# Forensic MiCA CASP Licensing-Success Analysis

**Benchmark source:** supplied `CASPS.csv`, treated as the positive-control population of successful MiCA CASP authorisations / notifications.  
**Dataset size after cleaning:** 177 records.  
**Register context:** ESMA’s interim MiCA register consists of CSV files for white papers, ART issuers, EMT issuers, authorised CASPs and non-compliant entities, with data supplied by NCAs/EBA and weekly updates until formal IT integration; the ESMA page used for this analysis showed a last update of 24 April 2026.[S1]

## 1. Executive summary

The successful MiCA CASP population is not a homogeneous set of “crypto licences”. It is a mixed population of Article 63 CASP authorisations and Article 60 notifications by already regulated financial entities. That distinction is central. Germany’s 51 records, for example, are heavily skewed toward banks, brokers, investment firms and narrow service notifications/authorisations; Malta’s 12 records are heavily skewed toward broader crypto-native exchange platforms; the Netherlands has an early and active VASP/crypto-native conversion profile; Ireland and France show more selective, evidence-heavy process patterns. Volume is therefore not a proxy for low standards or high standards.

The pattern that separates higher-probability applicants from weak applicants is not “crypto-friendly jurisdiction”. It is whether the NCA can trust the applicant’s legal entity, local decision-making, AML/CFT framework, client-asset safeguarding, ICT/DORA resilience, outsourcing governance, product perimeter and evidence quality. ESMA’s authorisation briefing is explicit that there are no low-risk CASPs, and that elevated scrutiny should apply where risk factors such as size, complexity, cross-border activity, combination of services, outsourcing, group links, supervisory history and business-model novelty are present.[S3]

The positive-control population shows three visible routes to success:

1. **Existing regulated financial entity adding narrow or equivalent crypto services.** These entities often have pre-existing governance, risk, capital, compliance and supervisory relationships. Article 60 allows specific financial entities to notify equivalent crypto services, but the notification still requires a programme of operations, AML/CFT controls, ML/TF risk assessment, business continuity, ICT/security documentation, segregation procedures and custody policy where relevant.[S2]
2. **Clean VASP-to-MiCA conversion with local substance and implemented controls.** These firms tend to show moderate service scopes, recognisable domestic or EU operating history, and clearer alignment between product and service codes.
3. **Large crypto-native platform with broad scope, but enough resources, local substance and remediation capacity to satisfy scrutiny.** This route is visible in Malta, Luxembourg, Ireland, Austria and the Netherlands, but it carries higher host-NCA, investor-protection and supervisory-convergence risk.

Failure, delay and withdrawal are harder to observe because there is no public EU-wide rejection register. The negative dataset is therefore deliberately a weak-control set: public warnings, non-compliant-register signals, transition attrition, regulator statements about incomplete files, and thematic supervisory concerns. The strongest entity-level signals are MEXC in the Netherlands and LWEX in Slovakia: both are regulatory concern/non-authorised-operation cases, not proven rejected applications. AFM warned that MEXC was operating without the required licence in the Netherlands, actively targeting Dutch consumers and presenting uncertainty about legal entity/location; NBS said LWEX continued to provide crypto-asset services in Slovakia without appropriate authorisation and was entered under MiCA Article 110 into ESMA’s non-compliant register.[S6][S14]

The practical answer is blunt: weak applicants fail or stall because they ask the NCA to trust assertions. Successful applicants supply evidence. A CASP application is not a policy-writing exercise; it is a test of whether the business can operate exactly as described, under an identifiable EU entity, with real people, real systems, real capital, and auditable controls.

## 2. Benchmark dataset analysis

### 2.1 Jurisdiction distribution

|jurisdiction|record_count|first_date|latest_date|avg_service_breadth|broad_5plus_count|trading_platform_b_count|custody_a_count|likely_article60_count|
|---|---|---|---|---|---|---|---|---|
|DE|51|2025-01-17|2026-03-13|2.18|6|2|14|34|
|NL|23|2024-12-30|2026-02-12|3.22|2|3|17|1|
|FR|13|2025-05-23|2026-02-05|4.08|6|0|10|3|
|MT|12|2025-01-27|2026-02-13|5.67|10|3|11|1|
|IE|11|2025-06-25|2026-01-22|3.27|2|2|5|4|
|CY|10|2025-01-16|2026-03-02|4.9|4|1|9|4|
|AT|8|2025-04-09|2025-12-19|4.38|5|0|7|0|
|CZ|6|2026-02-11|2026-02-27|4.83|4|2|6|1|
|ES|6|2025-03-05|2026-03-27|3.67|1|0|6|5|
|LT|6|2025-05-13|2026-02-26|3.5|1|0|6|2|
|SK|6|2025-12-18|2026-01-15|4.83|4|0|6|0|
|FI|5|2025-07-02|2025-12-02|3.2|1|0|4|2|
|LI|5|2025-12-01|2026-03-13|2.6|0|0|3|5|
|LU|4|2025-02-07|2025-12-12|4.25|2|1|4|1|
|DK|3|2025-09-15|2026-01-15|4.33|1|0|2|1|
|SI|3|2025-09-20|2025-11-10|3.0|0|0|2|0|
|LV|2|2025-12-03|2025-12-10|4.0|1|0|2|0|
|BE|1|||2.0|0|0|1|1|
|BG|1|2025-12-22|2025-12-22|9.0|1|0|1|1|
|SE|1|2025-10-13|2025-10-13|6.0|1|0|1|0|

**Interpretation:** Germany dominates numerically, but the German cluster is not a simple crypto-native exchange cluster. It is heavily influenced by banks, brokers, asset managers and investment-firm-style service scopes. Malta has a much higher average service breadth and a concentration of broad crypto-native exchange models. The Netherlands combines early authorisations with a large crypto-native and retail/broker base. France, Ireland and Luxembourg appear more institutionally selective from the positive-control population.

### 2.2 Service-code distribution

|service_code|service_name|count|share_pct|
|---|---|---|---|
|a|custody and administration of crypto-assets on behalf of clients|117|66.1|
|b|operation of a trading platform for crypto-assets|14|7.9|
|c|exchange of crypto-assets for funds|91|51.4|
|d|exchange of crypto-assets for other crypto-assets|77|43.5|
|e|execution of orders for crypto-assets on behalf of clients|92|52.0|
|f|placing of crypto-assets|18|10.2|
|g|reception and transmission of orders for crypto-assets on behalf of clients|53|29.9|
|h|advice on crypto-assets|21|11.9|
|i|portfolio management on crypto-assets|30|16.9|
|j|transfer services for crypto-assets on behalf of clients|107|60.5|

**Key observation:** custody (`a`) and transfer services (`j`) are the dominant rails, appearing in 117 and 107 records respectively. Trading platform (`b`) is rare, with only 14 records, and should be treated as a high-risk service because it brings order-book integrity, market abuse, operational resilience and conflicts-management issues. Advice (`h`) and portfolio management (`i`) are also relatively uncommon, reflecting suitability, conflict, competence and investment-process burdens.

### 2.3 Timing waves

|month|count|
|---|---|
|2024-12|4|
|2025-01|7|
|2025-02|2|
|2025-03|3|
|2025-04|7|
|2025-05|11|
|2025-06|9|
|2025-07|9|
|2025-08|6|
|2025-09|12|
|2025-10|16|
|2025-11|21|
|2025-12|42|
|2026-01|7|
|2026-02|12|
|2026-03|8|

**Wave pattern:** The early wave starts in the Netherlands on 30 December 2024 and in Malta/Germany in January 2025. The large numerical wave is late 2025, especially December 2025, which coincides with national transition pressure in several Member States. Lithuania’s central bank publicly stated that its transition period ended on 31 December 2025 and that provision of crypto services without a MiCA licence after that date would be illegal financial activity.[S10]

### 2.4 Business-model distribution

|likely_business_model|count|share_pct|
|---|---|---|
|exchange / broker with custody|85|48.0|
|exchange / broker without custody|46|26.0|
|trading platform / exchange-broker|13|7.3|
|payment-like / fintech crypto infrastructure|7|4.0|
|custody / transfer infrastructure|6|3.4|
|asset-management / portfolio service|6|3.4|
|neobank / fintech crypto module|4|2.3|
|institutional custody / bank custody|3|1.7|
|advice / portfolio management|3|1.7|
|fintech/payment infrastructure EMT issuer notification|1|0.6|
|EMI / EMT issuer crypto custody/transfer for own EMT|1|0.6|
|institutional custody / CSD|1|0.6|
|crypto service provider — model not fully observable|1|0.6|

**Caveat:** Business-model classification is inferred from legal names, commercial names, service codes, websites and comments in the CSV. It is not a legal determination. The cleaned benchmark table includes a confidence score and classification basis for every row.

### 2.5 Service-scope breadth

|scope_complexity|count|share_pct|
|---|---|---|
|narrow (1–2 services)|63|35.6|
|moderate (3–4 services)|62|35.0|
|broad (5–7 services)|47|26.6|
|very broad (8–10 services)|5|2.8|

**Interpretation:** 125 of 177 records are narrow or moderate scope. Only 5 records are very broad. This strongly supports a sequencing lesson: broad “everything at once” applications are the exception, not the norm, and tend to be associated with larger, better-resourced or already regulated applicants.

### 2.6 Common service combinations

|service_combination|count|scope_breadth|
|---|---|---|
|e|15|1|
|a c d j|14|4|
|a c d e g j|10|6|
|a j|10|2|
|g|9|1|
|a c d e j|9|5|
|a e j|7|3|
|a e g j|6|4|
|a c d f j|4|5|
|a c d e f g j|4|7|
|a c j|4|3|
|c|4|1|
|i|4|1|
|c d j|4|3|
|a e|3|2|
|e g h i|3|4|
|c d e|3|3|
|b|3|1|
|c d|3|2|
|a g j|3|3|

The most common single-service scope is execution of orders (`e`). The most common multi-service pattern is custody + exchange for funds + exchange for crypto + transfer (`a c d j`). This is the core retail exchange/broker custody bundle. The presence of trading platform operation (`b`) or of advice or portfolio management (`h`, `i`) generally increases application complexity and evidential burden.

## 3. Success-pattern analysis

### 3.1 What successful firms have in common

Across the positive-control population, successful applicants appear to share at least one of four credibility anchors:

- **Pre-existing regulation:** banks, investment firms, payment/EMI entities, market operators, CSDs or asset managers using Article 60 or adjacent supervisory status.
- **Recognisable VASP operating history:** established crypto-native firms converting from national regimes to MiCA, with at least enough AML, custody and operational history to make the NCA comfortable.
- **Narrow or coherent scope:** many approvals are one to four services, not full-stack platforms.
- **Entity/perimeter clarity:** the register names a specific legal entity, address, LEI/identifier and service scope. This matters because MiCA protection attaches to the authorised legal entity, not to a global brand or group.

### 3.2 Article 60 versus Article 63 as success routes

Article 60 is not a shortcut for any fintech with a licence. It is a notification regime for specified financial entities and equivalent services. Credit institutions may notify crypto services; CSDs may notify custody; investment firms may notify equivalent investment services; EMIs are limited to custody and transfer services for their own EMTs; UCITS managers/AIFMs may notify equivalent portfolio/advice/RTO services; market operators may notify trading platform operation.[S2]

This means that the positive-control register can overstate “new CASP licensing activity” where entries are actually notifications by existing regulated entities. It also means Article 60 applicants can still fail operationally if the notification is incomplete: Article 60 requires programme-of-operations, AML/CFT, ML/TF risk, BCP, ICT/security, segregation and custody-policy information, and the CASP cannot begin services while the notification is incomplete.[S2]

### 3.3 Jurisdiction patterns without lazy conclusions

- **Germany:** high activity, but much of the volume is regulated-financial-institution style and often narrow. The correct inference is not “BaFin is easy”; it is that Germany has a deep regulated banking/broker/custody ecosystem that can map crypto services onto existing governance.
- **Netherlands:** active and early, especially for crypto-native and broker models. AFM says even a best-case CASP licence takes at least five months, and longer where products/services are complex, high-risk or organisational changes are required.[S5]
- **France:** credible but delay-sensitive. AMF says original MiCA files are rarely complete and clarifications/substantial changes often cause additional delay.[S9]
- **Malta:** clearly active for broad crypto-native platforms, but supervisory-convergence credibility is not costless. Reuters reported ESMA’s peer review found MFSA’s process only partially met expectations in a reviewed case and recommended more scrutiny of business plans, conflicts, governance, IT systems and promotion of unregulated services.[S11]
- **Ireland:** not a shortcut. CBI requires VASPs to go through the full CASP application process; timelines depend on preparedness, application quality and robust engagement.[S7]
- **Lithuania:** strong fintech/payment context, but large legacy VASP attrition. Bank of Lithuania cited more than 370 declared crypto-service providers, only 120 actually operating, about 30 applications and 10 under assessment at the time of its notice.[S10]

### 3.4 Business-model success patterns

**Exchange / broker with custody.** Common but evidence-heavy. The NCA must trust AML, sanctions, Travel Rule/TFR, client asset segregation, wallet governance, complaints, marketing and conflicts controls. Approvals are plausible where the applicant is an established VASP or regulated financial firm and the service set is coherent.

**Trading platform.** Rare and higher risk. The applicant must demonstrate market integrity, order-book controls, operational resilience, fair access, conflict management, incident reporting and record-keeping. Broad exchange groups with `b` should expect elevated scrutiny.

**Custody / institutional custody.** Custody can be narrower but not easier. The due-diligence burden shifts to wallet architecture, private-key management, asset segregation, reconciliations, bankruptcy remoteness, incident response and outsourcing. ESMA’s transition statement also stresses that CASPs should not route custody through unauthorised third-country entities.[S4]

**Neobank / fintech crypto module.** Often stronger on customer operations and complaints, but vulnerable to perimeter blur: who is the CASP, who holds assets, who executes, what is outsourced, and whether marketing creates a false impression of MiCA protection.

**Bank/regulated-financial-entity crypto service.** Often high probability if narrow and equivalent. But crypto-specific controls still need to exist; Article 60 notification is not a waiver of AML, ICT, segregation or custody evidence.[S2]

**Advice / portfolio management.** Less common. The pain points are suitability, knowledge/competence, conflicts, remuneration, strategy governance, custody/execution dependencies and clear disclosure of crypto volatility.

## 4. Failure-pattern analysis

### 4.1 Negative / weak-control dataset

|case|jurisdiction_signal|evidence_level|observable_issue|do_not_overstate|
|---|---|---|---|---|
|MEXC Global / MEXC|Netherlands / EU cross-border targeting|Regulatory concern / adverse supervisory signal; non-authorised activity; not in CASPS.csv|AFM warning says MEXC was active as a CASP in the Netherlands without the required licence, targeted Dutch consumers, and the entity location/legal entity was unclear. Services identified by AFM included custody, exchange, RTO and trading platform.|Not evidence of a rejected MiCA application; evidence supports non-authorised operation/regulatory concern.|
|LWEX|Slovakia|ESMA non-compliant register signal via NBS; non-authorised activity|NBS stated LWEX continued to provide crypto-asset services in Slovakia without appropriate authorisation and was added under MiCA Article 110 to ESMA’s non-compliant entities register.|Not evidence of a rejected MiCA application; evidence supports non-compliant operation.|
|Italian non-compliant entities cohort|Italy / CONSOB|Aggregate non-compliant register signal; secondary public study based on ESMA register|LegalBison’s March 2026 register study reported 98 MiCA non-compliant entities, with 96 attributed to Italy’s CONSOB. Official CONSOB site was not accessible in this environment for full row-level verification.|Use only as aggregate weak-control evidence unless individual names are verified from the ESMA/CONSOB list.|
|Lithuania legacy VASP cohort not converted by transition deadline|Lithuania|Transitional-only / no final MiCA approval found at cohort level|Bank of Lithuania said about 30 companies had applied and 10 were under assessment while more than 370 declared crypto-asset services and 120 actually operated. CASPS.csv has 6 Lithuanian positive-control records.|This is cohort attrition evidence, not named rejection evidence.|
|French DASP cohort without MiCA authorisation by July 2026|France|Transitional-only / completion-risk cohort|AMF reminded DASPs that the transitional period ends 1 July 2026; complete files may take up to four months once complete, but original file versions are rarely complete and clarifications/substantial changes often cause delay.|Not a list of failed firms; it is a regulator signal on cohort-level application quality/timing risk.|
|Ireland VASP applicants that assume registration equals MiCA approval|Ireland|Delay/refusal-risk cohort|CBI says VASPs must go through the full CASP application process and will be robustly assessed; timeline depends on preparedness, application quality and robust engagement.|Not evidence of named refusal; it identifies a failure pattern from regulator process statements.|
|EU authorised CASP offering unregulated products on same platform|EU-wide / passporting|Regulatory concern / supervisory signal|ESMA warned of the halo effect where authorised CASPs offer regulated and unregulated products on the same platform, and told CASPs to clearly communicate regulatory status at every stage.|This is a pattern signal, not a named failed application.|
|Offshore / third-country group servicing EU clients through unauthorised entities|EU-wide|Regulatory concern / hard transition signal|ESMA’s April 2026 transition statement says entities outside the EU are not permitted, outside narrow reverse solicitation, to provide or solicit MiCA services to EU investors; unauthorised CASPs must have implemented wind-down plans by 1 July 2026.|This is a thematic risk class, not a named application outcome.|

### 4.2 What failed, delayed or uncertain cases have in common

The negative signals are not mostly “NCA dislikes crypto”. They are about control failure and perimeter failure:

- **Unclear legal entity and location.** AFM’s MEXC warning is a clean example of why this is fatal: if the regulator cannot determine which entity is serving local clients or how assets are handled, the application credibility collapses.[S6]
- **Unauthorised activity during transition.** ESMA’s 2026 statement says unauthorised CASPs must have implemented wind-down plans by 1 July 2026, and NCAs should take action against unauthorised provision after transition.[S4]
- **Incomplete or low-quality files.** AMF and CBI both tie timelines directly to application completeness, quality and the applicant’s ability to engage robustly.[S7][S9]
- **Weak local substance.** ESMA expects local decision-making power, sufficient in-country personnel and at least one executive management board member located in the authorising jurisdiction or, in small-state cases, nearby.[S3]
- **Outsourcing that blocks effective supervision.** ESMA says high levels of outsourcing, outsourcing of key functions and third-country outsourcing raise scrutiny; where outsourcing concerns prevent effective supervision, an application should be rejected.[S3]
- **MiCA-washing and product-perimeter confusion.** ESMA warned against the “halo effect” where regulated CASPs offer regulated and unregulated products on the same platform and clients may misunderstand which products are protected.[S12]

## 5. Comparative matrix: success vs failure

| Dimension | Successful / higher-probability pattern | Failed / delayed / uncertain pattern |
|---|---|---|
| Prior regulatory status | Bank, investment firm, EMI/PI, CSD, AIFM or clean VASP with supervisory history | Unregulated crypto-native shell or legacy VASP assuming registration equals MiCA approval |
| Jurisdiction strategy | Natural home-state nexus, local substance, model fit with NCA precedent | Jurisdiction shopping based on perceived speed; legal entity and service perimeter selected after the product is already live |
| Service scope | Narrow/moderate first, coherent with actual product | Broad all-services application, especially custody + trading platform + transfer + advice/portfolio |
| Governance | Identifiable local management, clear board/accountability, independent control functions | Nominee/local shell; decision-making at offshore/group level; no credible 3LoD |
| AML/CFT | Implemented blockchain analytics, sanctions, monitoring, Travel Rule, SOF/SOW and high-risk-client controls | Generic AML policy; no tuning/testing; weak wallet attribution; unclear Travel Rule go-live |
| Custody/safeguarding | Segregation, wallet controls, key management, reconciliations, incident response, bankruptcy analysis | Commingled assets, unclear private-key control, unauthorised third-country custodian, no reconciliation evidence |
| ICT/DORA | DORA-aligned ICT risk, incident reporting, BCP/DR tests, access controls, vendor oversight | Cloud/vendor dependency without exit; no test evidence; weak privileged access; no operational incident playbook |
| Financial resources | Own funds, loss scenarios, wind-down funding, capital and liquidity projections | Thin capital; optimistic projections; no operational-loss or wind-down funding plan |
| Business model risk | Products within MiCA perimeter, unregulated services segregated and disclosed | Staking/yield/lending/derivatives/offshore services mixed with authorised CASP claims |
| Application quality | Policies backed by logs, MI, screenshots, registers, board approvals and tested controls | Template pack; inconsistent website/ToS/application; late or contradictory NCA responses |

## 6. Ranked failure causes

### 6.1 Hard blockers

1. Unclear group structure, legal entity, booking model, UBO chain or EU/offshore service perimeter.
2. Weak local substance and decision-making outside the applicant entity.
3. Unfit or non-credible management; unresolved adverse supervisory or enforcement history.
4. AML/CFT deficiencies, especially sanctions, blockchain analytics, transaction monitoring, Travel Rule and high-risk customer controls.
5. Custody/safeguarding failure: no segregation evidence, weak key governance, no reconciliation or unauthorised third-country custody dependency.
6. ICT/DORA resilience gaps and critical outsourcing that prevents effective supervision.
7. Insufficient own funds, liquidity, insurance or wind-down funding.
8. Misleading marketing or MiCA-washing: using authorisation to imply protection for unregulated products.
9. Incomplete Article 60 notification or Article 63 application pack.
10. Live high-risk products inconsistent with the proposed regulated perimeter.

### 6.2 Major delay factors

- Applying for a broad service set from day one.
- Combining trading platform, custody, exchange, transfer and advice/portfolio services.
- High retail exposure and aggressive cross-border marketing.
- Large token universe with weak listing/delisting controls.
- Cross-border or third-country outsourcing of ICT, custody, compliance or operations.
- Complaints, conduct and marketing controls not implemented operationally.
- Travel Rule or sanctions controls not live.
- Data protection, records and outsourcing registers incomplete.
- Policies written but not evidenced through logs, MI, tests, reconciliations or board records.

### 6.3 Strategic mistakes

- Choosing jurisdiction for speed rather than substance, model fit and credibility.
- Treating MiCA as a legal form-filling exercise instead of an operating-model audit.
- Copying generic policy templates.
- Leaving the website/app/ToS inconsistent with the application perimeter.
- Keeping high-risk yield, lending, derivatives, staking or offshore services live for EU users while applying.
- Assuming former VASP registration means MiCA authorisation will follow.
- Assuming Article 60 notification is automatic.

## 7. Jurisdiction comparison

|jurisdiction|apparent_activity|apparent_strictness|best_fit|less_suitable_for|supervisory_pushback_risk|institutional_credibility|
|---|---|---|---|---|---|---|
|Germany|Highest record count; many banks, brokers, investment firms and narrow service notifications/authorisations|High|banks/investment firms, broker/RTO, custody infrastructure, institutional models|thin crypto-native shells seeking speed; broad retail exchange with offshore group|Medium-high for crypto-native broad scope; lower for existing regulated entities|High|
|Netherlands|Active early mover with crypto-native conversion and broker/exchange concentration|Medium-high|established VASPs, retail broker/exchange, custody/transfer platforms with complete file|complex high-risk or incomplete applications; unauthorised targeting|Medium-high; AFM says best case is still at least five months|High-medium|
|France|Credible mix of banks, institutional players and domestic crypto firms; later wave than NL/MT|High|banks, institutional custody, clean DASP conversions, serious retail apps with strong evidence|late/incomplete files or broad retail models without deep controls|High for weak files; credible for strong applicants|High|
|Malta|High concentration of global crypto-native exchanges and broad licences|Contested / under convergence scrutiny|large crypto-native exchanges with resources, local substance and remedial capacity|applicants relying on perceived speed or weak remediation; institutional clients sensitive to supervisory-convergence concerns|Medium locally, higher EU/host-NCA perception risk|Medium; improved if applicant evidence is strong|
|Ireland|Selective but high-profile global/fintech applicants; KFD-led pre-application process|High|global institutional, fintech, exchange groups with real Irish/EU operating model|thin staffing, opaque group or weak KFD|High if incomplete; moderate if transparent and prepared|High|
|Cyprus|Fintech/broker and investment-firm adjacent concentration; broad retail models present|Medium-high|broker/investment-app models, fintech platforms, established local CASPs|weak substance or broad retail product without controls|Medium|Medium|
|Austria|Established crypto-native exchanges and local VASP conversions; moderate-to-broad scopes|High-medium|established crypto brands with Austrian substance, broker/exchange/custody models|offshore group with weak local management|Medium-high|High-medium|
|Lithuania|Fintech/EMI/payment infrastructure plus VASP attrition signal|Medium-high|EMI/PI/payment-like crypto, fintech infrastructure, clean VASP conversion|mass legacy VASP without mature controls|High for late/non-applicant legacy VASPs|Medium-high|
|Luxembourg|Institutional custody/exchange; CSSF with CSD/bank and major platform examples|High|institutional custody, banks/CSDs, large exchange with serious Luxembourg substance|lightly staffed retail crypto app|High for weak substance|High|
|Spain|Bank-led with one strong domestic crypto-native example|High-medium|banks, regulated financial firms, domestic VASP with strong AML/custody|generic offshore retail exchange without Spain nexus|Medium-high|High-medium|
|Liechtenstein|Private bank/wealth/asset-management skew; narrower scopes|High-medium|private banking, wealth, custody/advice/portfolio, institutional clients|mass retail exchange seeking volume|Medium|High-medium|
|Other smaller represented jurisdictions|Czechia, Slovakia, Finland, Denmark, Slovenia, Latvia, Belgium, Bulgaria, Sweden show emerging/specialised activity|Variable; do not infer lower standards from low volume|natural home-market applicants with real local substance and model fit|pure jurisdiction shopping|Uncertain; precedent base smaller|Variable|

**Ranking by apparent authorisation activity:** Germany, Netherlands, France, Malta, Ireland, Cyprus, Austria, then Czechia/Spain/Lithuania/Slovakia, then Finland/Liechtenstein/Luxembourg and smaller represented jurisdictions.

**Ranking by institutional credibility from this dataset and supervisory signals:** Germany, France, Ireland and Luxembourg rank highest for institutional clients; Spain, Austria, Netherlands and Liechtenstein are also credible but model-dependent; Malta is active and experienced but carries visible supervisory-convergence perception risk after the ESMA peer-review controversy.

**Ranking by suitability for broad crypto-native retail exchange:** Malta, Netherlands, Austria, Cyprus, Ireland and Luxembourg have precedents, but the risk profile differs. Malta has the broadest concentration but also greater perception risk. Ireland/Luxembourg are credible but likely slower and more substance-heavy. Netherlands/Austria require strong file completeness and conduct/AML evidence.

## 8. Applicant archetypes

|archetype|example_profile|strengths|weaknesses|estimated_success_probability|timeline_risk|
|---|---|---|---|---|---|
|High-probability applicant|Existing bank, investment firm, EMI/PI or AIFM adding narrow equivalent crypto services|Existing governance, prudential controls, supervised management, capital, risk/compliance functions, local substance|Crypto-specific AML, custody, Travel Rule and DORA evidence may still be immature|80–90% if narrow and control evidence is live|Low to medium; incomplete Article 60 notification or non-equivalent services can still delay|
|Established VASP conversion|Clean legacy VASP with local team, live operating history, moderate service scope and no major adverse media|Operational crypto experience, existing customer base, known AML workflows, jurisdictional history|MiCA standard is higher than VASP registration; governance/substance and safeguarding evidence may be thin|65–80%|Medium; 5–9+ months depending on file completeness and service scope|
|Risky but possible broad crypto exchange|Large crypto-native exchange with custody, exchange, transfer, possible trading platform, broad passporting and offshore group links|Scale, technical capability, market recognition, resources to remediate|Retail exposure, complex group, offshore perimeter, product halo risk, market-integrity risk, custody risk|45–65%|High; 8–15+ months and possible narrowing|
|Custody / B2B infrastructure provider|Institutional custody, wallet infrastructure, settlement or transfer provider with B2B clients|Lower retail conduct risk; control-focused proposition; possible institutional governance standards|Custody is high-consequence; private-key, segregation, reconciliation, outsourcing and incident response must be impeccable|65–85% if institutional-only and evidence is strong|Medium; high if key functions outsourced or third-country custody involved|
|Fintech/neobank crypto module|Neobank, broker app, payment platform or investment app adding crypto execution/RTO/custody via own or partner stack|Existing customer controls, complaints handling, regulated culture, scalable ops|Perimeter blur, reliance on partners, marketing risk and dependency on unauthorised custody/execution providers|70–85% if narrow and partner model is clean|Medium; high if outsourcing chain is opaque|
|Weak applicant|Thin local entity with outsourced compliance, broad scope, no real local executives and template policies|Few; may have a simple product or low current volume|No substance, weak 3LoD, no evidence controls operate, poor AML/custody/ICT proof|15–35%|Very high; likely stall, withdrawal or refusal|
|Likely fail / stall applicant|Offshore-linked retail yield/leverage/staking/lending platform using MiCA status as marketing cover|May have revenue and user base|Unregulated products, offshore service leakage, misleading marketing, high retail harm, possible adverse history, custody commingling|<20% without radical remediation|Extreme; likely warning, wind-down or non-compliant-register risk|

## 9. Red-flag checklist

|rank|type|red_flag|regulatory_concern|remediation|
|---|---|---|---|---|
|1|Hard blocker|Unclear legal entity, group structure, UBO chain or offshore service perimeter|NCA cannot determine who is responsible, whether EU entity controls the business, or whether unauthorised group entities continue servicing EU clients|Produce group chart, service-flow map, UBO evidence, intra-group contracts, booking model and EU/offshore perimeter controls before contact|
|2|Hard blocker|Weak local substance and decision-making outside home Member State/EU|Authorised shell cannot operate autonomously or be effectively supervised|Appoint real local executives/key functions, delegate authority, relocate decision-making, evidence local MI and governance cadence|
|3|Hard blocker|AML/CFT framework exists on paper but is not implemented/tested|Crypto ML/TF risk is high; NCAs expect transaction monitoring, sanctions, Travel Rule and risk assessment evidence|Implement tooling, tune scenarios, run back-testing, document SAR/STR process, CDD/EDD samples and Travel Rule testing|
|4|Hard blocker|Custody/safeguarding model cannot evidence segregation, wallet governance or reconciliation|Client asset loss/insolvency risk; inability to protect clients or demonstrate control over keys and assets|Define wallet taxonomy, key ceremony, reconciliation, access controls, loss scenarios, bankruptcy analysis and approved outsourcing model|
|5|Hard blocker|Critical ICT/custody/compliance functions outsourced to third countries or group entities without supervision rights|NCA cannot effectively supervise; DORA and MiCA outsourcing expectations not met|Build outsourcing register, EU supervisory access clauses, audit rights, exit plans, sub-outsourcing controls and EU-based control owners|
|6|Major delay factor|Broad scope from day one: custody + exchange + trading platform + transfer + advice/portfolio|Complexity multiplies conduct, AML, market integrity, custody and ICT risk|Narrow initial scope; phase b/h/i/f services only after operating controls are live and evidenced|
|7|Major delay factor|Retail mass-market model with unclear complaints handling, disclosures and product suitability|High consumer-harm risk; vulnerable to MiCA-washing and misleading marketing|Build conduct pack: disclosures, complaints, risk warnings, vulnerable-customer approach, marketing approval and product governance|
|8|Major delay factor|Policies are generic and not connected to systems, logs, MI and staff accountability|Applicant describes controls but cannot evidence operation|Replace templates with workflow-specific procedures; include screenshots, registers, sample reports, test results and board MI|
|9|Strategic mistake|Jurisdiction-shopping based only on perceived speed|Creates credibility risk; host NCAs and institutional clients may challenge passporting quality|Choose jurisdiction with real substance, natural business nexus and NCA familiarity with the model|
|10|Strategic mistake|Website, app, terms and application perimeter do not match|Regulator sees misleading perimeter and unregulated service bleed-through|Clean public-facing materials before pre-application: legal entity, services, countries, unregulated products and risk warnings|

## 10. Application-readiness scorecard

Use the scorecard as a gating tool, not as a cosmetic internal rating. Any hard blocker should cap the total score even if the applicant scores well elsewhere.

|category|weight|strong_evidence|weak_evidence|hard_blocker_cap|
|---|---|---|---|---|
|Governance and substance|12|EU/home-state executive management with real decision rights; at least one locally available executive; documented board MI and challenge; clear 3LoD; local compliance/risk capacity|Nominee directors; management decisions outside the EU; thin branch; no time-commitment evidence; unclear senior manager accountability|Caps at 60 if key management/substance is not credible; caps at 50 if decision-making is demonstrably outside the authorised entity|
|AML/CFT and financial crime|14|Implemented AML risk assessment; CDD/EDD; sanctions screening; blockchain analytics; transaction monitoring scenarios; SAR/STR escalation; Travel Rule/TFR procedure; SOF/SOW for high-risk clients|Policy-only framework; no tuning/testing; poor high-risk-country controls; unclear wallet attribution; no Travel Rule go-live evidence|Caps at 55 for untested AML stack; caps at 45 for unresolved AML enforcement or no transaction monitoring|
|Custody and safeguarding|14|Client asset segregation; wallet architecture; key ceremony; multi-sig/HSM/MPC controls; reconciliation; incident response; bankruptcy-remoteness analysis; approved custody outsourcer if outsourced|Commingled wallets; no reconciliation; unclear private-key access; reliance on unauthorised third-country custodian; no loss/insolvency playbook|Caps at 45 for inability to evidence segregation or private-key governance|
|ICT / DORA and operational resilience|12|DORA-aligned ICT risk framework; asset inventory; access control; vulnerability/pen-test programme; incident reporting; BCP/DR testing; resilience KPIs; secure SDLC|Cloud/vendor dependence without exit; no test evidence; informal incident process; weak privileged access; no BCP exercises|Caps at 60 if DORA roadmap is unimplemented; caps at 50 for critical cyber gaps|
|Outsourcing and third-party governance|8|Complete outsourcing register; criticality assessment; due diligence; sub-outsourcing controls; audit/access rights; exit plans; group-service SLAs; EU supervisory access|Unclear group outsourcing; offshore operations hidden as support; no exit plan; no evidence of oversight of compliance/ICT/custody vendors|Caps at 55 if outsourcing prevents effective NCA supervision|
|Financial resources and prudential resilience|8|Own-funds calculation; insurance where relevant; liquidity and runway; stress/pessimistic business plan; operational loss scenarios; wind-down funding|Optimistic revenue plan only; no loss scenario; thin capitalisation; no evidence of insurance/own funds|Caps at 60 for insufficient own funds; caps at 55 if wind-down cannot be funded|
|Service-scope realism|8|Services tightly mapped to actual product; narrow/moderate first submission unless mature; clear dependencies between custody/exchange/RTO/transfer/advice|All-services application; trading platform plus custody plus transfer from day one; no operational evidence for services not yet live|No hard cap, but broad unproven scope should usually cap total at 75 until narrowed|
|Product perimeter and marketing clarity|8|Website, app, ToS, risk disclosures and application scope align; unregulated products segregated; no MiCA halo effect; no offshore links marketed to EU users|Marketing promises not in licence; staking/lending/derivatives/yield mixed with CASP services; unclear legal entity on website|Caps at 50 for misleading marketing or active unauthorised EU solicitation|
|Regulatory history and fit-and-proper|8|Clean supervisory history; adverse media register; criminal/sanctions checks; competence matrix; board and key-function holder CVs; remediation of prior issues|Unresolved enforcement; opaque UBOs; adverse media not addressed; key persons lack crypto/financial-regulatory competence|Caps at 50 for unresolved enforcement/adverse supervisory history; caps at 40 for opaque UBOs|
|Documentation and evidence quality|8|Complete application index; policies tied to procedures and MI; live screenshots/logs/testing; board approvals; regulatory correspondence tracker; clear gap remediation plan|Template policy pack; inconsistent charts; missing annexes; no proof controls operate; late or contradictory responses|Caps at 65 for incomplete pack; Article 60 notification cannot start while incomplete|

**Score interpretation:**

- **85–100:** High-probability applicant, assuming no unresolved hard blocker.
- **70–84:** Viable but remediation required before formal submission.
- **55–69:** High delay risk; pre-application only after targeted remediation.
- **40–54:** Likely stall, withdrawal or refusal unless scope is narrowed and controls are rebuilt.
- **Below 40:** Do not apply; the application will waste time, fees and credibility.
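
The gating logic described above, as an added worked example (not part of the original analysis or its artifacts). Weights, caps and bands are copied from the tables in this section; the 0–100 per-category rating scale, the short blocker keys and the function name are assumptions made for the example.

```python
# Category weights from the scorecard table (they sum to 100).
WEIGHTS = {
    "governance": 12, "aml_cft": 14, "custody": 14, "ict_dora": 12,
    "outsourcing": 8, "financial_resources": 8, "scope_realism": 8,
    "perimeter_marketing": 8, "regulatory_history": 8, "documentation": 8,
}

# Caps from the hard_blocker_cap column; the key names are hypothetical labels.
CAPS = {
    "substance_not_credible": 60, "decisions_outside_entity": 50,
    "untested_aml_stack": 55, "aml_enforcement_or_no_monitoring": 45,
    "no_segregation_or_key_governance": 45,
    "dora_roadmap_unimplemented": 60, "critical_cyber_gaps": 50,
    "outsourcing_blocks_supervision": 55,
    "insufficient_own_funds": 60, "wind_down_unfunded": 55,
    "broad_unproven_scope": 75,  # described in the table as a usual, not hard, cap
    "misleading_marketing": 50,
    "unresolved_enforcement": 50, "opaque_ubos": 40,
    "incomplete_pack": 65,
}

# Score interpretation bands: (lower bound, label).
BANDS = [
    (85, "High-probability applicant"),
    (70, "Viable but remediation required"),
    (55, "High delay risk"),
    (40, "Likely stall, withdrawal or refusal"),
    (0, "Do not apply"),
]


def score_applicant(ratings, blockers=()):
    """ratings: category -> 0..100 (assumed scale); blockers: keys of CAPS."""
    if set(ratings) != set(WEIGHTS):
        raise ValueError("rate every category exactly once")
    if any(not 0 <= r <= 100 for r in ratings.values()):
        raise ValueError("ratings are percentages in 0..100")
    unknown = set(blockers) - set(CAPS)
    if unknown:
        raise ValueError(f"unknown blockers: {sorted(unknown)}")

    raw = sum(WEIGHTS[c] * ratings[c] for c in WEIGHTS) / 100
    # The lowest triggered cap wins; a cap can only lower the total, never raise it.
    cap = min((CAPS[b] for b in blockers), default=100)
    final = min(raw, cap)
    binding = min(blockers, key=CAPS.get) if blockers and cap < raw else None
    band = next(label for floor, label in BANDS if final >= floor)
    return {"raw": raw, "cap": cap, "final": final, "binding": binding, "band": band}


if __name__ == "__main__":
    strong = {c: 90 for c in WEIGHTS}  # constructed ratings
    print(score_applicant(strong))
    print(score_applicant(strong, ["no_segregation_or_key_governance", "incomplete_pack"]))
```

An applicant rated 90 in every category drops from the top band to the 40–54 band once the custody blocker is recorded, which is the behaviour the gating rule is meant to enforce.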

## 11. Practical MiCA CASP application success playbook

### 11.1 What successful applicants likely did right

- Chose a jurisdiction where they had real substance or a credible business nexus.
- Submitted a service scope that matched the operating model rather than the ambition slide.
- Built evidence packs, not just policies.
- Mapped Article 60 eligibility or Article 63 authorisation clearly.
- Demonstrated who runs the EU entity and how group influence is controlled.
- Proved AML/CFT, sanctions, Travel Rule and transaction monitoring were live.
- Proved client-asset safeguarding and custody operations through reconciliations and wallet governance.
- Aligned website, app, ToS, disclosures and legal entity perimeter before submission.
- Prepared for iterative NCA questions and transparent pre-application engagement.

### 11.2 What failed applicants likely underestimated

- The regulator is not reviewing a pitch deck; it is testing operational truth.
- A former VASP registration is not a MiCA authorisation.
- A regulated group brand does not solve crypto custody, Travel Rule or blockchain analytics.
- A policy template is not evidence.
- A local director is not local substance.
- A broad licence increases questions exponentially.
- Offshore group links are not neutral; they are a core supervisory risk.

### 11.3 What should be ready before submission

1. Programme of operations, service-by-service perimeter map and country/passporting plan.
2. Legal entity, group, UBO, intra-group service and booking-model pack.
3. Board, senior management, key function holder, time-commitment and fit-and-proper pack.
4. AML/CFT and financial-crime evidence: risk assessment, CDD/EDD, sanctions, transaction monitoring, Travel Rule, blockchain analytics, SAR/STR, high-risk client controls.
5. Custody/safeguarding evidence: wallet architecture, key governance, client-asset segregation, reconciliations, incident response, insolvency analysis.
6. ICT/DORA pack: ICT risk framework, incident reporting, BCP/DR testing, access controls, cyber testing, vendor risk, outsourcing register.
7. Conduct and consumer pack: complaints, disclosures, marketing approvals, conflicts, product governance and unregulated-product segregation.
8. Financial resources pack: own funds, capital, liquidity, loss scenarios, insurance and wind-down funding.
9. Control-evidence appendix: screenshots, logs, MI, test results, board minutes, reconciliations, policy approvals, outsourcing due diligence and remediation tracker.

### 11.4 Recommended sequencing

- **Narrow first.** Apply for the smallest scope that supports the real launch model.
- **Add services later.** Treat trading platform, advice, portfolio management and placing as second-phase services unless already operationally mature.
- **Separate regulated and unregulated products.** No MiCA halo effect, no unclear staking/yield/lending/derivative positioning.
- **Clean website and marketing before contact.** The NCA will compare the application against public materials.
- **Pre-application meeting.** Use it to test perimeter, service code mapping, Article 60 eligibility and evidence expectations.
- **Regulator-ready governance pack.** The applicant must show who is accountable, where decisions are made and how control functions challenge the business.

## 12. Appendix: methodology, assumptions and data gaps

### 12.1 Data cleaning methodology

- Trimmed whitespace, including non-breaking spaces.
- Normalised competent authority labels where source formatting varied.
- Filled home jurisdiction from `ae_homeMemberState`, falling back to `ae_lei_cou_code` where home Member State was blank.
- Parsed service codes both from explicit letter prefixes and from service-description text. This was necessary because several rows had malformed service-code text without leading letters.
- Split passporting countries on pipe delimiters and normalised country codes.
- Parsed dates as day/month/year and exported ISO dates.
- Classified likely entity type, business model and regulatory pathway using observable register fields, comments and conservative heuristics.
- Assigned a confidence score. Explicit Article 60 comments and clear regulated-financial-entity names receive higher confidence; service-only inferences receive lower confidence.
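
A sketch of the cleaning steps above, added here as an example and not the script used to produce the benchmark. `ae_homeMemberState`, `ae_lei_cou_code` and `ac_serviceCode_cou` are the columns named in this report; `ac_serviceCode`, `ac_authorisationNotificationDate`, the keyword heuristics and the two sample rows are assumptions constructed for the example.

```python
import csv
import io
import re
from datetime import datetime

# MiCA service letters (a-j) with one keyword each, used only when the register
# text lacks its leading letter. The keywords are this example's heuristics.
SERVICE_KEYWORDS = [
    ("a", "custody"), ("b", "trading platform"), ("c", "for funds"),
    ("d", "for other crypto"), ("e", "execution of orders"), ("f", "placing"),
    ("g", "reception and transmission"), ("h", "advice"),
    ("i", "portfolio management"), ("j", "transfer services"),
]
PREFIX = re.compile(r"^([a-j])[.)]\s")


def clean(value):
    """Trim whitespace, treating non-breaking spaces as ordinary spaces."""
    return (value or "").replace("\u00a0", " ").strip()


def parse_services(text):
    """Return (sorted letters, inferred); inferred marks the description fallback."""
    letters, inferred = set(), False
    for part in filter(None, (clean(p).lower() for p in text.split("|"))):
        match = PREFIX.match(part)
        if match:
            letters.add(match.group(1))
            continue
        hit = next((code for code, kw in SERVICE_KEYWORDS if kw in part), None)
        if hit:
            letters.add(hit)
            inferred = True  # service-only inference: lower confidence
    return sorted(letters), inferred


def normalise(row):
    home = clean(row.get("ae_homeMemberState")) or clean(row.get("ae_lei_cou_code"))
    parts = (row.get("ac_serviceCode_cou") or "").split("|")
    countries = [c for c in (clean(p).upper() for p in parts) if c]
    raw_date = clean(row.get("ac_authorisationNotificationDate"))
    services, inferred = parse_services(row.get("ac_serviceCode") or "")
    return {
        "home": home.upper() or None,
        "services": services,
        "services_inferred": inferred,
        "passporting": countries or None,  # blank means unknown, not "no passporting"
        "date": datetime.strptime(raw_date, "%d/%m/%Y").date().isoformat()
        if raw_date else None,
    }


def load(csv_text):
    return [normalise(r) for r in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample rows, not taken from CASPS.csv.
SAMPLE = (
    "ae_homeMemberState,ae_lei_cou_code,ac_serviceCode,ac_serviceCode_cou,"
    "ac_authorisationNotificationDate\n"
    '"DE\u00a0",DE,"a. providing custody and administration of crypto-assets | '
    'j. providing transfer services for crypto-assets","fr | IT|\u00a0nl ",03/02/2025\n'
    ',MT,"exchange of crypto-assets for funds|execution of orders for crypto-assets"'
    ",,15/07/2025\n"
)
```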

### 12.2 Important assumptions

- A record in `CASPS.csv` is treated as positive-control evidence of authorisation or notification, but not as evidence that the firm is low risk or free of later supervisory concerns.
- Article 60 classifications are “likely” unless the CSV comments explicitly state Article 60 or the entity type is very clear from legal name and service scope.
- Business-model classifications are operational inferences, not legal opinions.
- Passporting scope is measured from `ac_serviceCode_cou`, but absence of country codes is treated as unknown/blank rather than no passporting right.

### 12.3 Unresolved data gaps

- No public EU-wide list of rejected, withdrawn or failed CASP applications was located.
- ESMA’s non-compliant entities CSV is referenced on ESMA’s register page, but this analysis uses official NCA warnings plus a secondary register study for aggregate non-compliant counts where direct row-level extraction was not available.
- For most entities, public registers do not expose board composition, compliance staffing, custody technical architecture, AML tooling, DORA maturity, outsourcing contracts or NCA question history. These are therefore inferred from observable proxies and regulatory expectations, not asserted as facts.
- Some text in the supplied CSV contains replacement characters from source encoding problems; these were preserved rather than silently corrected.

## 13. Artifact index

- `mica_casp_cleaned_benchmark.csv` — full cleaned benchmark table with classifications and confidence scores.
- `mica_casp_summary_by_jurisdiction.csv` — counts and model/service-scope indicators by jurisdiction.
- `mica_casp_summary_by_nca.csv` — counts and indicators by competent authority.
- `mica_casp_summary_by_service.csv` — frequency of each MiCA service code.
- `mica_casp_service_combinations.csv` — common service-code bundles.
- `mica_casp_timing_monthly.csv` / `mica_casp_timing_quarterly.csv` — timing waves.
- `mica_casp_summary_by_business_model.csv` — inferred business model distribution.
- `mica_casp_failure_weak_control_dataset.csv` — negative/weak-control dataset with evidence level and caveats.
- `mica_casp_red_flag_checklist.csv` — practical red flags and remediation.
- `mica_casp_readiness_scorecard.csv` — 0–100 scoring model.
- `mica_casp_applicant_archetypes.csv` — applicant archetype matrix.
- `mica_casp_jurisdiction_findings.csv` — jurisdiction suitability matrix.
- `chart_casp_by_jurisdiction.png`, `chart_casp_by_service.png`, `chart_casp_timeline_monthly.png`, `chart_casp_scope_breadth.png` — chart outputs.

## Sources

[S1] ESMA MiCA Interim Register — https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica  
[S2] ESMA Article 60, MiCA Single Rulebook — https://www.esma.europa.eu/publications-and-data/interactive-single-rulebook/mica/article-60-provision-crypto-asset-services  
[S3] ESMA Supervisory Briefing on Authorisation of CASPs under MiCA — https://www.esma.europa.eu/sites/default/files/2025-01/ESMA75-453128700-1263_Supervisory_Briefing_on_Authorisation_of_CASPs.pdf  
[S4] ESMA Statement on the End of Transitional Periods under MiCA — https://www.esma.europa.eu/sites/default/files/2026-04/ESMA75-113276571-1679_Statement_on_the_end_of_transitional_periods_under_MiCA.pdf  
[S5] AFM CASP Licence — https://www.afm.nl/en/sector/cryptopartijen/vereisten-en-vergunningen/casp-vergunning  
[S6] AFM Warning against MEXC — https://www.afm.nl/en/sector/actueel/2025/sep/mr-mexc-waarschuwing  
[S7] Central Bank of Ireland MiCAR FAQs — https://www.centralbank.ie/regulation/markets-in-crypto-assets-regulation/micar---frequently-asked-questions  
[S8] Central Bank of Ireland CASP Key Facts Document Guidance — https://www.centralbank.ie/docs/default-source/regulation/micar/guidance-note-crypto-asset-service-providers-key-facts-document.pdf  
[S9] AMF Reminder on DASP Transitional Period — https://www.amf-france.org/en/news-publications/news/amf-reminds-digital-asset-service-providers-transitional-period-allowing-them-continue-providing  
[S10] Bank of Lithuania Wind-down Notice — https://www.lb.lt/en/news/lietuvos-bankas-crypto-asset-service-providers-that-do-not-intend-to-continue-their-operations-must-ensure-smooth-winding-down  
[S11] Reuters, ESMA criticism of Malta licensing process — https://www.reuters.com/legal/government/eu-regulator-criticises-maltas-crypto-licensing-process-2025-07-10/  
[S12] ESMA, Unregulated products offered by regulated crypto entities — https://www.esma.europa.eu/press-news/esma-news/investors-should-consider-risks-unregulated-products-offered-regulated-crypto  
[S13] Reuters, ESMA warning about misleading customers — https://www.reuters.com/sustainability/boards-policy-regulation/european-securities-regulator-warns-about-crypto-firms-misleading-customers-2025-07-11/  
[S14] NBS, LWEX in ESMA non-compliant register — https://nbs.sk/aktuality/lwex-v-esma-registri-nevyhovujucich-subjektov/  
[S15] LegalBison ESMA register study — https://legalbison.com/blog/mica-esma-register-study-february-2026/  
[S16] EBA/ESAs crypto warning — https://www.eba.europa.eu/publications-and-media/press-releases/eu-supervisory-authorities-warn-consumers-risks-and-limited-protection-certain-crypto-assets-and
