An analysis of crypto regulatory & licensing frameworks in Europe




The growth of the cryptoassets market has captured the interest of the general public and regulators alike, leading to a development of regulatory frameworks across member states of the European Union and the European Economic Area. The European market in general is seen as underdeveloped in comparison to its American and Asian counterparts, but what it lacks in terms of investments and technical development, it makes up in the provision of sound and clear regulatory frameworks governing the industry.

Regulated jurisdictions are becoming the norm due to the perceived need for increased investor protection and legal clarity for the innovative crypto space. Past scandals and mishaps have pushed users towards seeking business relationships with service providers that are set up in reputable jurisdictions and are under regulatory obligations to provide services that are in line with applicable industry standards.

This comparative analysis seeks to highlight the applicable legal frameworks in the prevalent jurisdictions within Europe, with approaches ranges from mild amendments of existing frameworks to the creation of ad-hoc frameworks. The first countries to take steps towards addressing certain regulatory needs of the crypto industry were Luxembourg and Gibraltar, with Malta being the first European country to introduce a comprehensive, stand-alone regulatory framework regulating the conduct of service providers such as exchanges and brokers. The United Kingdom, with its fintech regulatory sandbox, has attracted a lot of positive criticism, and Estonia has gained its reputation for offering a seamless and quick experience for the set-up of crypto-oriented companies.

The analysis further serves to provide a clear depiction of the current status of the regulatory framework in the below-mentioned jurisdiction, any applicable eligibility criteria, and the pros and cons of each country’s framework. The study took into consideration the ease of set-up in the covered jurisdictions, as well as any applicable licensing requirements in those jurisdictions with an ad-hoc legal framework.

United Kingdom

While the UK has not enacted ad hoc legislation regulating cryptoassets, their legal standing may be determined primarily from the Final Report of the Cryptoassets Taskforce published in 2018. The Cryptoassets Taskforce is composed of HM Treasury, the Financial Conduct Authority (‘FCA’) and the Bank of England and its aim is to further the UK’s Fintech strategy by assessing the impact of cryptoassets and DLT in the UK and devise policies accordingly. The Taskforce Report defines a cryptoasset as “a cryptographically secured digital representation of value or contractual rights that uses some type of DLT and can be transferred, stored or traded electronically”. Cryptoassets are categorized into three types; exchange tokens, which are essentially cryptocurrencies which are “not issued or backed by a central bank or other central body” and “do not provide the types of rights or access provided by security or utility tokens, but are used as a means of exchange or for investment”. Security tokens provide certain rights to the holder and constitute a ‘specified investment’ under the Financial Services and Markets Act[1], and may also constitute transferable securities or financial instruments under the Markets in Financial Instruments Directive II (‘MiFID II’). The third type of cryptoasset is the utility token, which grants the holder access to products or services provided on a DLT platform.

Certain activities involving cryptoassets fall within the remit of existing regulation, such as the Financial Services and Markets Act, the Payment Services Regulations[2] and EU law. Cryptoassets used as a means of exchange do not fall within regulatory remits unless the cryptoassets constitute e-money, for example centrally issued utility tokens accepted by third parties as a means of exchange. Cryptoassets used to facilitate regulated payment services fall within the regulatory perimeter, and financial instruments that reference cryptoassets are also regulated and may constitute financial instruments under MiFID II. Direct investment is also a regulated activity if the cryptoasset is a security token or the investment is made by a regulated investment vehicle. ICOs are only regulated if security tokens are issued.

The FCA’s Guidance on Cryptoassets distinguishes between regulated and unregulated tokens; while security tokens and e-money tokens are regulated, other tokens such as utility tokens and exchange tokens do not fall within the regulatory landscape.

The FCA became the anti-money laundering and counter-terrorist financing (‘AML/CTF’) supervisor of cryptoasset businesses in the UK as of 10th January 2020, and existing businesses carrying on cryptoasset activity in the UK were required to comply with the Money Laundering, Terrorist Financing and Transfer of Funds[3] (‘MLRS’) as of such date. The activities which fall within the scope of regulation under the MLRS are exchanges including ATMS which allow the exchange of cryptoassets for money or vice versa, Peer to Peer Providers, issuers of new cryptoassets for example ICOs, and custodian wallet providers which safeguard or administer cryptoassets or private cryptographic keys on behalf of customers.

Any business which carried out cryptoasset activity prior to such date must comply with the MLRs, while new businesses starting operations after the date are required to register with the FCA prior to commencing operations. All businesses must submit applications for registration by the 10th of January 2021, after which date businesses who have failed to register will have to cease operations.

The Sandbox

The Financial Conduct Authority (FCA) has established the following initiatives with the aim of promoting and supporting innovation, while at the same time providing new opportunities for investors willing to participate in the crypto-assets sector:

  • Regulatory Sandbox
  • Direct Support
  • Advice Unit
  • Green Finance cohort engagement

The Regulatory Sandbox is a structured and controlled environment set up by the FCA, where firms willing to participate in the UK crypto-assets sector can apply and live-test their innovations under the regulator’s supervision. In this way, regulations can be created to meet the needs of the customers, investors and the innovators alike. In this way, the Sandbox aligns compliance with regulation whilst avoiding overregulating the sector, thus providing regulatory certainty which will attract the attention of potential applicants. It also attracts the attention of different players since the Sandbox offers protection to the customers, innovators, regulators and investors willing to partake in the industry, by operating in a safe and supervised environment. FinTech firms from other EU member states also use the Sandbox as a passporting mechanism for their business to the UK. EU firms may still apply to engage and operate in the Regulatory Sandbox, even in the event that the UK leaves the EU, although the passporting right conferred by membership within the EU may be potentially affected by Brexit.

