Internal Governance and Regulatory Framework for ARTs - MiCAR

Internal governance encompasses the standards and principles for establishing the strategies and risk management frameworks for issuers of Asset-Referenced Tokens (ARTs). This includes business operations, clear definitions of responsibilities and authority, reporting lines, and internal control frameworks, along with sound accounting and administrative procedures. Robust governance ensures operational resilience through effective ICT systems and business continuity management and includes policies for third-party entities involved in asset reserve operations, investments, custody, and token distribution.

The European Banking Authority (EBA) has been actively shaping the regulatory landscape for crypto assets, including ARTs, by publishing regulatory products on governance, conflicts of interest, and remuneration under MiCAR. The guidelines on governance arrangements specify the tasks, responsibilities, and organization of the management body and emphasize sound risk management across all three lines of defense. The final draft of Regulatory Technical Standards (RTS) on remuneration policy aims to ensure that remuneration policies promote sound risk management and maintain cross-sectoral consistency. The RTS on conflicts of interest outlines the requirements for policies and procedures to manage and disclose conflicts, especially those related to the reserve of assets, and considers the structure and activities of group entities.

Although credit institutions are classified as ‘obliged entities’ under Directive 2015/849/EU (AMLD), issuers of ARTs authorized under Article 21 of Regulation (EU) 2023/1114 are not automatically classified as such. However, ML/TF risks arising from their activities can justify the refusal or withdrawal of authorization under Article 24(1)(g) of Regulation (EU) 2023/1114. Thus, managing ML/TF risks is essential for issuers as part of their internal control framework. Issuers must identify and address weaknesses in collaboration with the authorities responsible for preventing money laundering and terrorist financing.

1. Implementation

Date of application

These Guidelines apply from three months after the date on which they are published on the EBA’s website in all EU official languages.

2. Lines of Defence

The guidelines follow the ‘three lines of defense’ model to identify functions within issuers of ARTs responsible for risk management. Issuers must establish and maintain a permanent, effective compliance function that operates independently from the business it oversees. They should also, considering proportionality, establish and maintain independent risk management and internal audit functions. If these functions are not established, issuers must ensure their policies and procedures achieve the same objectives.

a. First Line of Defence

Business lines form the first line of defense, taking risks and being directly responsible for their operational management. They must implement processes and controls to ensure risks are identified, analyzed, measured, monitored, managed, and reported, ensuring compliance with external and internal requirements. Other functions, such as HR, legal, or ICT, are also responsible for managing their risks and maintaining controls. Compliance and risk management functions must consider these functions, especially those exposed to operational and reputational risks, to form a comprehensive view of all risks. All functions should be subject to monitoring and oversight by the independent risk management and compliance functions as part of a risk-based approach.

b. Second Line of Defence

The independent risk management and compliance functions form the second line of defense. The risk management function implements a robust risk management framework, identifying, monitoring, analyzing, measuring, managing, and reporting risks to form a holistic view of all risks. It assists business lines in implementing effective risk management measures. The compliance function monitors compliance with legal requirements and internal policies, advises the management body and relevant staff on compliance issues, and establishes policies and processes to manage compliance risks. Both functions ensure modifications to internal control and risk management systems within the first line of defense as necessary.

c. Third Line of Defence

The internal audit function, where established as an independent third line of defense, conducts risk-based and general audits, reviewing internal governance arrangements, processes, and mechanisms to ensure they are sound, effective, and consistently applied. This function independently reviews the first two lines of defense, including other internal functions, units, and business lines. Investment firms without an independent audit function must establish other appropriate audit policies and procedures. The ultimate responsibility for audits remains with the management body.

3. Governance Arrangements

The governance requirements for issuers of ARTs under Regulation (EU) 2023/1114 are similar to those under Directive 2013/36/EU (CRD), Investment Firm Directive (IFD), and Markets in Financial Instruments Directive (MiFID) to ensure consistency across sectors. However, a proportionate approach is adopted for issuers of ARTs regarding the establishment of committees and control functions. Credit institutions offering or seeking to trade ARTs are also subject to internal governance requirements under CRD. According to Regulation (EU) 2023/1114, credit institutions issuing ARTs must comply with the more specific or stricter requirements in this area to ensure adherence to both sets of requirements.

4. Conflicts of Interest Regarding Reserve Assets

The guidelines further detail the arrangements for relying on third-party entities for the operation, investment, and custody of reserve assets, as well as the distribution of ARTs to the public, where applicable. These arrangements should include selection, risk assessment, specification of relevant contractual agreements, and monitoring. Issuers of ARTs must also have policies that define the principles, responsibilities, and processes regarding the use of third-party entities.

5. Business Continuity Policy

Issuers of ARTs should establish a business continuity policy and plans to ensure the preservation of essential data and functions and the maintenance of their activities in the event of an interruption to their ICT systems and procedures. If maintaining activities is not possible, the policy should ensure the timely recovery of data and functions and the resumption of activities. While the Digital Operational Resilience Act (DORA) mandates the European Supervisory Authorities (ESAs) to further specify the components of the ICT business continuity policy through regulatory products, the guidelines provide additional elements on business continuity plans not related to ICT. They also offer more guidance on operational resilience in line with the MiCAR and international standards.

6. Principle of Proportionality

The guidelines and the principle of proportionality cannot alter the minimum requirements of Regulation (EU) 2023/1114. All provisions within the guidelines adhere to the principle of proportionality, meaning they are to be applied appropriately, considering the issuer of ARTs’ internal organization, the volume of ARTs offered to the public or admitted to trading, and the complexity of its activities. However, the principle of proportionality does not permit issuers to disregard any requirements unless MiCAR explicitly allows for such waivers under certain conditions.

i. Application of the Proportionality Principle

Issuers of ARTs and competent authorities should consider the principle of proportionality when applying and implementing these guidelines. This is to ensure that governance arrangements are consistent with the individual risk profile of the issuer and, where applicable, the group. The arrangements should be proportional to the issuer's size and internal organization, relevant to its business model, and suitable for its activities' nature, scale, and complexity. They must effectively achieve the objectives of the relevant regulatory requirements and provisions.

