
Final Report On Draft Guidelines On Internal Governance of Issuers of ARTs

EBA/GL/2024/06

06/06/2024

Final report on

EBA Guidelines
on the minimum content of the governance arrangements for
issuers of asset-referenced tokens
FINAL REPORT ON GUIDELINES ON THE MINIMUM CONTENT OF THE GOVERNANCE
ARRANGEMENTS FOR ISSUERS OF ASSET-REFERENCED TOKENS

Contents
1. Executive summary
2. Background and rationale
Legal Basis
3. Guidelines
Compliance and reporting obligations
Status of these guidelines
Reporting requirements
Subject matter, scope, and definitions
Subject matter
Scope of application
Addressees
Definitions
Implementation
Date of application
4. Guidelines
Title I - Application of the proportionality principle
Title II – Role and composition of the management body
1. Role and responsibilities of the management body
2. Management function of the management body
3. Supervisory function of the management body
Title III – Governance framework
4. Organisational framework and structure
5. Organisational framework in a group context
6. Outsourcing
Title IV – Risk culture and business conduct
7. Risk culture
8. Corporate values and code of conduct
Title V – Internal control framework and mechanisms
9. Internal control framework
10. Implementing an internal control framework
11. Risk management framework
12. Operational risk management and operational resilience
12.1 New product, system and process approval
12.2 ICT risk management
12.3 Arrangements with third-party entities for operating the reserve of assets, for the investment
of the reserve assets, the custody of the reserve assets, or the distribution of the asset-referenced
tokens to the public
13. Internal control functions
13.1 Heads of the internal control functions
13.2 Independence of internal control functions
13.3 Resources of internal control functions
14. Risk management function
14.1 RMF’s role in risk strategy and decisions
14.2 RMF’s role in material changes
14.3 RMF’s role in identifying, measuring, assessing, managing, mitigating, monitoring and
reporting on risks
14.4 RMF’s role in risk appetite and limits
14.5 Head of the risk management function
15. Compliance function
16. Internal audit function
Title VI – Business continuity management
Title VII – Transparency
5. Accompanying documents
5.1 Draft cost-benefit analysis / impact assessment
5.2 Feedback on the public consultation

1. Executive summary
Sound internal governance arrangements are fundamental if issuers of asset-referenced tokens
(ARTs) are to operate well as part of the financial system. Regulation (EU) 2023/1114 sets out
governance requirements for issuers of ARTs and, in particular, stresses the responsibility of the
management body to ensure sound governance arrangements, including a sound risk strategy, risk
culture and risk management framework.
To foster the implementation of sound internal governance arrangements, processes and
mechanisms within the EU for issuers of ARTs, in line with the requirements introduced by
Regulation (EU) 2023/2034, the European Banking Authority (EBA), in cooperation with the
European Securities and Market Authority (ESMA) and the European Central Bank, is mandated by
Article 34(13) of (EU) 2019/2034 to develop guidelines in this area. The guidelines apply to issuers
of ARTs as defined in Article 3(1)(10) of Regulation (EU) 2023/1114.
The guidelines specify the various governance provisions in Regulation (EU) 2023/1114, taking into
account the principle of proportionality, by specifying the requirements regarding the tasks,
responsibilities and functioning of the management body, and the organisation of issuers of ARTs.
The guidelines aim to ensure the sound management of all risks associated with the activities of
issuers of ARTs, such as ML-TF risks, operational risks, including fraud, cyber and compliance risks.
Furthermore, the provisions aim to provide for appropriate consumer and investor protection. Risks
need to be managed across all three lines of defence. While the business needs to manage its risks,
the guidelines stress the responsibilities of the second line of defence (the independent risk
management and compliance function) and the third line of defence (the internal audit function).
The Guidelines specify that all issuers of ARTs should have a permanent and effective compliance
function while, in line with the principle of proportionality, not all issuers are required to have a
risk management and an internal audit function but are still required to have respective policies
and procedures in place. Issuers of ARTs should also employ resources proportionate to the scale
of their activities and should always ensure continuity and regularity in the performance of their
activities. For that purpose, issuers of ARTs should establish a business continuity policy that aims
to ensure, in the case of an interruption to their systems and procedures, the performance of their
core activities related to the asset-referenced tokens.
The Guidelines on internal governance for issuers of ARTs take into account, as far as possible, the
framework for investment firms under Directive 2014/65/EU but are tailored to the specific
business model of issuers of ARTs and take into account the principle of proportionality.

Next steps

These Guidelines apply from [3] months after the date of publication on the EBA’s website of the
guidelines in all EU official languages.

2. Background and rationale


1. While crypto assets can bring opportunities in terms of innovative digital services, alternative
payment instruments or new funding mechanisms for Union companies, the crypto assets
ecosystem is fast evolving and its interconnectedness with the traditional financial system is
also increasing, posing risks to crypto-asset activities to financial institutions, consumers,
investors and to the financial stability. Trust in the reliability of the financial system is crucial
for its proper functioning and a prerequisite if it is to contribute to the economy as a whole.
Consequently, effective internal governance arrangements are fundamental if entities
individually and the financial system they form are to operate well. Against this backdrop, and
to ensure the level playing field across the Union and cross sectoral consistency within the
financial sector, there is a clear need to address any gaps that may exist regarding the
implementation of sound internal governance arrangements by issuers of ARTs.

2. To ensure the effective management and oversight of issuers of ARTs by the management body,
to promote and foster a sound risk culture at issuers of ARTs and to enable competent
authorities to supervise and monitor the adequacy of internal governance arrangements,
issuers of ARTs should have robust governance arrangements, including a clear organisational
structure with well-defined, transparent and consistent lines of responsibility and effective
processes to identify, manage, monitor and report the risks to which they are or to which they
might be exposed.

3. Internal governance includes all standards and principles for setting issuer of ARTs’ strategies
and risk management framework; how its business is organised; how responsibilities and
authority are defined and clearly allocated; how reporting lines are set up and what information
they convey; and how the internal control framework is organised and implemented, including
sound accounting and administrative procedures. Robust governance arrangements also
encompass ensuring operational resilience, including sound information and communication
technology systems and business continuity management; sound policies and procedures for
the use of third-party entities, including for operating the reserve of assets, the investment of
the reserve assets, the custody of the reserve assets and, where applicable, the distribution of
the asset-referenced tokens to the public.

4. In the same way, issuers of ARTs should take into account environmental, social and
governance (ESG) risk factors within their risk management framework. The consensus
mechanisms used for the validation of transactions in crypto-assets have, due to their energy
consumption, potentially material adverse impacts on the climate and other environment
aspects. In this regard, it should be ensured that any material adverse impact that they might
have on the climate, and any other material environment-related adverse impact, are
adequately identified and disclosed by issuers of ARTs.

5. ESG factors can also affect the risk profile of issuers of ARTs, its business model and the
acceptance of the ARTs. While climate and environmental factors are particularly relevant to
the activities and services of issuers of ARTs, other types of ESG factors such as tax
transparency, human rights, employment conditions are also relevant factors.

6. Combating money laundering and terrorist financing is also essential for maintaining the
stability and integrity of the financial system. Uncovering the involvement of an issuer of ARTs
in money laundering and terrorist financing might have an impact on the viability and trust of
the financial system. In this context, the guidelines clarify that identifying, managing and
mitigating ML/TF risks is part of issuers’ sound governance arrangements and risk management
framework.

7. While credit institutions are ‘obliged entities’ under Directive 2015/849/EU (AMLD)¹, issuers
of ART authorised under Article 21 Regulation (EU) 2023/1114 are not per se ‘obliged entities’
under that Directive. Nevertheless, the ML/TF risks posed by the issuer’s activities to the issuer
itself or to the sector are considered a ground for the refusal or for withdrawal of the
authorisation in accordance with Article 24 1(g) of Regulation (EU) 2023/1114. It is therefore
crucial that issuers of ARTs ensure the sound management of ML-TF risks on an ongoing basis
as part of the overall internal control framework. Issuers of ARTs have an important role to play
in identifying and tackling weaknesses in this area in collaboration with the authorities
competent for the prevention and fight against money laundering and terrorist financing.

8. The guidelines are intended to apply to all existing board structures without interfering with
the general allocation of competences in accordance with national company law or advocating
any particular structure. Accordingly, they should be applied irrespective of the board structure
used (unitary or dual board structure or another structure) and across Member States. Without
prejudice to applicable company law, in principle, the management body, as defined in Article
3(1)(27) of Regulation (EU) 2023/1114, should be understood as having management
(executive) and supervisory (non-executive) functions.

9. The terms ‘management body in its management function’ and ‘management body in its
supervisory function’ are used throughout these guidelines without referring to any specific
governance structure, and references to the management (executive) or supervisory (non-
executive) function should be understood as applying to the bodies or members of the
management body responsible for that function in accordance with national law.

10. For the purposes of these guidelines, any reference to the management body in its
management function should be understood as also including the members of the executive
body or the CEO, even if they have not been proposed or appointed as formal members of an
issuer of ARTs’ governing body or bodies under national law.

¹ Directive 2015/849/EU of the European Parliament and of the Council of 20 May 2015 on preventing of the use of the
financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of
the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the
Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73-117)

11. The management body is empowered to set the issuer of ARTs’ strategy, objectives and overall
direction, and oversees and monitors management decision-making. In its management
function, the management body directs the business of the issuer of ARTs. In its supervisory
function, the management body oversees and challenges the management function and
provides appropriate advice and challenge. The oversight roles include reviewing the
performance of the management function and the achievement of objectives, challenging the
strategy, and monitoring and scrutinising the systems that ensure the integrity of financial
information as well as the soundness and effectiveness of risk management and internal
controls.

12. Taking into consideration all the existing governance structures provided for by national laws,
competent authorities should ensure the effective and consistent application of the guidelines
in their jurisdictions in accordance with the rationale and objectives of the guidelines
themselves. For this purpose, competent authorities may clarify the governing bodies and
functions to which the tasks and responsibilities set forth in the guidelines pertain, where this
is appropriate to ensure the proper application of the guidelines in accordance with the
governance structures provided for under national company law.

13. Where a parent undertaking which is required to prepare consolidated financial statements in
accordance with Directive 2013/34/EU is an issuer of ARTs or where the group includes an
issuer of ARTs, additional guidelines are provided on the group application of governance
policies in a group context. It is fundamental that crypto groups² have all risks under control
and a holistic view on all their risks.

14. The guidelines are consistent with the ‘three lines of defence’ model in identifying the functions
within issuers of ARTs responsible for addressing and managing risks. Issuers of ARTs should
establish and maintain a permanent and effective compliance function that operates
independently from the business it controls and, where appropriate taking into account the
application of the proportionality principle, establish and maintain risk management and
internal audit functions that operate independently. Where those functions are not
established, issuers of ARTs should ensure that the policies and procedures that they have
adopted and implemented regarding risk management and internal audit achieve the same
objectives.

15. The business lines, as part of the first line of defence, take risks and are directly and
permanently responsible for their operational management. For that purpose, business lines
should have appropriate processes and controls in place that aim to ensure risks are identified,
analysed, measured, monitored, managed and reported, and that the business activities are in
compliance with external and internal requirements. Not only business lines, but also other
functions or units, e.g. HR, legal or information and communication technology, are responsible
for managing their risks and having appropriate controls in place. Other functions or units that
are mainly exposed to operational and reputational risks must also be considered by the
compliance function and risk management function when forming an enterprise-wide holistic
view on all risks. All other functions or units should also be subject to monitoring and oversight
by the independent risk management function, where established, and by the compliance
function as part of a risk-based approach.

² A group of undertakings of which at least one is an Issuer of ARTs and which consists of a parent undertaking and its
subsidiaries as set out in Article 2(11) of Directive 2013/34/EU or of undertakings that are related to each other as set out
in Article 22 of the same Directive.

16. The independent risk management function, where established, and the independent
compliance function form the second line of defence. The risk management function facilitates
the implementation of a sound risk management framework throughout the issuer of ARTs and
is responsible for further identifying, monitoring, analysing, measuring, managing and
reporting risks and forming a holistic view of all risks on an individual and, where applicable,
consolidated basis. It challenges and assists in the implementation of risk management
measures by the business lines in order to ensure that the processes and controls in place in
the first line of defence are properly designed and effective. The compliance function monitors
compliance with legal requirements and internal policies, provides advice on compliance issues
to the management body and other relevant staff, and establishes policies and processes to
manage compliance risks and to ensure compliance. The compliance function and, where
established, the risk management function intervene as necessary to ensure the modification
of internal control and risk management systems within the first line of defence.

17. The internal audit function, where established as an independent third line of defence,
conducts risk-based and general audits and reviews the internal governance arrangements,
processes and mechanisms to ascertain that they are sound and effective, implemented and
consistently applied. The internal audit function is also in charge of the independent review of
the first two lines of defence including other internal functions, units and business lines.
Investment firms that do not establish an independent audit function must establish other
appropriate audit policies and procedures. In any case, the ultimate responsibility for audits
remains with the management body.

18. To ensure their proper functioning, all internal control functions need to perform their tasks
independently, have the appropriate financial and human resources and report directly to the
management body. Within all three lines of defence, appropriate internal control procedures,
mechanisms and processes should be designed, developed, maintained and evaluated under
the ultimate responsibility of the management body.

19. The requirements on governance arrangements applicable to issuers of ARTs under Regulation
(EU) 2023/1114 are very similar to the requirements under Directive 2013/36/EU (CRD), IFD
and MiFID to ensure a cross sectoral consistency. However, a proportionate approach is taken
for issuers of ARTs regarding the establishment of committees and control functions. Credit
institutions which offer or seek the admission to trading of asset-referenced tokens are also
subject to internal governance requirements under CRD. In accordance with Regulation (EU)
2023/1114, credit institutions that are issuers of ARTs should comply with the more specific or
stricter requirements in this area, ensuring compliance with both sets of requirements.