Participation in the Sandbox is a four-step process, which involves:

  • Application
  • Authorisation
  • Testing
  • Exit

Eligibility Criteria

The FCA has also set up a list of criteria which needs to be satisfied for a firm to be considered eligible to apply to operate from the Regulatory Sandbox. The only institutions which shall be eligible to apply to operate in the Sandbox are those institutions which do not fall under any other authority except for the FCA. The criteria for eligibility include:

  • The intention for the innovation to operate in the UK market;
  • The innovation being offered is new or significantly different from other offerings in the market
  • The innovation offers benefits to consumers and promotes healthy competition in the market;
  • The innovation does not fit in the existing legal framework and thus needs added regulation;
  • The firm has set up a testing plan and clear objectives, with sufficient safeguards to protect consumers.


Any eligible firm, whether licensed or not, is allowed to partake in the Sandbox so long that it meets the eligibility criteria. Thus, the firm need not be a licensed entity to operate from within the Sandbox. This is so that any new firms can work on and test their innovations within a safe and regulated environment. The Sandbox itself does however grant authorisation for firms, tailored for each firm, to work within it through its cohorts. It sets out a list of cohorts or categories under which the firms can fall under according to their area of business. The firms are put in their respective cohorts after being chosen for testing depending on their sector, the size of the firm, and their location.

The Global Sandbox

The FCA, along with 11 other financial regulatory bodies, have also set up the Global Financial Innovation Network, which is based on the concept of a Global Sandbox. The main functions of the GFIN were set up, such functions including:

  • The function of the GFIN acting as a network for other regulators to collaborate and share experience of innovation in their respective markets;
  • The provision of a forum for joint policy work and discussions;
  • The provision of environment which could test cross-border solutions for firms.

Digital Sandbox – Covid-19 Pilot

The FCA will be piloting its digital sandbox in a bid to assist innovative firms facing challenges due to the coronavirus pandemic. The scope of the sandbox is to create a digital testing environment where firms will have access to data assets, regulatory support and an application programming interface (‘API’) or vendor marketplace where vendors can list their APIs. In turn, regulators may monitor the testing processes which enables the identification of areas which could potentially require further regulation. The FCA is currently accepting expressions of interest from both regulated and unregulated firms, and applications will be available in the coming months.


Cryptocurrency exchanges operating under the UK legal framework are generally subject to a registration requirement with the FCA. While there are no provisions specifically regulating the operation of such exchanges, the FCA guidance stipulated that entities offering services involving cryptoassets which fall within the remit of existing regulations for derivatives require authorization. Despite the lack of legal certainty, however, one can deduce that the operation of an exchange which only facilitates transactions involving exchange tokens such as Bitcoin and Ether, such activity is not regulated. Where fiat currency is involved in transactions, this might constitute the provision of payment services and thus thorough analysis would be required to determine whether the service constitutes a regulated activity.

United kingdom crypto regulation

Schedule a Free Consultation Call


In its regulation of blockchain and crypto-assets, Liechtenstein aims to not only facilitate innovation, but to implement legislation which will remain applicable for future technology generations. It is for this reason that the Blockchain Act is addressed to ‘transaction systems based on trustworthy technology’ (TT systems). Liechtenstein is setting higher standards in the crypto-industry by not only regulating it, but also enabling a holistic legal framework. The goal is to ensure user and service provider protection and building trust in digital frameworks.

Token and TT Service Provider Act

The Token and TT Service Provider Act (abbreviated as ‘TVTG’ in German) (‘the Act’) was passed by the Parliament of Liechtenstein on 3rd October 2019 and came into force on 1st January 2020. The scope of the Act is to regulate all transaction systems based on Trustworthy Technology, which is technology that ensures the integrity of tokens, the clear assignment of tokens to TT identifiers and the disposal over tokens. A token is defined in the Act as information on a TT system which represents claims or rights of memberships against a person, rights to property or other rights and which is assigned to one or more TT identifier. However, the Act does not distinguish between different types of tokens, and the legal classification of tokens depends on their individual characteristics.

The FMA issued a Factsheet on Initial Coin Offerings on 1st October 2018. In this Factsheet, it is being mentioned that, depending on their specification, tokens may constitute financial instruments subject to financial market laws. This may include tokens that have characteristics of equity securities or other investments. In all cases, the specific design and de facto function of the tokens are decisive. Activities relating to financial instruments require a license from the FMA and the issuance of such tokens might require the publication of a prospectus. AML/KYC obligations also depend on the specific design and function of the token.

The Blockchain Act applies TT Service Providers which are the following:

  • Token Issuer;
  • Token Generator;
  • TT Key Depositary;
  • TT Token Depositary;
  • TT Protector;
  • Physical Validator; and
  • TT Exchange Service Provider.

The Act establishes the civil law basis for tokens as well as the supervision of TT Service Providers, and the rights and obligations to which they are subject. The Blockchain Act applies to tokens which are generated or issued by a TT Service Provider with headquarters or place of residence in Liechtenstein, or where the parties to a private agreement explicitly declare in the agreement that the Act applies. Where the Act applies, a token is considered to be an asset located in Liechtenstein.

The provisions of the Act on supervision and registration are applicable to all TT Service Providers with headquarters or places of residence in Liechtenstein. TT Service Providers who wish to offer such services professionally must apply with the FMA to be included in the TT Service Provider Register before providing such services. This obligation is also imposed upon token issuers with headquarters or places of residence in Liechtenstein who issue tokens in their own name or on a non-professional basis in the name of a client if the tokens to be issued within a 12-month period are worth CHF 5 million or more.

In order to be registered, the TT Service Provider must satisfy a number of requirements, including:

  • Reliability;
  • Technical suitability;
  • Registered office or place of residence in Liechtenstein;
  • Satisfy the minimum capital requirement;
  • Suitable organizational structure with defined areas of responsibility and procedure for conflicts of interest;
  • Written internal procedures and control mechanisms; and
  • Obtain a license under the Trustees Act if the services of a TT Protector will be provided.

