Article 5
Information on the internal control framework
1. The application for authorisation shall contain a comprehensive description of the applicant issuer’s internal control framework, including all of the following:
(a) a comprehensive description of the internal compliance function as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114, having sufficient authority, stature, resources and direct access to the management body;
(b) a comprehensive description of the risk management framework, and of the risk management function where it is established, or, where in accordance with proportionality in terms of size, complexity and risk profile it is entrusted to a third-party provider, of the related third-party arrangements in accordance with Article 4(2);
(c) a comprehensive description of the risk management systems and controls, explaining the applicant issuer’s strategy for identifying, assessing, monitoring, mitigating and reporting all risks the applicant issuer is or might be exposed to, including risks to the holders of an asset-referenced token, market, liquidity, concentration, operational, ICT, reputational, legal, conduct, compliance, ESG, money laundering and terrorism financing and strategic risks;
(d) a comprehensive description of the internal audit function as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114 where that is established, or, where in accordance with proportionality in terms of size, complexity and risk profile of the activities of the applicant issuer that mechanism has been entrusted to a third-party provider, a comprehensive description of the arrangements with the third party that shall include all of the elements referred to in Article 4(2), points (a) to (g), of this Regulation, as well as the name and contact details of the external auditor appointed;
(e) an explanation of the governance arrangements implemented to ensure the separation and adequate segregation of duties of the business lines and units from the internal control functions as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114, and an explanation of the arrangements implemented to ensure the independence of the internal control functions, including through their direct access to the management body in its management and in its supervisory function.
For the purposes of point (c), the description shall also include the applicant issuer’s risk appetite statement and its risk tolerance, including the envisaged procedures and measures to manage the identified risks within the risk appetite.
2. The application for authorisation shall contain a description of the arrangements and assigned ICT and human resources to ensure that the applicant issuer complies with Regulation (EU) 2022/2554, including all of the following information in relation to the applicant issuer’s ICT systems, protocols and tools:
(a) detailed technical documentation including a description of the ICT risk management framework in accordance with Article 6(1) of Regulation (EU) 2022/2554, demonstrating the applicant issuer’s ability to address ICT risk rapidly, efficiently and comprehensively and to ensure a high level of digital operational resilience;
(b) details showing that the applicant issuer maintains updated ICT systems, protocols and tools that are appropriate, reliable, equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and technologically resilient in accordance with Article 7 of Regulation (EU) 2022/2254;
(c) a detailed description of the security policy demonstrating that the applicant issuer’s systems and procedures are capable of protecting the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, in accordance with Article 9(4) of Regulation (EU) 2022/2554;
(d) a comprehensive description of the ICT processes and systems showing the ability to provide the applicant issuer with reliable information and data to support data reporting requirements.
3. The application for authorisation shall contain a description of the business continuity plan and policy ensuring the applicant issuer’s ability to operate on an ongoing basis and to limit losses in the event of severe business disruption. For that purpose, the business continuity plan shall include:
(a) the mapping of the essential data and functions;
(b) an overview of available back-up and recovery systems;
(c) a description of the availability of key staff in business continuity situations in accordance with Article 34(8) of Regulation (EU) 2023/1114 and Article 11(1) of Regulation (EU) 2022/2554.
4. Where asset-referenced tokens are issued, stored and transferred using a proprietary DLT or similar technology operated by the applicant issuer or by a third party acting on its behalf, the application for authorisation shall demonstrate the functioning of the DLT or similar technology covering all the following:
(a) the description of the applicant issuer’s legal title towards the DLT or similar technology, whether it is a right of property or other contractual relationships providing control of the distributed ledger technology or of the similar technology to the applicant issuer, irrespective of the circumstance that the DLT is operated by a different undertaking;
(b) the name and contact details of the operator or operators of the DLT, if different from the applicant issuer;
(c) the applicant issuer’s or third-party operator’s plan on risk identification, monitoring, assessment, mitigation and prevention, also having regard to the potential spill-over to other crypto-assets issued, transferred or stored on that DLT and the related crypto-asset service providers, and the plan on the regular technological maintenance and update of the DLT or of the similar technology;
(d) a technical and security audit report on the consistency of the DLT functioning with quality standards in use in the market, and on the appropriateness and adequacy of the plans referred to in point (c);
(e) where the proprietary DLT is permissioned, a detailed description of the transparency mechanisms.
5. Where cooperation arrangements between the applicant issuer and specific crypto-asset service providers are envisaged, the application for authorisation shall contain a detailed description of the crypto-asset service provider’s current internal control mechanisms and procedures ensuring compliance with the obligations in relation to the prevention of money laundering and terrorist financing under Directive (EU) 2015/849 and, where applicable, Regulation (EU) 2023/1113. Such detailed description shall include a forward-looking assessment of continuous compliance with such obligations over the three-year time horizon of the applicant issuer’s business plan. Such description and forward-looking assessment prepared by the specific crypto-asset service provider may be exchanged by the competent authority with the competent authorities for anti-money laundering and counter-terrorist financing, financial intelligence units or other public bodies, in accordance with Article 20(2), second subparagraph, of Regulation (EU) 2023/1114.