMA recently carried out a review of the tasks and commitments contained in the AWP. On foot of that review, ESMA identified a number of deliverables in its planned work that could be deprioritised or postponed.

The Letter contains a schedule setting out deliverables to the Commission for 2025 that are being either postponed or deprioritised. Of note are the following:

• Elements of the MiFIR / MiFID Review
  • guidelines on communication methods to SME growth markets issuers when trading an instrument on another trading venue, which had an initial deadline of 1 June 2026, have been cancelled;
  • regulatory technical standards (“RTS”) on CTP incidents statistics reporting, which had an initial deadline of 1 September 2025, have been delayed by three months; and
  • RTS on order execution policies (best execution), which had an initial deadline of 29 December 2024, have been delayed by six months.
• Recurrent mandatory reports  - the 2025 MiCA annual report on market developments, which had an initial deadline of 31 December 2025, has been delayed by twelve months.

The Letter states that resources that are freed up will be diverted towards the highest priority workstreams, including:

• MiFID / MiFIR Review;
• T+1 project;
• supervisory responsibilities relating to consolidated tape providers, green bond verifiers and ESG Rating providers; and
• oversight powers under DORA.