The Encrypted Economy

How MiCA Fits In (Panel Series 4 of 4) – E107

Eric Hess Season 1 Episode 107

On this week’s episode of The Encrypted Economy, we have our final panel discussion on MiCA. We give an overview of current EU legislation and discuss achieving real viability and effectiveness with Markets in Crypto-Assets regulation.  Be sure to subscribe to The Encrypted Economy for more insight into innovative regulatory frameworks in web 3.0.  

Topics Covered:
· 3:30 Discussing ESMA and EBA and Their Roles Regarding MiCA
· 22:40 Understanding European Legislation
· 31:40 Will Regulators Become Even More Stringent?
· 33:30 The Scope of EBA in Regards to MiCA
· 37:00 What Regulations are Going to Impact MiCA?
· 53:00 Blacklisting Under New Regulation
· 1:12:00 Can an Asset Fall Under Both MiFID and MiCA?
· 1:17:00 Developments with the Data Act
· 1:32:50 Discussing DORA and Product Liability
· 1:42:40 How Does PSD2 Factor into this?

 Resource List:
·       Alexandru’s LinkedIn
·       Marina’s LinkedIn
·       Francesco’s LinkedIn
·       William’s LinkedIn
·       SLV Legal
·       The European Crypto Initiative
·       Crypto Policy Updates
·       MiCA
·       GDPR
·       MiCA Overview and Categorization of Crypto Assets
·       Digital Operational Resilience Act
·       ESMA
·       Transfer of funds regulation
·       EU payment services directive PSD2
·       The competing priorities facing U.S. crypto regulations
 


Eric: [00:00:00] So this is the final MiCA Panel series. Congrats for sticking with it to the end. Now, MiCA does not exist in the vacuum. It operates within other regulatory frameworks that govern digital assets and financial instruments: AML, data privacy, and EU. And there's more regulation coming. The ability for the EU to ultimately emerge as a world leader for viable, regulated digital assets is not just dependent on MiCA, but how the other participants regulated under MiCA are able to navigate the overall regulatory framework. Today, our panel drawn from the prior panels touches on existing and forthcoming regulation that impacts a space, notably AML, but also the Data Act, DORA products liability regulation, DORA cybersecurity.

So clearly even with MiCA, the work is not done to achieve the right balance, not just impacting safety, but viability and effectiveness. So, my guests today, they're kind enough [00:01:00] to go through some of the structures, some of the players, how regulations, directives, and guidance all interrelate and how the MiCA process might have been a little bit different.

Even amidst this, there's questions about how the US interacts with this new system. So joining for us this last final part, we have Alexandru Stanescu, Professor of SLV Legal in Romania, Francesco Patti, professor of private law at the University Bocconi in Italy, Marina Markezic, co-founder and executive director of the European Crypto Initiative, and William O'Rorke, co-founder and partner at ORWL Avocats in France. So after this, I'm probably gonna take maybe a couple of weeks. But I do have panels for coming up that I'm planning. And crypto's getting a lot more complicated. So, I, I feel like these series can provide some additional depth that may be a single episode formats may not do as well with, unless, excluding like the marathon like treatment [00:02:00] podcast that go on for multiple hours.

I don't, I'm not about to do that. At any rate, thanks for making it this long. I've gotten a lot of great feedback on it, so I'm encouraged to keep going with the, with different panel series. Enjoy and use this as a reference. It's here for you. Thanks.

Welcome to The Encrypted Economy, a podcast exploring the business laws, regulation, security, and technologies relating to digital assets and data.

I am Eric Hess, founder of Hess Legal Counsel and your host. Join me on this journey exploring the reach of these transformative technologies. 

Excited to have the panel assembled again to discuss the interaction of the regulatory framework of Under and Regulators in Europe with regards to MiCA.

So, welcome everybody for returning on the session. We have a lot to [00:03:00] chop through. Hopefully we're able to get it all. But the idea here is to, we've learned about MiCA and some of its key provisions. Now the question is how does it interact with the different regulatory authorities and how does it interact with some of the existing and future regulatory frameworks?

So obviously a developing story. So, I, I think maybe it'd be a good idea to start off with ESMA's role and EBA's role, or is it called EBA or EBA? I don't know. With regards to MiCA.

Alexandru: The main point related to ESMA is that from a political perspective, MiCA enhances the functions that ESMA had previously in the, in, in the capital markets around Europe.

We know [00:04:00] ESMA is the, the guardian, if you want, of MiFID and how MiFID is implemented in Europe. But with MiCA, we see that ESMA is basically getting three more functions in the world of crypto. And I will go, we'll go one by one. Another point that I want to raise is the fact that from a political perspective, my take is that EBA did not want to touch crypto that much.

And we've seen this also in national regulators because the same issue, let's say, or division of powers between the monetary authority or the payment, which also takes care of the payments. In most of European countries, they did not want to touch what's [00:05:00] in the, in, in the crypto sphere, and then what was left there, but capital markets and ESMA, was the, a natural sort of institution to take a role of providing technical assistance in this specific field, which is now covered by MiCA.

So we see three functions, if you want based on MiCA. And we have this in title seven of the MiCA regulation. So I would divide it between ESMA providing technical expertise. That's the first one. And by technical expertise ESMA is mandated to, to build technical standards and standard forms and templates.

And I think this is important because all organizations and CASPs will be looking at what ESMA will be providing in terms of [00:06:00] standards for the for the licensing process. Also an important point is that they will draft a sort of template for legal opinions on the categorization of crypto assets.

And they would also need to create a sort of a test, a methodology for a test for the crypto assets to fill in a category or another. So for us lawyers I think that, and for our clients I think it's very important if you wish, is a sort of the guidelines that SEC were providing on what's a security what's a crypto asset security as a matter of soft law, some guidelines on the website. [00:07:00]

So that's one. The second area is coordination. So in order, because this is a regulation, but we'll also have, and we'll talk about this later in, in this session national authorities will implement some part. They will customize some areas of the regulation within national legislation.

However, ESMA has a sort of a coordination role among themselves among all these NCAs the national authorities. And this should foster a standardization at European level. That's one of the main reasons for this institution to be part of the whole regulation. What else do we have here?

NCA can also [00:08:00] request opinions on classifications for of crypto assets and exclusions of the scope. So again, ESMA will become a sort of rule maker or interpretation maker in, in, in the space of crypto assets. And last point, which it's highly relevant to crypto asset providers and issuers, it'll have a function of a market watchdog, meaning that and we have, it's very clear in Article 89 of the MiCA you will, you can, you can notify illegalities and ESMA will be obliged to, to receive your complaint.

So they will be looking on illegalities in the space of crypto [00:09:00] assets. It also has intervention powers, meaning that in case for a temporary period of time, in case there are some dangers related to token issue distribution, sale of crypto assets they can intervene. And the second cause for intervention would be the type of crypto assets if there are securities or if there are some activities that in practice could be dangerous.

And I'm underlining this point we discussed previously on DeFi. So I believe that from a broad interpretation, as I interpreted ESMA will in case they will see on the market interesting trends or dangerous trends related to crypto assets and DeFi, they could [00:10:00] intervene and stop the operations of some DeFi projects.

This is food for thought. We haven't had this yet because MiCA is not yet into force, but I would dare to say that ESMA will have this power in the future. And last but not least the watchdog will also register the CASPs, which on a sort of a shame list, in case shady situations appear in practice.

There will be a sort of list like most regulators have. I can give you the example of the UK and other regulators across Europe, where in case of breaches of material breaches of the law. So those crypto asset providers will be put on the list. On a list and [00:11:00] the public list at European level.

So those are, for me the main the main, the most important functions of ESMA.

Eric: So let me ask a question. As to how ESMA interacts with the local regulators, what are the powers of the local regulator to interpret the provisions of MiCA without reliance on ESMA? Is there some, yeah. What is the scope of their independence? Francesco?

