Response to consultation on Guidelines on templates to assist competent authorities in performing their supervisory duties regarding issuers’ compliance under MiCAR

Go back

Question 1: Do you have any comments on template U 05.01 on how issuers should report on their own funds requirements? Do you have any comments on template U 05.02 on how issuers should report on the composition of their available own funds?

We understand the Guidelines and the Reporting Templates have been published by the EBA in order to tackle “data gaps, that left unaddressed, would impede the supervision of issuers’ compliance”. However, ADAN’s members have identified certain areas of concern which are worth sharing with the EBA. These concerns mainly revolve around three points, some of which were already expressed by certain market participants in the context of the Consultation Paper on the RTS on the use of ARTs and EMTs denominated in a non-EU currency as a means of exchange (hereafter, “Means of Exchange Consultation”). 

  1. Privacy and security of crypto-asset holders 

ADAN would like to express its concerns on the requirement for CASPs to report the name and surname of each and every EMT holder to the issuers. These concerns are valid both in relation to the Reporting Templates under the Guidelines and the reporting templates associated with the RTS and ITS drafted in the context of the Means of Exchange Consultation (hereafter, the “Art. 22 Reporting Templates” or Art. 22 Reporting Obligations). 

We understand that the EBA wishes CASPs to report the name and surname of each ART and EMT holder for the sole purpose of avoiding double counting, as part of the significance assessment (MiCA, art.22 for ARTs and non-EU EMTs, art. 43). 

However, the risks associated with such massive reporting do not outweigh the benefits associated with the prevention of double counting. Indeed, reporting the name and surname of each and every ART and EMT holder will NOT prevent double counting. This is because, in particular: 

  • there might be discrepancies on how CASPs report the name and surname of their clients, and issuers do not have the ability to identify whether a client with a similar name and surname is indeed the same person or not: and 
  • the data reported will necessarily be an estimate because of the number of holders holding ARTs or EMTs on self-hosted wallets. 

Double counting is therefore inevitable. As already underlined by several market participants in the context of the Means of Exchange Consultation, the reporting of personally identifiable information (PII) “serves no net benefit over a unique pseudonymous identifier and would create a honey pot of information which bad actors may seek to exploit”. Physical attacks on crypto-asset holders are not an isolated phenomenon and in addition to privacy concerns, we believe that it will be extremely dangerous to have nominative lists of crypto-asset holders across the entire Europe

Moreover, in the context of the Guidelines and for the significance assessment of EU-EMTs, the data point on the number of holders does not trigger any particular restriction on the use of EU-EMTs, since the concerns around monetary sovereignty and currency substitution effects do not apply in the context of EU EMTs. The information collected is purely informational, in the context of the significance assessment, therefore a certain margin of error should be considered acceptable.   

In order to address these concerns, we suggest a practical and simple solution to the EBA, which if adopted, would alleviate any concern in relation to privacy, while allowing the EBA to ensure a proper supervision of stablecoin issuers. 

This solution would consist in: 

  • For CAPSs, sending to issuers only the number of ARTs and EMTs holders, without any list of clients or even unique identifiers; 
  • Issuers receive these various data points and aggregate them; 
  • Issuers would correct double counting biases by a statistical cut, based on statistics on the number of “multi-banked” stablecoin holders in the EU; 
  • Based on the experience of CASPs, we believe a 20% cut would be appropriate to avoid double-counting bias. 

In order to refine this number, the CASP industry is willing to conduct regular pan-European surveys on crypto-asset holders to estimate the percentage of "multi-banked" stablecoin holders across multiple CASPs. It would then be sufficient to apply this percentage to the total number of stablecoin holders on each of the European CASPs to have an estimate of the number of holders of a given stablecoin. 

This rough estimate would be sufficient to have a broad estimate of the data point related to the number of holders, which is a very large number anyway (10 million), while preserving the privacy of crypto-asset holders. 

We urge the EBA to adopt this simple yet efficient solution to calculate the number of ARTs and EMTs holders across the European Union

Alternatively, we suggest a solution relying on unique anonymised identifiers. We further describe this alternative in Appendix I. 

 

  1. Business secrecy and confidentiality 

ADAN would like to underline that both the Reporting Templates and the Art. 22 Reporting Templates would entail sharing confidential and sensitive information from a commercial perspective to issuers, if (i) the name and surname of each holder and (ii) the retail / non-retail nature of the user would be shared with issuers. With the current EBA proposal,, issuers of ARTs and EMTs will be in possession of customers data from CASPs, and be able to identify common clients, creating potential commercial advantages. 

Indeed, issuers will possess the full list of each and every ART and EMT holder of each EU CASPs, where some issuers can be direct competitors of CASPs, or affiliates of CASPs competitors. Sharing this level of information to potential competitors seems unfair and disproportionate for CASPs. 

