CASP record keeping · MiCA obligations
CASP Record Keeping Obligations — MiCA Compliance Guide
MiCA's record-keeping framework looks simple on the page. In practice it's the article that forces CASPs to rebuild their data infrastructure. Five-year minimum retention, full-transaction granularity, NCA-accessible format, communication records including chat logs. Here's what the record-keeping regime actually requires and what operators most often get wrong.
MiCA's record-keeping framework is the regulation establishing comprehensive record-keeping obligations for CASPs — requiring CASPs to maintain records of all crypto-asset services provided, transactions executed, orders received, and communications with clients and third parties for a minimum of five years from the date the record was made, extendable to seven years on competent authority request.
Quick facts
| Parameter | Value |
|---|---|
| Legal basis | MiCA Regulation (EU) 2023/1114 the record-keeping framework |
| Retention period | 5 years minimum; extendable to 7 years on NCA request |
| Coverage scope | All services, transactions, orders, communications with clients and third parties |
| Format requirement | Format that allows NCA to retrieve and process records without delay |
| Accessibility | Records must remain accessible throughout retention period, not just stored |
| Penalty for non-compliance | Administrative sanctions up to EUR 5M or 10% of annual turnover (MiCA Article 111) |
| Related provisions | Article 67 (own funds), Article 69 (general obligations), Article 75 (custody segregation) |
What the record-keeping regime actually requires
MiCA’s record-keeping framework is short on the page but expansive in operational implication. The text requires CASPs to keep records of “all services provided, transactions executed, orders received, and communications with clients and any third party” for a minimum of five years, extendable to seven years on competent authority request.
Each element of that scope unpacks into substantial infrastructure obligations.
Services provided — every crypto-asset service the CASP delivers must be documented. For exchange services, this means trade records. For custody, deposit and withdrawal records plus balance-state records. For order-execution services, order books and execution data. For advice services, the advice given and its delivery. For portfolio management, portfolio composition and decisions over time.
Transactions executed — full transaction-level granularity. Customer, counterparty (where applicable), asset, amount, price, timestamp, execution venue, fees. For each transaction not just summary records but the underlying data that demonstrates how the transaction was constructed, priced, and executed.
Orders received — order books, including unfilled orders, cancelled orders, modified orders. Time-stamped order receipt and any subsequent modifications. The audit trail from order receipt through execution or cancellation.
Communications with clients — this is the obligation most operators underestimate. Email correspondence, chat conversations (live chat, support tickets), recorded phone calls, structured messaging (Telegram, Signal where used for client communication). All client-facing communications in scope.
Communications with third parties — counterparties, settlement agents, liquidity providers, technology vendors, AML information-sharing partners. Communications about specific client matters or specific transactions fall in scope; general business correspondence less clearly.
The retrievability test — where infrastructure matters
The format requirement is the operational lever. Records must be kept “in a format that allows the competent authority to retrieve and process them without delay.”
This rules out several common storage approaches.
Bulk archive storage without indexing — JSON dumps in S3 Glacier without searchable indices fail the retrievability test. The NCA must be able to locate specific records by customer, by transaction, by date range, by asset. Without structured indexing, retrieval times exceed what NCAs accept.
Records dispersed across operational systems without consolidation — a CASP with transaction records in the trading engine, customer records in the CRM, communications in the support platform, AML records in the compliance tool, custody records in the custody system — and no unified record-retrieval capability — fails the practical test even if each component meets technical retention. NCAs ask for “all records related to customer X in the period Y” and expect a single coherent response.
Records in proprietary formats requiring vendor cooperation — records locked in a vendor’s proprietary database where extraction requires vendor cooperation create access risk. Best practice: data egress in standard formats (CSV, JSON, structured database exports) with documented retrieval procedures independent of vendor goodwill.
The infrastructure that passes the retrievability test is consolidated, indexed, queryable, and exportable. Most CASPs build this through a data-warehouse layer that ingests from operational systems and provides the NCA-facing retrieval interface. The build cost is real — typical infrastructure investment EUR 200-500k for a mid-tier CASP, more for larger operators.
Communications retention — the implementation gap
The communications retention obligation captures the broadest infrastructure gap in most CASP the record-keeping framework implementations.
