MiCA Survival Guide · Section 2
Why Applications Fail
The regulator's view: common deficiency patterns
Top 4 reasons for failure
Inadequate AML/CFT Framework (#1 rejection reason)
Common deficiencies
Generic template policies
- Copy-paste AML manuals not customized to local AML Acts
- Failure to reference specific national legislation
- No evidence of jurisdiction-specific risk assessment
Incomplete PEP definitions
- Generic definitions not aligned with local PEP classifications
- Missing domestic PEP categories
- Inadequate enhanced due diligence (EDD) procedures for PEPs
Non-functional transaction monitoring
- Claiming to have monitoring systems without demonstrating functionality
- No documented transaction monitoring scenarios
- Inability to show real-time detection capabilities
- Missing FATF Travel Rule implementation
The applicant must demonstrate not just the existence of AML policies, but their functional implementation with documented transaction monitoring, risk-scoring methodology, and proven VASP screening capability.
Incomplete or Inconsistent Application Documentation
Critical inconsistencies found
- Contradictory Business Models: Business plan describes Service A, website/whitepaper describes Service B, and terms of service reference Service C.
- Supplier Verification Failures: Claiming partnerships with custody providers who state they are not MiCA-compliant, or referencing third-party services without contractual proof.
- Capital Calculation Errors: Miscalculating minimum capital, confusing fixed overhead calculations, or failing to provide bank statements proving capital is in company accounts.
Weak Governance & Insufficient EU Substance
Governance failures
- Management Not 'Fit and Proper': Lack of demonstrated crypto/financial services expertise, a management body that collectively lacks appropriate knowledge, or criminal record issues.
- No Clear 'Effective Place of Management': Directors scattered across multiple jurisdictions, no EU-resident executive board member, virtual offices or mail forwarding addresses (instant rejection), insufficient local operational staff.
At least one member of the executive board must be based in the EU, with documented autonomous decision-making capability within the Union rather than 'letterbox' arrangements.
Technology & DORA Compliance Gaps
IT infrastructure failures
- Incomplete ICT Risk Management Framework: Missing 'Register of Information' for third-party ICT providers, no documented digital resilience testing program, absence of ICT incident classification/reporting procedures.
- Custody & Key Management Deficiencies: Generic descriptions of wallet security (not actual policies), no documented cold/hot storage allocation strategy, missing cryptographic key lifecycle management procedures, inability to demonstrate asset segregation.
- Business Continuity Gaps: No documented Recovery Time Objectives (RTO) for critical systems, missing disaster recovery procedures, inadequate backup and redundancy systems.