Licensing obligations exist on a case-by-case basis, depending on the type of business model, functions, and relevant criteria of the token. Tokens used as a method of payment are not covered under the scope of the regulation, and thus do not have any special statutory licensing obligation.

Book-entry systems have also been accepted in Liechtenstein law, and book-entry securities in dematerialised form can be replaced by entry into a book-entry register. In this way, securities can be represented by means of a physical certificate, even if being used on a TT system.

Liechtenstein crypto regulation (1)


Estonia is considered to be very advanced in relation to the implementation of blockchain-based systems. It intends to support innovation in the financial and financial instrument industry by adopting a technologically-neutral approach towards these innovations, while creating new opportunities for issuers and investors alike.

Applicable Law

Estonia regulates cryptocurrencies in an open and technology-neutral manner, with the aim of facilitating innovation in the crypto-assets industry. Although crypto-assets do not have the same legal status as fiat currency in Estonia, they can be exchanged amongst persons or be used as a means of payment. There is no specific Act or Regulation in Estonia’s legal framework dealing explicitly with crypto-assets and cryptocurrencies. Because of this, the legal nature of cryptocurrencies in the Estonian legal system remains unsettled, so much so that the framework does not provide a clear definition of the term ‘cryptocurrency’. There is also no case law which indicates the position of cryptocurrencies in Estonian law and this could lead to some legal uncertainties for issuers.

Estonia’s crypto-asset industry depends heavily on the anti-money laundering (AML)/counter-financing terrorism (CFT) regulation recently enacted, and the Money Laundering and Terrorist Financing Prevention Act (‘MLTFPA’) is the main source of legislation. Amendments to the MLTFPA came into force on 10th March 2020 and compliance with new requirements was required as of 1st July 2020. The changes brought about by these amendments are mainly targeted towards cryptocurrency service providers and aim for stricter regulation and supervision by the FIU. The amendments introduced the definition of a virtual currency service, and rendered the MLTFPA applicable to virtual currency service providers. The Act now defines virtual currency wallet service as “a service in the framework of which keys are generated for customers or customers’ encrypted keys are kept, which can be used for the purpose of keeping, storing and transferring virtual currencies” and virtual currency exchange service as “a service with the help of which a person exchanges a virtual currency against a fiat currency or a fiat currency against a virtual currency or a virtual currency against another virtual currency”. Undertakings providing virtual currency services must request authorisation and obtain a virtual currency service provider license from the Financial Intelligence Unit (‘FIU’). Thus, the amendments brought crypto-to-crypto exchanges within the scope of regulation. 

Implementation of Decentralised Technology

The entire digital infrastructure found in Estonia is based on X-Road, which is an e-solution platform on which a full range of services are provided to both the public sector and the private sector. It is a decentralised and open-source database which connects multiple information systems across the country. However, even though X-Road is not a centralised network and uses cryptographic hash networks, it is not a system based on a blockchain. The Estonian government has still developed KSI, which is a blockchain platform, with the aim of eliminating system administrators and any breaches caused by hackers. It is currently being used for government data registries, such as in hospitals and courts, but this system has still not been applied to the private sector instead of X-Road. Many consider Estonia to be at the forefront of blockchain and decentralised technology due to projects like KSI and X-Road.

Position on ICOs and STOs

Currently there is no regulation classifying cryptoassets in Estonia, however the Estonian Financial Supervision and Resolution Authority (‘EFSA’) issued unofficial guidelines on virtual currencies and ICOs. These guidelines categorise ICOs into two:

  • Category 1: tokens that generate profit
  • Category 2:
    • Payment tokens
    • Charity tokens
    • Utility tokens

The EFSA has also specified that if a token falls under the definition of ‘security’ as stipulated in the Securities Markets Act the issuer is subject to certain legal obligations. The definition of security under the Securities Market Act includes shares, bonds, investment fund units and shares, money market instruments as well as derivatives. Where tokens are classified as securities, the offering may constitute an issuance of securities and might be subject to public offering requirements under the Securities Market Act, in which case a prospectus must be registered with the EFSA. This requirement is waived in any of the following cases:

  • An offer of securities is addressed solely to qualified investors;
  • An offer of securities is addressed to fewer than 150 persons per Contracting State, other than qualified investors;
  • An offer of securities is addressed to investors who acquire securities for a total consideration of at least €100,000 per investor, for each separate offer;
  • An offer of securities with a nominal value or book value of at least €100,000 per security; or
  • An offer of securities with a total consideration of less than €2,500,000 per all the Contracting States in total calculated in a one-year period of the offer of the securities.

We can thus conclude that the Estonian regime on crypto-assets is riddled with many regulatory gaps, which leave a lot of room for legal uncertainty. While Estonia is still more developed in terms of their implementation of blockchain and decentralised technology, they have not yet established a clear framework for crypto-currencies.

Estonia crypto regulation (1)


A new regime for Digital Asset Service Providers (DASPs) has been introduced in France which regulates entities offering services related to digital assets which are not financial securities or currencies, thus financial instruments are excluded from this regime. The French regulator which is in charge of regulating crypto-assets is the Autorité des Marchés Financiers (AMF).

Categorisation of Service Providers

Services are divided into 5 categories:

  1. Store digital assets or private cryptographic keys on behalf of third parties.
  2. Buy or sell digital assets against legal currencies.
  3. Exchange digital assets against other digital assets.
  4. Manage a trading platform for digital assets.
  5. Various services such as portfolio management of digital assets on behalf of third parties, advice to subscribers on digital assets and underwriting of digital assets.

The first two categories must be registered, while obtaining a licence for the rest of the categories is optional.