Francesco: Oh, that's a great question. And I think also for the American listeners, it's important to, to frame a bit the competences. So I, I say things that perhaps are obvious for Europeans, but we have to imagine that we have 27 countries. And so when we talk about ESMA, like the American equivalent is the SEC of course.

But and if you look at the functions, let's say like more in general, we have the same functions, which are investor protection and market stability. [00:12:00] Increase of the market, like as Alexandru said. But of course, like we have also the national dimension of the member states, and we have 27 authorities for the financial markets.

So in every member state there is one authority and also an authority for the banking sector. And basically, the authority for the financial market refer to ESMA. The authorities for the banking sector refer to EBA and the function of ESMA and EBA is also a function of coordination.

Basically creating guidelines, creating indications also on, on technical issues, very technical issues. For instance if you have to understand what is a two au two authentication factor for the banking payment systems. You look at me there are opinions that then are taken by the different authorities of the national states and applied because without this kind of coordination, of course, every state would go in a [00:13:00] different direction.

And so the idea of European law is that at the first level, there is a control and an oversight of the national authorities. But all the national authorities need to be coordinated by ESMA and EBA. And the second element, which I think is important is that, and we see it a lot in the MiCA, if the element which is regulated, let's say overcomes the border of one country, which could be the case for instance, of significant stable coins or also CASPs that overcome a certain limit of market volume, then the oversight goes from the national level to the European level. So basically because it becomes like a phenomenon which is European in nature.

So, this is important. We have it always in a, at in the European Union. But we have it also here in MiCA. What I think is really different in MiCA is that we have a lot [00:14:00] of references basically in MiCA to guidelines that will need to be adopted by these authorities. And this is something which is which is quite new.

So, it's a kind of delegation to these authorities on matters, which are, I would say, very technological in nature sometimes. And like we have it in the organization, internal organization of the. In the sense that EBA will indicate like best practices to custody, for example, for the custody. We have it also in the pilot regime, which is somehow connected to the crypto world, tokenization of assets.

Also, there like guidelines are needed and will be implemented. And so like at the first level, I would say legislation, there is this claim, which to me is untrue, but it, there is a claim of technological neutrality, but then basically the two authorities will provide guidelines and also coordination among different member states.

But of course, like what we were [00:15:00] referring to at the beginning is true. So every country has its own authority and there is a bit of arbitrage. Concerning the functioning of the authorities. And not every, of course, the risk is coordination. Every authority should apply the same parameters.

But of course, every authority is a bit different in the assessment. And so we have some authorities which are stricter, some which are less strict, and we saw it with other types of institutions. Digital banking payment services. There are certain countries that are considered a bit more friendly than others, and I expect that it will be a bit the same also for crypto asset service providers.

And of course, nobody knows exactly what will happen, but I think that also in this regard, there will be a bit of arbitrage. In any case, there is always the inter, the, let's say, supranational coordination and control, which is provided by ESMA and EBA. Why the [00:16:00] two authorities? This perhaps is also not obvious for the United States.

It has been always the case, like there are some provisions which are more connected to the banking sector, or let's say banking activities. For instance, the custody. The emission of electronic money tokens. And so this undergo the competence of EBA predominantly because they're considered closer to the competencies of the banking authorities.

Whereas other provisions which are closer to the financial market, words are considered under the competence of ESMA. And of course, the two have to coordinate themselves. And it, this is something which happens all the time also at a national level. For instance, in Italy, we have Consob for financial markets, bank for the banking sector.

And often they issue some regulations together because they know that basically it's [00:17:00] the profiles are so connected that they have to act together in order to provide guidance to the operating parties. 

William: I have a little additional question for all of you. Don't you believe that given that the first the first act of the regulation of crypto asset is a regulation like with this direct application the power or the freedom of interpretation at the national level, we all know that every regulators have his own practice, its own interpretation.

It's not it's not so different from one, one member state than another. But don't you believe that? In the precise context of MiCA the freedom of interpretation at the national level will be reduced because we start with the regulation first, and not usually you have always directive a first directive, a second directive that can become at the end [00:18:00] after 10 years or 15 years regulation.

Now we're starting from day one with the regulation. And we know also that in the very innovative in the very innovative industry or innovative area, usually the European Union, like the European institution feel maybe more confident or legitimate to interpret and to, to push away the national the national power to interpret.

I don't know if my question is very clear, but you get it, Marina?

Marina: Yeah. Thank you. Your question is very clear. So maybe for the listeners, we usually have two main types of laws in the EU. One is a directive and one is a regulation. And here we have MiCA as a regulation, which will be directly applicable in the same time in all the countries in the, all the EU countries.

And I love the question because as you said, [00:19:00] it'll be something that will leave not a lot of room for interpretation. And we have observed this, that is something that is a trend in the European Union more many times where usually there would be a directive issued. Now we see a regulation.

It's also happening in some other I would say covering other topics in the EU and in this case maybe going also back to what was said before by Francesco. ESMA does have this I would say in a way, the right to issue the guidelines but also this technical standard that are in a way then later becoming a part of the law.

And they have, they're doing it right now. So this is the time where they're deciding on those topics. They will have additional 12 or 18 months to finalize [00:20:00] those. But in a way this is a second part or a technical part that we discuss within the MiCA process, and it's going to be very important.

As discussed before, we will have a guidance on the understanding of how the, a crypto assets are different from financial instruments, which is somewhere that might be different from all the member states. We'll also have more clarity on the, basically the understanding of the energy consumption of consensus mechanisms that might be limiting in the future will have more understanding of very I would say technical things.

Also, guidance on the reverse solicitation that we discussed later. So all those guidances will definitely be helpful for the national competent authorities deciding in the future, but also for all the projects that are going to work within MiCA.

Eric: In other words there's gonna be a [00:21:00] period of time where I guess the national states will have maybe more interpretive guidance until ESMA comes out with their directives.

Is that or more specific guidance? 

Marina: Yes, they have. They issue two different types of documents. One are guidance that are really like literally guidances, but then the technical standards are the ones that in a way, become a part of the law and they need to be followed. So, both of those are usually now issued by ESMA and EBA is in collaboration with ESMA working on this.

But really the main agency here is going to be ESMA.

Eric: Right. And is a directive the same as a guidance?

Marina: No. The guidance and the technical standards are issued by the agencies on this secondary process, the technical process. The other laws are at least how it works right now and how it work with MiCA.

And we'll discuss other of course, regulations and [00:22:00] directives. But usually the commission starts with the first draft and then it goes to the council which issues its own draft, and then the parliament issues its own draft. Then there's all those three institutions work together with within a trilogue, as we call it.

And then the combination of those three drafts becomes the last one that is then later voted through the through the parliament, which is now the stage where MiCA is, we are waiting for this formal approval by the parliament until it's going to be publicly issued in the Official Journal of the European Union.

Eric: So I'll ask a question I can get away with, as an American lawyer, what's the difference between a directive and a regulation? 

William: Okay. Now it's very interesting. I think it's quite unique to European Union. A regulation is something quite simple to understand. It's a law, like it's a law at the EU level.

So, it is it is directly [00:23:00] applied to the operator or to, to the individual. Of course, it's much more complicated in practice. But I will stop for the explanation of the regulation. Now's good? No, we're good. A directive is something quite different. It's the European institution say, okay, we should do that.

We should achieve this goal. For instance, in the fifth anti-money laundering directive, there is a provision that say you should register two kind of crypto asset services like crypto to fiat and custody, given the risk you should you should register this provider and you should subject them to the AML to the AML regulation.

But we give to the national to all the detail and all the way and the mean to achieve this goal are left to the national level. So the directive have to [00:24:00] be transposed into a French law, German, a Spanish law, an Italian, and of course with the directive you have much more difference from one member state to another.

Much, yeah. 

Eric: Excellent. Okay. I appreciate,

Francesco: I wanna say something on this because like when you explain at university, like the sources of European law, you have to make this beginning distinction between directives and regulations. And the students ask, but why do you present directives if then it becomes a mess and every state goes in a different direction?

