Conformis

MiCA readiness audit — client intake

This questionnaire scopes your crypto-asset service against the obligations of the EU Markets in Crypto-Assets Regulation (MiCA). Your answers are assessed against a 48-point methodology and returned as a gap analysis mapped to specific MiCA articles — showing where you appear to meet, partially meet, or fall short of each obligation, with remediation priorities. It is based on the information you provide and is not legal advice or a guarantee of authorisation.

Estimated time: 20–35 minutes. Responses are auto-saved as you type and treated as confidential.
Answer in detail — describe, don't just confirm. The audit assesses what you actually do, not yes/no claims. "We segregate client funds" tells us little; "client EUR is held in a dedicated account at [bank], reconciled daily against our ledger by the finance team" can be assessed. The more concrete your description, the more accurate your gap report. Don't upload or email documents here — if any are needed, we'll request them securely after you submit.
A. Company & contact
Who you are and how to reach you
If incorporated outside the EU, note that too: a CASP must have its registered office in an EU Member State (Art. 59(2)), so this directly affects whether you can hold a CASP authorisation at all.
B. Services provided
Determines your capital class and which sections apply
Select all that apply. These map to MiCA's 10 defined services and set your capital class. Tip: if clients can hold a balance after trading, you are providing custody.
What do you actually do, for whom, and how do you make money? Include client types (retail/professional), jurisdictions you serve, and rough volumes if you can.
C. Jurisdiction & substance
Home NCA, office, and real presence — Art. 59, 68
e.g. CySEC (Cyprus), BaFin (Germany), AMF (France), MFSA (Malta), CNMV (Spain), FCIS/Bank of Lithuania.
Why this matters: MiCA requires a registered office in a Member State, effective management in the EU and at least one EU-resident director (Art. 59(2)), backed by the governance requirements of Art. 68. "Letter-box" entities and fly-in directors are a leading refusal ground under that substance test.
Where is your registered office and where is the business actually run from? How many staff are EU-based and in what roles? Are directors EEA-resident?
D. Capital & own funds
Prudential safeguards — Art. 67, Annex IV
Paid-up share capital, share premium, retained earnings. Exclude loans, working capital, and crypto-assets held on the balance sheet — these do not count as regulatory capital.
Why this matters: own funds must be at least the higher of the Annex IV minimum and one quarter of the prior year's fixed overheads (Art. 67). ESMA Q&A 2349 (Feb 2026) confirmed that the calculation starts from all overhead expenses, fixed and variable, not just rent and salaries, before the permitted deductions. Most firms under-state this.
What was your prior-year total expense base, and what do you deduct to reach the 25% figure? If you haven't calculated it, say so.
How are reserves composed, where are they held, how is 1:1 backing maintained and evidenced, and how often are they reconciled/audited?
E. Governance & management
Board, fit & proper, conflicts, outsourcing, wind-down — Art. 68, 72, 73, 74
Who sits on the board? Do you have independent risk and compliance functions, and to whom do they report? Name the key function holders (CEO, CFO, CRO/risk, MLRO, Head of Custody, Head of IT).
Describe the checks performed (criminal record, regulatory history, bankruptcy, reputation) and whether they're documented for the NCA file.
Is there a written remuneration policy approved by the management body that promotes sound, effective risk management and discourages excessive risk-taking? How is variable pay (bonuses, token incentives) structured for risk/compliance staff and senior management?
Do you have a written policy that is board-adopted, published on your website, and reviewed annually? How do you handle token-listing decisions and any proprietary trading?
Which functions are outsourced (e.g. cloud, KYC, custody tech)? Are there written agreements, due diligence, and exit strategies? Has the NCA been notified where required?
Why this matters: an orderly wind-down plan (Art. 74) is required in the NCA application file and is very frequently missing.
Describe your plan to cease operations without harming clients or markets — or state plainly that you don't yet have one.
F. AML / CFT programme
MLRO, policy, CDD, risk assessment, sanctions — AMLD5 + EBA GL/2024/15
Name/role, seniority, whether the role is separate from the compliance officer, and whether the NCA/FIU has been notified.
Is there a written policy approved by the management body? What does it cover (risk appetite, customer risk rating, monitoring, escalation, STR filing)?
Standard / simplified / enhanced CDD, beneficial ownership down to the 25% threshold, PEP screening, and any crypto-specific typologies you screen for (mixers, privacy coins, peel chains).
Do you have a written, periodically-updated assessment across customer types, products, geographies, and channels?
Why this matters: sanctions screening is the most common gap among smaller CASPs, and EBA GL/2024/15 has applied since December 2025.
Which lists (EU Consolidated, OFAC, UN)? When do you screen (onboarding, on list updates)? How are matches resolved and documented?
Real-time or batch? What alert logic? Have you tested the end-to-end path of filing a suspicious transaction report to your FIU?
G. Travel Rule / TFR
Originator & beneficiary data on transfers — Reg. 2023/1113
What data do you attach to outbound transfers and capture on inbound? Which Travel Rule solution/protocol do you use, and is it interoperable with counterparty CASPs?
What risk-based controls and ownership-verification steps apply? What triggers enhanced due diligence?
Do you have a documented, risk-based decision process — rather than blanket accept/reject?
H. Client asset safeguarding
Segregation of client funds and crypto — Art. 70
Where exactly is client EUR held (which credit institution, what type of account)? Is it segregated from your own funds? How often is it reconciled and by whom?
Why this matters: Art. 70 requires client crypto-assets to be held separately from your own holdings. Omnibus wallets without per-client segregation records leave clients exposed in an insolvency and can expose directors to personal liability.
Are client assets held in distinct wallets, separate from your proprietary holdings? How do you reconcile on-chain balances against internal records?
Do client agreements specify asset types held, the liability regime, loss allocation, sub-custody arrangements, and redemption terms?
I. ICT & operational resilience (DORA)
Risk framework, continuity, incidents, vendors — Reg. 2022/2554
Do you have documented policies across identification, protection, detection, response and recovery? DORA has applied to MiCA-authorised CASPs since 17 January 2025, and MiCA makes an ICT risk management framework a condition of authorisation.
Are RTO and RPO defined? Is the plan tested at least annually, with results documented?
Why this matters: DORA requires regular ICT testing, including vulnerability assessments (Art. 25), and threat-led penetration testing (TLPT) at least every three years for entities the competent authority identifies as significant enough to be in scope (Art. 26).
How often do you scan for and remediate vulnerabilities? Do you run penetration tests, and by whom (internal/external)? If you may be in scope for TLPT, note that too.
Do you maintain a register of material ICT vendors with contracts and exit strategies? What are your incident classification and NCA-reporting procedures and timelines?
J. Consumer protection & conduct
Disclosures, complaints, marketing — Art. 66, 71, 7
How do you disclose risks, costs and fees? Is client-facing information fair, clear and not misleading?
Is there a written, published procedure? What are your acknowledgement and resolution timeframes, and how are complaints logged?
Are marketing materials identifiable as such, consistent with any white paper, and carrying required risk warnings? Does this include social media?
For advice and portfolio management: how do you assess client knowledge, experience, objectives and capacity to bear losses before providing the service?
For firms executing client orders: how do you cover price, cost, speed and likelihood of execution/settlement?
K. Market abuse
Insider dealing & manipulation prevention — Title VI, Art. 86–92
How do you prevent and detect insider dealing and manipulation (wash trading, spoofing, layering, pump-and-dump)? Is there a written policy and staff training?
How do you detect and report suspicious orders and transactions to the NCA? Note this is distinct from AML STR filing to the FIU.
L. White paper & issuer obligations
Content, liability, approval, redemption — Art. 6, 15, 17, 36, 48
Why this matters: ART and EMT sit under different MiCA regimes. EMT issuers must be a credit institution or e-money institution and offer redemption at par on demand; ART issuers fall under Title III with distinct reserve, white-paper and approval rules. The audit scores you against the correct one.
Does it cover issuer details, project description, risk factors, holder rights, underlying technology, and adverse environmental impact? Has it been (or will it be) NCA-approved (ART) or notified (EMT) before publication?
Reserve investment policy, liquidity management, stress testing, and the at-par redemption right for holders.
M. Reporting, records & passporting
Ongoing obligations — Art. 65, 68(9), 85
Do you retain all orders, transactions, communications, screening results, complaints and board minutes for at least 5 years, in a reconstructable format?
What periodic and event-driven reports do you (or will you) file with your NCA — e.g. trading-platform transaction reporting, complaints data, prudential/own-funds reporting, material changes? How is this resourced and is the data path tested?
Why this matters: under Art. 85, a CASP with at least 15 million active users in the EU on average over a calendar year (calculated from daily active users) is a "significant CASP", with enhanced reporting and supervisory obligations; significance also weighs in how DORA's testing and oversight requirements are applied to you.
Roughly how many active EU users do you have, and is that anywhere near the 15M significant-CASP threshold? A rough figure is fine.
If so, do you have a process to notify your home NCA before providing services cross-border?
Known gaps, deadlines you're working toward, prior regulator feedback, or areas you're specifically worried about.
Basis of engagement
Please read before submitting — what this service is, and is not

