Fit and Proper for CASPs: Who Can Run a MiCA-Licensed Firm

A MiCA application is not only a test of the firm — it is a test of the people running it. Regulators assess the management body and the people behind significant shareholdings, and a weak fitness-and-probity file stalls otherwise strong applications.

CASP management body fit-and-proper assessment under MiCA

Fit and proper for CASPs is the suitability assessment under MiCA Regulation (EU) 2023/1114 applied to the management body of a crypto-asset service provider and to the persons holding qualifying stakes in it. It tests good repute, sufficient knowledge, skills and experience, honesty and integrity, and sufficient time commitment, so the regulator can be satisfied the firm will be run soundly.

Quick facts

  • Who is assessed: Members of the CASP management body, and natural persons behind qualifying holdings (significant shareholders / controllers)
  • Good repute: No record indicating the contrary; relevant criminal, regulatory, and financial-integrity history is examined
  • Knowledge, skills, experience: Collectively and individually adequate to understand the CASP's activities, including the main risks
  • Time commitment: Each management body member must be able to commit sufficient time to perform their functions
  • Collective suitability: The management body as a whole must have adequate knowledge, skills, and experience
  • Qualifying holdings: Persons with significant stakes are assessed so that influence over the CASP rests with suitable people
  • Documentary set: Fitness-and-probity questionnaires, CVs, criminal-record evidence, source-of-funds where relevant, references

MiCA licences firms, but it assesses people

A common misread of MiCA authorisation is that it is a test of the firm — its capital, its policies, its technology. It is also, unavoidably, a test of the people. Before a national competent authority authorises a CASP, it has to be satisfied that the firm will be run soundly — and “run soundly” is a function of who is on the management body and who stands behind the firm’s significant shareholdings.

This is the fitness-and-probity dimension of a CASP application. A firm can have a clean capital position, a well-drafted governance file, and strong technology, and still stall because a proposed director cannot evidence good repute or because the ownership chain behind a controlling stake is opaque.

Who gets assessed

Two groups fall within the suitability assessment:

  1. The management body — the directors and senior managers who direct the CASP’s business. They are assessed both individually and collectively.

  2. Qualifying holders — the natural persons behind significant shareholdings or other forms of control over the CASP. The principle is that influence over a regulated firm should rest with suitable people, so the people who can shape the firm’s direction are themselves assessed.

A founder-operated CASP where the founder is both the controlling shareholder and the CEO is assessed in both capacities.

The four tests applied to the management body

Suitability for the management body breaks into four assessment areas:

1. Good repute

Each member must be of good repute — meaning there is no record indicating the contrary. The regulator examines relevant criminal history, prior regulatory findings and sanctions, and financial-integrity issues such as personal insolvency, director disqualification, or a history of failed regulated firms. Good repute is evidenced, typically through criminal-record certificates and disclosure declarations — not simply asserted.

2. Knowledge, skills, and experience

Members must have — individually to the extent appropriate, and collectively as a body — knowledge, skills, and experience adequate to understand the CASP’s activities, including the main risks. For a crypto-asset firm those risks are specific: custody and key-management risk, market-abuse risk on a trading venue, ICT and operational-resilience risk, AML/CFT typologies particular to crypto. A board with no member who can credibly understand and challenge those risks does not meet the bar.

3. Honesty, integrity, and independence of mind

Members must act with honesty and integrity, and with sufficient independence of mind to assess and challenge the decisions of the management body and to oversee management effectively. A board that cannot challenge a dominant founder is a governance weakness the supervisor looks for.

4. Time commitment

Each member must be able to commit sufficient time to perform their functions. A director who sits on many unrelated boards, or a senior manager who is plainly running other businesses full-time, raises a time-commitment question. The supervisor expects the time arithmetic to add up.

The collective dimension

Beyond each individual, the management body as a whole must have adequate knowledge, skills, and experience. A board can be collectively suitable even if no single member covers everything — provided the mix covers the firm’s activities and risks. The diagnostic is whether, taken together, the board can run the firm and oversee its risks.

This is why board composition is a design decision at application stage, not an afterthought. A board that is all commercial founders with no compliance, risk, or financial-services depth has a collective-suitability gap.