Cuz the differences are it depends a bit on the directive. So the first directives eighties, nineties, were really generic, just indicating some goals. And basically every member state could choose the way in which this goal was achieved. And sometimes it was even a bit, let's say, disputable, whether the goal was achieved or not.

And in fact, we have also cases, [00:25:00]

Eric: Francesco, you're breaking up a little bit.

Francesco: Okay. We have also cases of the commission against National States because the directive was not implemented properly. In the last years, the directives are much more precisely written. There are provisions which are sometimes very similar to the ones of a regulation. But in many cases, they leave a bit of room to the member states or they give the possibility to choose between different options to the member states. And so going back to the question, like the students say, but if we want European integration, why do we have directly only regulation?

And the fact is that you don't have the political consensus to go directly with the regulation often. And so you choose for this second best which is the directive, which then can create problems in implementation also, because every state implements with a different kind of law, let's call it.

Like sometimes it's for [00:26:00] instance a law as such. Sometimes it's an internal regulation. And so it's even difficult to find like the equivalent in other states if you're not familiar with the legal system. But this is very important for what we are saying because like we have seen it in the last episodes.

This MiCA regulation is very close to the MiFID. And in MiFID we don't have this complete harmonization. And this means that there is an understanding of financial instrument, which is different in every member state, basically. And if we consider that there will be a lot of let's say nuances and uncertainties with respect to the exact differentiation between financial instruments and utility tokens or crypto assets that are not financial instruments. I think that this will lead to problems. And remember the point was also raised by Alexandru at the beginning, and so there is the willingness at a European level and you [00:27:00] find it in a recital of the pilot regime, also to create a definition of basically security financial instrument, which can be exchanged on the DLT on the blockchain.

And this will probably be a definition that will also help starting from a different set of rules but will also help to define the scope of application of MiCA, in my opinion. But I agree on with my colleague and saying that we'll take time before we have all these clarifications. 

Eric: So following up on that because there's also guidance, which is softer, like it doesn't go through the same process presumably as directive.

So are we likely to see more clarifications for the local authorities through subsequent directives, or are we more likely to see that through guidance? 

Alexandru: If I may, so Eric Con, the [00:28:00] direct. For our listeners, you can put them aside. So directives on MiCA that will not have a European wide directive on crypto assets because, the big institutions, European institution already met as Marina was said, the commission, the council and the parliament.

So what we do expect from ESMA is to issue these two types of deliverables. If you wish the technical standards, which are very much everybody will look on them and they will apply them in the national regulators. And then you have this guidance and I also expect a lot of guidance.

So in a way it'll be our sort of common. National authorities have this new channel to go towards [00:29:00] ESMA and ask on classification on a crypto asset if there's something borderline or very interpretative. And I do expect that national authorities will go to ESMA and ESMA would be obliged in 15 days or so.

To come back with a reply on the classification of crypto assets. So imagine if ESMA will be receiving questions from 27 national authorities. We can, easily and quickly pile up a sort of doctrine or a technical doctrine on classification, on the type of test that we'll be using.

And of course, as the time goes by we will also have a sort of a judicial interpretation where the regulation will not be clear or National Courts will be put in a situation to [00:30:00] have a decision. They can also ask interpretation for the European Court of Justice because it's based on a regulation European-wide regulation.

And I'm pretty sure that national courts will go to the European Court of Justice for the demand prejudice here for a sort of an interpretation of specific points in the regulation. So yeah, we will have case law and ESMA is very well positioned. I can tell you also from national regulations ex perspective and experience that I had in the past.

For borderline, if they have this channel, given that it's a regulation, they will go to ESMA and they'll ask, the questions. And so, we'll have more clarity across Europe. I can give you the success of the GDPR. So GDPR, the privacy regulation in Europe. [00:31:00] If we, it would have been a directive, I'm pretty sure that the standards across Europe would have been very different.

But by using regulation and a similar implementation across Europe I think that we look like a single block in terms of privacy guidelines. Yeah. 

Eric: And so to the extent that there are those within ESMA that decide to take a more active approach with regards to the regulation of crypto assets under MiCA, what is their latitude through guidance to, in many ways, mold or shape or make the regime more stringent still.

Marina: ESMA and EBA, they have their own specific I would say roles, but they were also mandated by MiCA on what type of guidance they need to [00:32:00] provide. So when MiCA, we already know all the documents that they will need to write and provide are already there. So this is in a way, I would say their role.

And they have the freedom to, I would say, interpret it, of course, according to the law and their own powers. But they have the freedom to, to write those guidances and hopefully they're also discussing with different I would say, organizations and learn about the standards and how to operate how it'll technically be operated.

But it's already clear specifically on what type of guidance they need to write. 

Eric: Okay. Moving on to EBA. I think Alexandru mentioned that EBA has a much more limited role than ESMA with regards to MiCA and by choice I think they can regulate significant stablecoin or e-money. They maintain a public register of [00:33:00] non-compliant CASPs.

It sounds like they really just want the stuff that's, the, we, I call it the high nail, when you're, higher than the other nails. They just want the big stuff. Is that the, who wants to define the scope of EBA or explain the scope of EBA with regards to MiCA?

Marina: I would say that from the beginning MiCA has different, four different goals and one is to preserve the financial stability of the European Union. So in this regard, I would say that, EBA is really the one that is mostly connected to this goal. Of course, in the political process, is not directly involved because of those three institutions that we discussed before that are that are of course leading this process.

But at the same time, the commission it can ask any time [00:34:00] EBA or even the European Central Bank on guidance, on opinions. And I would say that, for example, the part we have where the stablecoin are regulated in a way that there is a cap on how much how many transactions and how much transactions can happen daily within stablecoin that are used for payment.

I would say that this is directly linked to this goal, so to preserve the financial stability of the European Union. And in a way that's I would say also what is the most important for EBA to look into. But as I mentioned before, all the guidelines that we have right now and technical standards that needs to be written by ESMA, they are written almost all of them in collaboration with EBA.

So they are very tightly connected into working on this secondary technical. 

William: Maybe j just to add two [00:35:00] two very little things. We already talk about it in the, I think it's the first episode of this podcast, but this this direct regulation from significant stablecoin by the European Banking Authority.

It's a weapon against like the Libra scenario that that, that have frightened a lot the European regulator at this time. Because we have to keep in mind that this provision was introduced into the reflection about MiCA in, in in 2019 if I'm not mistaken so much, much, much before from much time before the actual size of Tether or Binance dollar or what circular has become.

So, this is the first thing. And the other thing, it's a very interesting, that farm. It depends on off of the jurisdiction. But for instance, in France, and I [00:36:00] know it's the same in a lot of other country. About the crypto, given the fact that the crypto asset services was something quite like hard to define and nobody was trying to, it was complicated to regulate.

In a lot of country, the regulation have been split between the banking authority on one side and the financial in our side for something in France. Like when you are asking for registration, actually your application is shared with these two with these two already, which is something that, that is not actually very efficient that, that's creating a lot of complication and a lot of difficulties.

And I'm very glad that MiCA have a focus, like the regulation of crypto asset in the hand of financial market authorities all over Europe. I think it'll help to have something clearer as a year level.

Eric: Excellent. So I think we're gonna move on [00:37:00] to trying to understand some of the new regulations that are going to impact MiCA in the future and those that are, would impact it in the near term.

The Europe recently approved a new anti-money laundering authority and anti-money laundering regulation, if I'm correct. Marina, do you want to explain?

Marina: Yes, absolutely. So, I think we mentioned in the previous episodes before, but the European Commission in this mandate has been extremely active.

And what was also proposed was a whole package on a m l. That means that we have four different documents that were proposed. The first one was the a m L regulation that is basically a regulation that is preventing the use of the financial system for the purposes of anti-money laundering and terrorist financing.

[00:38:00] It's really the most important one. Then we have the AML directive that is a proposal for establishing the mechanism that member states should put in place to prevent the use of the financial system for, again, anti-money laundering and terrorist financing purposes. Finally, we have the AML regulation, the AML act, that is basically the regulation that is creating an EU authority for anti-money laundering and countering the financing of terrorism.