The MiCA Readiness Audit is a gap analysis: it assesses the information you provide against a methodology derived from MiCA and related EU instruments, and identifies where your arrangements appear to meet, partially meet, or fall short of those obligations, with suggested remediation priorities.

By submitting, you acknowledge and agree that:

  • The analysis is based solely on the information and documents you provide. We do not independently verify, audit, or confirm them. Its accuracy depends entirely on the accuracy and completeness of your answers.
  • The report is not legal or regulatory advice, not a regulatory submission or application, not a compliance certificate, and not a guarantee, prediction, or assurance of authorisation by any national competent authority.
  • Article references and capital-class indications are indicative only; MiCA requirements and their application vary by competent authority and may change. You should obtain independent professional advice before making any regulatory decision and must not rely on the report as the basis for an authorisation decision.
  • To the maximum extent permitted by law, our total aggregate liability arising out of or in connection with the report is limited to the fee paid for it, and we are not liable for any indirect or consequential loss. Nothing here excludes any liability that cannot lawfully be excluded.
  • Your responses are treated as confidential and used solely to produce your report.

These terms govern the report. Full terms apply at the point of purchase. Governed by the laws of [jurisdiction].

Your responses are used solely to produce your MiCA gap analysis and are treated as confidential. This is a gap analysis based on the information you provide — not legal or regulatory advice, not a regulatory submission, and not a guarantee or prediction of authorisation by any competent authority. Article references are indicative and vary by NCA. See the basis of engagement above.
© Conformis — operated by Mercurial Software LTD.