Email archiving — corporate email systems often have retention policies that expire after 1-2 years. The framework requires 5 years minimum. Email archiving infrastructure (Microsoft Compliance Center, Google Vault, third-party archiving like Smarsh or Mimecast) must be configured with the retention period.
Live chat and support tickets — customer-service platforms (Intercom, Zendesk, Freshdesk) typically default to shorter retention. Configuration for 5-year retention is straightforward but often missed during implementation. Some platforms charge premium for extended retention.
Voice recordings — call-center platforms record customer calls but retention defaults vary. The framework requires the 5-year minimum. Larger operators often integrate AI-transcription of voice records to make them text-searchable for NCA retrievability.
Internal communications — Slack, Microsoft Teams, internal messaging. The scope question: which internal communications fall? The conservative answer is internal communications about specific client matters or specific transactions. The narrower answer is only customer-facing communications. Most CASPs adopt the conservative position and apply the record-keeping framework retention to internal channels that discuss client matters, while exempting purely operational/administrative channels.
Mobile messaging — Telegram, Signal, WhatsApp where used for client communication. The compliance gap here is substantive — these platforms typically don’t have enterprise archiving capabilities, and prohibiting their use is the only reliable way to ensure the record-keeping framework compliance. Several CASPs in 2025-2026 have received NCA findings for failure to retain client-facing mobile-messaging communications.
Cross-border storage and access
The record-keeping framework records can be stored geographically anywhere but must remain accessible to the EU NCA. The practical implementation question: where and how.
EU-resident storage is the lowest-friction approach. AWS Frankfurt, GCP Belgium, Azure Netherlands, or specialised EU compliance-archive providers. NCA access is direct with no cross-border legal complications. Most CASPs default to EU-resident storage for the record-keeping regime records as the simplest path.
Non-EU storage with adequate safeguards — records stored in US, UK, or other non-EU jurisdictions are permissible but require legal frameworks ensuring NCA access. EU-US Data Privacy Framework (DPF) for US storage. UK adequacy decision for UK storage. Standard Contractual Clauses (SCCs) for other jurisdictions. Documented procedures for retrieval timing (typical NCA expectation: 24-72 hours for routine requests, faster for supervisory urgency).
Multi-region storage with EU primary — some larger CASPs operate multi-region data architecture with primary records in the EU and replicated records elsewhere for operational resilience. This satisfies the record-keeping framework while providing operational redundancy.
The path to avoid: relying on consumer-grade non-EU storage without explicit access procedures, or assuming that “the records are stored, so we’re compliant” without testing whether retrieval actually works under NCA-grade time pressure.
The in the broader compliance architecture
The record-keeping framework sits alongside several related obligations that together define CASP record-keeping infrastructure.
Article 67 — own funds requirements create the audit-trail requirement for capital calculations. Records demonstrating capital adequacy at each reporting cycle.
Article 69 — general obligations include acting in clients’ best interests, fair-clear-not-misleading communications, conflicts of interest. The record-keeping framework records evidence compliance with Article 69 substantive obligations.
Article 75 — custody record-keeping is the custody-specific overlay on the record-keeping framework. Custody operations are subject to both — Article 75 specifies custody segregation, customer-balance reconciliation, and crypto-specific record types.
AMLR/AMLA record-keeping (separate retention obligations under EU anti-money-laundering rules) — typically 5 years from end of customer relationship, in some cases longer. Overlaps with the record-keeping framework scope for AML-relevant records but not identical.
TFR (Travel Rule) record-keeping — the EU Travel Rule for crypto-asset transfers requires retention of originator and beneficiary information. Overlaps with the record-keeping framework for transaction records but adds specific data-element requirements.
The compliance infrastructure question is whether to build a unified record-retention architecture covering all overlapping obligations, or maintain separate retention schedules per obligation. Most CASPs in practice build a unified architecture with metadata flags indicating which obligations apply to each record type — single technical infrastructure, multiple compliance frameworks routed through it.
Implementation timeline for new CASPs
For new CASP authorisation applications, the record-keeping framework infrastructure must be substantively complete at the authorisation phase, not deferred to post-authorisation build-out. ESMA and NCAs increasingly test record-keeping infrastructure during the authorisation review — file submissions that promise to “build the record-keeping framework infrastructure after authorisation” face challenges.
