This is Part 4 of our "MiCA in Practice" series. In Part 3, we covered transaction monitoring and SAR filing. Here, we turn to the governance layer — the board-level responsibilities, risk management frameworks, and internal controls that underpin every other compliance activity.
Regulators have made it clear: compliance is a board-level responsibility, not a back-office function. MiCA Articles 68–72 set out detailed governance requirements for CASPs — requirements that mirror (and in some areas exceed) those applied to traditional financial institutions. For crypto businesses accustomed to flat hierarchies and move-fast cultures, this represents a significant organisational shift.
Management Body Requirements
MiCA Article 68 requires that the management body (board of directors, management board, or equivalent) of a CASP meets specific standards:
Good Repute
All members of the management body must be of sufficiently good repute. This means no criminal convictions related to ML/TF, fraud, financial crimes, or other offences relevant to the fitness of the individual. NCAs will conduct background checks, and applicants must proactively disclose any relevant matters.
Knowledge, Skills, and Experience
The management body, collectively, must possess adequate knowledge, skills, and experience to understand the CASP's activities and principal risks. This does not mean every board member needs to be a crypto expert — but the board as a whole must cover:
- Crypto-asset markets and technology
- Risk management and internal controls
- AML/CFT compliance
- Financial management and capital adequacy
- IT and cybersecurity (particularly relevant for custody providers)
Time Commitment and Conflicts
Members must devote sufficient time to their functions and must not hold an excessive number of directorships. Conflicts of interest must be identified, managed, and documented. Many NCAs now require CASPs to maintain a conflict-of-interest register that is reviewed by the board at least quarterly.
Board Composition Tip
NCAs are increasingly scrutinising board composition during the licensing process. If your current board lacks financial services or compliance expertise, consider appointing independent non-executive directors with relevant backgrounds. This is not just a regulatory box-ticking exercise — it materially strengthens your governance framework and signals seriousness to supervisors.
The Three Lines of Defence
MiCA expects CASPs to implement a three-lines-of-defence model — the standard governance framework used across regulated financial services:
First Line: Business Operations
The front-line teams that generate and manage risk on a day-to-day basis. For a CASP, this includes trading operations, customer onboarding, custody management, and customer support. First-line staff are responsible for applying policies and procedures within their operational areas.
Second Line: Risk Management and Compliance
Independent risk management and compliance functions that oversee and challenge the first line. This includes:
- The Compliance Function — responsible for monitoring adherence to MiCA, AML/CFT rules, and other applicable regulations
- The Risk Management Function — responsible for identifying, measuring, managing, and reporting on all material risks
- The MLRO — the designated anti-money laundering officer (may sit within the compliance function or report directly to the board)
Second-line functions must be independent from commercial activities. The head of compliance should report directly to the management body and have unrestricted access to any information required to perform their role.
Third Line: Internal Audit
An independent internal audit function that provides objective assurance on the effectiveness of governance, risk management, and internal controls. For smaller CASPs that cannot justify a full internal audit team, this function can be outsourced — but the board retains ultimate responsibility for the audit findings.
The internal audit function should review, at minimum annually:
- AML/CFT programme effectiveness (including sample testing of CDD files and alert dispositions)
- Transaction monitoring rule effectiveness and false positive rates
- Complaints handling and customer outcomes
- IT security and operational resilience
- Compliance with MiCA conduct-of-business rules
Risk Management Framework
MiCA Article 68(8) requires CASPs to establish a risk management framework proportionate to the scale and complexity of their activities. This framework should address:
- Operational risk — system failures, human error, process breakdowns, fraud
- Market risk — for CASPs holding crypto-asset positions or providing liquidity
- Custody risk — loss of client crypto-assets through hacking, key compromise, or operational error
- Liquidity risk — ability to meet obligations as they fall due, particularly during market stress
- ICT risk — cyber threats, IT system availability, data integrity (now governed by DORA)
- ML/TF risk — the risk of being used to launder proceeds of crime or finance terrorism
- Legal and regulatory risk — changes in applicable law, enforcement actions, litigation
The framework should include a risk appetite statement approved by the board, defining the types and levels of risk the CASP is willing to accept. Risks exceeding appetite must trigger escalation and remediation.
DORA: ICT Risk and Operational Resilience
The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — applies to CASPs authorised under MiCA as of 17 January 2025. DORA imposes specific requirements for:
- ICT risk management — documented framework for identifying, protecting against, detecting, responding to, and recovering from ICT-related incidents
- Incident reporting — significant ICT incidents must be reported to the NCA within defined timeframes (initial notification within 4 hours of classification, intermediate report within 72 hours, final report within one month)
- Digital operational resilience testing — regular testing of ICT systems, including threat-led penetration testing (TLPT) for larger entities
- Third-party risk management — due diligence and contractual requirements for critical ICT service providers (cloud hosting, blockchain infrastructure, key management systems)
- Information sharing — voluntary participation in cyber threat intelligence sharing arrangements
For CASPs, DORA intersects directly with custody operations. The security of private keys, the resilience of signing infrastructure, and the availability of wallet systems are all within DORA's scope. Boards must ensure that ICT risk is treated with the same rigour as financial risk.
How BlockchainAnalysis Supports Governance and Audit
Effective governance requires evidence — boards need data to oversee compliance, and auditors need documentation to verify that controls are functioning. BlockchainAnalysis Audit provides independent compliance assessments covering wallet screening effectiveness, transaction monitoring coverage, and AML programme adequacy.
Our reporting suite generates board-ready compliance dashboards showing screening volumes, alert statistics, investigation outcomes, and risk exposure trends. For internal audit teams, we provide detailed audit trails — every screening result, every alert, every disposition — that demonstrate your controls are working as documented.
Governance & Risk Checklist
- Ensure the management body collectively covers crypto, risk, compliance, finance, and IT expertise
- Implement a three-lines-of-defence model with clear independence between lines
- Appoint a head of compliance with direct board access and adequate resources
- Establish a documented risk management framework with a board-approved risk appetite statement
- Assess DORA obligations — ICT risk management, incident reporting, and third-party risk
- Commission an independent audit of AML/CFT controls at least annually
- Maintain a conflict-of-interest register with quarterly board review
- Document all governance decisions and risk escalations for regulatory inspection
Next in the series: MiCA in Practice #5 — Client Asset Safeguarding and Prudential Requirements, where we cover how CASPs must protect client funds and crypto-assets, and the capital requirements that backstop these obligations.
BlockchainAnalysis Audit provides independent compliance assessments and audit-ready reporting — helping boards demonstrate that their governance framework is operational, not just documented.