CASP withdrawal · Authorisation revocation

CASP Authorisation Withdrawal — MiCA Practitioner Guide

MiCA's withdrawal framework is the supervisory article most CASPs hope they never need: withdrawal of authorisation, the supervisory tool of last resort. This guide covers the grounds, the procedural framework, customer-fund handling, and cross-border NCA coordination. It is the article that defines the regulatory worst case and how to manage it.

MiCA's withdrawal framework is the provision under MiCA Regulation (EU) 2023/1114 governing withdrawal of CASP authorisation — establishing grounds for withdrawal (failure to commence services within 12 months, serious breaches of MiCA obligations, no longer meeting authorisation conditions), procedural requirements (notice, hearing, decision), customer-protection arrangements during wind-down, and cross-border NCA cooperation in supervisory enforcement.

Quick facts

| Parameter | Value |
| --- | --- |
| Legal basis | MiCA Regulation (EU) 2023/1114, the withdrawal framework |
| Withdrawal grounds | Failure to commence services within 12 months; serious or repeated MiCA breaches; no longer meeting authorisation conditions; failure to maintain own funds; fraud or AML failures |
| Procedural framework | Written notice, opportunity to be heard, reasoned decision, right of appeal |
| Customer-protection arrangements | Mandatory wind-down plan, customer-asset return, ongoing-services continuity, NCA monitoring |
| Cross-border coordination | Home-state NCA consults host-state NCAs in passport situations; ESMA notification |
| Public disclosure | Withdrawal published in ESMA register and home-state NCA register |
| Related provisions | Article 63 (initial authorisation), Article 84 (recovery and resolution), Article 109 (administrative sanctions) |

How the procedure works in practice

MiCA’s withdrawal framework is the supervisory article that ends a CASP’s regulatory life. Where Article 63 establishes the authorisation grant process, the MiCA framework governs the withdrawal process — the supervisory tool of last resort when an authorised CASP fails to maintain compliance with the regulatory framework.

The article addresses three primary withdrawal scenarios:

Failure to commence services within 12 months — operators that obtain authorisation but fail to actually launch services within 12 months face automatic withdrawal grounds. The provision exists to prevent “shelf authorisations” — entities obtaining authorisation as a placeholder without genuine operational intent.

Serious or repeated breaches of MiCA obligations — operators that operate but fail to maintain ongoing MiCA compliance face withdrawal as escalation from less-serious supervisory measures. A single material breach (major AML failure, customer-asset misappropriation) or a pattern of repeated lesser breaches both qualify.

No longer meeting authorisation conditions — operators that operated initially under acceptable conditions but where the underlying authorisation basis no longer holds. Examples: substantial changes in beneficial ownership without proper notification, key-person departures leaving inadequate management, capital reduction below the Article 67 floor.

Each ground has thorough procedural protections — withdrawal is not summary, requires due process, and offers appeal rights.

The procedural framework

The withdrawal framework incorporates standard EU administrative-law procedural protections:

Written notice — the NCA provides formal written notice of intent to withdraw, identifying the genuine grounds and the evidence supporting them. Notice must be sufficiently specific to enable detailed response.

Opportunity to be heard — the operator has the right to respond, present evidence, and challenge the NCA’s underlying grounds. The opportunity is real — NCAs withdraw the notice if a thorough response identifies flaws in the grounds or remediation paths.

Reasoned decision — if the NCA proceeds, the final decision must be reasoned, addressing the operator’s response and identifying the genuine basis for withdrawal.

Right of appeal — under member-state administrative law, typically to specialised financial-services tribunals or administrative courts. Appeal can include suspension of withdrawal effect pending determination, though courts grant suspension cautiously where customer-protection concerns are material.

The procedural framework is robust. Operators facing withdrawal proceedings have genuine legal-defence options, particularly where the grounds are contestable or where NCA evidence has gaps.