20. The guidelines and the principle of proportionality cannot change the minimum requirements
included in the Regulation (EU) 2023/1114. All provisions within the guidelines are subject to
the principle of proportionality, meaning that they are to be applied in a manner that is
appropriate, taking into account in particular the issuer of ARTs’ internal organisation and
nature, the volume of ARTs that will be offered to the public or admitted to trading, and the
complexity of its activities. However, the principle of proportionality does not mean that issuers
of ARTs are permitted to not meet certain requirements, i.e. requirements cannot be waived
unless MiCAR explicitly allows for such waivers when the underlying conditions are met.

21. The guidelines aim to establish a sound risk culture for issuers of ARTs. Risks should be taken
within a well-defined framework in line with the issuers of ARTs’ risk strategy. Risks regarding
the issuance of ARTs are also to be duly identified, assessed, appropriately managed and
monitored. The risk management function and compliance function should be closely involved
in the establishment of the applicable framework.

22. Issuers of ARTs should identify sources of operational risk and minimise those risks through the
development of appropriate systems, controls, and procedures. The guidelines further specify
that issuers of ARTs should have in place a well-documented assessment and management
system for operational risk with clear responsibilities assigned for this system. The framework
has been developed considering CRD and has been replicated for those issuers in a
proportionate manner. In addition, issuers of ART are subject to the DORA requirements and
should take the standards developed at international level on operational resilience into
account³.

23. The guidelines also specify further the arrangements to put in place when relying on third-party
entities for operating the reserve of assets, for the investment of the reserve assets, the
custody of the reserve assets and, where applicable, the distribution of the asset-referenced
tokens to the public; these arrangements should cover the selection, risk assessment,
specification of relevant contractual arrangement and monitoring. Issuers of ARTs should also
have policies that define the principles, responsibilities, and processes in relation to the use of
those third-party entities.

24. Issuers of ARTs should establish a business continuity policy and plans to ensure, in the case of
an interruption of their ICT systems and procedures, the preservation of essential data and
functions and the maintenance of their activities or, where that is not possible, the timely
recovery of such data and functions and the timely resumption of their activities. While under
DORA, the ESAs have been mandated to specify further the components of the ICT business
continuity policy through regulatory products, the guidelines however further specify elements
on business continuity plans not related to ICT and provide more guidance on operational
resilience in line with MiCAR and international standards.

³ E.g. BCBS principles on operational resilience, March 2021

Legal Basis
25. Article 34 of MiCAR requires issuers to have robust governance arrangements, including a clear
organisational structure with well-defined, transparent, and consistent lines of responsibility,
processes and mechanisms.

26. To further harmonise issuers of ARTs’ internal governance arrangements, processes and
mechanisms within the EU, the EBA, in cooperation with the ESMA and the ECB, is mandated
under Article 34(13) of Regulation (EU) 2023/1114 to develop Guidelines on the minimum
content of the governance, in particular, with regard to:
- the monitoring tools regarding operational risk;
- the internal control mechanism for risk management, including with regard to the reliance
on third-party entities for operating the reserve of assets, and for the investment of the
reserve assets, the custody of the reserve assets and, where applicable, the distribution of
the asset-referenced tokens to the public;
- the business continuity policy and plans on ICT systems and procedures;
- the audits, including the minimum documentation to be used in the audit.

27. When issuing these guidelines, EBA has taken into account the provisions on governance
requirements in other Union legislative acts on financial services, including Directive
2014/65/EU. Where issuers of ARTs are credit institutions, subject to internal governance
requirements under Directive 2013/36/EU, they should comply with the requirements
thereunder and comply with Title I, Title V Sections 12, 12.1, 12.2, 12.3 and Title VI and Title
VII when issuing ARTs.

28. In addition to such mandate as further specified under Title V, EBA is empowered to issue
guidelines addressed to competent authorities or financial market participants, pursuant to
Article 16 of its founding Regulations, with a view to establishing consistent, efficient and
effective supervisory practices within the ESFS, and to ensuring the common, uniform and
consistent application of Union law. On this basis, EBA considers also appropriate to issue
Guidelines specifying further the framework to have sound internal governance arrangements
in accordance with Article 34 of Regulation (EU) 2023/1114 in particular under the Titles I, II,
III, IV, VI and VII.

29. The guidelines should be read in conjunction with Regulation (EU) 2022/2254, the Joint
EBA-ESMA guidelines on the suitability of members of the management body and qualifying holdings
for issuers of ARTs, the RTS on the minimum content of the governance arrangements on the
remuneration policy for issuers of significant ARTs, the RTS on conflicts of interests for issuers
of ARTs and the RTS on the minimum requirements for the design of stress testing programs
under Article 36(5)(c) of MiCAR.

3. Guidelines

EBA/GL/2024/06

06/06/2024

Compliance and reporting obligations

Status of these guidelines


1. This document contains guidelines issued pursuant to Article 16 of Regulation (EU) No
1093/2010⁴. In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent
authorities as defined in Article 3(1) point (35)(a) of Regulation (EU) 2023/1114 to whom
guidelines apply and financial institutions must make every effort to comply with the guidelines.

2. Guidelines set the EBA view of appropriate supervisory practices within the European System
of Financial Supervision or of how Union law should be applied in a particular area. Competent
authorities as defined in Article 4(2) of Regulation (EU) No 1093/2010 to whom guidelines apply
should comply by incorporating them into their practices as appropriate (e.g., by amending
their legal framework or their supervisory processes), including where guidelines are directed
primarily at financial institutions.

Reporting requirements
3. According to Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must notify
the EBA as to whether they comply or intend to comply with these guidelines, or otherwise
with reasons for non-compliance, by [dd.mm.yyyy]. In the absence of any notification by this
deadline, competent authorities will be considered by the EBA to be non-compliant.
Notifications should be sent by submitting the form available on the EBA website with the
reference ‘EBA/GL/2024/06’. Notifications should be submitted by persons with appropriate
authority to report compliance on behalf of their competent authorities. Any change in the
status of compliance must also be reported to EBA.

4. Notifications will be published on the EBA website, in line with Article 16(3).

⁴ Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a
European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing
Commission Decision 2009/78/EC, (OJ L 331, 15.12.2010, p.12).

Subject matter, scope, and definitions

Subject matter
5. These guidelines specify in accordance with Article 34(13) of Regulation (EU) 2023/1114 the
minimum content of the governance arrangements for issuers of ARTs in particular regarding
the monitoring tools for the risks⁵; the business continuity plans; the internal control
mechanism; and the audits, including the minimum documentation to be used in the audits.

Scope of application
6. These Guidelines apply at authorisation and on an ongoing basis to competent authorities, as
defined in Article 3(1) point (35) (a) of Regulation (EU) 2023/1114, and to issuers of ARTs.

7. The guidelines apply to all issuers of ARTs, independently of their existing board structures.

8. Any reference to management body also includes issuers of ARTs that are legal persons
managed by a single natural person.

9. Issuers of ARTs should comply and competent authorities should ensure that issuers of ARTs
comply with these guidelines, including, where applicable, on a group wide basis.

Addressees
10. These Guidelines are addressed to competent authorities as defined in Article 3(1), point (35)(a)
of Regulation (EU) 2023/1114.

11. These Guidelines are also addressed to issuers of ARTs as defined in Article 3(1), point 10 of
Regulation (EU) 2023/1114, of ARTs as defined in Article 3(1), point 6 of that Regulation. Where
the issuer of ARTs is a credit institution, it should comply with Title I, Title V Sections 12, 12.1,
12.2, 12.3 and Title VI and Title VII in conjunction with the requirements set out under Directive
2013/36/EU and the EBA guidelines on internal governance⁶.

Definitions
12. Unless otherwise specified, terms used and defined under Regulation (EU) 2023/1114, Directive
2014/65/EU, the ‘EBA guidelines on internal governance arrangements for investment firms
under IFD⁷’ and Regulation (EU) 2022/2554, have the same meaning in these guidelines. In
addition, for the purposes of these guidelines, the following definitions apply:

‘Management body in its management function’ means the management body acting in its role of
directing effectively the issuer of ARTs and includes the persons who direct its business.

‘Management body in its supervisory function’ means, where established, the management body
acting in its role of overseeing and monitoring management decision-making.

‘Group’ means a group as defined in Article 2(11) of Directive 2013/34/EU⁸.

‘Operational risk’ means the operational risk as set out in Article 4(1)(52) of
Regulation (EU) 575/2013.

‘Operational resilience’ means the ability for an issuer of ARTs to deliver critical or
important functions through disruption.

Implementation

Date of application
13. These Guidelines apply from [3] months after the date of publication on the EBA’s website of
the guidelines in all EU official languages.

⁵ Any reference to risks in these guidelines should include all risks to which issuers of ARTs are or may be exposed,
including money laundering and terrorist financing risks.
⁶ Guidelines on internal governance under Directive 2013/36/EU
⁷ Guidelines on internal governance under Directive (EU) 2019/2034
⁸ Directive 2013/34/EU on the annual financial statements, consolidated financial statements and related reports of
certain types of undertakings

4. Guidelines

Title I - Application of the proportionality principle


14. Issuers of ARTs and competent authorities should have regard to the principle of
proportionality when applying and implementing these guidelines with a view to ensuring that
the governance arrangements are consistent with the individual risk profile of the issuer of
ARTs and the group, where applicable, commensurate with its size and internal organisation,
relevant to its business model, suitable for the nature, scale and complexity of its activities and
sufficient to effectively achieve the objectives of the relevant regulatory requirements and
provisions.

15. For the purpose of applying the principle of proportionality and to ensure the appropriate
implementation of the governance requirements of Regulation (EU) 2023/1114 as further
specified by these Guidelines, issuers of ARTs and competent authorities should take into
account the following criteria:

a. the size of the issuer of ARTs in terms of the balance sheet total;

b. the legal form of the issuer of ARTs;

c. whether the issuer of ARTs is listed or not;

d. the classification of the asset-referenced token issued as significant or non-significant
pursuant to Articles 43 and 44 and Articles 56 and 57 of Regulation (EU) 2023/1114;

e. the specifics, volume and number of ARTs issued;

f. whether the ARTs issued are admitted to trading;

g. the consensus mechanism used to issue and validate the ARTs;

h. the nature and complexity of all business activities;

i. the type of authorised activities and the services performed;

j. whether cross-border activities are provided and the size of the operations in each
jurisdiction;

k. the size of the reserve of assets;

l. the type and complexity of the assets a token is referenced to;

m. whether the holders of ART are retail holders or not;


n. the use of third-party service providers;

o. the distribution channels used, including the ones provided by third-party service
providers; and

p. the existing information and communication technology (ICT) systems, including
business continuity measures and the use of ICT third-party entities as referred to in
paragraph 5, first subparagraph, point (h), Article 34 of Regulation (EU) 2023/1114.

16. Issuers of ARTs that are managed by a single natural person should have alternative
arrangements in place which ensure the sound and prudent management of such issuers and
the adequate consideration of governance arrangements including by providing for adequate
checks and balances in decision making.

Title II – Role and composition of the management body


1. Role and responsibilities of the management body
17. In accordance with Article 34 of Regulation (EU) 2023/1114, the management body of an issuer
of ARTs must define, oversee and be accountable for the implementation of sound governance
arrangements that ensure effective and prudent management of the issuer and the interest of
holders of ART including the segregation of duties and the identification, prevention and
management of conflicts of interest within the issuer of ARTs in accordance with Article 32 of
Regulation (EU) 2023/1114.

18. The duties of the management body should be clearly defined, distinguishing, where applicable,
between the duties of the management (executive) function and of the supervisory (non-
executive) function. The responsibilities and duties of the management body should be
described in a written document and duly approved by the management body. All members of
the management body should be fully aware of the structure and responsibilities of the
management body and, where applicable, of the division of tasks between different functions
of the management body.

19. Where applicable, the management body in its supervisory function and its management
function should interact effectively. Both functions should provide each other with sufficient
information to allow them to perform their respective roles. To have appropriate checks and
balances in place, decision-making within the management body should not be dominated by
a single member or a small subset of its members.

20. The management body’s responsibilities should include at least setting, approving, and
overseeing the implementation of:


a. the overall business strategy and the key policies of the issuer within the applicable
legal and regulatory framework, taking into account the issuer’s long-term financial
interests and solvency and interest of the holders of ARTs;

b. the policies required under Article 34(5) of Regulation (EU) 2023/1114; such policies
should be consistent with the risk appetite and tolerance of the issuer and the
characteristics, the needs of the clients of the issuer of ARTs to whom they will be
offered and their prospective holders;

c. the organisation of the issuer for the issuance of ARTs specifying the skills, knowledge
and expertise required by staff and the necessary resources;

d. the overall risk strategy, the issuer’s risk appetite and its risk management framework,
including adequate policies and procedures, taking into account the macroeconomic
environment and the business cycle, and specifying the involvement of the
management body in risk management issues;

e. an adequate and effective internal control framework including a risk management
framework and well-functioning internal control mechanisms to ensure compliance
with applicable regulatory requirements including with regard to the management of
reserve of assets;

f. a remuneration policy for issuers of significant ARTs that is in line with Article 45(1) of
Regulation (EU) 2023/1114⁹;

g. the policies and procedures to identify, prevent, manage and disclose conflicts of
interest, in line with Article 32 of Regulation (EU) 2023/1114¹⁰;

h. arrangements that aim to ensure that the individual and collective suitability
assessments of the management body are carried out effectively, that the composition
of the management body is appropriate, and that the management body performs its
functions effectively;

i. a risk culture in line with Title IV Section 7 which addresses the issuer of ARTs’ risk
awareness and risk-taking behaviour;

9 See the RTS on the minimum content of the governance arrangements on the remuneration policy for issuers of
significant ARTs in accordance with Article 45(7)(a) of Regulation (EU) 2023/1114.
10 See the RTS on conflict of interests under Article 32(5) of Regulation (EU) 2023/1114.


j. a corporate culture and values in line with Title IV Section 8 which foster responsible
and ethical behaviour, including a code of conduct or similar instrument;

k. arrangements that aim to ensure the integrity of the accounting and financial reporting
systems, including financial and operational controls and compliance with the law and
relevant standards.