So this is something that was established and it's completely new. It's a new authority that we have not had before. All those three documents, two regulations and a directive, they are right now in the process. So, they have not been finalized yet. They were proposed by the Commission. Now, for example, the AMLR, the AMLR regulation has gone through the [00:39:00] second stage. So we have a new draft from the European, from the Council, and right now it is being discussed in the Parliament.

So, the trilogues have not started yet. So we anticipate another few months at least, of discussion around this regulation. It's very similar with the directive and also with the regulation that is establishing this new authority. The fourth one, the transfer of funds regulation that is basically talking about traceability requirements for crypto assets.

This regulation existed before. What we did in the process, and that was mainly happening last year, was that specifically crypto assets and some other specifics that are linked to crypto assets and DLT were added to this transfer funds regulation. This is already finalized. That has been one of the, I would say, shortest processes in the history of the European Union because of the [00:40:00] political situation in the EU, looking into the war that is happening in Ukraine.

There was pressure, specifically looking into the sanctions. So, this is why this, I would say, expansion of this transfer funds regulation was happening very fast and it's already finalized. What is interesting is that transfer funds regulation is going to have the same timeline with MiCA.

So it means that it's going to be applicable on the same date that MiCA is because they are connected or they're referencing each other in the text. And also the definitions of crypto service providers and some other definitions are identical in those two documents. I would say unfortunately or fortunately, depending on this specific article, but which is not the case and we are observing now in the AMLR that [00:41:00] certain definitions might be a little bit different or they're just used in a different way for the purpose.

Maybe just the last comment when it comes to the new AML authority. It's very interesting to observe the process of discussing how, what is going to be the final draft of the AML regulation because some of the, I would say, definitions and some of the theoretical terms and also how things are going to be run in the future depend on this agency.

So similarly, as we have ESMA and EBA discussing before, they will help write guidances and technical standards for understanding better MiCA and this technical part that will probably be very important for national competent authorities and also crypto service providers. In the same way, we would also expect this AML authority to be helping with understanding about the AML regulation, [00:42:00] but it's also being just formed at the same time.

So this is, in a way, quite confusing, but at the same time it is a big reform in the EU and I think that it's also a good opportunity to get more clarity on those topics. So this is how they are connected to MiCA. But what I would want to say is also that all those three documents, they are talking very generally about AML.

So crypto is just a small part of it, but it's very important for our understanding of how crypto, specifically some DeFi applications, will work in the future.

Eric: And so specifically wallet providers. What is the, how does transfer of funds regulation impact the responsibility of wallet providers in the chain?

Because or even P2P transfers, like how would those transfers be captured by, [00:43:00] or not captured by the transfer of funds regulation?

Marina: So as we had before in the financial regulation, there is certain information that needs to travel together with the transaction of this before fiat money. But now we have also virtual assets or crypto assets.

And there is this very clear rule that this information needs to travel when there is a transaction between crypto asset service providers or between crypto asset service providers and an unhosted wallet. So, a beneficiary. Or maybe somebody that is then being the one that is sending the crypto assets to a crypto service provider.

The general rule is the peer-to-peer transactions are excluded from transfer funds regulation. What is not clear is what is a peer-to-peer transaction. And I know that many times when I was talking to different organizations and representatives, they were, oh yeah, of course [00:44:00] DeFi is the peer-to-peer transaction.

So DeFi is excluded. I'm not sure that this is so clear. I think that there are like many things to really take into consideration if we want to have a very clear understanding and clear answer here. First, FATF is something, an organization that is really important in these instances, and it's also referenced in the transfer funds regulation, AML, et cetera.

It's directly transposable of some of the FATF recommendations in the TFR, which also was what happened in the past one that, especially the representatives of the European Parliament, they were saying that this is one of the most, again, ambitious implementations of the FATF standards.

And what we have here, of course, is the definition of a CASP and or a definition of a VASP. Again, as we discussed [00:45:00] before, as FATF does it. This is, in a way, a regulation that needs to be applied by crypto service providers. And then we go back to the question, what is the crypto service provider?

Is an entity that is basically operating a company and offering services to the European Union, services of custody. If this is a service provider, they would definitely need to comply with this regulation. But if in instances there would be a specific technology that would be a part of a, I would say more like a technical, yeah, technical standard or technology used for this, that might be a different question.

But I think that here we need to learn more and even have, I would say, more clarity on how those words in this regulation are going to be interpreted.

Eric: And [00:46:00] I think we talked about the scope of MiCA as it relates to DeFi and also, I think that was, what, paragraph 12A, provision 12A or paragraph 12A, but that also states that if you are a CASP, I think there's a presumption that if you're interacting with DeFi as a CASP or a centralized provider, you would still have to com-, that would still be subject to MiCA and presumably transfer of funds regulation.

In other words, a CASP that is interacting with DeFi would not be able to say DeFi doesn't have these standards. The CASP would have to comply with the transfer of funds regulation itself and its ability to interact with the DeFi application might be limited because of the transfer of funds regulation.

Is that accurate?

William: This provision, in [00:47:00] my view, is maybe one of the most important of what happened on crypto regulation in the last 12 months. But it'll maybe become the provision, like this rule, this implementation of the travel rules from CASP, not between CASPs.

Between CASPs it makes sense actually, but from a CASP to a personal, like to an unhosted wallet above, I think it's 1000 euro. It's something that can really change the way, in the coming years, it'll maybe change the way we are using crypto right now, because right now crypto is something that is within the financial intermediary.

And you can have an account like on Coinbase, for instance, when you put your crypto. But you have always the ability to come and go between like centralized custodian and your ledger, for instance. So your personal wallet [00:48:00] and use DeFi and come back on Coinbase and so on. But if someone like Binance, Kraken or Coinbase need to check and to KYC the people who are, the individuals who are receiving, I don't know, 200 euros of crypto asset, it means that there will be like a kind of a shift, like a separation, like a Chinese wall between the centralized crypto finance and the decentralized one.

But it's something that can really have a very huge impact on even the architecture of the crypto asset as we know it today. I know what you think about it, but

Alexandru: No, I fully agree with what William is mentioning. Again, going through, again, the biggest crypto exchanges, some of them, they do have ramp [00:49:00] towards P2P offerings.

It's like they create the possibility to do also the transactions P2P. And indeed I do predict the same as William, that there will be a sort of a segregation between the different type of business activities. Otherwise, you'll get a crypto exchange, centralized crypto exchange, providing some, let's say, decentralized finance type of services; they might get into the impossibility to provide such services due to the TFR.

Marina: Maybe even further. I think what we have is an unprecedented situation where there is a lot of information that is public on the blockchain. And at the same time, we're going [00:50:00] to have to identify this user of self-hosted wallets.

This is the definition or the terminology that is now used in this document. Combining this information and of course the public information that is online, I think the problem is first that this is something that might become a security problem. So first, if we think about TFR, we will be encouraged to use hosted wallets.

Not self-hosted wallet, but hosted wallet, and when we will have a hosted wallet, a self-hosted wallet, that will probably be one or just a few, because we will not, of course, record and identify a lot of different wallets. So that might be a problem and all the transactions will be coming from this specific wallet.

The other thing is that for small companies and small service providers, it's going to be very burdensome to [00:51:00] comply with the standards themselves. So they will probably need to use some other service providers. And the third thing is that there are not many technical solutions for this service to be done.

And a lot of them, this is also I would say a very European concern, might not be based in Europe. So when we are going back to the GDPR and the concern about privacy, there's going to be a lot of these centers, honeypots, I would say, with data that if breached or if not being compliant with GDPR could really cause enormous, I wouldn't say even harm, but really breach of privacy and in a way human rights.

So, I think we really need to see how this is going to evolve in the future.