Customer-protection deployment

The real operational concern is customer protection. The framework includes:

Mandatory wind-down plan — the NCA approves a wind-down plan addressing customer-asset return, ongoing-services continuity, customer-data handling, contract termination procedures.

Customer-asset return — segregated customer crypto-assets (under Article 75) must be returned to customers. The wind-down plan defines transfer mechanisms, customer communication, dispute-resolution arrangements for any asset-attribution disputes.

Ongoing-services continuity — for extended periods during wind-down, customers may need ongoing services (executing pending orders, processing pending withdrawals, providing customer support). The wind-down plan addresses how these services continue and when they terminate.

NCA monitoring throughout wind-down — the NCA maintains supervisory engagement during wind-down with reporting requirements on customer-asset return progress, customer-complaint handling, operational continuity.

Successor-operator transitions — where customer relationships transition to other authorised operators, the wind-down plan addresses customer-data transfer (subject to GDPR), customer-consent requirements, regulatory notification.

The customer-protection framework is the most operationally demanding aspect. Operators should have genuine business-continuity infrastructure in place before any withdrawal scenario arises — meaningful customer-data infrastructure, segregated custody addresses, ongoing-services contracts with potential successor operators.

Cross-border implications

For passport-active operators, the withdrawal framework has substantial cross-border implications:

Automatic passport termination — passport rights derive from home-state authorisation under Article 65. Withdrawal terminates passport access automatically across all member states where the operator was passporting.

Home-state NCA notification obligations — the home-state NCA must notify host-state NCAs and ESMA. Notification triggers host-state customer-protection engagement.

Host-state engagement — host-state NCAs may engage in their own customer-protection measures, asset-freezing actions, or local enforcement. The coordination is typically through ESMA-mediated supervisory cooperation.

ESMA register update — the public ESMA register reflects withdrawal, with major implications for the operator’s market reputation across the EU.

Counterparty notification — payment processors, banking partners, B2B suppliers, and technology vendors all typically have contractual provisions triggered by regulatory authorisation loss. Required notification and renegotiation typically follow.

The withdrawal framework versus Article 109 sanctions

Withdrawal under the withdrawal framework is distinct from Article 109 administrative sanctions:

Article 109 sanctions — penalty actions for breaches: fines (up to the higher of EUR 5M, 3% of turnover, or 2x gain/avoided loss), individual bans, public statements, supervisory measures like restriction of services. Multiple sanctions can be combined.

The withdrawal framework — the most serious supervisory action: complete loss of authorisation and operating right. The operator can no longer provide regulated crypto-asset services.

Both can be applied for the same conduct. Serious MiCA breaches often trigger Article 109 sanctions on the individuals (key persons, board members) plus withdrawal of the operating entity's authorisation.

The combined consequences can be career-ending for affected individuals and terminal for the operating entity. Real compliance investment is the only meaningful protection against this scenario.

Operational preparation — what every CASP should do

Even operators not currently facing withdrawal risk should maintain ongoing preparation:

Business-continuity-plan infrastructure — meaningful customer-data infrastructure enabling rapid transition, segregated custody addresses, ongoing-services contracts with potential successor operators.

Documentation infrastructure — thorough compliance documentation that would survive supervisory scrutiny in any future enforcement scenario. Documentation gaps that aren’t material in normal operations become exposed in a grounds analysis.

Key-person succession — adequate succession planning so departures don’t trigger withdrawal grounds.

Capital-maintenance monitoring — proactive monitoring of Article 67 own-funds adequacy with early-warning thresholds well above the regulatory minimum.

Beneficial-ownership-change procedures — detailed procedures for any material changes in beneficial ownership ensuring proper Article 83 notifications occur.

The substantive preparation isn’t about expecting the withdrawal framework to arise — it’s about maintaining the operational and documentation infrastructure that demonstrates ongoing compliance and provides legal-defence options if any supervisory engagement does arise.