The following outline the DASP categories under the French regime:

  • Category 1: Store digital assets or private cryptographic keys on behalf of third parties.
  • Category 2: Buy or sell digital assets against legal currencies.
  • Category 3: Exchange digital assets against other digital assets.
  • Category 4: Manage a trading platform for digital assets.
  • Category 5: Various services such as advice to subscribers on digital assets.
  • Category 6: Various services such as reception and transmission of orders on digital assets on behalf of third parties.
  • Category 7: Various services such as portfolio management on digital assets on behalf of third parties.

The distinction is drawn between Category 2 and 3, wherein exchanging digital assets against fiat currencies under Category 2 requires mandatory registration, whilst exchanging digital assets against other digital assets under Category 3 does not require registration.


Dealings which do not occur on an exchange take place over-the-counter (OTC), typically through brokers. Category 4 of the French framework envisages a broker-dealer service as the manager of the trading platform can engage its own capital.

Furthermore, a brokerage service is also envisaged under Categories 2 and 3 of the French framework. Reception and transmission of orders and portfolio management are provided under Category 5 of the French regime.

Licensing Requirements

With regards to services under Categories 1 and 2 which are subject to mandatory registration, the AMF must verify that senior managers and shareholders are of good repute and competence through obtaining documents such as identification, a Curriculum Vitae and a statement that they are not the subject of a criminal conviction or a prohibition to engage in an activity. The AMF must also verify that the DASP has AML/FT procedures in place. DASPs which apply for an optional licence must provide the AMF with documents such as identification, proof of competence and good repute of senior managers and shareholders and financial information.


The French regime stipulates various obligations which all licensed DASPs must fulfil. The French regime provides that DASPs must have adequate security and internal control systems, and a secure computer system.

The framework requires management of conflicts of interest and also requires communication of clear and accurate information to the client, with whom there must be a written agreement.

The French regime also stipulates specific obligations applicable to each category of services. For example, DASPs providing services under the first category must set out a safekeeping policy and ensure that digital assets kept on behalf of clients are returned without delay.

Under categories 2 and 3, DASPs must, namely, set out a non-discriminatory commercial policy, publish a firm price of the digital assets or the pricing method applicable to the digital assets, and publish the volumes and prices of the transactions completed. Under category 4, the framework sets out specific obligations when managing a trading platform for digital assets. Under the French regime, DASPs must set out functioning rules, ensure a fair competition, and publish the details of the orders and transactions completed on the platform.


In the event of non-compliance, the AMF may hand down sanctions and withdraw licenses. The AMF may also publish a “blacklist” of DASPs that do not comply with the regulations and may block websites offering fraudulent services in digital assets.

This optional nature provides a degree of flexibility on the one hand and security of the financial market on the other, however it could potentially pose certain risks. For example, reception and transmission of orders and portfolio management are equivalent to traditional brokerage services. When these services are unregulated, investors risk financial loss without the option of compensation.

France crypto regulation_1


DLT activities in Gibraltar are regulated under the DLT Regulatory Framework which came into force on January 1st 2018. Entities seeking to provide services involving the use of distributed ledger technology (DLT) for “storing or transmitting value belonging to others” must be licenced by the Gibraltar Financial Services Commission (GFSC). Thus, persons offering services such as cryptocurrency exchanging must be regulated in Gibraltar. The framework, however, is limited to the provision of such services; other activities which fall outside the remit of this definition, such as Initial Coin Offerings (ICOs), are currently not regulated. Security tokens fall within the remit of the definition of a security with regards to their promotion and sale, and therefore they are regulated; however, the offering of utility tokens and payment tokens are not captured by any regulatory framework.

The regulations are based on nine core principles which provide that DLT service providers must:

  1. Conduct their business with honesty and integrity.
  2. Pay due regard to the interests and needs of customers and communicate with them in a way that is fair, clear and not misleading.
  3. Maintain adequate financial and non-financial resources.
  4. Manage and control their business effectively, and conduct business with due skill, care and diligence; including having proper regard to risks to its business and customers.
  5. Have effective arrangements in place for the protection of customer assets and money when responsible for them.
  6. Have effective corporate governance arrangements.
  7. Ensure that all systems and security access protocols are maintained to appropriate high standards.
  8. Have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing.
  9. Be resilient and have contingency arrangements for the orderly and solvent wind down of its business.

The reason behind a principle-based approach is to allow flexibility and innovation in light of the fact that development is rampant in the sector, however this does not provide standardised legal certainty.

Licencing Process

In order to obtain a licence from the GFSC, prior to applying for a licence firms must first consult with the Risk and Innovation team to determine whether the proposed business plan falls within the remit of the DLT framework. Through this pre-application engagement, the GFSC advises the prospective applicants regarding the authorisation process and the application proposal.

Firms must then submit an initial application assessment against a fee of £2,000. At this stage, the GFC analyses the risks associated with the proposed business and the complexity category of the business by considering several factors such as:

  • The use of DLT;
  • Whether smart contracts will be employed;
  • Whether there will be provision of brokerage services;
  • The target market;
  • Interplay with other regulations such as the provision of other regulated or unregulated services;
  • Exposure to money laundering or financing of terrorism; and
  • The size of the proposed project.

Upon assessment, the GFSC categorizes the business into one of the three complexity categories and establishes the price for the full application accordingly.

The determination of the category is completely at the discretion of the GFSC on the basis of the factors mentioned above.

Once the fee is paid and the full application is submitted, the applicant will be required to deliver a presentation to show how they intend to comply with the GFSC’s requirements. The presentation must include details on the skills and experience of the business’s key people, the business plan and proposed product, financial projections, and the strategy which will be used to satisfy the nine core principles of the regulation. The application is then assessed, and the final decision is communicated to the applicant. Once the licence is granted, licenced DLT Providers must comply with all ongoing obligations.

