Europe’s Markets in Crypto-Assets Regulation (hereinafter – “MiCA”) has raised the bar for how crypto businesses are staffed and governed. The era of a two-founder “garage exchange” is over. Today, crypto-asset service providers (hereinafter – “CASPs”) must meet strict standards in governance, compliance, and staffing to operate legally. EU regulators now expect CASPs to have qualified people in key roles, a clear governance structure, and a “genuine local presence” (not just a brass-plate office) with management actively overseeing the business. They will also expect evidence that senior staff are “fit and proper” – combining integrity, competence, and sufficient time commitment.
At Manimama Law Firm, we’ve unpacked what that means in practice for your org chart, hiring, and day-to-day oversight. Below is a practical walkthrough of the people and structures regulators will look for, and how to assemble them in a way that actually helps you run the business.
One size doesn’t fit all – but the rules still bite
Every CASP’s staffing depends on what you do (the MiCA service line), how you do it (own infrastructure vs. light OTC), who you serve, the volumes you handle, and how automated you are. That means proportionality matters: a lean brokerage won’t mirror a full-blown exchange. But proportionality is not a loophole – certain governance building blocks are non-negotiable and will be tested at authorisation and in supervision.
Governance that passes the “real presence” test
Start with the management body. MiCA requires a collegiate body (not a single figurehead), with its place of effective management in the EU and at least one director resident in the Union. ESMA’s Supervisory Briefing Authorisation of CASPs under MiCA (hereinafter – “Guidance”) takes this further in practice: at least one executive member should be resident in the Member State of authorisation, and senior relationships must be formalised (employment or a recognised civil-law contract under local law).
Supervisors also look at time on task. As a rule of thumb, executive board members should be able to dedicate at least half of their time to the CASP; the Chief Executive Officer (CEO) is expected to be full-time. If you argue for less, you’ll need to prove governance quality doesn’t suffer.
Finally, regulators want to see who owns internal control and risk. At least one member of the management body should be clearly responsible for implementing, maintaining, and monitoring your internal-control framework – not in theory, but in meeting minutes, reporting lines, and escalation paths.
The result is a simple litmus test: are decisions really taken in the EU by people who actually work there, with enough time and authority to do the job? If yes, you’re already ahead of many applicants.
Roles that matter
- Compliance Manager
This role sits within the executive function and is responsible for ensuring adherence to Article 11(1) of Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (hereinafter – “AML Regulation”), MiCA, and any supervisory acts. In practice, this is your Chief Compliance Officer (CCO) who oversees internal policies, monitors compliance, and reports both to management and regulators – making this position central to the firm’s integrity and accountability. This person should be part of the management body in its executive function – not merely a nominal external consultant.
- Money Laundering Reporting Officer (Art. 11(2) of AML Regulation)
Alongside, the Money Laundering Reporting Officer (hereinafter – “MLRO”) is responsible for filing suspicious activity reports and liaising with the FIU. This role must remain independent, have sufficient resources, and report directly to the management body.
While MiCA allows combining MLRO and compliance manager roles in small, low-risk firms, regulators generally expect them to be separate. For CASPs, separating these functions ensures stronger AML oversight and greater regulatory trust.
- Risk and Internal Control Lead (Section 4.3 of the Guidance)
Someone senior must be visibly accountable for the internal control system and risk management. In a small company, this can be a director; in a larger platform, expect a dedicated risk lead working hand-in-glove with compliance and ICT.
- Chief Technology Officer (Art. 68(7), MiCA)
MiCA, DORA, and ESMA place strong emphasis on the resilience and security of ICT systems. While these rules do not explicitly require firms to appoint a Chief Technology Officer, every CASP is expected to ensure proper ICT oversight. For smaller setups, outsourcing may be sufficient. But for CASPs running their own infrastructure – such as custody, market-making, or portfolio management – having at least one competent in-house ICT lead, supported by external providers if needed, is essential.
- Data Protection Officer (Art. 37, GDPR)
If the scale or nature of processing triggers it, appoint a Data Protection Officer (hereinafter – “DPO”). The role can be outsourced, and even where it isn’t strictly mandatory, engaging a DPO (or clearly assigning the responsibilities) is a practical way to strengthen your posture with both clients and supervisors.
Two themes run through these roles. First, clarity: who does what, who can say “stop,” and who reports to whom. Second, independence where it counts: avoid structures where the person checking the controls is also the one being checked.
Conclusion
The evolution of crypto regulation in the EU, spearheaded by MiCA, has put people and governance at the center of compliance. For any CASP aiming to thrive in this regulated era, assembling the right team is as important as having the right technology. A CASP that invests in proper staffing and training is not only checking a regulatory box; it is building the foundation for sustainable growth.
The takeaway is motivating: meeting these personnel requirements isn’t just about avoiding penalties – it can be a competitive advantage. When you can honestly say that your exchange or platform is run by experienced professionals, with strong anti-fraud and security teams in place, you’re essentially telling users their money and data are in safe hands. In an industry built on trust (trust in code, and trust in companies), this kind of assurance is priceless. By building a team that satisfies EU regulatory standards, CASPs not only stay on the right side of the law but also set themselves up for long-term success in the market. Treat the org chart as a living control: revisit role clarity after incidents, audits, and major changes – not only at license time.
The content of this article is intended to provide a general guide to the subject matter, not to be considered as a legal consultation.