The withdrawal framework in the broader supervisory framework

The withdrawal framework sits within MiCA’s escalating supervisory framework:

  • Article 109 — administrative sanctions: primary penalty tool for breaches
  • The withdrawal framework — withdrawal of authorisation: most serious supervisory action
  • Article 84 — recovery and resolution: framework for managing failing CASPs
  • Title VI (Articles 86-92) — market abuse: specific enforcement framework for market-abuse violations
  • Article 95 — supervisory cooperation: cross-border NCA coordination

The withdrawal framework is the article supervisors invoke when other measures have failed or when the genuine grounds are sufficiently serious to skip lesser supervisory tools. The meaningful procedural protections mean withdrawal is not arbitrary, but the operator’s legal-defence position depends entirely on the quality of compliance documentation and operational infrastructure built well before any supervisory engagement.

Pitfalls and nuances

1. Treating the 12-month commencement deadline as soft

The withdrawal framework's grounds include failure to commence services within 12 months of authorisation grant. Some operators treat the 12-month clock as informal, planning to commence operations whenever ready. The deadline is hard — NCAs have invoked the withdrawal framework against operators that obtained authorisation but failed to launch within the period. Operators uncertain about commencement timing should communicate with the NCA proactively rather than letting the deadline pass silently.

2. Missing the customer-protection deployment planning

If the withdrawal framework is triggered, operators face mandatory wind-down obligations including customer-asset return and ongoing-services continuity. Operators without genuine business-continuity-plan infrastructure (segregated custody addresses, customer-data infrastructure for transition, ongoing-services contracts with successor operators) face operational chaos under wind-down pressure. The infrastructure should exist before any withdrawal scenario, not be built reactively.

3. Underestimating cross-border ramifications

Withdrawal terminates passport rights across all member states where the operator was passporting. Host-state NCAs may have additional customer-protection requirements, asset-freezing powers, or local enforcement actions. Operators with substantial cross-border passport activity face multiple NCA engagements during wind-down. The coordination overhead is meaningful.

4. Ignoring the public-disclosure reputational impact

Withdrawal is publicly disclosed in the ESMA register and the home-state NCA register. Beyond the regulatory loss, reputational damage to affiliated entities, key persons, and the broader corporate group is substantial and durable. Key persons subject to withdrawal-associated supervisory findings may face individual fit-and-proper implications for future financial-services roles.

Frequently asked questions

What are grounds for MiCA's withdrawal framework?

Failure to commence services within 12 months of authorisation, serious or repeated MiCA breaches, no longer meeting authorisation conditions, failure to maintain Article 67 own funds, fraud or material AML failures.

Can a CASP appeal the withdrawal framework?

Yes. The withdrawal framework requires written notice with reasons, opportunity to be heard, reasoned decision, and right of appeal under member-state administrative law. The procedural protections mirror standard EU financial-services supervisory frameworks.

What happens to customer assets when a CASP authorisation is withdrawn?

The withdrawal framework requires customer-protection arrangements — mandatory wind-down plan, customer-asset return, ongoing-services continuity, NCA monitoring. Customer assets are not part of the operator's insolvency estate under Article 75 segregation.

Does the withdrawal framework affect cross-border passport rights?

Yes — passport rights derive from home-state authorisation. Withdrawal terminates passport access automatically. Home-state NCA must notify host-state NCAs and ESMA. Passport-receiving member states then engage in their own customer-protection measures.

What is the difference between the withdrawal framework and Article 109 sanctions?

Article 109 sanctions are penalty actions — fines, bans, supervisory measures. Withdrawal under the withdrawal framework is loss of authorisation entirely. Both can apply for the same conduct; withdrawal is the more serious.

Sources cited

  1. Regulation (EU) 2023/1114 (MiCA) — Article 64 — regulation
  2. ESMA Technical Standards on CASP supervisory cooperation — regulator
  3. EBA Guidelines on CASP authorisation procedures — regulator