21. When setting up, approving and overseeing the implementation of the aspects listed in
paragraph 20, the management body should ensure that the business model and governance
arrangements take into account all risks the issuer of ARTs is or might be exposed to and the
risks that they pose or might pose to others and to the environment. For that purpose, issuers
of ARTs should also take into account all relevant risk factors, including environmental, social
and governance (ESG) risk factors and consider the climate and other environmental impacts
caused by the energy consumption of the consensus and validation mechanisms used. Other
ESG risk factors that should be considered include legal risks in the area of contractual or labour
law, risks relating to potential human rights violations or other ESG risk factors that may affect
the country where a third-party service provider is located and its ability to provide the agreed
service levels.

22. The management body should oversee the process of disclosure, in particular as mandated by
Article 30 of Regulation (EU) 2023/1114, and communications with external stakeholders and
competent authorities.

23. All members of the management body should be informed about the overall activity, financial
and risk situation of the issuer of ARTs, taking into account the economic environment and
business cycle, and also about any decisions taken that have a major impact on the issuance of
ARTs or other material business activities.

24. A member of the management body may be responsible for an internal control function as
referred to in Title V, provided that the member does not have other mandates that would
compromise the member’s internal control activities and the independence of the internal
control function.

25. The management body should monitor, periodically review and address any weaknesses
identified regarding the implementation of processes, strategies and policies relating to the
responsibilities listed in this section. The governance framework and its implementation should
be reviewed and updated on a periodic basis, taking into account the proportionality principle,
as further specified in Title I. A deeper review should be carried out where material changes
affect the issuer of ARTs.

26. Where the issuers of ARTs are legal persons managed by a single natural person in accordance
with their constitutive rules and national laws, the references in these guidelines to a
management body should be construed as applying to the single person that is responsible for
implementing alternative arrangements to ensure the sound and prudent management of such
an issuer and the adequate consideration of governance arrangements.


2. Management function of the management body


27. The management body in its management function should actively engage in the business of
the issuer of ARTs and should take decisions on a sound and well-informed basis.

28. The management body in its management function should be responsible for the
implementation of the strategies and policies set out by the management body and regularly
discuss the implementation and appropriateness of these strategies and policies with the
management body in its supervisory function. The operational implementation may be carried
out by the issuers of ARTs’ management body.

29. Members of the management body in its management function should constructively challenge
and critically review propositions, explanations and information received by the staff when
exercising its judgement and taking decisions.

30. Where applicable, the management body in its management function should regularly, timely
and comprehensively inform and report to the management body in its supervisory function all
relevant information necessary to perform their duties, including the risks and other
developments affecting the business of the issuer of ARTs, e.g. material decisions on business
activities, its organisation and underlying technologies, risks taken and compliance with the risk
appetite and strategy, ML/TF risks, ICT incidents and reporting, material operational risk losses,
liquidity and reserve of assets and their management.

3. Supervisory function of the management body


31. Without prejudice to the responsibilities assigned under the applicable national company law,
the management body in its supervisory function should:

a. oversee and monitor management decision-making and actions and provide effective
oversight of the management body in its management function, including monitoring
and scrutinising its individual and collective performance and the setting and
implementation of the issuer of ARTs’ strategy and objectives;

b. constructively challenge and critically review proposals and information provided by
members of the management body in its management function, as well as its decisions;

c. ensure and periodically assess the effectiveness of the issuers of ARTs’ governance
framework and take appropriate steps to address any identified deficiencies;

d. oversee and monitor that the issuer’s strategic objectives, organisational structure and
risk strategy, its risk appetite and risk management framework, as well as other policies
(e.g. investment policy on the reserve of assets) are implemented consistently;

e. monitor that the risk culture of the issuer of ARTs is implemented consistently;


f. oversee the implementation, the update and the effective application of policies and
procedures to identify, prevent, manage and disclose conflicts of interest, in
accordance with Article 32 of Regulation (EU) 2023/1114¹¹;

g. oversee the integrity of financial information and reporting, and the internal control
framework, including an effective and sound risk management framework;

h. ensure that the heads of internal control functions are able to act independently and,
regardless of the responsibility to report to other internal bodies, business lines or
units, can raise concerns and warn the management body in its supervisory function
directly, where necessary, when adverse risk developments affect or may affect the
issuer of ARTs; and

i. set and monitor the implementation of the internal audit plan.

Title III – Governance framework


4. Organisational framework and structure

4.1 Organisational framework

32. The management body of an issuer of ARTs should ensure a suitable and transparent
organisational and operational structure for that issuer of ARTs and should have a written
description of it. The structure should promote and demonstrate the effective and prudent
management of the issuer of ARTs and the group, where applicable.

33. The management body should ensure that the internal control functions have the appropriate
financial and human resources as well as powers to effectively perform their role. As a
minimum, the compliance function should operate independently, including that there is an
appropriate segregation of duties. The reporting lines and the allocation of responsibilities
should be clear, well-defined, coherent, enforceable and duly documented. The documentation
should be updated as appropriate.

34. The structure of the issuer of ARTs should not impede the ability of the management body to
oversee and effectively manage the risks that the issuer or the group, where applicable, is exposed to or the
ability of the competent authority to effectively supervise the issuer of ARTs.

35. The management body should assess whether and how material changes to the group’s
structure where applicable (e.g. setting up of new subsidiaries, mergers and acquisitions, selling
or winding-up parts of the group, or external developments) impact on the soundness of the
ART issuer’s organisational framework. Where weaknesses are identified, the management body
should make any necessary adjustments swiftly.

11 See the RTS on conflict of interests under Article 32(5) of Regulation (EU) 2023/1114.


4.2 Know your structure

36. The management body should fully know and understand the legal, organisational and
operational structure of the issuer of ARTs (‘know your structure’) and ensure that it is in line
with its approved business and risk strategy and risk appetite and covered by its risk
management framework.

37. The management body should ensure that the structure of an issuer of ARTs and, where
applicable, the structures within a group are clear, efficient and transparent to the staff,
shareholders and other stakeholders and to the competent authority.

38. The management body should guide the issuer of ARTs’ structure, its evolution and its
limitations and should ensure that the structure is justified and efficient and does not involve
undue or inappropriate complexity.

39. When setting up such structures, the management body should understand them and their
purpose and the particular risks associated with them and ensure that the internal control
functions are appropriately involved. Such structures should be approved and maintained only
when their purpose has been clearly defined and understood, and when the management body
is satisfied that all material risks, including reputational risks, have been identified, that all risks
can be managed effectively and appropriately reported, and that effective oversight has been
ensured. The more complex the organisational and operational structure, and the greater the
risks, the more intensive the oversight of the structure should be.

40. Issuers of ARTs should take into account in their decision-making the results of a risk assessment
performed to identify whether such structures could be used for a purpose connected with
ML/TF or other financial crime to ensure that the issuer or the sector is not exposed to serious
risk of ML/TF. To this end, issuers of ARTs should take into account as a minimum:

a. the extent to which the jurisdiction in which the structure will be set up complies
effectively with EU and international standards on tax transparency, anti-money
laundering and countering the financing of terrorism;

b. the extent to which the structure serves an obvious economic and lawful purpose;

c. the extent to which the structure could be used to hide the identity of the ultimate
beneficial owner;

d. the extent to which the reason that leads to the possible setting-up of a structure
gives rise to concern;

e. whether the structure might impede appropriate oversight by the ART issuer’s
management body or the issuer’s ability to manage the related risk; and


f. whether the structure poses obstacles to effective supervision by competent
authorities.

41. In any case, issuers of ARTs should not set up opaque structures or unnecessarily complex
structures that have no clear economic rationale or legal purpose, or structures that could raise
concerns that these might be created for a purpose connected with financial crime.

42. Issuers of ARTs should document their decisions and be able to justify their decisions to
competent authorities.

43. These structures and activities, including their compliance with legislation and professional
standards, should be subject to a regular review. Where an internal audit function is
established, it should perform the review on a risk-based approach.

5. Organisational framework in a group context


44. Where applicable, issuers of ARTs should ensure that governance arrangements, processes and
mechanisms are consistent and well-integrated on a group-wide basis. To this end, issuers of
ARTs should ensure that their subsidiaries subject to Regulation (EU) 2023/1114
implement similar arrangements, processes and mechanisms to ensure robust governance
arrangements on a group-wide basis. Competent functions within an issuer of ARTs and its
subsidiaries subject to Regulation (EU) 2023/1114 should interact and exchange data and
information as appropriate.

45. While policies and documentation may be included in separate documents, issuers of ARTs
should consider combining them or referring to them in a single governance framework
document.

6. Outsourcing¹²
46. The management body should approve and regularly review and update the outsourcing policy
of an issuer of ARTs, ensuring that appropriate changes are implemented in a timely manner.

47. The outsourcing policy should consider the impact of the use of the outsourcing on an issuer of
ARTs’ business and the risks it faces (such as operational risks, including legal, reputational risks,
and concentration risks).

48. The policy should include the reporting and monitoring arrangements to be implemented from
inception to the end of outsourcing arrangements (including the due diligence process and risk
assessment, the management and the monitoring of the arrangement, the termination,
contingency plans and exit strategies).

12 This section should be read in conjunction with Section 12.3 of these guidelines where applicable. Issuers of ARTs should
refer, to the extent applicable, to the EBA guidelines on outsourcing, taking into account the application of the principle
of proportionality.


49. The outsourcing of functions cannot result in the delegation of the management body’s
responsibilities. An issuer of ARTs remains fully responsible and accountable for all outsourced
services and activities and management decisions arising from them. Accordingly, the
outsourcing policy should make it clear that outsourcing does not relieve the issuer of ARTs of
its legal and regulatory obligations.

50. The policy should state that outsourcing arrangements should not hinder effective on-site or
off-site supervision of the issuer of ARTs and should not contravene any supervisory restrictions
on services and activities. The policy should also cover intragroup outsourcing arrangements
and take into account any specific group circumstances where appropriate.

51. Issuers of ARTs should maintain at all times sufficient substance and not become ‘empty shells’
or ‘letter-box entities’. To this end, they should:

a. meet all the conditions of their authorisation at all times, including the management
body effectively carrying out its responsibilities as set out in Section I of these
guidelines;

b. retain a clear and transparent organisational framework and structure that enables
them to ensure compliance with legal and regulatory requirements as referred to in
Section 4;

c. where operational tasks of internal control functions are outsourced, exercise appropriate
oversight and be able to manage the risks that are generated by the outsourcing
of critical or important functions; and

d. have sufficient resources and capacities to ensure compliance with points
(a) to (c).

Title IV – Risk culture and business conduct


7. Risk culture
52. A sound, diligent and consistent risk culture should be a key element of issuers of ARTs’ effective
risk management and should enable these issuers to make sound and informed decisions that
are consistent with their risk strategy and risk appetite.

53. Issuers of ARTs should develop an integrated and enterprise-wide risk culture, based on a full
understanding and holistic view of the risks they are or might be exposed to, including ESG
risks, the risks to holders of assets, to markets, operational risks, ML/TF risks, liquidity risks and
the risks linked to the investment of the assets of the reserve, the risk to the issuer of ARTs
itself and how they are managed, taking into account the issuer of ARTs’ risk tolerance, and the
conflicts of interest that may arise due to the interconnectedness of players in the crypto
ecosystem.


54. Issuers of ARTs should develop a risk culture through policies, communication and staff training
regarding the issuer of ARTs’ activities, strategy and risk profile, and should adapt
communication and staff training to take into account staff’s responsibilities regarding risk-
taking and risk management.

55. Staff should be fully aware of their responsibilities relating to risk management. Risk
management should not be confined to risk specialists or internal control functions. Business
lines or units, under the oversight of the management body, should be primarily responsible
for managing risks on a day-to-day basis in line with the issuers of ARTs’ policies, procedures
and controls, taking into account the issuer of ARTs’ risk tolerance and appetite.

56. A strong risk culture should include but is not necessarily limited to:

a. Tone from the top: the management body should be responsible for setting and
communicating the issuer’s core values and expectations. The behaviour of its
members should reflect these values. The management body should contribute to the
internal communication of core values and expectations to staff. Staff should act in
accordance with all applicable laws and regulations and promptly escalate observed
non-compliance within or outside the issuer (e.g. to the competent authority through
a whistleblowing process).

b. Accountability: relevant staff at all levels should know and understand the core values
of the issuer of ARTs and, to the extent necessary for their role, its risk tolerance
and appetite. They should be capable of performing their roles and be aware that they
will be held accountable for their actions in relation to the issuer of ARTs’ risk-taking
behaviour.

c. Effective communication and challenge: a sound risk culture should promote an
environment of open communication and effective challenge in which decision-
making processes encourage a broad range of views, allow for testing of current
practices, stimulate a constructive critical attitude among staff and promote an
environment of open and constructive engagement throughout the entire
organisation.

d. Incentives: appropriate incentives should play a key role in aligning risk-taking
behaviour with the issuer of ARTs’ risk profile and its long-term interests in particular
for issuers of significant ARTs.