The Government of Gibraltar and the GFSC jointly issued a press release in February 2018 stating that legislation is currently being drafted for the regulation of tokens and services ancillary to such including sale and distribution, secondary market activities and provision of investment advice. The proposed regulations will include, namely, rules for disclosure of information to prospective token buyers and specific measures regarding AML/CFT. The bill was expected to be proposed to Parliament in the second quarter of 2018, however it has not yet been promulgated.

_Gibraltar crypto regulation

Schedule a Free Consultation Call


Switzerland’s outlook on cryptocurrencies is quite positive, with a dedicated ‘blockchain/ICO working group’ set up by the Swiss Federal Government to ensure that the country is kept abreast with developments in the sector. The Financial Market Supervisory Authority (FINMA) issued a series of statements with the intention of regulating the landscape, including the publication of guidelines on the regulation of ICOs in February 2018. Furthermore, the Swiss Federal Council launched a public consultation on the draft law titled ‘Federal Act on the Amendment of Federal Laws in light of the Developments regarding DLT’ in March 2019. However, as of yet, there is no ad hoc legislation which specifically regulates DLT assets.

The following analysis is based on the ‘Guidelines for enquiries regarding the regulatory framework for initial coin offerings (ICOs)’ issued by FINMA.

FINMA categorizes tokens into three categories, based on their underlying economic function:

  1. Payment tokens: tokens which are intended to be used, now or in the future, as a means of payment for acquiring goods or services or as a means of money or value transfer. Cryptocurrencies give rise to no claims on their issuer.
  2. Utility tokens: tokens which are intended to provide access digitally to an application or service by means of a blockchain-based infrastructure.
  3. Asset tokens: represent assets such as a debt or equity claim on the issuer. In terms of their economic function, therefore, these tokens are analogous to equities, bonds or derivatives. Tokens which enable physical assets to be traded on the blockchain also fall into this category.

A token may fall within more than one category; asset and utility tokens can also have characteristics of payment tokens. Such hybrid tokens would be subject to the requirements of both categories.

ICOs are subject to regulation based on whether the tokens on offer are classified as securities, based on the definition in the Financial Market Infrastructure Act; “standardised certificated or uncertificated securities, derivatives and intermediated securities, which are suitable for mass trading.” In order to be suitable for mass trading, securities must be publicly offered for sale in the same structure and denomination or are placed with more than 20 clients, insofar as they have not been created especially for individual counterparties. Derivatives are defined as “financial contracts whose value depends on one or several underlying assets and which are not cash transactions”. Although tokens are not classified as certificated securities, certain types of tokens can be classified as uncertificated securities, derivatives or intermediated securities. If tokens are classified as such, then they are subject to regulation under financial market law.

Payment tokens are not considered as securities since their function is one of payment and they do not have any characteristics pertaining to traditional securities. Utility tokens are also not classified as securities if their sole purpose is to grant digital access rights without having any features of an investment and no connection with capital markets. If the purpose or one of the purposes of a utility token is investment, then it is considered as a security. Asset tokens are considered as securities if they represent an uncertificated security or a derivative and are standardised and suitable for mass trading. Classification of a token as a security, however, is not automatic due to the flexible nature of tokens which allows various forms, for example hybrid tokens. Furthermore, the time of issuance of tokens has a bearing on this classification. Tokens issued during the fundraising phase of an ICO might constitute securities, while the same tokens might no longer be considered as such after funds have been raised.


Currently, there is no specific legislation regulating ICOs. Certain legislation might still be applicable depending on the particular type of token;

  • If the funds raised through an ICO are treated as deposits, a banking licence is required.
  • If the funds raised through an ICO are managed by third parties, then the provisions of the Collective Investment Schemes Act apply.
  • If payment tokens are issued through an ICO which can be transferred on a blockchain, at the time of the ICO or at a later date, then the provisions of AMLA apply. This imposes certain requirements such as establishing the identity of the beneficial owner, and affiliating to a self-regulatory organisation or being subject to supervision by FINMA.
  • If the tokens issued through an ICO constitute securities, then securities regulation applies, however under the Stock Exchange Act (SESTA) uncertificated securities are unregulated thus authorisation is not required.
  • If the tokens issued through an ICO are derivatives in the form of securities, then regulations apply and authorization as a bank or securities firm is required.
  • If the tokens issued through an ICO classify as equities or bonds, prospectus requirements may apply.

Service Providers

The following table outlines the legal obligations of different financial institutions:

Management of Tokens

If the service constitutes portfolio management under the Financial Institutions Act (FinIA), the service provider must obtain authorisation from FINMA and become affiliated to a supervisory body

Underwriting securities

Professionally* underwriting securities issued by third parties and offering them on the primary market requires authorization as a bank or securities firm

Issuing security tokens

Requires authorization as a bank or firm

Any person that trades professionally* in its own name for the account of clients with tokens that can be classified as securities also needs authorisation as a securities firm. Brokerage of security tokens

Requires authorization as a securities firm

Custody of tokens, transfer of tokens from custodian to client or transfer of tokens by custodian to a third party

Does not constitute trading

* Professional activity consists of managing accounts of more than 20 clients, or holding securities in custody for more than 20 clients.


Authorisation of operation of an exchange as a financial market infrastructure is only required if the tokens being traded are classified as securities, such as asset tokens. Non-security tokens such as payment tokens do not impose this requirement. If the exchange involves the trading of payment instruments, then the provisions of the Anti-Money Laundering Act (AMLA) apply.

Federal Act on the Amendment of Federal Laws in light of the Developments regarding DLT

The proposed legislation will regulate secondary markets for security tokens. One of the proposals is the introduction of ‘DLT securities’, a new class of uncertificated securities which will be subject to similar regulations as certificated securities, with the aim of enhancing the issuance and transfer of tokens which have similar characteristics to traditional instruments. Payment and utility tokens can also be classified as DLT securities if they represent a claim. Some of the requirements which will be imposed include registration of the DLT securities onto a DLT register, which must provide data integrity and functional safety.