Eric: Right? Because it's not only the requirement to collect the information, now that you have the information, it's toxic to you because [00:52:00] it's a risk. If you're breached, you have a honeypot, now you have to comply with GDPR.

So oftentimes when you're thinking about, if I have to retain this information, you have to think in terms of what obligations does that then now create under other aspects of EU law with regards to the security of that? 

Marina: Yeah, because the information that is collected is basically the name of the beneficiary, some other information.

Of course the address right now. A lot of people are using this word anonymity, but there is no anonymity in the crypto space. We have this pseudonymity that when the public address, that is public, of course, can be connected to another information, we can identify this person.

And so it'll be very easy for any potential yes misuse of this information. 

Eric: So a lot of DeFi protocols leverage a, I guess a blacklist. [00:53:00] So you know, if a wallet comes to interact with them, they'll run the wallet address against a blacklist to make sure it's not a blacklisted wallet and then they'll permit it to go through. What's to become of blacklisting under transfer of funds regulation?

Is that also a nice to have, you still have to collect the information. Like to what extent does

Francesco: I think that here we have to be clear because like also today, the CASPs use these technologies which can detect blacklisted countries according to the FATF. And also wallets that were blacklisted by and so this chain analysis, which basically is made by some DeFi projects, as we know, is made also by, by CASPs normally.

For instance, yesterday I spoke to an Italian guy who works in compliance. He explained me a bit. But things that I already knew, but basically this will not change so much. So, I think that [00:54:00] the problem here is really the identification of the unhosted wallet that will be made.

And here we have to understand whether there will be technologies that basically make the life of the CASPs easier. There are solutions that are discussed at many levels. Or if this will bring an additional element of cost for the CASPs. And then there is of course the problem of privacy, which is very big.

Although I think there will be always a component that will remain, let's say, outside of the control, so to say, of other people. But my feeling is that all this regulation goes in the direction of controlling the financial flows on chain. This is the goal. And so we have to be aware of it.

It's a fight that one can begin. But I think that in the end it's something which will be there [00:55:00] tomorrow in the blockchain. And like one of the elements of AML at every level is that if you try to hide, then you are considered someone who potentially is in breach.

And of course, privacy is very important. But this clash that we have between privacy protection, which is very strong in the EU, and AML/KYC, which is very penetrant in understanding the goals, the reasons, and also private information of people. It's something which in the end already exists.

And unfortunately it will, it'll impact also on the blockchain at a given. 

Marina: Maybe one discussion just to add, is that in a way with fiat, in real world, we do have cash and that is at least to a certain extent, there is a possibility to anonymously transact with cash. We might not have this when it comes to crypto and even some of the [00:56:00] drafts of the transfer funds regulation and also, we were discussing or having a lower cap when this regulation will need to be observed.

Then when we compare it to, let's say, when used by other institutions within fiat. So, in a way there was a discussion about technical neutrality in this case and why this cap would be lower in instances of crypto assets. And as Francesco said before, I think the fight against anti-money laundering and countering terrorist financing is very important.

And ideally, all this information that is publicly available that companies like Chainalysis and Elliptic are using, they would also be very helpful into tracing these illegal activities. And we have seen that in many cases in the past. That was a very successful usage of this, I [00:57:00] would say, interpretation of the information.

Maybe I would just stop for a little bit in the AMLR. There is one of the most important articles, the Article 53. As I said before, AMLR regulation. Now we have two drafts, the Commission one and Council one. The Article 53 talks about measures to mitigate risks deriving from anonymous instruments, so the anonymous accounts and bearer shares and bearer share warrants.

This article talks about credit institutions, financial institutions, and crypto asset service providers shall be prohibited from keeping anonymous accounts, anonymous passbooks, anonymous safe-deposit boxes, anonymity-enhancing coins, and anonymous crypto asset wallets, as well as any account otherwise allowing for the anonymization of the customer account holder.

So, this, again, it's just the [00:58:00] final text is publicly available within this Council draft. But what is important is, again, how do we interpret those and how do we interpret the anonymous crypto asset wallet? So again, most of them are non-anonymous, are pseudonymous, and are they the same as Caso wallets that were used in transfer of funds regulation, or they were thinking about maybe something else.

And I think this is where all this very diesel, important things are; there still needs to be clarity around that. We still need to understand the interpretation around that. But it all goes in a direction where anything that might be leading to anonymous transactions or anonymity-enhancing coins will be prohibited under this regulation.

Eric: So I think we're [00:59:00] gonna have to do another episode just on developments in the AMLR regulation. William?

William: Yes, Eric. I just precise. I'm, of course I'm volunteer for another episode, but no, I'm kidding. But, yeah, actually it's what the regulator have already implemented in the guideline and the practice.

For instance, of course I know more precisely what happened in France, but I'm sure it's precise everywhere in Europe. For instance in the applic, in the GSP application, where we are working on, it's in, in practice, it's prohibited to sell or to allow like purchases or selling of anonymous coin.

For instance, cash. Because in this situation, actually the regulator never [01:00:00] said that it's private on Dolo because it's not. But they ask for such level of suspicious activity report and due diligence on the AML side, that it's not practicable, it's not possible to offer this kind of services when you're regulated and on the side of the.

Account me. I understand that the regulation, and the regulators, of course do not tolerate something like a Swiss bank account in crypto. It's not possible to have an account somewhere, which is not linked to a proper and a consistent KYC as it is expected by the regulation.

So, I'm not really surprised that it figures in MiCA. And I think it's something that makes sense in my opinion.

Alexandru: Just to complicate a bit the things, quite [01:01:00] recently, European Court of Justice issued a decision on the ultimate beneficial owner, and we can draw some analogies or even something applicable.

I haven't put the two together yet, but on that matter, on declaring the ultimate beneficial owner within a country for the agencies, like in Romania, requested by the trade registry, it should not be mandatory towards receiving incorporating, for example. So the European Court of Justice is saying basically that also privacy matters.

And unless that's critical for someone to know the ultimate beneficial owner of an account of a company, [01:02:00] then this information should not be, dispersed and shared like his information, which does not have personal information because it is. It is, it's a lot of personal information.

That is, it'll be required to be shared within the frame of the TFR, that someone might even consider if this is privacy by design, which again, it's another important principle at European level in relation to privacy and GDPR. So is this regulation pushing towards privacy by design, it doesn't look like fortunately, and Marina might tell us more, but I don't think that this will be the final version of the regulation and privacy [01:03:00] matters should be taken more into account.

Marina: Maybe just an answer to that. We see that was agreed within the Council draft. And usually what we see is that the Parliament draft is the most, I would say, harsh when it comes to crypto. So if that was already accepted in this Council draft, I would say that might probably be also in the Parliament draft, which has had two out of three and might be even then in the final regulation.

But of course, it's all discussion around the compromises within those institutions. 

William: Yeah, just to bounce, like to complete what you say. I, actually, I do not agree. I understand what you say because I think, like philosophically around this table and in crypto, we are very attached and we are [01:04:00] very keen on the privacy and on the tool that can allow us to preserve our privacy.

It is the purpose of the cryptocurrency. It's even in the name of cryptocurrency. But legally I'm 100% sure that first of all, the am like something that is the privacy will need to adapt to, to the and not the opposite. And on the view of the regulation and on the view, actually on the society the goal is not to achieve anonymity or to have tools that preserve privacy as much as possible.

The goal is just that the operator collects data, shares it with a relevant person, the police, the tax administration, and so on, and keeps the confidentiality of the data. So for me, like, all the purpose of the AML regulation and the travel rule and so [01:05:00] on, is precisely to collect data, not every data, but a lot of very sensitive data and to keep it confidential except when the law requires you to share it with a relevant person.

So I'm not sure that the TFR regulation, for instance, will evolve in a sense that is in favor of privacy by design concept or something like this. I just believe that even the personal data authority will just ask the CASP to do as much as possible to safeguard data and to ensure confidentiality, but to continue to collect as much data.