8. Corporate values and code of conduct


57. The management body should develop, adopt, adhere to and promote high ethical and
professional standards, taking into account the specific needs and characteristics of the issuer
of the ARTs, and should ensure the implementation of such standards (through a code of
conduct or similar instrument). It should also oversee the adherence to these standards by
staff. Where applicable, the management body may adopt and implement the issuer of ARTs’
group-wide standards or common standards released by associations or other relevant
organisations.

58. Issuers of ARTs should ensure that there is no discrimination towards staff based on gender,
race, colour, ethnic or social origin, genetic features, languages, religion or belief, political or
any other opinion, membership of a national minority, property, birth, disability, age or sexual
orientation.

59. The policies of issuers of significant ARTs should be gender-neutral¹³. This includes, but is not
limited to, remuneration, recruitment policies, career development and succession plans,
access to training and the ability to apply for internal vacancies. Issuers of ARTs should ensure
equal opportunities¹⁴ for all staff irrespective of their gender, including with regard to career
perspectives, and aim to improve representation of the underrepresented gender in positions
within the management body. Issuers of significant ARTs should monitor the trend in the gender
pay gap.

60. The standards implemented should aim to enhance the issuer of ARTs’ robust governance
arrangements and reduce the risk to which the firm is exposed, in particular operational and
reputational risks, which can have a considerable adverse impact on an issuer of ARTs’
profitability and sustainability through fines, litigation costs, restrictions imposed by competent
authorities, other financial and criminal penalties, and the loss of brand value and investor
confidence.

61. The management body should have clear and documented policies for how these standards
should be met. These policies should:

a. remind staff that all the issuer of ARTs’ activities should be conducted in compliance
with the applicable law and with the issuer’s corporate values;

b. promote risk awareness through a strong risk culture in line with Title IV, Section 7,
conveying the management body’s expectation that activities will not go beyond the
defined risk appetite and limits defined by the issuer of ARTs and the respective
responsibilities of staff;

c. set out principles on and provide examples of acceptable and unacceptable behaviours
linked in particular to financial misreporting and misconduct, economic and financial
crime including but not limited to fraud, money laundering and terrorist financing
(ML/TF), anti-trust practices, financial sanctions, bribery and corruption, market
manipulation, mis-selling and other violations of consumer protection laws, tax
offences, whether committed directly or indirectly;

d. clarify that in addition to complying with legal and regulatory requirements and
internal policies, staff are expected to conduct themselves with honesty and integrity
and perform their duties with due skill, care and diligence; and

e. ensure that staff are aware of the potential internal and external disciplinary actions,
legal actions and sanctions that may follow misconduct and unacceptable behaviours.

13 See the RTS on the minimum content of the governance arrangements on the remuneration policy for issuers of
significant ARTs in accordance with Article 45(7)(a) of Regulation (EU) 2023/1114.
14 See also Directive 2006/54/EC of the European Parliament and of the Council of 5 July 2006 on the implementation of
the principle of equal opportunities and equal treatment of men and women in matters of employment and occupation.

62. Issuers of ARTs should monitor compliance with such standards and ensure staff awareness,
e.g., by providing training.


Title V – Internal control framework and mechanisms


9. Internal control framework
63. Issuers of ARTs should develop and maintain a culture that encourages a positive attitude
towards risk control and compliance within the issuer and a robust and comprehensive internal
control framework. Under this framework, issuers of ARTs’ business lines or internal units should
be responsible for managing the risks they incur in conducting their activities and should have
controls in place that aim to ensure compliance with internal and external requirements. As
part of this framework, issuers of ARTs should have a permanent and effective internal
compliance function with appropriate and sufficient authority, stature and access to the
management body to fulfil its mission, and a risk management framework. Where
proportionate, taking into account the criteria listed in Title I, issuers of ARTs should also have
an internal risk management and audit function. In any case, the issuer of ARTs should have
appropriate risk management and audit policies and procedures in place.

64. The internal control framework of the issuers of ARTs concerned should be adapted on an
individual basis to the specificity of its business, its complexity and the associated risks, taking
into account, where applicable, the group context. Within a group context, the issuer of ARTs
concerned should organise the exchange of the necessary information in a manner that ensures
that each management body, business line and internal unit, including each internal control
function, is able to carry out its duties.

65. The internal control framework should cover the whole organisation, including the
management body’s responsibilities and tasks, and the activities of all business lines and
internal units, including internal control functions, the use of third-party providers and
distribution channels.

66. The internal control framework of an issuer of ARTs should ensure:

a. effective and efficient operations including with regard to issuance of ARTs;

b. adequate identification, measurement and mitigation of risks including operational
risk and risk related to ICT in accordance with Regulation (EU) 2022/2554;

c. the reliability of financial and non-financial information reported both internally and
externally;

d. sound administrative and accounting procedures; and

e. compliance with laws, regulations, supervisory requirements and the issuer of ARTs’
internal policies, processes, rules and decisions.


10. Implementing an internal control framework


67. The management body should be responsible for establishing and monitoring the adequacy
and effectiveness of the internal control framework, processes and mechanisms, and for
overseeing all business lines and internal units, including internal control functions (such as
compliance, risk management and internal audit functions where established). Issuers of ARTs
should establish, maintain and regularly update adequate written internal control policies,
mechanisms and procedures, which should be approved by the management body. Where no
risk management function is established, the management body should be responsible for
establishing, updating and monitoring adequate risk management procedures and policies.

68. An issuer of ARTs should have a clear, transparent and documented decision-making process
and a clear allocation of responsibilities and authority within its internal control framework,
including its business lines, internal units and internal control functions.

69. Issuers of ARTs should communicate these policies, mechanisms and procedures to all staff and
every time material changes have been made.

70. The internal control functions should verify that the policies, mechanisms and procedures set
out in the internal control framework are correctly implemented in their respective areas of
competence.

71. Internal control functions should regularly submit to the management body written reports on
major deficiencies that have been identified. These reports should include, for each new major
deficiency identified, the relevant risks involved, an impact assessment, recommendations and
corrective measures to be taken. The management body should follow up on the findings of
the internal control functions in a timely and effective manner and require adequate remedial
actions. A formal follow-up procedure on findings and corrective measures taken should be put
in place.

11. Risk management framework


72. As part of the overall internal control framework, issuers of ARTs should have a holistic issuer-
wide risk management framework extending across all their business lines and internal units,
including internal control functions, recognising fully the economic substance of all their risk
exposures including the risks the issuer of ARTs poses to itself, the holders of assets, operational
risks and risks resulting from the reserve of assets.

73. The risk management framework should enable the issuer of ARTs to make fully informed
decisions on all risks they are or might be exposed to including ICT risks in accordance with
Regulation (EU) 2022/2554 (DORA)15 and Section 12. The risk management framework should
encompass all risks, including actual risks and future risks that the issuer of ARTs may be
exposed to. Risks should be evaluated from the bottom up and from the top down, within and
across business lines or internal units using consistent terminology and compatible
methodologies throughout the issuer of ARTs and at a consolidated level where applicable. All
relevant risks should be encompassed in the risk management framework with appropriate
consideration given to both financial and non-financial risks, including concentration,
operational, ICT, reputational, legal, conduct and ESG risks. Consideration should also be given
to credit risk, market risk, concentration risk and liquidity risk resulting from the reserve assets.

15 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational
resilience for the financial sector: Publications Office (europa.eu)

74. An issuer of ARTs’ risk management framework should include policies, procedures, risk limits
and risk controls ensuring adequate, timely and continuous identification, measurement or
assessment, monitoring, management, mitigation and reporting of the risks at the business
line, internal units, issuer and group level, where applicable.

75. An issuer of ARTs’ risk management framework should provide specific guidance on the
implementation of risk strategies. This guidance should, where appropriate, establish and
maintain internal limits consistent with the issuer’s risk tolerance, risk appetite and be
commensurate with its sound operation, operational resilience, financial strength, liquidity
needs and strategic goals. An issuer of ARTs’ risk profile should be kept within the established
limits. The risk management framework should ensure that, whenever breaches of risk limits
occur, there is a defined process to escalate and address them with an appropriate follow-up
procedure.

76. The risk management framework should be subject to independent internal review, e.g.,
performed by the internal audit function, and reassessed regularly against the issuer of ARTs’
risk tolerance and risk appetite.

77. Regular and transparent reporting mechanisms should be established so that the management
body and all relevant units in the issuer of ARTs are provided with reports in a timely, accurate,
concise, understandable and meaningful manner and can share relevant information about the
identification, measurement or assessment, monitoring and management of risks. The
reporting framework should be well defined and documented.

78. Effective communication and awareness regarding risks and the risk strategy is crucial for the
whole risk management process, including the review and decision-making processes, and
helps prevent decisions that may unknowingly increase risk levels. Effective risk reporting
involves sound internal consideration and the communication of the risk strategy and relevant
risk data both horizontally across the issuer of ARTs and up and down the management chain.

12. Operational risk management and operational resilience


79. An issuer of ARTs should have an adequate operational risk management framework and
operational resilience framework. This includes effective policies and processes to:

a. identify, assess, evaluate, monitor, report and mitigate operational risk on a timely
basis; and


b. identify and protect themselves from threats and potential failures, respond and adapt
to, as well as recover and learn from, disruptive events to minimise their impact on
delivering critical or important functions16.

80. An issuer of ARTs’ management body should, as part of the risk management framework,
approve strategies, policies and processes for the management of operational risk and
operational resilience, including the risk appetite for operational risk framework and the risk
tolerance for disruption of critical or important functions17. Those strategies, policies and
processes should be periodically reviewed and updated as appropriate.

81. The management body ensures that these policies and processes are implemented effectively,
fully integrated into the issuer of ARTs’ overall risk management framework, including the risk
in relation to the use of third-party entities, and effectively communicated to relevant staff.

82. An issuer of ARTs should clearly assign the responsibilities for the assessment and management
system for operational risk and operational resilience.

83. An issuer of ARTs should identify its exposures to operational risk, track relevant operational
risk data, including material loss data, and perform scenario-analysis.

84. An issuer of ARTs should identify its critical operations, consistently with its operational resilience
approach, and map the people, technology, processes, data, facilities, third-parties, including
intragroup entities, and the interconnections and interdependencies among them that are
necessary for the delivery of critical or important functions in a business-as-usual situation and
through disruption.

85. The operational risk and operational resilience management framework should be subject to
regular reviews performed by internal or external auditors that possess the knowledge
necessary to carry out such reviews. The operational risk management framework and the
operational resilience framework should be structured with sufficient and adequate human and
technical resources. The issuer of ARTs’ operational risk assessment system and operational
resilience framework should be fully integrated into the risk management framework of the
issuer.

86. A system of reporting to the management body that provides for adequate operational risk and
operational resilience reports from relevant functions within the issuer of ARTs should be
implemented. The issuer of ARTs should have in place procedures for taking appropriate actions
without delay, as relevant.

87. The issuer of ARTs should identify and assess the operational risk inherent to the issuer of ARTs’
activities, processes and systems to make sure the inherent risks are well understood.

16 BCBS Principles for Operational Resilience, March 2021, https://www.bis.org/bcbs/publ/d516.pdf
17 Tolerance for disruption is the level of disruption from any type of operational risk an issuer is willing to accept given
a range of severe but plausible scenarios.


88. Considering Title I on the application of the principle of proportionality, issuers of ARTs should
identify, analyse and measure a range of scenarios, including low probability and high severity
events, some of which could result in severe operational risk losses. Inputs to the scenario
analysis include relevant internal and external loss data, information from self-assessments,
expert opinion, the internal control framework, forward-looking metrics, root-cause analyses
and the process framework, as appropriate. The scenario analysis process should be used to
develop a range of consequences of potential events, including impact assessments for risk
management purposes, supplementing other tools based on historical data or current risk
assessments.

89. Considering Title I, issuers of ARTs may use qualitative risk assessment approaches, while
issuers of significant ARTs should have a more sophisticated approach, including, where
available, the use of internal and external loss data to inform the scenario analysis.

12.1 New product, system and process approval


90. The issuer of ARTs should have policies and procedures for the assessment and approval of new
products, processes, and systems, including on the new issuance of ARTs and related processes
and systems.

91. The approval process should consider all the risks, including legal and ICT risks, in the launch of
new products and in the implementation of new processes and systems, and include risks
related to people, processes, systems and external events.

92. The approval process should also consider effects on the delivery of critical or important
functions and on their interconnections and interdependencies as well as changes to the issuers
of ARTs’ operational risk profile, including changes to the risk related to existing products or
activities, the necessary internal controls, risk management processes, and risk mitigation.

93. The issuer of ARTs should ensure the assessment of the evolution of risks associated with new
products, systems and processes over time throughout the full life cycle of a product, activities
or services.

94. Issuers of ARTs should have a strong internal control system in accordance with Title V also
with regard to new products, processes and systems to ensure that the issuer of ARTs has
efficient and effective operations, safeguards its reserve of assets, produces reliable information
and complies with applicable laws and regulations.