Realistic implementation timeline: 6-9 months for a mid-tier CASP to build production-grade the record-keeping framework infrastructure. Components: data-warehouse layer for transaction and order records (8-12 weeks build), email archiving with 5-year retention (4-6 weeks configuration), customer-service platform retention configuration (2-4 weeks), voice-recording archiving (4-8 weeks), internal communications policy and Slack/Teams retention configuration (2-4 weeks), NCA-access procedures and documentation (4-6 weeks), integration testing across components (4-6 weeks).
Operators applying for authorisation should commit to the record-keeping framework build during the application phase rather than treating it as a post-grant operational task. The early commitment substantially reduces authorisation-review friction and prevents the 6-12 month gap between licence grant and full the record-keeping framework readiness that some operators have experienced.
Pitfalls and nuances
1 Treating the record-keeping framework as a back-office archive obligation
The common implementation mistake is to treat the record-keeping framework like a paper-records archive — store transactions in a data warehouse and assume compliance. The actual requirement is much more substantive: records must be retrievable in a format that allows NCA to process them without delay. This means structured, queryable, indexed data — not bulk JSON dumps in cold storage. Operators that defer infrastructure investment until NCA requests a record discover the retrieval gap at the worst possible time.
2 Underestimating the communications retention scope
The communications obligation captures more than transaction confirmations. Customer-service chat logs, complaint-handling email threads, internal Slack discussions about specific client matters, recorded support calls — all in scope. Operators with consumer-grade communication infrastructure (free Slack tier, no email archiving, ephemeral chat) face substantial gaps. Communications retention infrastructure is the most-frequently-rebuilt component implementation.
3 Confusing AML record-keeping with the record-keeping framework
AML record-keeping under EU AMLR/AMLA (and Travel Rule under TFR) has separate retention obligations — typically 5 years from end of customer relationship, in some cases longer. The record-keeping framework covers different records (all services, not just AML-relevant). Both obligations apply in parallel. Compliance infrastructure should treat them as overlapping but distinct retention schedules — not a unified 'compliance archive'.
4 Storing records outside accessible legal frameworks
Records can be stored geographically anywhere but must remain accessible to the EU NCA without delay. Non-EU cloud storage (AWS US, GCP Singapore) creates legal-access challenges that NCAs increasingly view critically. Best practice: EU-resident data storage with documented NCA-access procedures, or non-EU storage with explicit Standard Contractual Clauses and demonstrable retrieval capability. NCA requests for records frequently include format and timing specifications that test the storage architecture's flexibility.
Frequently asked questions
What records must a CASP retain under MiCA's record-keeping framework?
All records of services provided, transactions executed, orders received, and communications with clients and third parties. Scope includes onboarding records, transaction data, order books, customer-service interactions, and complaint files.
How long must CASPs retain the record-keeping framework records?
Five years minimum from the date the record was made. Competent authorities can extend to seven years on request. Some related obligations (AML records under AMLR) require longer retention separately.
Must the record-keeping framework records include chat and email communications?
Yes. The communications obligation covers all client and third-party communications including email, chat, voice (recorded calls), and structured messaging. Internal communications about specific client matters typically fall in scope.
Can the record-keeping framework records be stored outside the EU?
The records can be stored anywhere geographically but must remain accessible to the competent authority without delay. NCA access typically requires sub-24-hour retrieval. Non-EU storage requires legal frameworks ensuring access (e.g., DPF transfer mechanisms).
What is the difference between the record-keeping framework records and Article 75 custody records?
Article 68 covers all CASP services and communications. Article 75 specifically addresses custody record-keeping. Custody operations are subject to both — Article 75 sets custody-specific rules, Article 68 sets the general framework.
Get matched
Working through a crypto-licensing decision?
Get an editorial shortlist of firms matched to your business — customer market, model, jurisdiction, and stage. Free, and not influenced by sponsorship.
Get a firm shortlist →Sources cited
- Regulation (EU) 2023/1114 (MiCA) — Article 68 — regulation
- ESMA Technical Standards on CASP record-keeping (RTS) — regulator
- EBA Guidelines on AML/CFT record-keeping for CASPs — regulator