In the consultation package, ESMA is seeking input on four sets of proposed rules and guidelines, covering:

• Detection and reporting of suspected market abuse in cryptoassets (RTS).
• Policies and procedures, including the rights of clients, for cryptoasset transfer services (Guidelines).
• Suitability requirements for certain cryptoasset services and format of the periodic statement for portfolio management (Guidelines).
• ICT operational resilience for certain entities under MiCA (Guidelines).

Deadline for comments is 25 June 2024.

ESMA will publish a final report based on the feedback received and will submit the draft technical standards to the European Commission for endorsement by 30 December 2024 at the latest.

In an interview with the ECB, she discussed the Markets in Crypto-Assets Regulation (MiCA), saying that it is important to remember that "even with the implementation of MiCA, which is clearly a step forward, there will be no such thing as a safe cryptoasset. Consumers need to be aware that MiCA does not provide the same protection as for traditional financial products."

ESMA made a specific reference to cryptoassets, saying "...while the Markets in Crypto-Assets Regulation (MiCA) is close to adoption, cryptoassets offered by investment firms will continue to be unregulated in most jurisdictions until MiCA applies."

The regulator expressed concern that offering products and services that are unregulated "gives rise to both investor protection and prudential risks".

ESMA said investment firms should make investors fully aware of the unregulated status of these products and services and of the fact that they may not benefit from the regulatory protections that apply to investments in a regulated product. 

ESMA recommended firms take into consideration the impact that their unregulated activities may have on the their business activity as a whole when it comes to risk management systems and policies.

The risks highlighted by ESMA for unregulated products/services include:

• potential for investors to be misled as to the level of protection they get, especially if the unregulated products/services are provided on the same webpage as regulated ones (where the investment firm’s website is unclear and confusing for investors as to the regulatory status of the products/services being sold);
• potential for investors to not be fully aware of the nature of the product/service, and their risks;
• potential for investors to be confused or mis-sold products (investors may rely on a recommendation from the investment firm, even though MiFID requirements such as suitability and appropriateness assessments only apply to investment services, in relation to financial instruments); and
• some investment firms may encourage the confusion between regulated and unregulated products and services.

ESMA highlighted the following expected behaviours from investment firms providing regulated and unregulated products and services to avoid investor confusion about the firm's offering:

• The regulatory status of the product/service is clearly and effectively communicated in all dealings with clients, and at every stage of the sales process.
• Information about the regulatory status of the product and/or service is fair, clear and not misleading.
• The terminology used does not imply that the product/service is regulated or protected in any way where this is not the case.
• Information provided explicitly states what investor protections are lost/not applicable when investing in a product/service deemed to be out of scope of
  financial regulation, including: compensation schemes, client assets protections,  supervision by the national competent authority and recourse to any national regulatory authorities. 
• The investment firm’s regulatory status is not used as a promotional tool. When engaging in unregulated activities, information provided to the client or potential client, including marketing materials and other documentation, does not include a reference to the investment firm being authorised/regulated by a national competent authority.  
• Information on an investment firm’s website related to unregulated activities is clearly distinguished from regulated activities. Investment firms have separate sections on any website they operate for regulated activities and any other activities which they carry out. Client documentation is distinguished accordingly in order to ensure that clients are sufficiently aware of the differences in protection.

The report identifies 12 good practices that national competent authorities and other public entities can follow when designing and implementing their financial education initiatives.

The key deliverables for 2023 are:

1. Enabling sustainable finance – develop remaining technical standards under the Sustainable Finance Disclosure Regulation (SFDR) and work to better understand and fight against greenwashing.

2. Facilitating technological innovation and effective use of data – develop technical standards and guidelines in order to help the market prepare for the implementation of key new regulations in the area of digital finance: the Digital Operational Resilience Act (DORA), the Regulation on Markets in Crypto-Assets (MiCA) and the DLT Pilot Regime.

3. Investors and issuers – continue to report on the impact of costs and charges for retail investors and coordinate new workstreams on mystery shopping. Coordinate a Common Supervisory Action (CSA) in the area of sustainability, covering the risk of greenwashing in the fast-growing area of sustainable investment products. ESMA also expects to be mandated to support the regulatory framework for sustainable finance, under the Corporate Sustainable Reporting Directive, the proposed regulation for EU Green Bonds and the SFDR.

4. Markets and infrastructures – develop technical standards on authorisation and registration of benchmark providers. Deliver the final technical standards and guidelines mandated under the CCP Recovery and Resolution Regulation.

5. Risk assessment – continue to monitor market developments to assess risks, in particular the impact of commodity market developments, financial market impacts of inflation and rising interest rates.

6. Supervision and convergence – continue risk-based supervision of all EU CRAs, TRs and SRs as well as certain DRSPs, benchmark administrators and third-country CCPs, and work with national authorities to promote supervisory convergence and a common understanding of where major risks lie. Prepare for the supervision of Consolidated Tape Providers (CTPs), subject to ongoing legislative proceedings on MiFIR review and for the oversight of critical ICT third-party providers (CTPPs) with the other ESAs. 

The article is in six sections:

(i) an overview of recent market developments; 

(ii) analysis of specific sources of risk; 

(iii) potential transmission channels to traditional financial markets; 

(iv) ESMA's approach to monitoring risks in the market; 

(v) a brief overview of regulatory responses; and 

(vi) concluding remarks.

The Joint Committee of the ESAs advises national competent authorities, financial institutions and market participants to take a number of policy actions including:

1. Supervisors should continue to monitor risks to retail investors some of whom buy assets, in particular cryptoassets and related products, without fully realising the high risks involved. 

"Some retail investors may not be fully aware of the long-term effects of rising inflation on their assets and purchasing power. In the context of growing retail participation and significant volatility in cryptoassets and related products, retail investors should be aware of the risks stemming from these. The recent events and subsequent selloff of cryptoassets raises concerns on the appropriate assessment of the risks and the developments of this market segment going forward and requires particular attention of financial institutions and supervisors. Where disclosures are ineffective, these risks are compounded.

2. Financial institutions and supervisors should continue to carefully manage environmental related risks and cyber risks. 

"They should ensure that appropriate technologies and adequate control frameworks are in place to address threats to information security and business continuity, including risks stemming from increasingly sophisticated cyber-attacks."