12.2 ICT risk management


95. Issuers of ARTs should establish an ICT risk management framework in line with the
requirements defined under Regulation (EU) 2022/2554. In this regard, issuers of ARTs should
have in place an internal governance and control framework that ensures an effective and
prudent management of ICT risks in order to achieve a high level of digital operational
resilience.18

18 Please refer to Regulation (EU) 2022/2554, OJ L 333, 27.12.2022, p. 1–79

12.3 Arrangements with third-party entities for operating the
reserve of assets, for the investment of the reserve assets, the
custody of the reserve assets, or the distribution of the asset-
referenced tokens to the public

96. The management body of an issuer of ARTs that has arrangements in place with third-party
entities for operating the reserve of assets, for the investment of the reserve assets, the
custody of the reserve assets, or, where applicable, for the distribution of the asset-referenced
tokens to the public or plans on entering into such arrangements should approve, regularly
review and update a policy on the requirements for operational reliance of these third-party
entities and ensure their implementation at an individual and, as applicable, group-wide basis.

97. This policy should include the main phases of the life cycle of these third-party arrangements
and define the principles, responsibilities and processes in relation to the use of third parties. In
particular, the policy should cover at least:

a. the responsibilities of the management body including its involvement, as appropriate,
in the decision-making;

b. the involvement of business lines, internal control functions and other individuals in
respect of those arrangements;

c. the planning and structuring of third-party arrangements, including the definition of
business requirements regarding the use of third-parties;

d. risk identification, assessment and management in accordance with Section 11;

e. due diligence checks on prospective third-parties;

f. policies and procedures to identify, prevent, manage and disclose conflicts of interest,
in line with Article 32 of Regulation (EU) 2023/1114;

g. business continuity planning and exit strategies to ensure the issuer of ARTs’
operational resilience in the event of a failure or disruption at a third-party entity
impacting the provision of critical operations. The issuer of ARTs’ business continuity
and exit plans should assess the substitutability of the third-party entity that it uses for
critical operations, and other viable alternatives that may facilitate operational
resilience in the event of an outage at a third-party entity such as bringing the activity
back in-house;

h. the approval process of new arrangements;

i. the implementation, monitoring and management of those arrangements, including
the ongoing assessment of the third-party entities’ performance to ensure that the
relationship remains within the issuer of ARTs’ risk appetite and tolerance for
disruption of critical operations and core business lines;

j. the procedures for being notified and responding to changes to an arrangement by
third-party entities;

k. the independent review and audit of compliance with legal and regulatory
requirements and policies;

l. the renewal processes for arrangements with third-party entities;

m. the documentation and record-keeping; and

n. the exit strategies and termination processes, including a requirement for a
documented exit plan for each arrangement with a third-party entity, where such an
exit is considered possible, taking into account possible service interruptions or the
unexpected termination of an agreement.

98. Issuers of ARTs should assess the potential impact of arrangements with third-party entities on
their operational risk and operational resilience, in accordance with section 12, and should take
into account the assessment results when deciding if a function should be performed by a
third-party entity and should take appropriate steps to avoid undue additional operational risks
before entering into these arrangements.

99. Within the risk assessment, issuers of ARTs should also take into account the expected benefits
and costs of the proposed arrangement, including weighing any risks that may be reduced or
better managed against any risks that may arise as a result of the proposed arrangement, taking
into account at least the measures implemented by the issuer of ARTs and by the service
provider to manage and mitigate those risks.

100. When carrying out the risk assessment prior to the reliance on a third-party entity and during
ongoing monitoring of the third-party entity’s performance, issuers of ARTs should, at least:

a. identify and classify the relevant functions and related data and systems as regards
their sensitivity and criticality and required security measures;


b. conduct a thorough risk-based analysis of the functions and related data and systems
that are being considered for the arrangement and address the potential risks, in
particular the operational risks, including subcontracting, legal, ICT, compliance and
reputational risks, and the oversight limitations related to the countries where the
services are or may be provided;

c. consider the geographic dependencies and management of related risks. These risks
may relate to the economic, financial, political, legal and regulatory environment in the
jurisdiction(s) where the relevant service will be.

101. Before entering into an arrangement with a third-party and considering the risks, including
operational risks and counterparty risk, issuers of ARTs should ensure in their selection and
assessment process that the third-party entity is suitable.

102. Issuers of ARTs should ensure that the third-party entity has an adequate business
reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g.
human, IT, financial), the organisational structure and, if applicable, the required regulatory
authorisation(s) or registration(s) to perform the function in a reliable and professional manner
to meet its obligations over the duration of the draft contract.

103. Additional factors to be considered when conducting due diligence on a potential third-
party entity include, but are not limited to:

a. its business model, nature, scale, complexity, financial situation, ownership and group
structure;

b. the long-term relationships with the third-party entity that have already been assessed
and perform services for the issuer of ARTs;

c. the level of substitutability of the service and service provider including the ability to
exit the third-party arrangement and either transition to another service provider or
bring the critical service back in-house or the potential impact of such substitution on
the issuer of ARTs’ critical operations;

d. whether or not the third-party entity is supervised by competent authorities.

104. Issuers of ARTs should take appropriate steps to ensure that the third party acts in a manner
consistent with their values and code of conduct.

105. Issuers of ARTs should ensure at all times that the third party they use to distribute ARTs to
the public complies with the procedures ensuring the compliance with the obligations in
relation to the prevention of money laundering and terrorist financing under Directive (EU)
2015/849 and, where applicable, Regulation (EU) 2023/1113 on information accompanying
transfers of funds and certain crypto-assets. The third-party entity should in its internal control
systems ensure a continuous compliance with the obligations in relation to the prevention of
money laundering and terrorist financing under Directive (EU) 2015/849 and, where applicable,
Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-
assets.

13. Internal control functions


106. The internal control functions should include an effective and permanent internal
compliance function, and where appropriate and proportionate, taking into account the criteria
listed in Title I, a risk management function and an internal audit function. Where issuers of
ARTs do not establish and maintain a risk management function and an internal audit function,
they should be able to demonstrate upon request that the policies and procedures adopted
and implemented for an internal control framework effectively achieve the same outcome as
the guidelines provided in this Title V.

107. Issuers of significant ARTs are encouraged to establish internal risk management and
internal audit functions. Where the issuer of ARTs does not establish an internal risk
management function (RMF) or internal audit function (IAF), the responsibilities of these
functions as set out in these guidelines are with the management body, which may delegate the
operational tasks internally or externally to a third-party provider, e.g. in the form of an outsourcing
arrangement19.

13.1 Heads of the internal control functions


108. Heads of internal control functions should be established at an adequate hierarchical level
that provides the head of the control function with the appropriate authority and stature
needed to fulfil his or her responsibilities. The head of compliance and, where established, the
heads of the risk management and internal audit functions should report and be directly
accountable to the management body, and their performance should be reviewed by the
management body.

109. Where necessary, the heads of internal control functions should be able to have access and
report directly to the management body in its supervisory function to raise concerns and warn
the supervisory function, where appropriate, when specific developments affect or may affect
the issuer of ARTs. This should not prevent the heads of internal control functions from
reporting within the regular reporting lines as well.

110. Issuers of ARTs should have documented processes in place to assign the position of the
head of an internal control function and for withdrawing his or her responsibilities. In any case,
the heads of internal control functions should not be removed without the prior approval of
the management body in its supervisory function where it is established.

19 The outsourcing of operational tasks of compliance may still be possible.

13.2 Independence of internal control functions

111. In order for the internal control functions to be regarded as operating independently, the
following conditions should be met:

a. their staff do not perform any operational tasks that fall within the scope of the
activities the internal control functions are intended to monitor and control unless it
is demonstrated that, in view of the criteria listed in Title I for the application of the
proportionality principle, the internal control functions continue to be effective. In that
case, issuers of ARTs should assess whether the effectiveness of their internal control
functions is compromised;

b. where appropriate, they are organisationally separate from the activities they are
assigned to monitor and control;

c. the remuneration of the internal control functions’ staff should not be linked to the
performance of the activities the internal control function monitors and controls and
should not otherwise be likely to compromise the staff members’ objectivity20.

13.3 Resources of internal control functions


112. Internal control functions should have sufficient resources. Taking into account the
application of the proportionality principle as set out in Title I, they should have an adequate
number of qualified staff with adequate skills, knowledge and experience. Staff should remain
qualified on an ongoing basis and should receive training as necessary.

113. Internal control functions should have appropriate ICT systems and support at their
disposal, with access to the internal and external information necessary to meet their
responsibilities. They should have access to all necessary information regarding all business
lines and relevant risk-bearing subsidiaries, in particular those that can potentially generate
material risks for the issuer of ARTs.

14. Risk management function


114. Where established, the risk management function (RMF) should cover the whole issuer of
ARTs. The RMF should have sufficient authority, stature and resources, taking into account the
proportionality criteria listed in Title I, to implement risk policies and the risk management
framework as set out in Section 11.

115. The RMF should have, where necessary, direct access to the management body in its
supervisory function, where established.

20 See also the EBA guidelines on sound remuneration policies, available at
https://www.eba.europa.eu/regulation-and-policy/remuneration/guidelines-on-sound-remuneration-policies.


116. The RMF should have access to all business lines and other internal units that have the
potential to generate risk.

117. Staff within the RMF should possess sufficient knowledge, skills and experience in relation
to risk management techniques and procedures, and markets and products, and should have
access to regular training.

118. Where established, the RMF should be a central organisational feature of the issuer of
ARTs, structured so that it can implement risk policies and control the risk management
framework. The RMF should play a key role in ensuring that the issuer of ARTs has effective risk
management processes in place. The RMF should be actively involved in all material risk
management decisions. Where applicable, in a group, the RMF in the Union parent undertaking
should be able to deliver a group-wide holistic view on all risks and to ensure that the risk
strategy is complied with.

119. The RMF should provide relevant independent information, analyses and expert judgement
on risk exposures, and advice on proposals and risk decisions made by business lines or internal
units, and should inform the management body as to whether such information and advice is
consistent with the issuer of ARTs’ risk profile. The RMF may recommend improvements to the
risk management framework and corrective measures to remedy breaches of risk policies,
procedures and limits.

14.1 RMF’s role in risk strategy and decisions


120. The RMF’s involvement in decision-making processes should ensure that risk
considerations are taken into account appropriately. However, accountability for the decisions
taken should remain with the business and internal units, and ultimately the management
body.

14.2 RMF’s role in material changes


121. Before decisions on material changes to products, processes or systems or on exceptional
transactions are taken, the RMF should be involved in the evaluation of the impact of such
changes on the issuer of ARTs and should report its findings directly to the management body
before a decision is taken.

122. The RMF should evaluate how the risks identified could affect the issuer of ARTs’ ability to
manage its risk profile and the risks linked to the reserve of assets.


14.3 RMF’s role in identifying, measuring, assessing, managing,
mitigating, monitoring and reporting on risks

123. The RMF should ensure an appropriate implementation of the risk management framework
and that all risks are identified, assessed, measured, monitored, managed and properly
reported on by the relevant units of the issuer of ARTs.

124. The RMF should ensure that identification and assessment are not based only on
quantitative information or model outputs, but also take into account qualitative approaches.
The RMF should keep the management body informed of the assumptions used in, and the
potential shortcomings of, the risk quantification tools and methods, including models and
analysis.

125. The RMF should ensure that transactions with related parties are reviewed and that the
risks they pose for the issuer of ARTs are identified and adequately assessed.

126. The RMF should ensure that all identified risks are effectively monitored by the business or
internal units.

127. The RMF should regularly monitor the actual risk profile of the issuer of ARTs and scrutinise
it against the strategic goals and risk appetite and report the results to enable decision-making
by the management body in its management function and challenges by the management body
in its supervisory function.

128. The RMF should analyse trends and recognise new or emerging risks and increases in risk
arising from changing circumstances and conditions. It should also regularly review actual risk
outcomes against previous estimates (i.e. back testing) to assess and improve the accuracy and
effectiveness of the risk assessment methods and risk management process.

129. The RMF should evaluate possible ways to mitigate identified risks. Risk reporting to the
management body should include proposals for appropriate risk-mitigating actions.

14.4 RMF’s role in risk appetite and limits


130. The RMF should independently assess breaches of risk appetite or limits. The RMF should
inform the business or internal units concerned and the management body and recommend
possible remedies. The RMF should report directly to the management body in its supervisory
function when the breach is material, without prejudice for the RMF to report to other internal
functions.

131. The RMF should play a key role in ensuring that a decision on its recommendation is made
at the relevant level, complied with by the relevant business units and appropriately reported
to the management body and, where established, the risk committee.


14.5 Head of the risk management function


132. Where established, the head of the RMF should be responsible for providing
comprehensive and understandable information on risks and advising the management body,
enabling this body to understand the issuer of ARTs’ overall risk profile. Where no independent
function has been established, the responsibilities of the head of the risk management function
lie with the staff to whom the risk management procedures are entrusted or the members of
the management body directly.

133. The head of the RMF should have sufficient expertise, independence and seniority to
challenge decisions that affect an issuer of ARTs’ exposure to risks. Where the head of the RMF
is not a member of the management body, taking into account the principle of proportionality
as set out in Title I, issuers of ARTs should appoint an independent head of the RMF who has no
responsibilities for other functions and reports directly to the management body. Where it is
not proportionate to appoint a person who is dedicated only to the role of head of the RMF,
taking into account the principle of proportionality as set out in Title I, this function can be
combined with the head of the compliance function or can be performed by another senior
person, provided there is no conflict of interest between the tasks performed. In any case, this
person should have sufficient authority, stature and independence (e.g. head of legal).

134. The head of the RMF should be able to challenge decisions taken by the issuer’s
management and its management body, and the grounds for objections should be formally
documented. If an issuer of ARTs wishes to grant the head of the RMF the right to veto decisions
(e.g., a credit or investment decision or the setting of a limit) made at levels below the
management body, it should specify the scope of such a veto right, the escalation or appeal
procedures, and how the management body will be involved.

