Article 68
Governance arrangements
1.
Members of the management body of crypto-asset service providers shall be of sufficiently good repute and possess the appropriate knowledge, skills and experience, both individually and collectively, to perform their duties. In particular, members of the management body of crypto-asset service providers shall not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute. They shall also demonstrate that they are capable of committing sufficient time to effectively perform their duties.
2.
Shareholders and members, whether direct or indirect, that have qualifying holdings in crypto-asset service providers shall be of sufficiently good repute and, in particular, shall not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute.
3.
Where the influence exercised by the shareholders or members, whether direct or indirect, that have qualifying holdings in a crypto-asset service provider is likely to be prejudicial to the sound and prudent management of that crypto-asset service provider, competent authorities shall take appropriate measures to address those risks.
Such measures may include applications for judicial orders or the imposition of penalties against directors and those responsible for management, or the suspension of the exercise of the voting rights attaching to the shares held by the shareholders or members, whether direct or indirect, that have the qualifying holdings.
4.
Crypto-asset service providers shall adopt policies and procedures that are sufficiently effective to ensure compliance with this Regulation.
5.
Crypto-asset service providers shall employ personnel with the knowledge, skills and expertise necessary for the discharge of the responsibilities allocated to them, taking into account the scale, nature and range of crypto-asset services provided.
6.
The management body of crypto-asset service providers shall assess and periodically review the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2 and 3 of this Title and take appropriate measures to address any deficiencies in that respect.
7.
Crypto-asset service providers shall take all reasonable steps to ensure continuity and regularity in the performance of their crypto-asset services. To that end, crypto-asset service providers shall employ appropriate and proportionate resources and procedures, including resilient and secure ICT systems as required by Regulation (EU) 2022/2554.
Crypto-asset service providers shall establish a business continuity policy, which shall include ICT business continuity plans as well as ICT response and recovery plans set up pursuant to Articles 11 and 12 of Regulation (EU) 2022/2554 that aim to ensure, in the case of an interruption to their ICT systems and procedures, the preservation of essential data and functions and the maintenance of crypto-asset services or, where that is not possible, the timely recovery of such data and functions and the timely resumption of crypto-asset services.
8.
Crypto-asset service providers shall have in place mechanisms, systems and procedures as required by Regulation (EU) 2022/2554, as well as effective procedures and arrangements for risk assessment, to comply with the provisions of national law transposing Directive (EU) 2015/849. They shall monitor and, on a regular basis, evaluate the adequacy and effectiveness of those mechanisms, systems and procedures, taking into account the scale, the nature and range of crypto-asset services provided, and shall take appropriate measures to address any deficiencies in that respect.
Crypto-asset service providers shall have systems and procedures to safeguard the availability, authenticity, integrity and confidentiality of data pursuant to Regulation (EU) 2022/2554.
9.
Crypto-asset service providers shall arrange for records to be kept of all crypto-asset services, activities, orders, and transactions undertaken by them. Those records shall be sufficient to enable competent authorities to fulfil their supervisory tasks and to take enforcement measures, and in particular to ascertain whether crypto-asset service providers have complied with all obligations including those with respect to clients or prospective clients and to the integrity of the market.
The records kept pursuant to the first subparagraph shall be provided to clients upon request and shall be kept for a period of five years and, where requested by the competent authority before five years have elapsed, for a period of up to seven years.
10.
ESMA shall develop draft regulatory technical standards to further specify:
(a)
the measures ensuring continuity and regularity in the performance of the crypto-asset services referred to in paragraph 7;
(b)
the records to be kept of all crypto-asset services, activities, orders and transactions undertaken referred to in paragraph 9.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.