Study: Thinking a CASP License Covers Payments, Perps or Futures is a Major Mistake

Key Findings

• MiCA’s scope is limited to specific crypto-asset services. A CASP license does not provide a “full stack” authorization for all exchange activities; it specifically excludes services that fall under existing frameworks like PSD2 and MiFID II.

• Crypto derivatives are regulated as financial instruments. Perpetual futures, options, and dated futures are classified as financial instruments under MiFID II rather than crypto-assets under MiCA, requiring separate investment firm or trading venue authorizations.

• Handling fiat or e-money triggers payment regulations. Any platform offering fiat on/off-ramps, bank transfers, or crypto-funded card programs operates a payment service requiring a Payment Institution (PI) or Electronic Money Institution (EMI) license.

• Dual or triple licensing is the industry standard for major exchanges. Comprehensive platforms typically require a multi-entity, multi-license architecture (CASP + MiFID II + EMI) to legally offer their full suite of products in the EU.

The Myth: MiCA Covers the Full Stack of What a Crypto Exchange Does

The assumption is understandable. MiCA is comprehensive. It covers ten categories of crypto-asset services. Its scope extends to custody, exchange, execution, routing, advice, and portfolio management. For most retail crypto platforms, that covers a substantial portion of their business.

But “substantial” and “complete” are different things. The platforms most likely to discover a significant difference are not marginal operators. They are the ones running derivative products, enabling crypto-funded card payments, offering leveraged perpetual positions, or hosting prediction markets. These prediction markets have become a major trend for centralized exchanges (CEXes), yet they sit at a regulatory boundary that MiCA does not cross. Instead, they often fall under local iGaming regulatory frameworks. These are commercially significant product lines at major exchanges, and each one operates outside MiCA’s scope.

The regulation is specific about what it governs. Article 2(4) of MiCA explicitly excludes from its scope crypto-assets that qualify as financial instruments under Directive 2014/65/EU (MiFID II), deposits, funds as defined under the Payment Services Directive 2 (PSD2), and securitisation positions. These exclusions are not technical footnotes. They define the perimeter of MiCA’s authority. Anything falling on the other side of that perimeter requires authorization under a different framework entirely.

Where the CASP License Stops

Payment Services

MiCA authorizes the transfer of crypto-assets on behalf of clients, defined in Article 3(1)(26) as “providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another.” This is a crypto-native transfer service. It is not a payment service in the PSD2 sense.

The distinction matters enormously for platforms that want to offer crypto-funded card programs, fiat on/off-ramp integrations, direct bank transfers, or merchant payment acceptance in euros or other official currencies. Article 2(4)(c) excludes “funds” as defined in PSD2 from MiCA’s scope, except where they qualify as e-money tokens. 

A platform that receives fiat or e-money tokens (EMTs) from a user, holds them, and transmits them somewhere is operating a payment service. This requires either a payment institution license or an Electronic Money Institution (EMI) license under Directive (EU) 2015/2366 (PSD2), rather than just a Crypto-Asset Service Provider (CASP) authorization. Because EMTs are legally deemed to be electronic money, CASP transfer services do not cover EMTs unless the activity falls under the “intermediation” exclusion. 

A non-EMI CASP can transmit orders for EMTs only if the transaction stays within the CASP’s internal ecosystem or within a custodial account managed by an authorized licensed partner. If a service involves transmitting an order that triggers the transfer of an EMT to a third-party wallet or a private ledger, it constitutes the execution of a payment transaction or a money remittance service under PSD2/PSD3. Any CASP facilitating these external transfers after March 2026 must have its own EMI/PI license or use a licensed agent.

MiCA itself acknowledges this boundary. Article 70(4) states that crypto-asset service providers may themselves or through a third party provide payment services related to their crypto-asset service, but only where the provider or the third party is authorized to provide those services under PSD2. The regulation does not grant payment services capability through the back door. It requires that the capability be independently authorized.

For an exchange that wants to let users top up via SEPA transfer, settle redemptions in euros, or issue a branded debit card, a CASP license is a necessary piece of the structure. It is not sufficient.

Perpetuals and Futures

This is where the exposure tends to be sharpest for derivative-first platforms.

MiCA’s scope is defined around “crypto-assets,” which are digital representations of value or rights that can be transferred using distributed ledger technology. The regulation covers the services built around those assets: custody, trading on spot markets, exchange, execution of orders as well as routing of orders as a pure intermediary. What it does not cover is financial derivatives where the crypto-asset is the underlying instrument rather than the thing being traded.

