Exploring Gaps in the EU's 'Most Comprehensive' Crypto Law

Experts Say MiCA Could Boost EU's Security Landscape But Falls Short in Some Areas
A primary goal of the European Union's Markets in Crypto-Assets regulation is protecting investors from volatility such as the high-profile implosions of FTX and Terra Luna, but the protections of MiCA also extend to cybersecurity.
Following final approval from member national financial ministers, the regulation is set to come into effect beginning in July 2024 for provisions affecting stablecoins and in January 2025 for other crypto assets (see: EU Adopts Comprehensive Crypto Regulation).
The regulation says crypto asset service providers can be liable for losses stemming from cyberattacks, thefts or malfunctions; details anti-money laundering provisions that can limit hackers' ability to off-ramp stolen crypto; and comprises a travel rule to ensure traceability of crypto assets and prevent sanctioned addresses from carrying out unlawful transactions.
Industry experts have lauded the legislation as the "world's most comprehensive" crypto legislation, but it appears that MiCA may have gaps of its own.
MiCA is the result of years of study, discussion and debate, Ari Redbord, head of legal and government affairs at TRM Labs and former Department of Treasury executive, told Information Security Media Group.
"Many people forget, but MiCA was born out of the launch of Libra - Facebook's failed stablecoin project. The initial idea of Libra is that it would be a stablecoin tied to a basket of fiat currencies with access to hundreds of millions of users worldwide. This vision caused regulators globally, including throughout the EU, to move toward greater regulation in the crypto assets space," he said.
MiCA evolved beyond its initial vision. It requires crypto asset service providers to register with a member nation regulator, whose licensing will allow the providers to operate across the bloc. Providers will be required to present a white paper laying out various risks. Licensed crypto asset service providers also will be required under Europe's new AML law - approved in parallel with MiCA - to have anti-money laundering controls in place consistent with the Financial Action Task Force's standards. "This will mean that it will be harder for cybercriminals to convert stolen crypto to fiat," Redbord said.
"The reality today is that threat actors still need to convert crypto to traditional currencies in order to use it. Therefore, they are looking for off-ramps. As cryptocurrency firms in Europe build AML controls, off-ramping funds will be harder and harder. Cybercriminals may be able to use mixers, anonymity-enhanced coins, DeFi and other means to launder funds, but they still need off-ramps. That is where AML controls are most critical," Redbord said.
MiCA does not regulate decentralized finance institutions, although exactly how much decentralization is required before the exemption applies isn't fully settled.
"If a decentralized exchange isn't made with free software and an open blockchain alone, and if there is also a critical middleman of some sort, then it's not really a DEX at all. Long story short, we probably shouldn't use the term DEX to describe any service or thing. It's either an action or it's a thing that has been misnamed," wrote Peter Van Valkenburgh, research director of CoinCenter, a crypto policy-focused nonprofit.
Redbord, quoting European Commission adviser and "father of MiCA" Peter Kerstens, added: Genuine DeFi is disintermediated software, which provides financial services such as lending and staking on the blockchain. But currently most companies are DeFi in name only. "Just because you call yourself a DeFi project doesn't necessarily mean you are one," he said.
The European Union, like the United States and jurisdictions around the world, is still trying to understand what regulation could and should look like in a truly decentralized space, Redbord said.
"It is one thing to require centralized exchanges to have AML and cyber controls in place. It is another to impose requirements on disintermediated software," he said.
The regulation states that "crypto asset service providers should also be held liable for any losses resulting from an incident related to information and communication technology, including an incident resulting from a cyberattack, theft or any malfunctions."
Laws are "only as good as the ability to enforce against violations," said Troy Leach, chief strategy officer at Cloud Security Alliance and a key developer of the PCI payment security standards.
"What I'm interested to see is whether the resulting custody policy is monitored and assessed for adequacy by regulatory oversight, and what does accountability look like for the first crypto asset service provider that suffers a cyberattack and loses crypto assets," he said.
MiCA could be a foundation for other regions of the world attempting to regulate crypto assets, Leach said. Regulators should guard against becoming so prescriptive when developing rules that they stifle innovation, he said.
"The old adage is: 'The tighter one clenches their fist full of sand, the more likely they will lose additional grains of sand.' The same is true for regulation that is so restrictive. It prevents the next generation of security from being implemented against emerging threats," he said.
The U.S. is bogged down in the struggle of defining what the virtual asset is, Redbord said. "MiCA blew right by that stage, going right to how do we regulate, not who is going to regulate. And I think that was a real advantage," he said.