Another proposal is the introduction of a new licence category for ‘DLT trading facilities’ which allow multilateral trading of DLT securities between market participants and non-discretionary conclusion of contracts. DLT trading facilities will require licencing from FINMA. Unlike traditional financial market infrastructures such as stock exchanges, a DLT trading facility must also admit natural persons and unregulated legal persons, apart from regulated firms. Licencing requirements are similar for those of stock exchanges, however only DLT securities and tokens that do not classify as securities, such as payment and utility tokens, can be traded. DLT securities admitted to a DLT trading facility are still subject to insider trading and market manipulation rules in the same way as securities admitted to traditional trading venues. Another key proposal is related to bankruptcy, whereby cryptoassets in the custody of a bank can be segregated from the bankruptcy assets.

The draft Act was passed to parliament for approval, and promulgation was expected in January 2020. However, legislators flagged certain issues including possible ramifications on data protection as well as the uncertainty related to the creation of the Ombudsman Office, and this combined with growing concerns regarding the Coronavirus pandemic, brought the legislative process to a halt. However, discussions continued in May 2020 and further developments may be expected.

Switzerland crypto regulation


In February 2018, the German Federal Financial Supervisory Authority (BaFin) published an advisory letter on the ‘Supervisory classification of tokens or cryptocurrencies underlying “initial coin offerings” (ICOs) as financial instruments in the field of securities supervision’, with the aim or providing some clarity on the relevant legal implications. BaFin subsequently published an article titled ‘Blockchain Technology—Thoughts on Regulation’ which provides some clarity with regards to the classification of different tokens and pertinent regulation. The article provides the following definitions for the three identified classes of tokens:

  • Payment tokens: used as a mean of payment, usually have no other function or limited functions beyond payment.
  • Securities tokens: Represent membership rights or shares involving assets in the issuer’s future revenues, similar to equities and debt instruments.
  • Utility tokens: use is limited to the issuer’s network to purchase goods or services.

On the 2nd March 2020, BaFin issued a memorandum on the treatment of cryptocurrencies under the newly enacted ‘Act on the Implementation of the Amendment Directive to the Fourth EU Money Laundering Directive’ which came into force in December 2019.

Classification of Cryptoassets as Financial Instruments

A new category of cryptoassets was included in the definition of financial instruments under the German Banking Act (Kreditwesengesetz – KWG). Cryptoassets are now defined as digital representations of value that have not been issued or guaranteed by any central bank or public body, and that do not have the legal status of a currency or money, but that can be transmitted, stored or traded electronically by natural or legal persons on the basis of an agreement as exchange or payment or which serve investment purposes. Cryptoassets can be transferred, stored and traded electronically. This broad definition incorporates payment tokens as well as security tokens. Prior to such amendments, payment tokens were considered as units of account. Security tokens do not constitute securities under the German Deposit Act and thus the pertinent requirements under the German Banking Act are not applicable, however security tokens are still subject to the requirements of the Prospectus Regulation and MiFID II.

The definition excludes e-money as well as certain monetary values within the definition of the German Payment Services Supervision Act (ZAG). Utility tokens are also excluded from the definition as BaFin states that pure electronic vouchers used to obtain goods or services do not constitute cryptoassets. However, it is unclear whether certain utility tokens may fall within the remit of such definition.


Cryptocurrencies are generally classified as financial instruments under the German Banking Act, and thus service providers who offer the exchange of virtual currencies for legal tender and vice versa, or for other digital assets, are considered as financial service institutions and thus are subject to AML obligations.

Custody of Cryptoassets

The amendments introduced a new regulated financial service, the Crypto Custody Business, which is now a licensable activity. The German Banking Act defines the custody of cryptoassets as the custody, management and safeguarding of cryptoassets or private cryptographic keys that serve to hold, store and transfer cryptoassets for others.

The provision of services of either custody, management or safeguarding requires a license as a Crypto Custody Business. The memorandum further defines each service, with custody being defined as the safekeeping of cryptoassets for others. This primarily includes service providers who store their customers’ cryptoassets in a collective inventory without the customers themselves being aware of the cryptographic keys used. Management is defined as the ongoing exercise of rights arising from cryptoassets. Safeguarding is defined as both the digital storage of the private cryptographic keys of third parties and the storage or physical data carriers on which such keys are stored. The mere provision of storage space such as cloud storage and the manufacture or sale of hardware or software used to safeguard cryptoassets or private cryptographic keys is excluded from this definition.

Firms which were already offering such custody services are required to apply for a license by 30th November 2020, while firms seeking to offer such services must obtain a license first.

Regulatory Overlap

Cryptoassets may qualify as other types of financial instruments, and thus might be subject to other licensing requirements. In such case, the overlapping licensing requirements supervene over the licensing requirement of Crypto Custody Businesses. Thus, the particular characteristics of tokens must be carefully scrutinized to determine the applicable legal classification and pertinent requirements at law. This is particularly relevant with regard to security tokens.

Germany crypto regulation


There are currently no specific laws regulating the cryptocurrencies industry in Luxembourg. The reason behind this is that the government of Luxembourg was previously reluctant to include cryptocurrency regulations into their framework, as they were regarded as very volatile and not an actual currency. That being said, Luxembourg’s legislative attitude has developed into quite a progressive one, and the government has come up with incentives to support the development of the crypto industry in Luxembourg.

The CSSF & Licensing Obligations

The Commission de Surveillance du Secteur Financier (the CSSF) is the financial regulator of Luxembourg and is tasked with the regulation of cryptocurrencies and any type of financial instrument in Luxembourg falls under the scope of the CSSF. Thus, the cryptocurrency service providers are bound by the same rules and requirements as other financial instruments, with such rules including AML/CFT reporting regulations, among other rules. The provision of any type of financial services must be licensed with the CSSF. ICOs are also subject to the current existing laws regulating financial instruments, namely the AML/CFT regulations.