Qualifying shareholders — the part applicants forget

Applicants concentrate on directors and frequently under-prepare the qualifying-shareholder assessment. The people behind significant stakes in the CASP are assessed so that control of a regulated firm rests with suitable people.

In practice this means:

  • The ownership chain must be transparent — the regulator follows it to the natural persons at the top
  • Those persons are assessed for good repute and integrity
  • Source of funds is often required — the regulator wants to understand where the capital behind a significant stake came from

An opaque structure — layered holding companies, nominee shareholders, a controller who cannot or will not evidence source of funds — can stall an application even where the management body is strong.

What a clean fitness-and-probity file contains

For each assessed person, a clean file typically includes:

  1. A completed fitness-and-probity questionnaire in the regulator’s format
  2. A full CV with no unexplained gaps
  3. Criminal-record evidence (certificates of good conduct) from relevant jurisdictions
  4. Disclosure of any prior regulatory findings, disqualifications, or insolvencies — with explanation
  5. References, where the regulator requires them
  6. For qualifying holders: ownership-chain documentation and source-of-funds evidence

The single most useful principle: disclose proactively. A disclosed and explained issue — an old, minor, resolved matter — is almost always survivable. The same issue, undisclosed and then discovered by the regulator, becomes a credibility problem that can sink the application.

Working with counsel on the suitability file

The diagnostic for counsel: ask whether they can identify, for the proposed board and ownership structure, where the suitability risks are — collective-competence gaps, time-commitment concerns, ownership-chain opacity — before filing. Counsel that treats fitness-and-probity as a forms exercise has under-scoped it. The firms in our index with relevant authorisation experience are listed below.

Pitfalls and nuances

1. Nominee directors who cannot survive the interview

Several jurisdictions interview proposed management-body members on the operating model. A nominee appointed for residency optics, who cannot answer substantive questions about the business they are meant to direct, fails the suitability test and signals a substance problem to the supervisor.

2. A board with no crypto-relevant competence

A management body composed entirely of generalist directors with no understanding of crypto-asset risk — custody, market abuse, ICT, AML typologies — does not meet the collective-suitability bar. The board must be able to understand and challenge the firm's main risks.

3. Under-evidenced good repute

Good repute is evidenced, not asserted. Missing criminal-record certificates, gaps in CV history, or undisclosed prior regulatory issues turn a routine check into a deficiency. Disclose proactively — a disclosed and explained issue is far better than an undisclosed one the regulator finds.

4. Ignoring the time-commitment requirement

Each management body member must commit sufficient time. A director sitting on numerous unrelated boards, or a 'CEO' who is plainly running several other businesses full-time, raises a time-commitment concern. Regulators ask how the time adds up.

5. Overlooking qualifying-shareholder assessment

Applicants focus on directors and forget that the people behind significant shareholdings are also assessed. An opaque ownership chain, or a controller who cannot evidence source of funds, can stall an application even where the management body is strong.

Frequently asked questions

Does MiCA assess the people running a CASP, not just the firm?

Yes. The management body and the persons behind qualifying holdings are assessed for fitness and propriety — good repute, knowledge and experience, integrity, and sufficient time to do the job.

What does 'good repute' mean for a CASP director?

It means there is no record indicating the contrary. Regulators examine relevant criminal history, prior regulatory findings, and financial-integrity issues such as insolvency or disqualification.

Can a CASP appoint directors with no crypto experience?

The management body, collectively and individually, must have knowledge, skills, and experience adequate to understand the CASP's activities and main risks. A board with zero relevant competence will not satisfy the test.

Are shareholders assessed, not just directors?

Yes. Persons holding qualifying stakes in a CASP are assessed so that significant influence over the firm rests with suitable people. Source-of-funds evidence is often required.

Sources cited

  1. Regulation (EU) 2023/1114 (MiCA) — authorisation and operating conditions for CASPs — regulation
  2. ESMA MiCA implementation page (suitability and authorisation standards) — regulator
  3. EBA / ESMA Joint Guidelines on the suitability of management body members and qualifying shareholders — regulator