MiCA Compliance Checklist for Crypto-Asset Service Providers

MiCA Compliance Checklist for Crypto-Asset Service Providers

With the EU's final MiCA transitional arrangements expiring on 1 July 2026, every crypto-asset service provider (CASP) operating in the European Union must now hold — or be on a clear path to — full MiCA authorisation. For accountants and finance professionals advising these firms, the question has shifted from 'does MiCA apply?' to 'are we compliant, and can we prove it?'. This checklist sets out the core compliance areas under the Markets in Crypto-Assets Regulation, structured the way a competent authority or auditor would approach them. It is written for practitioners supporting CASPs in Ireland and across the EU, and for UK advisers whose clients have established EU entities.

1. Authorisation and Scope

Start by confirming the firm's regulatory perimeter is correctly mapped:

• Service mapping — identify which of MiCA's ten crypto-asset services the firm provides (custody, trading platform operation, exchange for funds, exchange for other crypto-assets, order execution, placing, reception and transmission, advice, portfolio management, transfer services). The authorisation must cover every service actually provided.
• Authorisation status — confirm the firm holds a CASP authorisation from its national competent authority (the Central Bank of Ireland for Irish firms), or qualifies for the simplified notification route available to credit institutions and certain other regulated entities.
• Transitional exposure — firms that relied on grandfathering should verify their national deadline. Ireland's 12-month transitional window closed on 30 December 2025; the longest national windows end on 1 July 2026. Operating beyond the deadline without authorisation is unauthorised business.
• Passporting notifications — where services are provided cross-border within the EU, check that passport notifications have been filed for each host member state.
• Token perimeter — confirm none of the assets handled are actually MiFID financial instruments, e-money tokens or asset-referenced tokens requiring different treatment.

2. Prudential Requirements and Own Funds

MiCA sets tiered minimum capital requirements depending on the services provided: €50,000 for lower-risk services such as advice and order reception, €125,000 for services including order execution and exchange activities, and €150,000 for custody, operating a trading platform and transfer services. The ongoing requirement is the higher of the relevant class minimum and one quarter of the preceding year's fixed overheads.

• Recalculate the fixed overheads requirement annually from audited figures and after any material change in the business.
• Confirm own funds are held in eligible form and monitored continuously, not just at year-end.
• Document the firm's prudential safeguards, including insurance policies where used to supplement own funds.
• Stress-test capital adequacy against volume declines and crypto market drawdowns — supervisors expect headroom above the floor, not capital at the minimum.

3. Safeguarding Client Assets

Safeguarding failures are the highest-profile risk in crypto, and MiCA's rules here are exacting. The checklist for client asset protection includes:

• Segregation — clients' crypto-assets and funds must be segregated from the firm's own assets, both legally and operationally, including on-chain separation of client wallets from proprietary wallets.
• No unauthorised use — client crypto-assets must not be used for the firm's own account without express consent and clear arrangements.
• Client money — client funds must be placed with a credit institution or central bank by the end of the business day following receipt.
• Reconciliations — implement and evidence regular reconciliations between internal ledger records, custodian statements and on-chain balances. This is where accountants add immediate value: design the reconciliation, define break-resolution procedures, and retain the audit trail.
• Key management — document private key generation, storage, access controls and recovery procedures, with segregation of duties so no single person can move client assets alone.

4. Governance, Systems and Outsourcing

Authorisation is granted to a firm with substance, and supervisors test that substance continuously:

• Management body members must meet fitness and probity standards, with documented assessments.
• Maintain a compliance function, risk management framework and internal audit arrangements proportionate to the firm's size and complexity.
• ICT resilience must meet the requirements of the Digital Operational Resilience Act (DORA), which applies to CASPs alongside MiCA — incident response, testing and third-party ICT risk management all need evidence.
• Outsourcing (including intra-group arrangements and cloud) must be governed by written agreements, with the firm retaining responsibility and the regulator retaining access.
• Maintain a wind-down plan enabling orderly exit without harming clients.

5. Conduct of Business, Disclosure and Market Abuse

MiCA imports familiar conduct standards into crypto markets:

• Act honestly, fairly and professionally in clients' best interests, with clear, fair and not misleading communications — marketing materials should be reviewed against this standard.
• Publish required disclosures, including pricing, costs and fees, and execution policies where relevant.
• Maintain a complaints-handling procedure that is free for clients, with records of complaints and outcomes.
• Identify, prevent, manage and disclose conflicts of interest.
• Comply with the market abuse regime: systems to detect and report suspected insider dealing and market manipulation, controls over inside information, and staff training.
• Ensure AML/CFT obligations are met in parallel — MiCA authorisation does not replace anti-money laundering compliance, and the EU's Transfer of Funds Regulation requires originator and beneficiary information to travel with crypto transfers.

Two practical points are worth emphasising on safeguarding. First, the reconciliation frequency should be proportionate to transaction volume — for an active exchange, daily reconciliation of client positions to on-chain and custodian balances is the supervisory expectation, not a quarterly exercise. Second, breaks must be aged, escalated and resolved under a documented procedure with clear ownership. When supervisors or auditors review safeguarding arrangements, an unexplained reconciling item that has sat unresolved for weeks tells them more about the control environment than any policy document. Accountants designing these processes should also ensure that the records would support an orderly return of client assets in a wind-down scenario, because that is ultimately what the safeguarding regime exists to protect.

6. Ongoing Reporting and the Accountant's Role

Compliance does not end at authorisation. CASPs face ongoing regulatory reporting, audited financial statements, notification obligations for material changes, and — from 1 January 2026 — tax transparency reporting under the OECD's Crypto-Asset Reporting Framework as implemented in the EU through DAC8, with first exchanges of 2026 data due in 2027. Finance teams should own a compliance calendar that integrates regulatory returns, safeguarding attestations, capital monitoring and tax reporting deadlines.

For practitioners, this is a growing service line: capital calculations, safeguarding reconciliations, internal audit co-source work, and pre-application reviews are all areas where accounting skills map directly onto MiCA obligations. Building that expertise through structured CPD is the fastest route to advising confidently in this space.

A final point on documentation culture: MiCA compliance is evidenced compliance. Supervisors do not assess intentions; they assess records. The firms that pass inspections comfortably are those whose finance and compliance functions maintain a living compliance register mapping each MiCA obligation to an owner, a control, and the evidence that the control operated. Building that register is an ideal first engagement for an accountant moving into this space — it forces a complete read of the firm's obligations and surfaces gaps before a supervisor does. It also creates the framework into which future regulatory change, such as new ESMA technical standards or the EU's evolving treatment of decentralised finance, can be slotted without starting from scratch.

Study with Learnsignal

If your clients are CASPs — or you want them to be — you need working knowledge of MiCA's authorisation, prudential and safeguarding rules before the July 2026 enforcement cliff. Learnsignal's online CPD courses for qualified accountants cover digital assets regulation in practical depth, with flexible learning that fits around client work. Build the compliance skill set your firm will be asked for this year.