Issuers of ARTs managed by a single natural person should have alternative arrangements in place to ensure sound and prudent management. These arrangements should include adequate checks and balances in decision-making.

7. Role and Composition of the Management Body

Role and Responsibilities of the Management Body

In accordance with Article 34 of Regulation (EU) 2023/1114, the management body of an issuer of ARTs must define, oversee, and be accountable for implementing sound governance arrangements. These arrangements should ensure effective and prudent management and protect ART holders' interests, including segregation of duties and managing conflicts of interest as required by Article 32 of Regulation (EU) 2023/1114.

The duties of the management body should be clearly defined, distinguishing between the management (executive) and supervisory (non-executive) functions where applicable. These responsibilities should be documented and approved by the management body. All members should be fully aware of the structure and division of tasks within the management body.

The supervisory and management functions should interact effectively, providing each other with sufficient information to perform their roles. Decision-making should not be dominated by a single member or a small subset, ensuring appropriate checks and balances.

The management body’s responsibilities should include at least setting, approving, and overseeing the implementation of:

“e. An adequate and effective internal control framework, including a risk management framework and well-functioning internal control mechanisms to ensure compliance with applicable regulatory requirements, including the management of reserve assets.

f. A remuneration policy for issuers of significant ARTs that is in line with Article 45(1) of Regulation (EU) 2023/1114.

g. The policies and procedures to identify, prevent, manage, and disclose conflicts of interest, in line with Article 32 of Regulation (EU) 2023/1114.

h. Arrangements that ensure the individual and collective suitability assessments of the management body are carried out effectively, that the composition of the management body is appropriate, and that the management body performs its functions effectively.”

8. Governance Framework

Organisational Framework and Structure

The management body of an ARTs issuer should ensure a suitable and transparent organizational and operational structure. This structure should be described in writing, promoting and demonstrating the effective and prudent management of the issuer and, where applicable, the group.

The management body should ensure that internal control functions have the appropriate financial and human resources, as well as the authority, to effectively perform their roles. At a minimum, the compliance function should operate independently, ensuring appropriate segregation of duties. Reporting lines and the allocation of responsibilities should be clear, well-defined, coherent, enforceable, and duly documented. This documentation should be updated as necessary.

The structure of the issuer of ARTs should not impede the ability of the management body to oversee and effectively manage the risks to which it, or the group, where applicable, is exposed. It should also not hinder the competent authority's ability to effectively supervise the issuer of ARTs.

The management body should assess the impact of material changes to the group’s structure, where applicable (e.g., setting up new subsidiaries, mergers and acquisitions, selling or winding up parts of the group, or external developments), on the soundness of the ART issuer's organizational framework. If weaknesses are identified, the management body should make the necessary adjustments promptly.

Know Your Structure

The management body should fully understand the legal, organizational, and operational structure of the issuer of ARTs ('know your structure') and ensure it aligns with the approved business and risk strategy, risk appetite, and risk management framework. The structure should be clear, efficient, and transparent to staff, shareholders, stakeholders, and the competent authority.

The management body should guide the structure's evolution and limitations, ensuring it is justified, efficient, and free from undue complexity. When establishing structures, the management body should understand their purpose and associated risks, involve internal control functions, and approve and maintain them only when purposes are clear, risks are managed, and effective oversight is ensured.

The complexity of the structure should correlate with the intensity of oversight. The more complex the structure, the greater the risks, and the more intensive the oversight should be.

Issuers of ARTs should assess whether structures could be used for ML/TF or other financial crimes to prevent exposing the issuer or sector to significant ML/TF risks. This assessment should consider the compliance of the jurisdiction with EU and international standards on tax transparency, anti-money laundering, and counter-terrorism financing; the economic and lawful purpose of the structure; the potential to obscure the identity of the ultimate beneficial owner; any concerns about setting up the structure; the structure's impact on oversight and risk management; and any obstacles to effective supervision by authorities. Issuers should avoid establishing opaque or unnecessarily complex structures without clear economic or legal purposes and must document and justify their decisions to competent authorities. All structures and activities should comply with legislation and professional standards and undergo regular reviews, with the internal audit function conducting risk-based reviews where established.

New Product, System, and Process Approval

The issuer of ARTs should establish policies and procedures for assessing and appraising new products, processes, and systems, including the new issuance of ARTs and related processes and systems.

The approval process should take into account all risks associated with the launch of new products and the implementation of new processes and systems. This includes legal and ICT risks, as well as risks related to people, processes, systems, and external events.

The approval process should also consider the effects on the delivery of critical or important functions, their interconnections and interdependencies, and any changes to the issuer of ARTs’ operational risk profile. This includes changes to risks related to existing products or activities, the necessary internal controls, risk management processes, and risk mitigation measures.

The issuer of ARTs should ensure the assessment of the evolution of risks associated with new products, systems, and processes over time throughout the full life cycle of the product, activities, or services.

The issuer of ARTs should have a robust internal control system, in accordance with Title V, to ensure efficient and effective operations, safeguard its reserve of assets, produce reliable information, and comply with applicable laws and regulations. This system should also apply to new products, processes, and systems.

9. ICT Risk Management

Issuers of ARTs should establish an ICT risk management framework in accordance with the requirements defined under Regulation (EU) 2022/2554. This framework should include an internal governance and control structure that ensures the effective and prudent management of ICT risks, aiming to achieve a high level of digital operational resilience.