NCA supervisory powers · Information requests
NCA Supervisory Powers Information Requests — MiCA Guide
The information requests framework is the article you read carefully when the NCA's information request lands on your desk. It gives supervisors a broad toolkit — on-site inspections, document production orders, individual interviews, banking-record access, third-party records. How you respond to the first request often determines how the supervisory engagement unfolds.
MiCA's information requests framework is the supervisory-powers provision under MiCA Regulation (EU) 2023/1114 granting NCAs broad authority to obtain information, conduct on-site inspections, take statements from individuals, access banking and telecommunications records, and require submission of documents from CASPs and third parties as part of supervisory or enforcement processes.
Quick facts
| Parameter | Value |
|---|---|
| Legal basis | MiCA Regulation (EU) 2023/1114 the information requests framework + national-law transposition of supervisory powers |
| Information powers | Document production orders, electronic records, accounting records, internal communications, third-party records |
| On-site powers | Inspections at operator premises with reasonable notice; documents may be sealed pending review |
| Individual powers | Interviews of named individuals; statements may be taken; rights of legal representation apply |
| Banking record access | Direct access to operator banking records and counterparty banking records via court order or NCA-bank cooperation |
| Sanctions for non-cooperation | Article 109 administrative sanctions up to EUR 5M or 3% turnover; obstruction of justice considerations |
| Privilege protection | Legal professional privilege protects communications with external legal counsel; not internal compliance communications |
What the supervisory powers regime actually gives the NCA
The procedure sets out the supervisory toolkit available to NCAs for routine supervision and enforcement matters. The powers are broad — broader than many CASP operators realise until they receive their first substantial information request.
Information powers. NCAs can require production of documents, electronic records, accounting records, internal communications, customer records, transaction records, and any other information relevant to their supervisory mandate. The scope covers operator records and, with appropriate process, third-party records held by counterparties, banking partners, technology vendors, and others.
On-site inspection powers. NCAs can conduct on-site inspections at operator premises. Reasonable notice typically applies but can be dispensed with where there’s risk of evidence destruction. During on-site inspections, documents may be sealed pending review, electronic systems may be imaged for forensic analysis, and operator staff may be interviewed.
Individual interview powers. NCAs can require named individuals to provide statements. The interviews can cover both factual matters within the individual’s knowledge and the individual’s own conduct. Rights of legal representation apply, but the core obligation to attend and respond remains.
Banking and telecommunications access. Via court order in most member states (direct authority in some), NCAs can access operator banking records and counterparty banking records relevant to the supervisory matter. Telecommunications records — call logs, message metadata — face higher process thresholds but remain available in appropriate cases.
Third-party powers. Records held by third parties on behalf of the CASP — IT vendors, accounting firms, audit firms, legal counsel (subject to privilege), banking partners — can be obtained via direct request to the third party or via cooperation with relevant authorities.
The toolkit is comprehensive. NCAs that engage in substantial supervisory matter typically use multiple powers in coordinated workflow.
When the information requests framework powers get used
Routine supervision uses the information requests framework sparingly — periodic reporting reviews, scheduled inspections, standard information requests. The substantial uses come during:
Triggered supervisory engagement. Customer complaint patterns, market-event reactions, peer-supervisor referrals, whistleblower notifications trigger heightened supervisory attention. The information requests framework information requests follow.
Routine inspection cycles. Major CASPs face routine on-site inspections every 12-24 months. The inspections use the information requests framework powers on the document-production and interview sides.
Enforcement investigations. Where the supervisor has reason to suspect specific breaches, the information requests framework powers support evidence gathering for potential enforcement.
Cross-border coordination. Where issues span multiple member states, the information requests framework powers support information sharing and coordinated action across home-state and host-state NCAs.
M&A supervision. Qualifying-holdings notifications under Article 83 trigger the information requests framework information requests to acquirer and target.
Significant CASP supervision. CASPs designated significant under Article 85 face continuous heightened the information requests framework engagement.
The pattern: the information requests framework powers are tools the supervisor uses when something has triggered focused attention. The first request often signals more requests to come.
The information-request workflow
Standard supervisory information requests follow a recognisable workflow:
Initial letter. The NCA sends an information request describing the scope, the specific information required, and the response deadline. Initial requests typically allow 14-30 days for response. Complex requests may include schedule of documents and specific questions.
Acknowledgement. Operator acknowledges receipt and confirms the response timeline. If the timeline is unrealistic given request scope, request extension at this stage rather than defaulting.