Article 2(4)(a) removes from MiCA’s scope any crypto-asset that qualifies as a financial instrument under MiFID II. A perpetual futures contract on BTC/USD is not a crypto-asset. It is a derivative. It may settle in cryptocurrency, but the instrument itself, the contractual claim representing a leveraged position on the price of Bitcoin, is a financial instrument in the MiFID II sense. Operating a venue that allows EU clients to trade such instruments requires an investment firm authorization under MiFID II, or at minimum a trading venue authorization depending on the structure, not a CASP license.

Recital 97 of MiCA addresses this directly, noting that derivatives qualifying as financial instruments under MiFID II and whose underlying asset is a crypto-asset are subject to Regulation 596/2014 (the Market Abuse Regulation), not to MiCA. The market abuse provisions still reach the underlying crypto-asset. But the authorization framework for the derivative product itself sits under MiFID II.

Some exchanges attempt to structure perpetuals as crypto-to-crypto swap arrangements that they characterize as exchange services rather than derivatives. Regulators are familiar with this framing, and the classification question is ultimately one of substance over form. An instrument with leverage, a funding rate, and no delivery of the underlying asset is likely to face scrutiny as a derivative regardless of how it is labeled. The legal risk of getting this wrong is the provision of financial services without authorization.

Futures Contracts

The same analysis applies to dated futures. A futures contract obliging a counterparty to buy or sell an asset at a predetermined price on a future date is a financial instrument under MiFID II, specifically within the definitions covering derivatives on commodities, currencies, and other underlyings. Cryptocurrency futures, even where physically settled in BTC or ETH, are treated as financial instruments when they are traded on a multilateral basis.

Operating a trading platform for such instruments requires authorization as a regulated market, multilateral trading facility (MTF), or organized trading facility (OTF) under MiFID II. CASP authorization covers the operation of a trading platform for crypto-assets under Article 76 of MiCA, which defines a trading platform as a multilateral system bringing together multiple third-party purchasing and selling interests in crypto-assets, not derivatives on crypto-assets.

In practical terms, this means the CASP provides a venue where clients meet and trade with each other under clear operating rules defined and maintained by the CASP itself. The platform operator pools and matches client orders to facilitate price discovery rather than setting prices. The CASP does not take market risk, book trades on its own sheet, or deal on its own account. The only exception is matched principal trading, which the operator may engage in strictly with explicit client consent and monitoring by the competent authority.

Both frameworks impose strict limits on permitted trading models. Under MiFID II, multilateral trading facilities (MTFs) are entirely banned from executing client orders against proprietary capital or engaging in matched principal trading. Organized trading facilities (OTFs) are permitted to act as matched principals for specific instruments, such as bonds, structured finance products, emission allowances, and certain derivatives, but only with explicit client consent.

MiCA establishes similar restrictions for crypto-assets. Crypto-asset service providers cannot deal on their own account on the trading platforms they operate. MiCA allows matched principal trading as an exception, but only where the client has consented to the process. The provider must supply the competent authority with information explaining its use of matched principal trading. The competent authority then monitors the engagement to verify it continues to fall within the strict definition of matched principal trading and does not give rise to conflicts of interest between the provider and its clients.

Bitstamp, which holds MiCA authorization in Luxembourg under the Commission de Surveillance du Secteur Financier (CSSF), also holds a MiFID license permitting it to operate an MTF. That dual licensing structure is not an accident. It reflects the actual scope of the activity.

Why Operators Miss This

Several factors produce the misunderstanding.

First, the practical effect of pre-MiCA national VASP regimes varied significantly by jurisdiction and over time. While early registrations in some countries might have initially operated as a permissive baseline, regulators became increasingly stringent.

In Estonia, for example, the Financial Intelligence Unit (RAB) actively scrutinized the specific services provided by VASPs and investigated the provision of unlicensed financial services. By 2022, ahead of MiCA’s enactment, Estonia implemented strict amendments that explicitly banned the offering of futures and perpetuals under a VASP license. Operators received a short 60 to 90-day grace period to comply, which ultimately led to the mass revocation of thousands of licenses.

Second, the CASP register entries themselves are not always informative to founders reading them from the outside. An exchange listed as authorized for “operation of a trading platform” and “execution of orders” looks comprehensively authorized. Whether it is running derivatives products under a separate MiFID authorization requires reading beyond the CASP register entirely.