Alexandru: No, again, we're lawyers. We're into this field and we encourage compliance. However, what does it mean in practice? It means that like in a couple of years, nobody will be able to have an unregistered Trezor [01:06:00] or a Ledger. Yes.

William: I think this is the concept, like the goal of the travel rules is to sacrifice the, like, unhosted financial system or unused asset. You will be able to keep it under your mattress or to give it hand to hand from, I don't know, in your family, but the relation between the centralized regulated crypto finance and the unregulated crypto activity will be more and more complicated in the coming years.

And I think it's perfectly assumed by and it's perfectly okay in the head of the regulators, policymaker. And so 

Alexandru: Some of my clients would of course say that, then why don't we forbid cash? That would be the simplest counterargument. But then again, [01:07:00] the universe of crypto assets will be so expanded with ecosystems that some of those crypto assets, utility tokens, will not pose, per se, a problem of anti-money laundering.

What I would've, if I were a regulator at European level, legislator maybe. Okay. Significant stablecoins or transactions related to significant stablecoins, significant e-money tokens and significant asset reference tokens. Those could be within the realm, but okay.

The debate, it's interesting, but I, this is how I would have drafted because, it's a bit of a, it's a bit too much in, in my view. Yeah. 

Eric: It sounds like it's going to be hard [01:08:00] for institutions or CASPs to interact with DeFi. Unless you have two different forms of DeFi.

One that's more like C-DeFi, like centralized decentralized finance, which actually facilitates that. And then maybe even within the same protocol, you have one that's more P2P. So you do your trans-, once you define what P2P is, you have the freedom to do those transactions, but then when you want to integrate it in with a regulated provider, whether through, cent trading on a decentralized platform or a DeFi or otherwise, you may have to choose whether or not you want to do that transaction.

Based on the information that's already been collected on you, there might be a swap and they say we can do it with this party, but you need to [01:09:00] disclose, or you can do it with this party. Maybe it's not as much volume or whatever, but it doesn't have to be disclosed. And I don't know, that's a vision that I think we might come to in the US as well.

Ultimately, but...

Marina: Yeah. What's happening, and we see already, some of the DeFi, in a way, services are going into the pro version, so like working with institutions. It's already happening today and the others are merely infrastructure in a way that also have different front ends that are not coming from the same entity.

And so, it's basically an ecosystem. And I would say that there is a danger for these front ends too, because what we discussed with regulators and just like doing an analogy, for example for illegal, I don't know, casinos that happened in the past. All these entities that would need to have a license and didn't, [01:10:00] in the past it happened that the front ends were shut down.

So that might unfortunately also be something that is happening. But I would just go back to this discussion before. I think two things are important again, looking into are the rules that we have today stricter than the rules that we have in AML in the financial system. So, with fiat, and why do we have cash and it's possible to trade with cash today?

And what is going to happen with this, I would say, privacy right in the future. Also looking into this idea of the digital euro, now there's a lot of activities within the digital euro; we expect documentation to be issued very soon. And the number one concern of the European Union citizens for the digital euro was privacy.

So how are we going to, in a way, design the [01:11:00] system also technically in a way that it would preserve privacy? And we know that European citizens are very much concerned about it, especially specific countries and member states. So I think that this is going to be a continuous discussion in the future.

And also looking into what kind of burden, so the really the compliance burden that companies and also small startups will need to have versus something that could be done also by different maybe organizations that are involved or authorities that are involved in the looking into.

Maybe compliance. So what is the burden that this company has versus what is something that, again, could be leveraged just by using the public information that is on the blockchain? 

Eric: Well, we still have a little bit to chop through, so we'll leave AML for [01:12:00] now. Again, probably end up doing another deep dive on it as the new laws start to get closer.

With regards to MiFID, there's obviously a division between the assets that are covered by MiFID and the assets that are covered under MiCA. Is it possible that any crypto could fall under both?

Marina: I would say by definition not, but the changes of what a crypto is could change so rapidly that in one week it could be something, and the next week it could be something else. But by definition that should not happen.

Eric: But you could issue it under MiCA and then subsequently find out that you should have issued it or an authority will say, no, this actually should have been issued under MiFID as a financial instrument.

Is that [01:13:00] correct?

Marina: So, I think we had a really long discussion around white papers and how crypto assets were issued. And of course, there is not much clarity of what specifically is a crypto asset, even when we think that things could be clearer with non-fungible tokens, we can issue them, but in, in instance, some I don't know, bring on, on, on similar national competent authorities might think this is a financial instrument, not even a crypto asset.

So that might happen of course, but 

Eric: I, if an asset is issued, and I know I'm asking a question that may not, TBD, right, to be determined, but once an asset is issued with the white paper and I guess it's been filed, it doesn't actually have to be necessarily approved. I guess a national authority or even potentially ESMA [01:14:00] could advise the pro-, the issuer that they need to register as a financial instrument. In other words, maybe based on the opinion of counsel, they issued it as a utility token or an asset reference token. Leave this e-money out of it because that seems less likely, although maybe not.

And then once they're live, I suppose there is still a risk that they could be reclassified even despite having initially proceeded under the grounds that they were either an asset reference token or a utility token.

Alexandru: Yeah, that's very possible. This can happen. And this is what basically, Eric, this is recalling us from the recent history of the US market, right?

[01:15:00] You issue a token, which is a utility token, and then the SEC reclassifies it as a security. I think that at the European level, we are trying to create two universes, but they have a confluence towards the new brave world of asset tokenization or tokenization of shares or bonds. So if we want to differentiate them, on one side, whatever is going to be issued on DLT and it's a security especially, and bonds, shares, you'd have the DLT pilot regime and the MiFID.

To rule the rules. Yeah. If you are into the [01:16:00] asset reference tokens or utility coins issuance, we will have MiCA with its rules. Those are the two universes. Now, when can these universes collide? As previously mentioned, probably when what you're issuing at the beginning was not a financial instrument or becomes a financial instrument.

Theoretically they are a bit, they, from the hierarchy here of the, and the separation between European regulations this looks this shouldn't not happen, at least in. 

Eric: All right. So now I, since we have more ground to cover and I guess limited time let's turn to the data act.

[01:17:00] And the, and which directly impacts smart contracts. And Marina, do you want to tell us about where the Data Act is today, how it impacts smart contracts and how it interacts with MiCA?

Marina: Yes. So the data act is basically in a process where it's still discussed within those institutions and it's not finalized yet.

It's not going to be finalized for a certain amount of time. So we still have few months within which this might be shaping. But usually it's just aimed to regulate data mostly within the AI world. But there is a specific article that talks specifically about smart contracts. There was also a research on which this Data Act was issued.

And I know that we were discussing with some of the researchers that were working on it, but really it was aimed at AI and this part we've just [01:18:00] introduced there. So, we have this Article 30 that talks about essential requirements regarding smart contracts for data sharing. And why this is very important is that most of the smart contracts that we know today, and of course that are used within all these applications, DeFi, crypto assets, et cetera, they are designed in a specific way.

And I think that the listeners didn't know a lot about smart contracts. But what is important is that, of course, depending on how it is designed, but it's continuity over time. And some of them cannot be updated or changed. So, the problem in a way with this article is that, I will just read it.

The vendor of an application using smart contract, or in the absence of thereof, the person who's trade, business, or profession involves the deployment of a smart contract. So that means maybe also just a developer for others [01:19:00] in the context of an agreement to make data available shall comply with the following essential requirements.

And one of the requirements besides their robustness and access control is also the safe termination and interruption. So basically, it needs to ensure that a mechanism exists to terminate the continued execution of transaction. And the smart contract include internal functions, which can reset or instructions instruct the contract to stop or interrupt the operation to avoid future executions.

I think this is very important for, I would say, the whole ecosystem. And what is also important, that is to a certain extent also linked to some acts that we're going to discuss later. The basic question is: do the crypto-asset service providers need to comply with [01:20:00] this? Or also developers that might be just working by themselves, working on open source code and deployed on the internet, and then could be used by some others?