While we regret that CASPs must report such sensitive data to issuers and not directly to the EBA,  we would like to understand better why the EBA is requiring a breakdown between *retail* and *non-retail* users. Indeed, this information is quite sensitive for CASP and does not seem to be required in the context of MiCA, as both article 22 and article 43 only requires information on the number of holders and says nothing on whether these holders are professional or consumers. 

While we understand the full list of EMT holders is a required data point as part of the significance assessment, we are respectfully requesting the EBA to waive the reporting of the breakdown between retail and non retail users, which has no added value whatsoever in the context of the reporting obligations. This is valid for both the commented Reporting Templates and the Art. 22 Reporting Templates. 

  1. Harmonization of templates and reporting obligations

Both issuers and CASPs need to work with numerous RTS, guidelines, and particularly templates in order to comply with their quarterly reporting obligations under both these new EBA reporting guidelines and the previous reporting obligations under the means of exchange consultation. Having to evaluate both templates and instructions will significantly increase the compliance burden and costs and likely lead to human errors. We, therefore, suggest merging all reporting obligations in relation to ARTs and EMTs for issuers and CASPs in one single set of documents that include a single set of reporting templates and instructions. These templates and instructions should highlight which exact obligations apply to whom under what circumstances (e.g. the number of holders data point only applies to EU-currency denominated EMTs with an issue value higher than EUR 100 000 000).

Additionally, aligning both reference dates for both sets of reporting obligations will ensure that both issuers and CASPs will have an accurate overview of all the data points that will allow the issuer to report comprehensive data to their national competent authority. If the reporting obligations under the means of exchange consultation enter into application earlier, issuers will likely not yet have received the related data points from most of the CASPs, which will make their reporting less accurate and comprehensive. Therefore, we suggest setting the reporting reference date for all ART and EMT related reporting obligations to 30 June 2025.

 

Adan’s proposal

  • Proposal n°1:  adopt a simple and privacy protective solution for the reporting of the number of holders of ARTs and EMTs by relying on an aggregated number of holders, refined by a statistical cut based on industry surveys. 
  • Proposal n°2: rely on the suggested solution to report the number of holders  and waive the reporting of the data point on retail / non-retail users, which is confidential information not material for the purpose of the policy objectives pursued art. 22 and 43 of MiCA. 

 

Question 2: Do you have any comments on template U 06.00 on how issuers should report on their reserve of assets by maturity ladder?

Please refer to the areas of concern identified in Question 1

Question 3: To note, templates U 03.01 and U 03.02 in these guidelines are the same templates as templates S 03.01 and S 03.02 in the draft ITS under Article 22(7) of MiCAR, only the tokens in scope of the reporting is different. Do you have any comments on the extension of the scope, compared to the draft ITS, to EMTs referencing to EU currencies for these templates on the composition of the reserve of assets with these guidelines?

Please refer to the areas of concern identified in Question 1

Question 4: Do you have any comments on templates U 07.01, U 07.02 and U 07.03 on how issuers should report information needed to assess the significance criteria as specified in Articles 43 and 56 of MiCAR?

Please refer to the areas of concern identified in Question 1

Question 5: To note, templates U 01.00, U 02.00, U 04.01, U 04.02, U 04.03 and U 04.04 in these guidelines are the same templates as templates S 01.00, S 02.00, S 04.01, S 04.02, S 04.03 and S 04.04 in the draft ITS under Article 22(7) of MiCAR, only the tokens in scope of the reporting is different. Do you have any comments on the extension of the scope, compared to the draft ITS, to EMTs referencing to EU currencies for these templates related to number of holders; value of the token issued and size of the related reserve of assets; and information on transactions per day with these guidelines?

Please refer to the areas of concern identified in Question 1

Question 6: Do you have any comments on template U 09.04 on how CASPs should report to issuers the cross-border transactions that are associated as a means of exchange?

We would like to specifically underline that “transactions” and “means of exchange” transactions have not been defined in the EBA’s consultation paper, which creates legal uncertainty. While one can assume that “transactions” under these reporting obligations should have the same meaning as the definition of transactions in article 22(1) d of MiCA, this is not detailed in the consultation and there is no definition or reference of the meaning of “transactions”. CASPs who have not participated or followed the previous consultation in relation to Art. 22.6 and Art. 22.7 of MICA may report different types of “transactions”, which may create discrepancies in the reporting of EU-EMTs and the reporting of ARTs and non-EU EMTs used as a means of exchange. 

Question 7: To note, CASPs templates U 08.00, U 09.01, U 09.02, U 09.03 and U 10.00 in these guidelines are the same templates as templates S 06.00, S 07.01, S 07.02, S 07.04 and S 08.00 in the draft ITS under Article 22(7) of MiCAR, only the tokens in scope of the reporting is different. Do you have any comments on the extension of the scope, compared to the draft ITS, to EMTs referencing to EU currencies for these templates related to information on holders; information on transactions; and information on token held by the CASPs with these guidelines?