135. Issuers of ARTs should establish strengthened processes for the approval of decisions on
which the head of the RMF has expressed a negative view. In its supervisory function, the
management body should be able to communicate directly with the head of the RMF on key
risk issues, including developments that may be inconsistent with the issuer of ARTs’ risk
strategy and risk appetite and the head of the RMF should be able to directly report material
concerns to the management body in its management function.

15. Compliance function


136. Issuers of ARTs should establish a permanent and effective compliance function to manage
compliance risk and should appoint a person to be responsible for this function across all the
activities of the entity (the compliance officer).

137. The role of compliance officer, taking into account the principle of proportionality as set
out in Title I, can be combined with the head of the RMF or, where it is not proportionate to
appoint a person who is dedicated only to this function, can be performed by another senior
person (e.g. head of legal), provided there is no conflict of interest between the tasks
performed.

138. Staff within the compliance function should possess sufficient knowledge, skills and
experience in relation to compliance and relevant procedures and should have access to regular
training.

139. The management body in its supervisory function should oversee the implementation of a
well-documented compliance policy, which should be communicated to all staff. Issuers of ARTs
should set up a process to regularly assess changes in the law and regulations applicable to its
activities.

140. The compliance function should advise the management body on measures to be taken to
ensure compliance with applicable laws, rules, regulations and standards, and should assess
the possible impact of any changes in the legal or regulatory environment on the issuer of ARTs’
activities and compliance framework.

141. The compliance function should ensure that compliance monitoring is carried out through
a structured and well-defined compliance monitoring programme and that the compliance
policy is observed. The compliance function should report to the management body and
communicate as appropriate with the RMF on the issuer of ARTs’ compliance risk and its
management. The compliance function and the RMF should cooperate and exchange
information as appropriate to perform their respective tasks. The findings of the compliance
function should be taken into account by the management body and the RMF in decision-
making processes.

142. Issuers of ARTs should take appropriate action against internal or external behaviour that
could facilitate or enable fraud or financial crime and breaches of discipline (e.g. breaches of
internal procedures or breaches of limits).

16. Internal audit function


143. Where established, the internal audit function (IAF) should be independent and have
sufficient authority, stature and resources. In particular, issuers of ARTs should ensure that the
qualification of the IAF’s staff members and the IAF’s resources, in particular its auditing tools
and risk analysis methods, are adequate for the issuer of ARTs’ size and locations, and the
nature, scale and complexity of the risks associated with the issuer of ARTs’ business model,
activities, risk culture and risk appetite.

144. The IAF should be independent of the audited activities. Therefore, the IAF should not be
combined with other functions.

145. The IAF should, following a risk-based approach, independently review and provide
objective assurance of the compliance of all activities and units of an issuer of ARTs, including
the use of third-party entities, with the issuer of ARTs’ policies and procedures and with
external regulatory requirements.

146. The IAF should not be involved in designing, selecting, establishing or implementing specific
internal control policies, mechanisms, procedures or risk limits. However, this should not
prevent the management body in its management function from requesting input from internal
audit on matters relating to risk, internal controls and compliance with applicable rules.

147. The IAF should assess whether the issuer of ARTs’ internal control framework as set out in
Title V is both effective and efficient. In particular, the IAF should assess:

a. the appropriateness of the issuer of ARTs’ governance framework;

b. whether existing policies and procedures remain adequate and comply with legal and
regulatory requirements and with the risk strategy and risk appetite of the issuer of
ARTs;

c. the compliance of the procedures with the applicable laws and regulations and with
decisions of the management body;

d. whether the procedures are correctly and effectively implemented (e.g. compliance of
transactions, the level of risk effectively incurred, etc.); and

e. the adequacy, quality and effectiveness of the controls carried out and the reporting
conducted by the business units (first line of defence) and the risk management and
compliance functions.

148. The IAF should verify, in particular, the integrity of the processes ensuring the reliability of
the issuer of ARTs’ methods and techniques for risk quantification, including models. It should
also evaluate the quality and use of qualitative risk identification and assessment tools and the
risk mitigation measures taken.

149. The IAF should review the adequacy of the processes for the development of white
papers, their approval and the processes by which ARTs are offered to the public.

150. The IAF should have unfettered issuer-wide access to all the records, documents,
information and buildings of the issuer of ARTs. This should include access to management
information systems and minutes of all committees and decision-making bodies.

151. The IAF should adhere to national and international professional standards. An example of
the professional standards referred to here is the standards established by the Institute of
Internal Auditors.

152. Internal audit work should be performed regularly in accordance with an audit plan and a
detailed audit programme following a risk-based approach.


153. An internal audit plan should be drawn up at least once a year on the basis of the annual
internal audit control objectives. The internal audit plan should be approved by the
management body.

154. All audit recommendations should be subject to a formal follow-up procedure by the
appropriate levels of management, communicated to the management body of the issuer of
ARTs and made available to the competent authority to ensure and report on their effective
and timely resolution.

Title VI – Business continuity management


155. Without prejudice to the applicable requirements under DORA, issuers of ARTs should
establish, as part of the implementation of their business continuity policy and plans
established in accordance with Article 34 (9) of Regulation (EU) 2023/1114, sound business
continuity management and response and recovery plans to ensure their ability to operate on
an ongoing basis, to manage incidents that could disrupt the delivery of critical operations in
line with the issuer of ARTs’ risk appetite and tolerance for disruption, and to limit losses and
disruption to service provision in the event of severe business disruption. Issuers of ARTs may
establish a specific independent business continuity function taking into account the
proportionality criteria listed in Title I.

156. An issuer of ARTs relies on several critical resources (e.g. IT systems, including cloud
services, communication systems, core staff and buildings). The purpose of business continuity
management is to reduce the operational, financial, legal, reputational and other material
consequences arising from a disaster or extended interruption to these resources and
consequent disruption to the issuer of ARTs’ ordinary business procedures. Other risk
management measures might be intended to reduce the probability of such incidents or to
transfer their financial impact to third-parties (e.g. through insurance).

157. In order to establish a sound business continuity management plan, an issuer of ARTs
should carefully analyse risk factors for, and its exposure to, severe business disruptions and
assess (quantitatively and qualitatively) their potential impact, using internal and/or external
data and scenario analysis. This analysis should test the issuer of ARTs’ ability to deliver critical
operations through disruption and should cover all business lines and internal units, including
the RMF or risk management procedures, and should take into account their interdependency.
The results of the analysis should contribute to defining the issuer of ARTs’ recovery priorities
and objectives.

158. On the basis of the abovementioned analysis, an issuer of ARTs should put in place:

a. contingency and business continuity plans to ensure that the issuer of ARTs reacts
appropriately to emergencies and is able to deliver critical operations and maintain
essential data if there is disruption to its ordinary business procedures;


b. recovery plans for critical resources and critical or important functions21 to recover
from disruption and enable the issuer of ARTs to return to ordinary business
procedures in an appropriate timeframe. Any residual risk from potential business
disruptions should be consistent with the issuer of ARTs’ risk appetite;

c. for other activities, or where the continuity of critical essential functions is impossible
to ensure, issuers of ARTs should have in place procedures for the timely recovery of
data and functions and the timely resumption of their activities.

159. Contingency, business continuity and recovery plans should be documented and carefully
implemented. The documentation should be available within the business lines, internal units
and RMF for staff in charge of risk management procedures and should be stored on systems
that are physically separated and readily accessible in case of contingency. Appropriate training
should be provided. Plans should be regularly tested and updated. Any challenges or failures
occurring in the tests should be documented and analysed, with the plans reviewed
accordingly.

Title VII – Transparency


160. Strategies, policies and procedures should be communicated to all relevant staff
throughout the issuer of ARTs. Staff should understand and adhere to policies and procedures
pertaining to their duties and responsibilities.

161. Accordingly, the management body should inform and update the relevant staff about the
issuer of ARTs’ strategies and policies in a clear and consistent way, at least to the level needed
to carry out their particular duties. This may be done through written guidelines, manuals or
other means.


5. Accompanying documents

5.1 Draft cost-benefit analysis / impact assessment


Article 16(2) of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24
November 2010 establishing a European Supervisory Authority (European Banking Authority) (EBA
Regulation)22 provides that the EBA should carry out an analysis of ‘the potential related costs and
benefits’ of any guidelines it develops. This analysis presents the impact assessment (IA) of the
main policy options included in the Guidelines on the minimum content of the governance
arrangements for issuers of asset-referenced tokens under MiCAR.

Regulation (EU) No 2023/1114 sets out a new legal framework for issuers of ARTs, laying down
governance arrangement requirements. Namely, issuers of ARTs should have robust governance
arrangements, including a clear organisational structure with well-defined, transparent and
consistent lines of responsibility and effective processes to identify, manage, monitor and report
the risks to which they are or might be exposed.

A. Problem identification
Regulation (EU) No 2023/1114 sets out governance arrangement requirements to be implemented
by issuers of ARTs. While crypto assets can bring opportunities in terms of innovative digital
services, their interconnectedness with the traditional financial system is also increasing, posing
risks to crypto-asset activities, financial institutions, consumers, investors and to financial
stability. Trust in the reliability of the financial system is crucial for its proper functioning and a
prerequisite if it is to contribute to the economy as a whole.

Against this background, effective internal governance arrangements are fundamental if entities
individually and the financial system they form are to operate well. To ensure a level playing
field across the Union and cross-sectoral consistency within the financial sector, there is a clear
need to address any gaps that may exist regarding the implementation of sound internal
governance arrangements by issuers of ARTs.

B. Policy objectives
The Guidelines aim to further specify the governance arrangements for issuers of ARTs, tailored
to their business model and taking into account the application of the principle of proportionality,
with the aim of fostering harmonisation and ensuring a level playing field across the EU and sound
and prudent management of the supervised entities concerned.

22 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010R1093


When issuing these guidelines, EBA shall take into account the provisions on governance
requirements in other Union legislative acts on financial services, including Directive 2014/65/EU.

C. Baseline scenario
In a baseline scenario, there would be no harmonisation of the governance arrangements to be
implemented by issuers of ARTs that are not authorised as credit institutions. Credit institutions
that intend to issue or issue ARTs are already subject to stricter governance requirements under
Directive 2013/36/EU. The uneven playing field between issuers of ARTs would ultimately result in
diverging approaches.

The costs and benefits of the underlying Regulation are not assessed within this impact assessment.

D. Options considered, Cost-Benefit Analysis, Preferred options


Section D presents the main policy options discussed and the decisions made during the drafting of
the Guidelines. Advantages and disadvantages of the policy options and the preferred options
resulting from this analysis are assessed below.

Policy issue 1: Distinguishing between the different types of issuers (issuers that are credit
institutions and the other legal entities that are not authorised as credit institutions)

The EBA considered two policy options as to the development of the mandate conferred by
Regulation (EU) No 2023/1114.

Option 1: Not distinguishing between different types of issuers (credit institutions and other legal
persons that are not credit institutions);

Option 2: Distinguishing between different types of issuers (credit institutions and other legal
persons that are not credit institutions).

Option 1 envisages applying the same guidelines to all the entities, whether they are credit
institutions or not, but does not take into account that credit institutions are already subject to
stricter requirements under Directive 2013/36/EU and therefore already have the governance
arrangements in place, even if these arrangements should also be adapted to the issuance of ARTs.
Option 2 has the advantage of taking into account this distinction between entities. For the entities
other than credit institutions, the guidelines further specify the requirements to put in place in
order to harmonise the practices and create a level playing field.

In the light of the above, Option 2 achieves the pursued goal of efficient rulemaking and avoids
an uneven playing field. At the same time, this approach appropriately reflects the differences
between the different types of issuers. In addition, Option 2 allows a more orderly drafting of
these Guidelines, with benefits in terms of legal clarity, and ensures consistency between
different types of regulatory products.


Option 2 has therefore been chosen as the preferred option.

Policy issue 2: Consistency with the existing cross-sectoral regulation (IFD and MiFID)

Cross-sectoral harmonisation and the achievement of the highest consistency with MiFID, as
referred to in the mandate under Article 34(13) of MiCAR, and with IFD is a policy objective of
these guidelines. For this purpose, two policy options have been considered.

Option 1: develop the Guidelines via cross-references to the EBA Guidelines for investment firms
under IFD and the MiFID framework;

Option 2: develop the Guidelines by taking into account the EBA Guidelines for investment firms
under IFD and the MiFID framework and tailoring them to the specificities of issuers of ARTs.

Both Options 1 and 2 ensure consistency with the investment firm framework. Option 1 has the
advantage of the highest alignment with the investment firm framework, which is already known
by the market operators and by the CAs. As the overlap between investment firms and issuers of
ARTs is not expected to be large, this advantage is not particularly prominent. Option 2, on the
other hand, has the advantage of having a full set of guidance in one document while taking into
account crypto-asset activities and in particular the issuance of ARTs.

Option 2 has been chosen as the preferred option.

Policy issue 3: Guidelines on operational risk and operational resilience, the use of third-party
entities and business continuity plans;

Option 1: develop specific set of Guidelines tailored to issuers of ARTs;

Option 2: develop specific Guidelines by taking into account the requirements in other regulatory
frameworks, in particular CRD for operational risk, DORA for digital operational resilience, Basel
for operational resilience, and DORA and the EBA’s guidelines on outsourcing for business
continuity plans, to ensure cross-sectoral consistency.

Regulation (EU) 2023/1114 contains requirements to further specify the minimum content on the
monitoring tools regarding operational risk; the internal control mechanism for risk management,
including with regard to the reliance on third-party entities for operating the reserve of assets, and
for the investment of the reserve assets, the custody of the reserve assets and, where applicable,
the distribution of the asset-referenced tokens to the public; and the business continuity policy and
plans.