What would be the consequence here? And I think that maybe the connection would be, we might discuss about it later, but with the product liability directive and also the Cyber Resilience Act. Those are again just documents that are now in discussion in Brussels, not finalized yet. But I think that there's been a lot of discussion in the last year, also going into the case of Tornado Cash and looking into, very clearly, I would say, the American practice and understanding of code being speech.

There's nothing similar that we have in Europe, I would say at least not in the same way and not interpreted in the same way. But I think that we have certain provisions that might be very similar in [01:21:00] just trying to understand what would be, again, the role of a developer in this ecosystem and what would be the liability, especially in the open source part, because I think that's a big part of the crypto ecosystem is open source.

And that is also quite rare if you think about software in general. This today, 

Eric: Yeah. So that's obviously a huge issue for DeFi because basically it requires, you tell me, but it sounds like it mandates administrative access to facilitate it. It's, under what circumstances can it be, a mechanism to terminate?

How does that get enforced? What somebody has to take some sort of action in order to enforce it. And then once you open the door to that, then you open the door to all kinds of regulations. Or, once you acknowledge that there is that power, then you [01:22:00] know, you can basically, nation states can apply all sorts of judgments to it and now make what was decentralized finance?

Not decentralized. One of the things that, when you look at like the Celsius bankruptcy for example, it was one of the more efficient bankruptcies that they had a lot of collateral, I believe, locked in and die, and they had to fund it in order to get it released.

And the bankruptcy laws really didn't apply to it. You could argue but how? And so that deterministic aspect of it, it is something that anybody who would put money into that smart contract would rely upon. But now if you inject this outside control where, you know, there, there needs to be this mechanism to terminate the execution, presumably that could also open the door to bankruptcy courts, basically saying you can terminate the, [01:23:00] there's a mechanism to terminate the continued execution of transactions.

Bankruptcy court's gonna send an order pursuant to the Data Act. Is that a possibility, or do you see that there's not, or are there provisions that would protect against that in contemplation?

Marina: I think that even before it was mentioned by Alexandru, if we take into consideration GDPR, for example, there is a right to be forgotten.

And so if there is a private information in this continuously running software code, how do you apply the right to be forgotten here? And I think that might be in a way also the thinking behind that. But at the same time, we discussed before the in a way has self-hosted wallet thing.

Now we're discussing another crucial element of the whole like crypto ecosystem, which is a smart contract. And if we come up with the rules that are going to limit its use or [01:24:00] really change the nature of those like building blocks of crypto, I'm just like asking myself how is this going to continue?

In a way are we going to be again just going in the direction of maybe private DLTs or something that is going to be completely run and designed by laws? And unfortunately not taking into consideration the advantages that we have today with something that is so revolutionary as permissionless blockchain.

In, in the ideal world, of course there. Time for the regulators, for the whole ecosystem and the community to understand what are those specific elements, building blocks, and also positive aspects of this technology that we can use and embrace and maybe in a different way address certain in a way principles, laws that we have already from before.

[01:25:00] And that's in a way I think the role of all of us then, there's not many lawyers that do understand how this technology works, but at the same time, they do understand the laws and we are the ones that are interpreting it, with the projects that you said before.

And Alexandru, you talk to the developers and you say, oh, this is happening. And it's really hard to understand how all this works. But if this is going to be, and that would in a way put in the final draft, I would say that this is pretty, pretty detrimental to the whole ecosystem.

And also, what is happening with all these laws that are different from MiCA is that when you do discuss with the regulators and also with the policy people about MiCA they need to know what is crypto, because it's all about crypto. In MiCA, this part is, has only one article.

So there are people that are really [01:26:00] specialized in data research and data policy. And they would need to get on and understand the whole complexity of what a smart contract is.

And I think that that's in a way very important to do. And not only on the financial regulation, but we see that it's coming into all these elements that the technology basically develops.

Eric: So it's interesting on the Data Act point, on the smart contract, it actually reminds me a bit of the encryption wars in the US. So originally the Department of Defense wanted to regulate, wanted encryption to come underneath, I think, the war powers, or basically they wanted to regulate the export of encryption.

So that's why people were jumping on planes with code on their shirt and ah, I'm violating it. But and actually one thing that was interesting is the sponsor of that legislation was a senator from Delaware, known as Joe Biden. [01:27:00] Part of this was they wanted to build a back door so that the government could come in and would have a decryption key.

This is something that still gets brought up from time to time within encryption. Keep, the oddity of that is that encryption is to make, the whole purpose of the encryption is to ensure that there aren't back doors. It's to make sure that it's a private key and you have a reliance on the fact that key is gonna be shared.

And that key alone is going to facilitate the decrypting of the data. That's the essence of it. That reliance upon the sanctity of that relationship. But then if the government has a backdoor, then all of a sudden now you're building a vulnerability directly into encryption. You know, the who, so who would have that backdoor?

Maybe a contractor who's coding that backdoor or others. There's actually been cases in the US where some government employees in different states were [01:28:00] using I think I gotta remember the case. I covered it in a past podcast with Riana Pfefferkorn about the encrypt is encryption safe from the government.

But there was an actual case where there was an abuse of power by somebody within the police that had access to this information and was using it for their own purposes. And there was a case brought up and, I guess, I'll link to it in the show notes. But those are the kinds of abuses.

One is what you anticipate within the realm of government, but then there's also the fact that you're now creating a vulnerability. And there are gonna be people who. If it's legislated, if it's mandated, they're gonna know that vulnerability exists and they'll seek to leverage it, whether under the guise of, an authority or even more nefarious by hacking or as a government contractor servicing it.

So, it raises in many ways the exact same questions to the extent that you're now mandating these mechanisms. They become a prime target because [01:29:00] by definition everybody knows that smart contract is gonna have that back door. So that creates a vulnerability. Everybody has this notion we would only use it under certain circumstances.

No, but that mandate exists, and so again, it's not like a decentralized finance platform with a smart contract isn't gonna have some mechanism, some sort of break-glass mechanism. But to the extent it's mandated and to the extent that it's under, you open the door to government regulation of that.

I think you,

Alexandru: you lose the idea of trustless. 

Eric: Yeah, at the end, yeah. 

Marina: It's not trustless. Maybe just a comment here. There has been a lot of regulation in the EU currently around the platforms, so what is the platform for, is the definition very broadly discussed? And then under this, what is the privacy of information?

So, is this encryption even possible because of this? I [01:30:00] would say notion of protecting, child abuse, et cetera. There was also this idea that encryption 100% encryption should not be allowed just because of those worst use cases that could happen. And in this case, we have a kind of a combination also with what discussed before.

It's not only information privacy, but it's also financial privacy. And as you mentioned, many times we see that these rules that are in a way applied, they might go into the opposite direction of the best practice from the security point of view. And this is also why we are in a way building these systems, because the security, it's very high compared to others.

So yeah, very much. I would say there's a big line between those that you mentioned in the past and between what is happening at the moment here. 

Alexandru: And if I may recall one more comment on my side [01:31:00] in relation to privacy and the right to be forgotten, when the right to be for, so this is not an absolute right.

When it was first mediated created at European level, I think that nobody took into account that decentralized systems will be born. So in this regard, As a matter of fact, GDPR entered into force in 2007 if I or two, 2010. I don't recall now the date, but in any case, Satoshi came a bit, and what we've seen in crypto came a bit afterwards.

What I want to say with that is that the right to be forgotten in a decentralized world cannot work seamlessly. That's why, all the projects that I've looked [01:32:00] at in the crypto DeFi space with relation to privacy policy more than providing a very good disclaimer saying that, whatever you throw out there in the decentralized cannot be protected hundred percent by privacy rules. More than that, it's also an objective inability to do so because we are in a decentralized world on the internet. Whatever you do, theoretically at least, there is a web domain owner who can erase that information.

But on the blockchain once it started nobody can stop unless you do a fork or something, which is not practical for privacy purposes. 