Third, many platforms offer derivatives on crypto-assets to non-EU clients, and EU clients make up a minority of users. The assumption is that the EU exposure is manageable. But the reverse solicitation rules discussed in earlier installments of this series apply equally to unauthorized derivative services. A platform marketing leveraged BTC perpetuals to global clients while simultaneously applying for a CASP license for its EU spot trading product may find that the two activities interact in ways the compliance team did not anticipate.

The Regulatory Junctions

Three regulatory frameworks converge around most full-service crypto exchanges:

MiCA governs spot trading, custody, transfer services, exchange, execution of orders, reception and transmission of orders, advice, and portfolio management on crypto-assets. The CASP license is required and sufficient for these activities when provided to EU clients.

PSD2 and the EMI regime govern payment services involving fiat. Any activity involving the receipt, holding, or transmission of euro-denominated or other official currency funds requires either a payment institution license (for payment initiation and money transmission) or an EMI license (where the platform stores fiat value electronically as a claim redeemable at par). An exchange that allows users to fund accounts by bank transfer and withdraw in euros is, at minimum, touching a payment service. Whether that requires PSD2 authorization depends on the specific flow and structure, but the question must be assessed deliberately, not assumed away.

MiFID II governs derivatives. Futures, perpetuals, options, and CFDs on crypto-assets are financial instruments. Operating venues for their trading, or providing investment advice and portfolio management in relation to them, requires MiFID II authorization. The specific authorization type, investment firm, regulated market, MTF, depends on the business model.

Platforms operating across all three categories need a structure that maps each product line to its authorizing framework. That is a multi-license, multi-entity architecture in some cases, not a single CASP application.

What the Compliance Gap Looks Like in Practice

Consider an exchange that:

• Offers spot BTC/EUR trading (CASP: exchange of crypto-assets for funds)
• Allows SEPA deposits and euro withdrawals (payment service, potentially PSD2)
• Runs BTC perpetual contracts with up to 20x leverage (derivative product, potentially MiFID II)
• Offers a crypto-backed Visa card that spends euro balances (payment institution capability, PSD2/EMI)

A CASP authorization, standing alone, covers the first item with reasonable confidence. The other three sit at the boundary. Whether they require independent authorizations, whether they can be structured as ancillary to the main crypto business, or whether they must be routed through licensed third parties are fact-specific questions. They are not questions the CASP license answers.

This is exactly the type of analysis regulators will apply when reviewing a business model during the authorization process. The application requires a programme of operations under Article 62(2)(d) of MiCA, which must set out the types of crypto-asset services the applicant intends to provide, including where and how those services are to be marketed. A business model that includes derivatives or payment services must address those elements in the application. Operators who treat the CASP application as covering the full scope of their business risk having the NCA identify the gap before they do, at the worst possible moment in the authorization process.

The Operational Consequence

For platforms already operating in the EU under grandfathering provisions that expire July 1, 2026, the regulatory gap has an immediate timeline consequence. A VASP registration does not solve the payment services problem any more than a CASP license will. These questions do not disappear with MiCA authorization; they persist and become more visible to regulators whose supervisory tools now match the formal authorization framework.

For platforms currently designing their EU market entry structure, the sequence matters. Mapping each product line to its authorizing framework comes before choosing the jurisdiction for the CASP application. The jurisdiction choice affects the CASP, but it also affects the feasibility of layering PSD2 and MiFID II authorizations on the same entity or within the same group.

Getting the architecture wrong is fixable. But it tends to be expensive to fix after authorization, and it tends to surface at the moment the platform is growing fast enough that the regulators start paying attention.

Key Takeaways

• The CASP License is Necessary but Often Insufficient: While MiCA covers spot trading and custody, it leaves a significant operational gap for platforms whose business models rely on leveraged positions or fiat payment integrations.

• MiFID II Governs the Derivatives Market: Because MiCA explicitly excludes “financial instruments,” operators providing perpetuals or futures must obtain MiFID II authorization. Labeling these products as “swaps” will not shield them from regulatory scrutiny.

• Payment Services Require Independent Authorization: MiCA authorizes the transfer of crypto-assets but not “funds” as defined by PSD2. Receipt and transmission of fiat or e-money tokens require a dedicated PI or EMI license.

• Substance Over Form Dictates Compliance: Regulators assess the actual control and economic reality of a service rather than its technological label. Any instrument with leverage and a funding rate is likely to be treated as a derivative regardless of how it is marketed.

• The Regulatory Transition Period is Narrow: With grandfathering provisions for many VASPs expiring by July 1, 2026, operators must urgently map their product lines to the correct authorizing frameworks to avoid the risk of mass license revocations.