Internal review. Operator identifies responsive documents, conducts privilege review, prepares responsive materials. Privilege review is critical and should involve qualified counsel for any matter of substance.
Production. Responsive materials produced to the NCA, typically via secure portal or registered post. Production usually includes index of materials, privilege log identifying withheld documents, and cover letter explaining production scope.
Follow-up requests. NCAs typically iterate — initial production reviewed, follow-up requests issued for additional materials or clarification. The iteration cycle may run 2-6 rounds depending on matter complexity.
Closure or escalation. Matter closes with no further action, closes with supervisory note, or escalates to formal enforcement under Article 109.
Each stage matters. The real operator-side discipline is consistent — produce exactly what’s requested, manage privilege carefully, engage counsel throughout, document the supervisory engagement for internal records.
On-site inspections — what happens
On-site inspections are operationally disruptive but follow predictable patterns:
Notification. NCA notifies the operator of inspection scope, timing, and participating supervisors. Notice typically 1-4 weeks; can be shorter where risk of evidence destruction.
Pre-inspection preparation. Operator collects requested documents, prepares interview-room arrangements, briefs staff likely to be interviewed, engages counsel for on-site support.
Opening meeting. Senior management and lead supervisors meet to confirm inspection scope, agree practical arrangements, identify any preliminary concerns.
Document review. Supervisors review collected documents on-site, may request additional materials, may image electronic systems for off-site review.
Interviews. Named individuals interviewed by supervisors. Rights of legal representation apply; individuals can request adjournment for counsel attendance. Interviews may be recorded.
Closing meeting. Supervisors summarise initial findings, identify any immediate concerns, agree post-inspection follow-up timeline.
Post-inspection report. Supervisors produce written report identifying findings. Operator typically gets opportunity to comment before report finalised.
Action plan. Where the report identifies issues, operator prepares action plan with remediation timeline. Detailed action plans typically close matters; thin action plans trigger escalation.
The on-site inspection is a real operational event. Mature operators run inspection-readiness exercises annually to test their preparation. Reactive scrambling during actual inspections produces worse outcomes than rehearsed response.
Individual interviews — the substantive risk
Senior management interviews carry personal-risk dimensions that go beyond institutional-supervision matter.
Statements taken may be used in subsequent Article 109 enforcement against the individual. Personal liability — administrative fines up to EUR 700,000, individual bans from management positions in MiCA-authorised entities — can flow from inadequately-prepared statements.
The individual’s interests may diverge from the institutional interests. The institution wants to demonstrate cooperation and limit institutional liability; the individual wants to limit personal liability and preserve career prospects. Where the interests diverge, the individual needs separate counsel from institutional counsel.
Thorough interview preparation matters:
- Document review with counsel before the interview
- Understanding of the underlying matter under supervision
- Familiarity with operator records likely to be referenced
- Awareness of the scope of legal professional privilege
- Statement framing that’s accurate without volunteering beyond the question
- Plan for inability-to-recall responses (better than guessing)
The interview is not a routine conversation. Mature CASPs ensure senior management facing interviews has counsel-supported preparation and, where appropriate, individual counsel distinct from institutional counsel.
Legal professional privilege — what’s protected, what isn’t
Legal professional privilege protects communications with external legal counsel on legal-advice matters. The protection is real but narrower than operators sometimes assume.
Protected: Communications with external solicitors or barristers seeking or receiving legal advice on the underlying matter; counsel’s working papers and analysis; counsel’s advice memos; communications between operator and counsel for the dominant purpose of legal advice.
Not protected: Internal compliance communications (compliance officers are typically not external counsel); internal audit findings; business documents underlying the legal-advice request; communications with counsel that are primarily business rather than legal in character; counsel’s communications with third parties.
Borderline: Communications involving both legal and business advice; communications with in-house counsel where the in-house counsel role is mixed legal/business; communications with non-lawyer professional advisers; communications involving foreign-jurisdiction counsel.
Privilege review for document production is technical work that needs qualified counsel input. Operators that produce documents without proper privilege review lose privilege protection on affected materials — those materials become available in subsequent enforcement matters.
The discipline: classify documents for privilege at creation, not at production. Build privilege-aware document management. Engage counsel for privilege review before any material production.
Managing the supervisory engagement
The information requests framework engagements are not adversarial by default — they’re part of normal supervisory practice. But they can become adversarial quickly where operator responses are inadequate.