Eric: Shifting now to DORA and the Cyber Resilience Act [01:33:00] security, the, now DORA, I believe, Digital Operational Resilience Act. That will be implemented later than MiCA, right?

It's still in development or do you think it would be implemented before MiCA? 

Marina: From the information I have, it will be implemented before MiCA, so it was discussed at the same time more or less and has been, I think, politically agreed upon. It was less of a problem to agree within these institutions regarding DORA.

Eric: And is DORA, and what's the interrelation between DORA and the Cyber Resilience Act?

Marina: So in a way they are I would say connected. What is happening with the Cyber Resilience Act is that it's just being discussed right now and it helps in [01:34:00] understanding of what are the designs that will need to take into consideration.

So how to design a software. It's also very broad understanding of what Cyber Resilience Act applies to. So what are the centers, how to design it in order for it to be compliant with Cyber Resilience Act. Maybe I can mention the product liability directive too. So just to add a little bit of complexity here.

But they are again, in a similar process when it comes to the legislative process in the EU, so being discussed with different institutions, and this product liability directive is really old. It's really coming from like 1985. It's been used as one of the first laws that has also been defining all these freedoms that we have in European Union.

So the [01:35:00] freedom of trade, the freedom of movement, and of course exchange of goods. In these cases, there is a kind of a same level playing field on what is going to be their liability for production of certain products. And what is specifically here is that when it comes to the product liability directive, now it's again, updated specifically taking into consideration software.

So that was literally not included yet. But right now, this is the discussion and one part of it is again coming back to the smart contract. How, what would be the liability of a person or also an entity when it comes to smart contract that might have a malware. And I think in this case the worst-case scenario would be that [01:36:00] it could lead to developers or smart contract being liable for any undue damages caused by their code.

So they could also be held liable for loss or corruption of data not used exclusively for professional purposes. Basically the damages that we're describing this product liability directive, but were specifically also aimed as misuse of data. And maybe just for our listeners, this is important because in this case it provides this strict no-fault liability for damages that were caused by this product.

So in this case, smart contract, which means that it's regardless of fault. So of course in this case, we can also think about AI and specific AI enabled product that would be covered by those rules and the harms that might come out of it. I [01:37:00] think that, at least in Europe, the kind of sense is that AI brings a lot of fear and the idea is we need to limit the harm that of course AI could have, and produced, but at the same time, of course, I would say that crypto, we need to be very clear, crypto, DLT are not specifically mentioned in those, neither the product liability directive nor the Cyber Resilience Act. But it's just an interpretation from how software has been in a way described and used here as a product.

So that is basically what they say, and possibly possible manufacturers will in a way also remain responsible for software updates and cybersecurity vulnerabilities. And in this case, they are connected to the Cyber Resilience Act. [01:38:00] 

Alexandru: If I may, Eric, fully agree on Marina's point. For our listeners, I think it's important to note that DORA applies to the financial sector and by reference, and it's part of MiCA as well.

Crypto asset providers and especially exchanges will need to have the same mechanism put in place for ICT cybersecurity risks as if they were in the financial sector. I think it's Article 61, which mentions specifically DORA. So while DORA was created for this modernization of the capital markets in Europe and is mainly dedicated to the financial sector, MiCA legislators, decision makers, [01:39:00] decided that, to incorporate it by reference, it should apply also in the context of MiCA.

Eric: The notion of a, of the products li let me restart that question. So the products liability directive today covers software or it's under discussion that it will cover software. 

Marina: The product liability directive is in the process of being updated to literally cover software. So there will be additional wording added for it to cover software.

Eric: Interesting. So in terms of malware, if a smart contract incorporates other code or relies on another service, and that service has malware in it, could [01:40:00] the, could that protocol be liable for that malware that it incorporates into its service? 

Marina: Yeah, there is a whole part in this law and also there's a lot of questions around how to be responsible for certain parts that were not developed by this specific manufacturer or maybe just a person.

So there are all the rules where we need to look into to which extent one person would be responsible for something that happened with a part of the software that was not developed within this manufacturer. So I think there were like also analogies to what happened in the past. For example, if there was a product that was built by many parts, and of course one was not also produced by this specific manufacturer. There are also very interesting parts in this directive that think about [01:41:00] the exclusion. So, when for example there's going to be the right amount of novelty. So looking into the development of a specific area, for example, software, or we can really think about, I don't know, crypto or blockchain. In this case, if there is not enough knowledge in this space and this area is really novel, that could be one of the use cases where it could be exempt.

So this could be one of the exemptions, and I hope that could be one that some of the blockchain projects could use.

Eric: Wow. Certainly if you're a CASP, it doesn't stop there. There's a lot of other things you have to consider. And obviously for any crypto projects operating in the EU, and the [01:42:00] Data Act doesn't have an exemption for decentralized finance, does it? 

Marina: No, to my knowledge, no. It's really just this specific article, and to be honest, as you see right now, there are many documents and many laws have been discussed at the moment, and I'm not really sure how much they are maybe aligned with each other, but not directly.

It's just that it really requires a broader understanding of what a specific, I dunno, software provider or service provider or even infrastructure does and how it works in order to understand how is this all linked together. 

Eric: Okay. This is very helpful. Actually, maybe before we go, I don't know if it was captured in something else, but the EU payment services directive, PSD2, [01:43:00] how does that factor into all of this? Into MiCA?

Marina: I know there's going to be a revision of the PSD2 and there, but I don't know a lot about it, so I'm not sure I can give more clarity on this at the moment. 

Alexandru: On PSD2, the idea was to provide the sort of an, the open banking at European level, and we might envisage some sort of creation of payment tokens that might look like the definition of payment services.

But it's not only the nature of the token, but who's providing it as well, because the PSD2 [01:44:00] introduces two new types of players, the payment initiation service providers and the ones who are providing information on payments. Unless token issuers or crypto asset service providers will work as payment provider, MiCA will be out of the PSD2 realm.

However, if a sort of, I do see synergies when a CASP will, we've seen this like in FinTech. On one side you can pay by fiat. On the other side, you can pay by crypto. So those type of players will need to take care also on the MiCA, but also on the PSD2 application.

Eric: [01:45:00] Great.

So, we're at time. Exactly. Thanks so much for coming on this podcast and walking through not only MiCA, but how it interacts with other regulations and directives in place or under discussion in the EU. Certainly not. It's certainly an area where if you're gonna practice in the EU, you need an EU attorney, right?

But it should be helpful for US projects that are contemplating, and even US lawyers who are thinking about, hey, how does what we're doing in the US interact with MiCA and vice versa? This was a great discussion. Thanks so much for coming on. Before we break on this, is there anything in this discussion that maybe I missed that was an important qualifier or something to consider in light of the whole interacting statutory regime [01:46:00] or interaction with the regulators?

Alexandru: I believe that we covered a lot and as a final thought, Eric we would like to, to, to thank you for, guiding us towards this through this kaleidoscope of EU law slash crypto MiCA. We had a lot of fun. And, my, my advice to your listeners is don't feel discouraged because they should be discouraged.

The amount of information or the amount of new regulations coming in is true that Europe, it's at the turning point when basically it modernizes its capital markets and payments infrastructure. So there are, there will be plenty of opportunities and we will have guidance across various areas which are currently fastly [01:47:00] developing.

Despite the inflation of documents, I'm pretty sure that the Europeans will find a way to, to be pioneers in this field. 

Marina: I will also add that looking into really as a broad picture we have this definition as a crypto asset. That is a completely new definition that was never regulated before on the EU level.

And I think that is very much, I mean, it's not that burdensome, as we have seen in the previous episodes, as financial regulation. And I think that could be enough to support an industry in Europe. As Alexandru said, don't be discouraged, but at the same time, the devil's in the details.

So, saying DeFi is not regulated, I think it's just too general. We need to look into those specific rules that we have in MiCA, of course. And I would say that one of the most important is definitely going to be the AML for all [01:48:00] those entities or infrastructure. 

Eric: Great. So again, thanks so much for joining and we'll break here.

Thank you so much.