While the Guidelines provided follow in general the approach taken by the CRD to ensure a level
playing field regarding operational risk management, additional guidelines have been provided
regarding operational resilience in line with Basel standards on operational resilience and with the
use of third-party entities. A specific framework has also been defined regarding digital operational
resilience and ICT business continuity plans under DORA by inserting cross references to DORA,
since issuers of ARTs are within the scope of application.

While Option 1 would ensure taking into account the specificities of the business of issuers of ARTs,
Option 2 has the advantage of both ensuring cross sectoral consistency while taking into account
crypto asset activities specificities.

Option 2 has been chosen as the preferred option.

Policy issue 4: Additional guidelines on internal control framework and the three lines of defense;

Option 1: requiring issuers of ARTs to set up three independent functions (compliance, risk
management and internal audit functions)

Option 2: establishing a more proportionate approach, also to be consistent with the MiFID
framework: issuers of ARTs should set up a permanent and effective compliance function; are not
required to set up an internal risk management function, where justified, but should implement
policies and processes to achieve the same objectives; should have a sound and effective internal
control framework.

Option 1 is more conservative but does not lead to greater sectoral consistencies and is not
proportionate. It would cause additional costs to establish a sound internal control framework and
to ensure the independence of the internal control functions.

Option 2 on the other hand would create consistency between the MiFID and IFD frameworks. By
implementing policies and processes to achieve the same objectives, issuers of ARTs would still
benefit from an effective framework, which would lead to a better alignment of the risk profile with
risk appetite as set by the management body.

Therefore Option 2 was retained.

Policy issue 5: Guidelines on third party risk management including outsourcing;

Option 1: provide no further guidance.

Option 2: develop specific guidelines as part of sound governance arrangements by taking into
account the requirements in other regulatory frameworks (MiFID in particular).

Option 1 allows ART issuers to develop their own internal frameworks on third party risk
management and outsourcing. At the same time, this approach may create inconsistencies, as
regulatory requirements have already been developed for credit institutions that potentially issue
ARTs. In addition, Article 73 of MiCAR provides specific requirements on outsourcing activities or
services only for CASPs.

Option 2 bridges the gap and ensures regulatory consistency on third party risk management and
outsourcing as part of sound governance arrangements. In particular, financial sector regulations
e.g. MiFID, CRD and IFD define such requirements for the use of outsourcing and third party risk
management. Thus, Option 2 secures a level playing field among the different financial institution
types which potentially issue ARTs.

Therefore, Option 2 has been chosen as the preferred option.

E. Cost-benefit analysis
Overall, the guidelines are assessed to bring more benefits than costs to the main stakeholders (see
Table 1). The guidelines are proportionate and tailored to the issuers of ARTs’ business model and
take into account that some of the issuers may be authorised as credit institutions and are therefore
already subject to strict requirements on governance arrangements.

Table 1. Costs and benefits of the guidelines

Stakeholders: ART issuers that are not authorised as credit institutions
Costs: Cost of compliance, due to the need to fulfil the requirements if not previously applied
Benefits: Clarity of requirements, leading to better and sounder management of the issuer of
ARTs, as well as harmonisation within the EU and consistency across sectors. The guidelines are
proportionate to the issuers of ARTs’ business model, ensuring that the specifics of their
business are taken into account.

Stakeholders: Clients of ART issuers
Costs: None
Benefits: Increased confidence in the issuers of ARTs and the financial system


5.2 Feedback on the public consultation


Summary of key issues and the EBA’s response

The EBA published its consultation paper on 20 October 2023 and received 8 responses overall; 7
of them were published, while the other was submitted on a confidential basis. The
consultation concerned the whole draft guidelines on the minimum content of the governance
arrangements for issuers of asset-referenced tokens.

The main comments received challenged the nature of the guidelines, which – according to some
respondents – should be more prescriptive or compulsory in some cases. One respondent suggests
that the guidelines should rely primarily on the significance of ARTs instead of factoring all the
criteria.

In addition, some respondents suggest that the criteria on the principle of proportionality should
be more flexible and, in some cases, the Guidelines should include more clarification or concrete
examples on how to apply those criteria.

Finally, some respondents require more clarification on the risk management functions. In
particular, there were some comments regarding the framework of dedicated control functions
and the applicable outsourcing regime of control functions.

A detailed analysis of the comments received is included in the feedback table below.

FINAL REPORT ON EBA GUIDELINES ON INTERNAL GOVERNANCE FOR ISSUERS OF ARTS

Summary of responses to the consultation and the EBA’s analysis

Table columns: Comments; Summary of responses received; EBA analysis; Amendments to the proposals

General comments

Comments: Proportionality: Documentation requirements
Summary of responses received: One respondent suggests that the principle of proportionality
should be applied to the documentation requirements.
EBA analysis: Title I (par.14) already clarifies that all provisions within the guidelines are
subject to the principle of proportionality, meaning that they are to be applied in a manner that
is appropriate, taking into account in particular the issuer of ARTs’ internal organisation and
nature, the volume of ARTs that will be offered to the public or admitted to trading, and the
complexity of its activities.
Amendments to the proposals: No change

Comments: Comply or explain procedure
Summary of responses received: One respondent suggests that potential consequences should be
clarified if CAs declare themselves as non-compliant with the proposed framework.
EBA analysis: The consequences are specified in Article 16 of the EBA Founding Regulation.
Within 2 months of the issuance of guidelines, each competent authority shall confirm whether it
complies or intends to comply with that guideline. In the event that a competent authority does
not comply or does not intend to comply, it shall inform EBA, stating its reasons. EBA shall
publish the fact that a competent authority does not comply with that guideline and may also
decide, on a case-by-case basis, to publish the reasons provided by the competent authority for
not complying with that guideline. In any case, competent authorities (and financial institutions)
shall make every effort to comply with the guidelines.
Amendments to the proposals: No change


Responses to questions in Consultation Paper EBA/CP/2023/23

Q1. Is the background section providing the needed context with regard to the mandate to
issue GL on internal Governance under MiCAR?

Comments: General comments
Summary of responses received: One respondent suggests that the “Background and rationale”
section should be considered as context only and not as an invitation for CAs or controlling
bodies to impose stricter rules than those in MiCAR.
EBA analysis: “Background and rationale” provides the general explanation and context for the
issuance of the Guidelines, they do not themselves form part of the Guidelines that will be
implemented by CAs.
Amendments to the proposals: No change

Comments: 3. Background and rationale, Para. 4, ESG Risk factors
Summary of responses received: One respondent suggests that guidelines should not go beyond
the requirements for identification and disclosures of climate related adverse impacts set out in
MiCA. In particular, MiCA does not outline a disclosure requirement for the “measures taken to
reduce the impact caused” on the climate and other environmental aspects by the consensus
mechanism used for the validation of transactions. In this context, the respondent suggests the
following rewording of para. 4:
“In the same way, issuers of ARTs should take into account environmental, social and governance
(ESG) risk factors within their risk management framework. The consensus mechanisms used for the
validation of transactions in crypto-assets have, due to their energy consumption, potentially
material adverse impacts on the climate and other environment aspects. In this regard, it should be
ensured that any material adverse impact that they might have on the climate, and any other
material environment-related adverse impact, are adequately identified and disclosed by issuers of
ARTs, together with any relevant information on measures taken to reduce the impact caused, if
available.”
EBA analysis: Article 19(1)(h) of MiCA introduces disclosure requirements related to principal
adverse impacts on the climate and other environment-related adverse impacts of the consensus
mechanism used to issue asset referenced tokens, as part of the white papers. Article 19(11)
requires ESMA, in cooperation with EBA, to develop draft regulatory technical standards on the
content, methodologies and presentation of information referred to in respect of the
sustainability indicators in relation to adverse impacts on the climate and other
environment‐related adverse impacts. The guidelines have been clarified.
Amendments to the proposals: Guidelines amended

Q2. Is the subject matter, scope, and definitions section appropriate and sufficiently clear?

Comments: General comment
Summary of responses received: One respondent suggests that the definition of commonly
understood concepts of the financial industry (e.g., compliance, risk management…) should be
either redefined or refer to already existing definitions.
EBA analysis: Risk management is already referred to in MiCAR. Guidelines specify in detail the
risk management framework and internal control functions (including the compliance function).
Those concepts are deemed sufficiently clear and it is beyond the scope of the guidelines to
define commonly used concepts.
Amendments to the proposals: No change

Comments: Definition of operational resilience
Summary of responses received: One respondent suggests that more clarity on the definition of
operational resilience is needed.
EBA analysis: The definition is based on the 2022 Basel Committee on Banking Supervision's
Principles for operational resilience and the Principles for the sound management of operational
risk.
Amendments to the proposals: No change

Q3. Is the Title on proportionality appropriate and sufficiently clear?

Comments: Para. 15; Proportionality
Summary of responses received: One respondent suggests that the principle of proportionality should be turned into an obligation to avoid over-regulation and overly strict requirements. Similarly, the same respondent suggests that the elements to consider when establishing the level of proportionality must always be taken into consideration to avoid discrepancies between the various regulators.
EBA analysis: The principle of proportionality is a general principle of law and also referred to in MiCAR that also applies to the EBA Guidelines. It entails that all provisions are applied in a proportionate way.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that the guidelines should rely primarily on the significance of ARTs (i.e., significant or non-significant) instead of factoring all the criteria listed in Title I to avoid downward biased evaluation.
EBA analysis: The governance arrangements should be appropriate and proportionate to the nature, scale and complexity of the risks inherent in the business model and the activities of the issuer of ARTs. This section further specifies how to take into account criteria for the application of the proportionality principle. This is not an exhaustive list, and an issuer of ARTs may also consider a combination of these criteria. When applying these criteria, issuers of ARTs should also be able to demonstrate to their CA that they are relevant to their businesses. The criteria listed further specify the principle of proportionality, are non-exhaustive and fully relevant to issuers of ARTs.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that a de minimis threshold should be included for small issuers of ARTs. This would encourage/incentivise innovation without increasing risks or reducing consumer protection or financial stability.
EBA analysis: The criteria listed further specify the principle of proportionality, are non-exhaustive and fully relevant to issuers of ARTs.
Amendments to the proposals: No change


Summary of responses received: One respondent suggests a more flexible approach of the proportionality criteria. In particular, paragraph 15 (j) provides for the issuers of ARTs to take into account whether cross borders activities are provided and the size of the operations in each jurisdiction. It may be challenging for issuers of ARTs to determine the size of operations in each jurisdiction once the crypto asset enters a secondary market. In this context, the following amendment of para. 15 is proposed: “For the purpose of applying the principle of proportionality and to ensure the appropriate implementation of the governance requirements of Regulation (EU) 2023/1114 as further specified by these Guidelines, issuers of ARTs and competent authorities should take into account the following criteria: j. whether cross borders activities are provided and the size of the operations in each jurisdiction, provided that this is operationally feasible to estimate”
EBA analysis: White paper for asset-referenced tokens must contain information about the offer to the public of the asset-referenced token or its admission to trading. Therefore, the issuer of ARTs should already be aware of those jurisdictions where it provides activities.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that para. 15 (l) (i.e. the volume of reserve assets) should be expanded to include the quality of such assets.
EBA analysis: The comment has been accommodated.
Amendments to the proposals: Guidelines amended

Summary of responses received: One respondent suggests that a new proportionality criterion should be introduced to determine whether the ART refers to direct ownership of an asset, e.g. a physical asset (such as gold), or whether it secures a financial claim against the issuer of the token.
EBA analysis: The comment has been accommodated.
Amendments to the proposals: Guidelines amended


Summary of responses received: One respondent suggests that concrete examples or criteria should be included for applying proportionality in diverse scenarios.
EBA analysis: The criteria listed further specify the principle of proportionality, but cannot provide specific examples for its application in diverse scenarios.
Amendments to the proposals: No change

Comments: Para. 16; Composition of the ART issuer management body by a single natural person
Summary of responses received: One respondent suggests that further clarification would be needed with regard to this reference, as Article 34 of MiCAR seems to prefigure a collegial management body.
EBA analysis: Pursuant to Article 16 of MiCAR, issuers of ART could be either any legal person or other undertaking that is established in the Union and has been authorised in accordance with Article 21, or a credit institution that complies with Article 17. In this respect, MiCAR does not predefine the composition of the management body of the legal person or undertaking, which would be specified by the applicable national company law.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that a de minimis threshold should be introduced (including a combination of quantitative and qualitative criteria merits) in connection with the requirements applicable to management bodies of issuers of ARTs composed of a single natural person.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements in Directive 2014/65/EU and the Guidelines on internal governance (EBA/GL/2021/14) to ensure a level playing field. In addition, para. 16 refers to “single natural person” in single managed firm.
Amendments to the proposals: No change

Q4. Are the provisions in Title II regarding the management body appropriate and sufficiently clear?