Principles for managing significant the information requests framework engagement:
Engage qualified counsel from the first material request. External counsel with regulatory-defence experience provides perspective that internal compliance teams typically cannot.
Produce exactly what is requested. No more, no less. Over-production expands supervisor information set; under-production triggers escalation.
Manage privilege carefully. Document privilege classification, conduct privilege review before production, preserve privilege through proper handling.
Document the engagement internally. Internal records of supervisor communications, decisions made, advice received become important if the matter escalates.
Brief senior management appropriately. Senior management should understand the matter, the supervisor’s apparent concern, the operator’s response strategy. Where individual interviews are likely, ensure individuals have proper preparation.
Plan for escalation paths. Some matters close with cooperation; others escalate to Article 109 enforcement. Plan response for both paths from the start.
The real operator-side test: whether the response improves or worsens the supervisor’s view of operator governance and conduct. Thoughtful responses build supervisor confidence; defensive or evasive responses erode it.
When the engagement escalates
Where the supervisor concludes material breaches occurred, the matter escalates to formal enforcement under Article 109. The information gathered powers becomes evidence in the enforcement process.
At escalation, the operator-side framework changes. The supervisor’s role shifts from information-gathering to formal enforcement. The operator needs enforcement-defence counsel rather than compliance-engagement counsel. Penalties (fines, bans, supervisory measures) become realistic outcomes rather than theoretical risks.
The escalation point is the principal decision-making moment. Operators that have managed the information requests framework engagement well have visibility into the supervisor’s concerns and can engage proactively before formal enforcement starts. Operators that have managed engagement poorly often face escalation as surprise.
Build the supervisory-engagement workflow before you need it. The information requests framework powers are substantial; the operator-side discipline to respond to them is substantive. The first information request is not the time to start building that discipline.
Pitfalls and nuances
1 Treating the first information request as routine
First information requests often look administrative — produce these records, confirm these facts. But the request pattern reveals the supervisor's underlying concern. Operators that produce information without analysing the underlying concern lose visibility into where the engagement is heading. Engage counsel from the first request; respond with awareness of context, not just literal compliance.
2 Producing more than is requested
Anxiety often produces over-production — operators send more documents than the NCA asked for, hoping to demonstrate transparency. Over-production expands the supervisor's information set, potentially raises new concerns not in the original scope, and signals organisational anxiety. Produce exactly what is requested; let the supervisor ask for more if needed.
3 Inadequate privilege protection in document review
Legal professional privilege protects communications with external legal counsel on legal-advice matters. Document review for production requires careful identification of privileged communications and proper withholding. Operators that produce privileged materials lose privilege protection — affected materials become available in subsequent enforcement. Privilege review by qualified counsel before production matters.
4 Letting senior management testify unprepared
NCA interviews of senior management are not routine conversations. Statements may be used in enforcement, including against the individual personally under Article 109. Preparation with counsel — facts review, statement framing, anticipating questions, understanding privilege scope — before any interview is the discipline.
Frequently asked questions
What can NCAs actually compel?
Production of documents and electronic records, on-site inspection at operator premises, interviews of named individuals, access to banking records via court order, third-party record requests. The toolkit covers most operational information the NCA might need.
Does legal professional privilege apply?
Yes for communications with external legal counsel on legal-advice matters. Not for internal compliance communications, internal audit findings, or business documents. The privilege protects legal-advice content but doesn't shield the underlying facts being advised on.
What happens if a CASP refuses to comply?
Article 109 sanctions apply — administrative fines up to EUR 5 million or 3% of turnover. Repeated or substantial non-cooperation can trigger Article 64 authorisation withdrawal. Individual managers may face personal sanctions and bans.
Can the NCA interview senior management directly?
Yes. The information requests framework permits taking statements from individuals named in the supervisory matter. Rights of legal representation apply. Statements may be used in subsequent enforcement, so careful preparation with counsel matters.
Does the information requests framework apply across borders?
Yes for CASPs operating cross-border via passport. The home-state NCA leads but coordinates with host-state NCAs and ESMA. International cooperation extends the information requests framework powers to non-EU information sources via MoU networks.
Get matched
Working through a crypto-licensing decision?
Get an editorial shortlist of firms matched to your business — customer market, model, jurisdiction, and stage. Free, and not influenced by sponsorship.
Get a firm shortlist →Sources cited
- Regulation (EU) 2023/1114 (MiCA) — Article 89 — regulation
- ESMA Guidelines on supervisory practice — regulator
- EBA Guidelines on supervisory information requests — regulator