As CASPs, we would like to reiterate the two concerns identified in ADAN’s answer, namely: 

  • Privacy: we urge the EBA to impose one of the privacy protective solutions detailed above, which would resolve
  • Competition and business secrecy: we urge the EBA to at least remove the data point on retail / non retail users in both the Art. 22 Reporting Obligations and the Reporting Templates under the Guidelines. This data point serves no net benefit for both the significance assessment and the identification of “means of exchange” transactions, while this is extremely sensitive data from a commercial perspective, disclosing whether a CASP has more retail or professional clients in its client base. 

Question 8: Do you have any other comments on the guidelines, the templates or instructions?

Please refer to the above points on (i) privacy of crypto-asset holders, (ii) business secrecy and (iii) common reporting templates and dates, as well as Appendix I including an alternative solution to report the number of holders. 

APPENDIX I: ALTERNATIVE SOLUTION TO CALCULATE THE NUMBER OF ARTs AND EMTs HOLDERS

We suggest the EBA an alternative solution, relying on (i) an existing and well known standard, both in the context of MiCA and MIFID, that is the CONCAT standard and (ii) cryptography, that is the SHA-256 function.

In order to tackle the privacy concerns as indicated above, and if and only if the EBA would not adopt the simple solution explained above, we are suggesting a pseudonymisation solution relying on cryptography which would preserve the privacy of EU crypto-asset holders. 

First of all, instead of providing the name and surname of each client, CASPs should rely on the CONCAT standard, which is an existing and known standard in the MIFID world, and which is also requested in the ESMA RTS on record-keeping by crypto-asset service providers. That would ensure that each CASP characterizes its client the exact same way, which would avoid issues with homonyms or duplicates. 

In order to preserve the privacy of crypto-asset holders, CASPs should be instructed to process the CONCAT through a standardized cryptographic function, such as the SHA-256 function. Then each CASP can report the name of each of its clients processed under the SHA-256 function. 

The issuers would therefore be in the possession of each and every holder, and he would just have to verify and delete the duplicates. Since the SHA-256 function cannot be retro-engineered, the privacy of crypto-asset holders would be preserved, even in case of a hack. 

Let's take an example below to describe how this process would work. 

In this example, there are only two holders of USDC in Europe: 

  • John Smith, born on January 1, 1990.
    • John’s Smith CONCAT is 19900101JOHN# SMITH and 
    • John Smith’s hashed CONCAT under the SHA-256 function is 777575475f250e5fe57df1fcec90952032a322814767eb3c1f7686e0a7e94b78
  • John Doe, born on July 1, 1991
    • John Doe’s CONCAT is 19910107JOHN# DOE## 
    • John Doe’s hashed CONCAT is d1e104268a1d604b8fddf57c992bce8fd22f51d7148ba5ac815d7440adabb4f2

John Smith and John Doe are customers of Binance and entered into “transactions” and / or “means of exchange transactions”. 

John Smith is also a customer of Coinbase and entered into “transactions” and / or “means of exchange transactions”

- Every quarter, Binance reports its stablecoin holders, which are: 

777575475f250e5fe57df1fcec90952032a322814767eb3c1f7686e0a7e94b78 (John Smith) ; and

d1e104268a1d604b8fddf57c992bce8fd22f51d7148ba5ac815d7440adabb4f2 (John Doe)

- every quarter, Coinbase reports its stablecoin holders, which is only 777575475f250e5fe57df1fcec90952032a322814767eb3c1f7686e0a7e94b78 (John Smith)

- Circle receives three USDC holders from Binance and Coinbase: 

From Binance

777575475f250e5fe57df1fcec90952032a322814767eb3c1f7686e0a7e94b78 (John Smith) ;

d1e104268a1d604b8fddf57c992bce8fd22f51d7148ba5ac815d7440adabb4f2 (John Doe)

From Coinbase

777575475f250e5fe57df1fcec90952032a322814767eb3c1f7686e0a7e94b78 (John Smith)

Circle checks and removes duplicates and reports two USDC holders, namely 777575475f250e5fe57df1fcec90952032a322814767eb3c1f7686e0a7e94b78 (John Smith) ; and

d1e104268a1d604b8fddf57c992bce8fd22f51d7148ba5ac815d7440adabb4f2 (John Doe) 

Circle reports the correct number of USDC holders in Europe, (2 and not 3), without revealing the first and last names of John Doe and John Smith. 

Nevertheless, we underline that this solution would not alleviate business secrecy concerns as a reporting template filled with hashed identifiers could be cross-referenced with another reporting template, allowing for the identification of common clients. 

 

This Consultation has been developed by Adan Members. Throughout this process, key stakeholders from the ecosystem, including major CASPs, issuers, and specialized law firms have participated, such as Binance, Circle, Coinhouse, Deloitte, Kramer Levin, Orwl, and SG Forge, among others.

This response is supported by the European Blockchain Association.

Upload files

Name of the organization

Adan