Cryptocurrency service providers thus require a payment institution license granted under the Payment Services Directive EU 2015/2366 or an electronic money institution license granted under the E-money Directive 2009/110/EC.before they can trade or provide exchange services. This authorisation may be obtained from the CSSF. The crypto trading platforms Bitstamp and bitFlyer were granted a payment institution license by the CSSF while the electronic money platform Snapswap was granted an electronic money institution license. The main advantage of obtaining either of these licenses is that service providers may operate in the European Economic Area due to the EU passporting system.

Despite the movement towards integrating cryptocurrencies into Luxembourg’s legislation, there still remains a lot of uncertainty with regards to the implementation of cryptocurrencies into the finance industry. Cryptocurrencies have only quite recently been accepted as a means of payment in Luxembourg but are still not classified as legal tender. They are recognised only as an intangible asset, and not as an actual currency. The CSSF also seems quite wary of the investments in ICOs, STOs and virtual tokens, and has issued multiple warnings with regards to them. The reasoning behind these warnings was because these assets are not backed by any central bank, thus lack regulation, certain business models lack transparency, and most cryptocurrencies are highly volatile.

Bill 7363

This Bill, which was issued in February 2019, sought to amend the 2001 law which regulated the circulation of securities in Luxembourg. The aim of the new law is to provide more transparency and added legal certainty to financial market participants, whilst reducing workmanship by removing intermediaries. The amendments set out facilitate the use of blockchain in the financial services sector, namely in the transfer of securities. The amendments now allow the account holders to record their securities in an electronic recording mechanism, including in a distributed electronic database such as blockchain.

The Bill acknowledges that a token stored in a blockchain represents a security, and thus proof of the possession of the token is also proof of the holding of a security. That being said, holding tokens on a blockchain platform as a security does not limit the applicability of the 2001 law relating to traditional securities, including certain principles pertaining fungibility, location, validity and enforceability of collateral arrangements. The Bill also does not seek to regulate ICOs or STOs. This is because the amendment only governs the circulation and the holding of securities on a blockchain.

Taxation Matters

Cryptocurrencies are considered as an intangible asset in Luxembourg, and therefore are taxed as such. Any revenue, expenses and costs generated by cryptocurrencies need to be determined in Euros with legal tender. Income of cryptocurrencies resulting from activities including mining, operation of online stock exchange, and vending machines of virtual currencies fall under the definition of commercial income, thus becoming taxed as commercial activities.

Funding Regime for Tokens

Many investors are seeking to set up an AIF in Luxembourg to store their tokens or cryptocurrencies. This is mostly because AIFs with funds that are under the threshold of €100,000,000 are subsequently not regulated in Luxembourg under the AIMFD. This means that such AIFs do not need a custodian, an auditor, a regulated manager and a bank account in Luxembourg. The AIF may also start operating without the consent of the CSSF, as they are not required to have prior approval of the regulator.

Unregulated alternative funds can be set up in Luxembourg as a Special Limited Partnership under the AIMFD. The SLP is formed by a General Partner, who must be the person who founded the SLP, and a Limited Partner, who is required to be a professional investor as in the definition of MiFiD II. An SLP can invest in any type of asset, including equities, bonds, loans, hedge funding, liquid instruments, etc. SLPs are also fully tax and VAT exempt.

In the process of setting up an AIF, a document needs to be prepared containing information related to the project details and timelines, the amount of capital required, the type of financial instrument to be used, such as virtual tokens, and the dividends to be paid to investors per token.

Alternatively, a token may also be structured in a way to quality as a unit in an investment fund, and represent a unit in a collective investment undertaking.

Luxembourg crypto regulation


The Maltese landscape is regulated by three principal acts;

  • The Virtual Financial Assets Act;
  • The Innovative Technology Arrangements and Services Act; and
  • The Malta Digital Innovation Authority Act.

The Maltese Virtual Financial Assets Act (VFAA) regulates Virtual Financial Assets (VFAs) which are defined as any form of digital medium recordation that is used as a digital medium of exchange, unit of account, or store of value and that is not electronic money, a financial instrument or a virtual token. The Malta Financial Services Authority (MFSA) is the competent authority which regulates VFA service providers.

The VFA Act stipulates that all VFA service providers must obtain a licence from the MFSA. The Second Schedule to the VFAA lists all licensable VFA services:

  1. Reception and Transmission of Orders;
  2. Execution of orders on behalf of other persons;
  3. Dealing on own account;
  4. Portfolio management;
  5. Custodian or Nominee Services;
  6. Investment Advice;
  7. Placing of VFAs; and
  8. The operation of a VFA exchange.

The VFA Rulebook issued by the MFSA lists the 4 classes of licenses which a prospective service provider must obtain:

  • Class 1: Licence holders authorised to receive and transmit orders and/ or provide investment advice in relation to one or more virtual financial assets and/ or the placing of virtual financial assets. Class 1 Licence Holders are not authorised to hold or control clients’ assets or money.
  • Class 2: Licence holders authorised to provide any VFA service but not to operate a VFA exchange or deal for their own account. Class 2 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA service.
  • Class 3: Licence holders authorised to provide any VFA service but not to operate a VFA exchange. Class 3 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA service.
  • Class 4: Licence holders authorised to provide any VFA service. Class 4 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA service.

Licensing Requirements

Applicants seeking to obtain a licence under the VFA Act must undergo the fitness and properness test. The assessment is applicable to qualifying shareholders, beneficial owners, directors, senior managers, the MLRO and compliance officers. The test is based on integrity, solvency, and competence. Chapter 3 of the VFA rulebook also stipulates initial capital requirements for each class of VFA Service Providers.