Comments: Para. 24
Summary of responses received: One respondent suggests that the principle of proportionality should not be reinforced in such a way that it could be used to interpret that this paragraph is mandatory (which it is not, by its nature).
EBA analysis: The Guidelines do not impose mandatory requirements which are not in MiCA, but rather they specify those requirements and their application.
Amendments to the proposals: No change

Comments: Para. 31; Supervisory function of the management body
Summary of responses received: One respondent seeks clarification as to whether the supervisory function of the management body includes the possible existence of a separate supervisory body. This is particularly relevant for companies which adhere to a two-tier system where the management body and supervisory board are separated.
EBA analysis: Guidelines specify that they are intended to apply to all existing board structures without interfering with the general allocation of competences in accordance with national company law or advocating any particular structure. Accordingly, they should be applied irrespective of the board structure used (unitary or dual board structure or another structure) and across Member States. The guidelines further specify that the terms ‘management body in its management function’ and ‘management body in its supervisory function’ are used throughout these guidelines without referring to any specific governance structure, and references to the management (executive) or supervisory (non-executive) function should be understood as applying to the bodies or members of the management body responsible for that function in accordance with national law. When implementing these guidelines, competent authorities should take into account national company law and specify, where necessary, to which body or members of the management body these functions are allocated.
Amendments to the proposals: No change

Comments: Independent members of the management body
Summary of responses received: One respondent suggests that a minimum number of independent members of the management body should be introduced, especially for large ART issuers.
EBA analysis: MiCAR does not impose such a requirement but requires that the Management body must be suitable. For issuers, such a requirement would not be in line with the principle of proportionality as issuers are not expected to have the same size and complexity of credit institutions. Therefore, the guidelines do not impose a minimum number of independent directors.
Amendments to the proposals: No change

Q5. Are the provisions in Title III regarding the governance framework appropriate and sufficiently clear?

Comments: Para. 38
Summary of responses received: One respondent suggests that paragraph 38 should be more prescriptive about the complexity of the organization and should prohibit over-complexity in view of the contextual elements of the issuers of ARTs.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034 to ensure a level playing field.
Amendments to the proposals: No change

Comments: Para. 40
Summary of responses received: One respondent suggests that the type of decisions subject to this requirement should be specified to avoid unjustly affecting the management body's right to manage the company.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034 to ensure a level playing field.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that the documentation of decision making should be an obligation, not an option.
EBA analysis: This paragraph is not drafted as an option. Those decisions should be documented.
Amendments to the proposals: No change


Comments: Para. 41
Summary of responses received: One respondent suggests that this paragraph should set a minimum frequency for the review of the organisation, no more than once a year.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034 to ensure a level playing field.
Amendments to the proposals: No change

Comments: Para. 42 and para. 43; 5. Organisational framework in a group context
Summary of responses received: One respondent suggests that the principle of proportionality should be applied in this section. If the business activities of the subsidiaries are of a different nature/sector, a uniform group application does not make sense. The rules on applicable requirements to the group level should be based on proportionality and on the nature of the business of other group members.
EBA analysis: As specified in the guidelines, this section applies to issuers of ARTs and their subsidiaries subject to MiCAR. In addition, the guidelines specify that all provisions within the guidelines are subject to the principle of proportionality.
Amendments to the proposals: No change

Q6. Are the provisions in Title IV – Risk culture and business conduct appropriate and sufficiently clear?

Comments: Para. 46 and para. 47
Summary of responses received: One respondent suggests that these paragraphs should be more directive.
EBA analysis: Guidelines cannot impose mandatory requirements which are not in MiCAR, but rather they specify those requirements.
Amendments to the proposals: No change

Comments: Para. 49; Corporate values and code of conduct
Summary of responses received: One respondent suggests that Article 49 should be compulsory for all issuers of ARTs. Consequently, para. 53 should impose the existence of clear and adequate policies.
EBA analysis: Guidelines cannot impose mandatory requirements which are not in MiCA, but rather they specify those requirements.
Amendments to the proposals: No change


Summary of responses received: One respondent suggests the adoption of international industry standards, such as ISO 9001 Quality Management System, ISO 37301 Compliance Management Systems, etc. Such standards include risk and process-based approaches and are helpful tools, like DORA. Furthermore, the internal audit requirements of these standards could contribute to the implementation of internal control functions.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034 to ensure a level playing field. Also, the wording is broad enough to capture future standards which might be issued by professional associations in the sector.
Amendments to the proposals: No change

Q7. Are the provisions in Title V – Internal control framework and mechanisms appropriate and sufficiently clear?

Comments: General – Disclosure of a Risk management policy
Summary of responses received: One respondent suggests that a requirement should be included for issuers of ARTs to draft a publicly available document expressing its risk appetite.
EBA analysis: Article 21 of MiCA does not impose such a requirement.
Amendments to the proposals: No change

Comments: Proportionality – SME acting as ARTs users
Summary of responses received: One respondent suggests that this section should offer more flexible and simplified approaches for SMEs acting as issuers of ARTs (e.g. simplified risk assessment procedures, tailored internal control mechanisms, and flexible reporting requirements). Guidelines may recommend tools or methodologies suitable for SMEs for these purposes.
EBA analysis: The guidelines specify that all provisions within the guidelines are subject to the principle of proportionality.
Amendments to the proposals: No change

Comments: Title V; Internal control framework and mechanisms
Summary of responses received: One respondent considers that the provisions in Title V are overly prescriptive, particularly in the case of smaller issuers of ARTs.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034, to ensure a level playing field.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that it should be clarified whether the control function is a requirement for a stand-alone function in parallel with internal audit (if existent) or if the control function can be managed within managerial functions and their responsibility to supervise compliance and with processes that predict a different set of checks. In this respect, this respondent suggests providing a descriptive definition of the control function and its relationship with internal audit.
EBA analysis: Guidelines already specify that internal control functions comprise compliance, risk management and internal audit functions, where established, and they specify their different roles and interactions within the issuer of ARTs. The only obligation is that the internal audit function is independent, where established.
Amendments to the proposals: No change

Comments: Para. 58
Summary of responses received: One respondent suggests that this paragraph should be more prescriptive. The design of the internal control framework should guarantee that all elements quoted in Para. 58 are present.
EBA analysis: It is deemed sufficiently clear that the internal control framework should ensure all the elements listed in this paragraph.
Amendments to the proposals: No change

Comments: Para. 59
Summary of responses received: One respondent suggests that this paragraph should be rephrased to avoid any doubt about the obligation for management body to apply all the elements quoted. Proportionality applies to the complexity of the task, but not to the existence of the task itself.
EBA analysis: It is deemed sufficiently clear that the management body should be responsible for all the elements quoted in this paragraph.
Amendments to the proposals: No change

Comments: Para. 65
Summary of responses received: One respondent suggests that the risk management should be limited to identify risks in the market. Going beyond this diverts resources into speculation and potentially reduces the focus on existing risks.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034 to ensure a level playing field.
Amendments to the proposals: No change

Comments: Para. 67 and 68
Summary of responses received: One respondent suggests that these paragraphs should be more prescriptive in connection with the escalation processes.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034, to ensure a level playing field.
Amendments to the proposals: No change

Comments: Para. 77
Summary of responses received: One respondent considers that this paragraph could lead to imposing an internal or external auditor to all issuers of ARTs. The respondent wonders whether this is in line with the principle of proportionality, especially in case of starting ART programs.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034 to ensure a level playing field.
Amendments to the proposals: No change

Comments: Para. 79
Summary of responses received: One respondent suggests that this paragraph should be rephrased to better define the staff who are required to understand the risks inherent to the activities of the issuers of ARTs. Otherwise, it could lead to extreme situations where all the staff must understand all the operational risks involved, which does not exist in traditional finance.
EBA analysis: Pursuant to the BIS Principles for the Sound Management of Operational Risk, for credit institutions, senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood and that an appropriate level of operational risk training is available at all levels throughout the organisation.
Amendments to the proposals: No change


Comments: Para. 82
Summary of responses received: One respondent suggests this paragraph should be more prescriptive, and it should refer to the principle of proportionality.
EBA analysis: As requested by Article 34(13) of MiCAR, the guidelines take into account, with the necessary adjustments, the provisions on governance arrangements under Directive 2014/65/EU and in the Guidelines on internal governance (EBA/GL/2021/14) under Directive (EU) 2019/2034 to ensure a level playing field.
Amendments to the proposals: No change

Comments: Para. 88 to 96; 10.4 Arrangements with third-party entities for operating the reserve of assets, for the investment of the reserve assets, the custody of the reserve assets, or the distribution of the asset-referenced tokens to the public
Summary of responses received: One respondent suggests that professional storage companies should be permitted as third-party entities for the custody of reserve assets in the form of physical commodities such as gold or energy (oil or gas).
EBA analysis: Pursuant to Article 37.3 of MiCA, the reserve assets shall be held in custody by either a crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients (where the reserve assets take the form of crypto-assets), credit institutions (for all types of reserve assets) or an investment firm authorised to provide the ancillary service of safekeeping and administration of financial instruments (where the reserve assets are financial instruments). Guidelines cannot expand the type of entities which may provide this service under MiCA.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that this section should be reviewed to include the outsourcing of internal control functions.
EBA analysis: Paragraph 98 already refers to the outsourcing of the risk management function and audit function.
Amendments to the proposals: No change

Comments: Para. 98; Outsourcing of control functions
Summary of responses received: One respondent suggests that little to no restriction should be imposed on outsourcing of specialized functions, provided the responsibility and the control of such functions are evidenced by the management body.
EBA analysis: Para. 98: Where the issuer of ARTs does not establish an internal risk management function (RMF) or internal audit function (IAF), the responsibilities of these functions as set out in these guidelines are with the management body, who may delegate the operational tasks internally or externally to a third-party provider, e.g. in form of an outsourcing arrangement. There are no restrictions regarding outsourcing the control functions. However, issuers of ARTs need to be able to reintegrate the outsourced functions if needed and ensure that sufficient resources are available to appropriately support and ensure the performance of the responsibilities of the management body, including overseeing the risks and managing the outsourcing arrangements. Consequently, outsourcing must not lead to a situation where an issuer of ARTs becomes an ‘empty shell’ or ‘letter-box entities’ that lacks the substance to remain authorised.
Amendments to the proposals: No change

Comments: Para. 105 to para. 126; 12. Risk management function
Summary of responses received: One respondent suggests that the risk management policy should be allocated to a dedicated risk management function.
EBA analysis: The risk management function may be assumed by a dedicated function or by the management body of the issuer of ARTs. Therefore, the allocation of the risk management policy will very much depend on whether there is a dedicated RMF or not. It should nevertheless be clarified that the approval of the risk management policy is part of the management body’s responsibilities.
Amendments to the proposals: No change

Summary of responses received: Some respondents suggest that all issuers of ARTs should establish a risk management function.
EBA analysis: The Guidelines specify that all issuers of ARTs should have a permanent and effective compliance function while, in line with the principle of proportionality, not all issuers are required to have a risk management and an internal audit function but are still required to have respective policies and procedures in place.
Amendments to the proposals: No change


Summary of responses received: One respondent suggests that more clarification is needed that based on the proportionality principle and criteria, any other individual in a senior position of the issuers of ARTs (such as the Head of Legal or Head of Compliance, provided there is no conflict of interests and is independent from other functions) would be able to supervise and assess the issuers of ARTs’ potential vulnerability to risks and address those in an efficient manner.
EBA analysis: Pursuant to Para. 124 “Where it is not proportionate to appoint a person who is dedicated only to the role of head of the RMF, taking into account the principle of proportionality as set out in Title I, this function can be combined with the head of the compliance function or can be performed by another senior person, provided there is no conflict of interest between the tasks performed.” The Guidelines already include that risk management functions can be performed by other senior staff.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that this section should impose more stringent requirements to significant issuers of ARTs to ensure consistency with the principle of proportionality.
EBA analysis: The Guidelines specify that all issuers of ARTs should have a permanent and effective compliance function while, in line with the principle of proportionality, not all issuers are required to have a risk management and an internal audit function but are still required to have respective policies and procedures in place.
Amendments to the proposals: No change

Summary of responses received: One respondent suggests that significant issuers of ARTs should operate internal audit function when certain conditions - to be explicitly defined - are met. For those issuers of ARTs which do not establish a risk management and internal audit function, GL on suitability assessment should set more stringent criteria on the knowledge and experience of auditing directors.
EBA analysis: According to Para. 171, option 2 has been chosen on internal control framework and the three lines of defence, consequently issuers of ARTs are not obliged to operate independent internal audit function (in line with the principle of proportionality). In any case, as specified in para. 97 of the guidelines, issuers of ARTs should be able to demonstrate upon request that they have policies and procedures adopted and implemented for an internal control framework that effectively achieve the same outcome as the guidelines provided in Title V therein. Senior staff responsible for internal audit should be able in any case to demonstrate knowledge and experience in this field.
Amendments to the proposals: No change

Comments: 105-127; Compliance and risk management functions – Outsourcing
Summary of responses received: One respondent suggests that the compliance and the risk management functions should be allowed to be outsourced. If not outsourced, these functions should be managed by the management body of the issuers of ARTs.
EBA analysis: Para. 98: Where the issuer of ARTs does not establish an internal risk management function (RMF) or internal audit function (IAF), the responsibilities of these functions as set out in these guidelines are with the management body, who may delegate the operational tasks internally or externally to a third-party provider, e.g. in form of an outsourcing arrangement. The operational tasks of the compliance function should also be allowed to be outsourced just as RMF and IAF. The comment has been accommodated.
Amendments to the proposals: Guidelines amended

Q8. Are the provisions in Title VI – Business continuity management appropriate and sufficiently clear?

Comments: General
Summary of responses received: One respondent suggests that a reference to the principle of proportionality should be included with respect to the business continuity management, especially for standalone issuers of ARTs that are early in their lifecycle.
EBA analysis: Paragraph 146: “Issuers of ARTs may establish a specific independent business continuity function taking into account the proportionality criteria listed in Title I.” Additional references/rules needed? The paragraph already contains reference to the principle of proportionality.
Amendments to the proposals: No change


Q9. Are the provisions in Title VII – Transparency appropriate and sufficiently clear?
