Study: Why the Regulator Sees Your Compliance Team as a Single Brain

The organizational chart with the right job titles will not get a CASP license approved. What the regulator is assessing is a compliance architecture: documented independence, collective expertise across three distinct knowledge domains, and real institutional substance.

Aaron Glauberman, Partner at LegalBison
Sabir Alijev, Partner at LegalBison
Viktor Juskin, Partner at LegalBison
Apr 30, 2026, 7 minute read

Key Findings

  • MiCA Article 68(1) requires management body members to possess the appropriate knowledge, skills, and experience both individually and collectively. The word "collectively" describes a compliance organism, not a list of job titles;
  • The joint EBA and ESMA suitability guidelines require demonstrable coverage of three knowledge domains across the full management body: traditional financial markets, DLT infrastructure and cybersecurity, and organizational governance;
  • Each management body member must document their time commitment in writing, with annual and monthly indications, alongside a formal declaration of all other directorships held. A mismatch between role scope and committed hours is a direct red flag for the NCA;
  • The three core internal control functions (compliance, risk assessment, internal audit) must each have a named owner, a direct reporting line to the management body, and verified structural independence from the business areas they oversee;
  • A nominee director arrangement at a registered EU address does not satisfy the substance requirement. At least one director exercising real authority must be resident within the Union;
  • Business continuity is a compliance obligation, not an IT task. Under MiCA and DORA, the Business Continuity Policy must be owned and maintained at the management body level.

Background: The Misread That Stalls Applications

When founders begin planning for CASP authorization, the conversation almost always arrives at the same moment: Do we need to hire a compliance officer? And an MLRO? Is that it?

The answer to both is yes. But treating those two appointments as the finish line is the most common misreading of what MiCA actually demands.

Regulators are not checking whether the org chart has the right job titles. They are assessing whether the management body, as a whole unit, has the knowledge architecture, the structural independence, and the documented operational depth to run a regulated financial institution. A MiCA license is not issued to a person. It is issued to an organism.

This distinction sits at the heart of why so many early-stage applications stall or require significant rework before a National Competent Authority (NCA) will grant authorization.

Collective Suitability and the Time Commitment Problem

Article 68(1) of MiCA is precise: management body members must possess the appropriate knowledge, skills, and experience both individually and collectively. The joint EBA and ESMA suitability guidelines make the mechanics explicit. The management body’s combined profile must demonstrably cover at least three areas:

  • Traditional financial markets. Regulatory frameworks, investor protection obligations, market conduct rules, and the operational standards applicable to licensed financial service providers;
  • DLT infrastructure and cybersecurity. Blockchain architecture, protocol-level risk, smart contract exposure, cybersecurity threat modelling, and the operational vulnerabilities specific to on-chain service delivery;
  • Business strategy and organizational governance. Risk management design, internal control architecture, governance policy, and periodic review of compliance effectiveness.

No single person is expected to hold all three. The expectation, formalized through ESMA’s requirement for a collective suitability assessment, is that the team as a whole covers every domain without gaps. A management body drawn entirely from traditional finance, with no one capable of evaluating DLT infrastructure risk, is structurally incomplete before the application is filed. The reverse applies equally.

There is a second layer that catches applicants off guard. The right people must exist in practice, not just on paper. Each management body member must document, in writing, their minimum time commitment to the firm with both annual and monthly indications, alongside a formal declaration of all other executive and non-executive directorships currently held. ESMA’s draft regulatory technical standards on authorization are explicit on this point.

A non-executive with four other board seats and two additional compliance advisory relationships will face direct NCA scrutiny. A mismatch between the scope of the compliance role and the hours actually committed to it is a red flag, not a technicality. Early-stage firms that bring in experienced compliance figures on a part-time basis to strengthen an application should expect the NCA to do the arithmetic.

The Internal Control Structure the Regulator Will Interrogate

MiCA Articles 68(4), 68(5), and 68(6) require effective compliance policies, appropriately knowledgeable personnel at every level, and periodic management body review of whether those arrangements are working. ESMA’s draft RTS take this further by requiring firms to identify specific internal control functions and document three things for each: the reporting line to the management body, how the function maintains independence from the business area it oversees, and how it can access the management body on both a scheduled and emergency basis.

The three core areas are the compliance function, the risk assessment function, and the internal audit function. AML/CFT and business continuity are equally mandatory but treated as distinct pillars in the ESMA framework.

The independence requirement is where many applications reveal a structural flaw. A compliance function that reports to a Chief Operating Officer who also carries responsibility for revenue and commercial growth targets is not independent in the regulatory sense. A risk function embedded within the trading desk it is supposed to monitor does not meet the standard. The NCA will request the organizational chart and then ask who the compliance head reports to in practice, what their other responsibilities are, and what escalation rights they hold when a serious compliance risk is identified.

This architecture must be designed before the application is drafted, not retrofitted afterward.

Substance, Business Continuity, and Data Standards

Physical substance. The authorization application must document a physical place of effective management inside the EU. At least one director exercising real authority must be resident within the Union and accessible to the NCA of the home member state. A registered address supported by a nominee director arrangement does not satisfy this requirement. A director present in the EU for two weeks per quarter does not qualify as a resident in any meaningful regulatory sense. For firms headquartered outside the EU, the EU entity must function as a real decision-making unit.

Business continuity. Business continuity is widely treated as an IT responsibility. Under MiCA and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), that framing is incorrect for any authorized CASP. The Business Continuity Policy must be owned and maintained by the management body. For firms operating on permissionless DLT (public blockchains such as Ethereum), ESMA’s second consultation paper introduced specific obligations: proactive client communication during service disruptions, a clear picture of how resumption will be managed, and full liability for losses arising from the firm’s own smart contracts. A compliance team that can only describe blockchain risk in general terms cannot draft or maintain a policy that meets this standard.

Data standards. CASPs operating trading platforms must use the Digital Token Identifier (DTI) standard for all record-keeping and NCA reporting. ISO 20022 messaging standards govern the transactional data format submitted to authorities. Pre- and post-trade transparency data must flow through non-discriminatory, machine-readable public channels. These are compliance obligations with a technical dimension. A firm that delegates them entirely to IT without compliance oversight of the specific data standards the RTS demands will face supervisory problems after authorization.

What This Means for Founders

The authorization application documents an institution that already exists. That is the mental model separating firms that move efficiently through the process from those that stall.

Three things determine whether a management body meets the MiCA standard:

  • Collective knowledge coverage. The team, taken as a unit, must cover traditional financial markets expertise, DLT and cybersecurity proficiency, and organizational governance capability. Gaps in any domain are structural deficiencies;
  • Documented structural independence. The compliance, risk, and audit functions must each have a named owner, a direct reporting line to the management body, and verified independence from the business areas they oversee. An org chart that routes compliance through a revenue-generating function will not survive NCA review;
  • Real institutional substance. Time commitments must be genuine and documented. EU physical presence must reflect actual decision-making weight. Business continuity must be owned at the management body level. Data reporting must meet DTI and ISO 20022 standards from day one.

The CASP license application is the output. The compliance architecture is the foundation. Build the foundation first.