The VFA Rulebook stipulates that Service Providers must have risk management policies and procedures in place, and a risk management function which implements such policy. Licence Holders must also ensure that IT infrastructures ensure privacy and confidentiality, and security of stored data.

The framework also requires management of conflicts of interest, with the MFSA Rulebook expressly requiring a conflict of interest policy to be in place. The VFA Rulebook requires execution policies to provide the best possible results for clients who must be provided with adequate information on such policy.

The VFA Rulebook also stipulates specific requirements for different classes of licenses. For example, where a license holder is authorised to hold or control clients’ assets the Licence Holder must hold such assets in segregated accounts, among other obligations. Under Class 4, the framework sets out specific obligations when managing a trading platform for digital assets or VFAs. For example, it sets out obligations to ensure pre-trade and post-trade transparency. Pre-trade obligations include publishing current bid and offer prices, while post-trade obligations include publishing the price, volume and time of the transactions. Licence Holders must also issue clear and transparent bye-laws, similar to the functioning rules required under the French framework.


The VFAA defines Initial Virtual Financial Asset Offering (IVFAO) as “a method of raising funds whereby an issuer is issuing virtual financial assets and is offering them in exchange for funds”. Thus, under the Maltese framework, an IVFAO is the equivalent of an ICO. Chapter 2 of the VFA Rulebook issued by the MFSA provides the requirements and obligations which issuers of IVFAOs in or from within Malta must adhere to, which will be outlined hereunder.

General Requirements

An issuer must be a legal person duly formed in Malta, whose business must be managed according to the dual control principle; whereby at least two individuals direct or manage the business. The issuer must commence the IVFAO within 6 months from the date of registration of the whitepaper with the MFSA. Prior to the IVFAO, the Financial Instrument Test must be carried out in order to determine whether the DLT asset qualifies as a Virtual Financial Asset (VFA). An issuer must also draw up a compliance certificate and an AML/CFT Report on an annual basis. A Board of Administration must also be appointed which must monitor the issuer’s business. Furthermore, an issuer must appoint the following functionaries:

  • A Systems Auditor (where required);
  • A VFA Agent;
  • A Custodian;
  • An Auditor; and
  • a Money Laundering Reporting Officer (‘MLRO’).

Registration Process

In order to offer VFAs to the public in or from within Malta, the Issuer must register a whitepaper with the MFSA which complies with the requirements set out in the VFAA. The process for registration consists of the following steps:

  1. Financial Instrument Test
  2. Appointment of a VFA Agent
  3. Fit and Proper Test carried out by VFA Agent on the issuer
  4. Establishing a Cyber-Security Framework & secure I.T. infrastructure
  5. Drawing up of whitepaper & smart contracts disclosure
  6. Submitting the following documents to the MFSA:
    1. Whitepaper and any supplementary documentation signed by the Board of Administration;
    2. Copy of the Financial Instrument Test signed by the Board of Administration and endorsed by the VFA Agent;
    3. Confirmation from the Systems Auditor that the Issuer’s Innovative Technology Arrangement complies with MDIA guidelines;
    4. Annual audited Accounts for each of the last three (3) financial years, and/or if the Issuer is part of a Group – the consolidated accounts of the Group;
    5. Certified copy of constitutional documents; and
    6. Payment of whitepaper registration fees of €8,000.

Ongoing Obligations

The Issuer is subject to certain ongoing obligations, including:

  • Record Keeping for a minimum of 5 years which records must be accessible to the MFSA;
  • Annual filing of the following documents to the MFSA:
    • the Annual Compliance Statement submitted by VFA Agent on behalf of the Issuer;
    • the Audited Financial Statements; and
    • the Auditor Report.
  • Once the IVFAO is complete, the Issuer must draw up an Annual Compliance Statement and pay the Annual Supervisory Fees.

The Regulatory Sandbox

The MFSA has recently issued a set of Regulations which contain the initiative to implement a Regulatory Sandbox in the Maltese legal framework with the aim of supporting sustainable financial innovation and reducing regulatory uncertainty in the Maltese FinTech industry. The Regulations lists a number of principles upon which the Regulatory Sandbox is being based, which include the following:

  • Fostering innovation;
  • Ensuring effective investor and consumer protection;
  • Enhancing the firm’s understanding of regulatory expectations;
  • Knowledge sharing.

There are many advantages which applicants may benefit from participating in the Sandbox. Such advantages include:

  • Testing and offering an innovation in a safe and contained space;
  • Safeguards both the consumer and the service provider;
  • Provides an open dialogue between the Authority and the firm;
  • Authority can regulate to meet the needs and wants of both the service provider and the consumer, without overregulating;
  • Firms are highly supervised by Authority, thus posing less risks.

Malta crypto regulation


It is clear that Europe has the lead when it comes to the promulgation of sector-specific legislation covering the crypto space. While there is no clear favourite when it comes to the ‘best’ jurisdiction in which to set up one’s operations, countries like Liechtenstein and Malta with their unique and ad-hoc frameworks tend to be better options for those companies seeking legal clarity and separation from traditional frameworks that may not be a perfect fit for the services they are looking to provide. 

BCA Solutions (BCAS) is well-placed to provide professional assistance in selecting the right jurisdiction for the set-up of your operations and the provision of services, with a team made up of regulatory and technical experts that have ample experience in relation to the blockchain and crypto industries. With offices in Malta, Liechtenstein, and Singapore, BCAS has the right solution for most business activities undertaken in relation to the crypto-space, and has worked with industry giants over the past few years. Get in touch today for a free consultation call. 

[1] Financial Services and Markets Act (2000) (Regulated Activities) Order (RAO).

[2] Payment Services Regulations 2017 (PSR).

[3] Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017


Cryptocurrency Regulation