The rapid evolution of financial technology and blockchain has brought unprecedented opportunities and challenges to the global economy. As the adoption of digital assets grows, regulatory frameworks are being developed to ensure transparency, security, and consumer protection. Among these frameworks, the European Union’s Markets in Crypto-Assets Regulation (MiCAR) represents a significant milestone, providing comprehensive guidelines for crypto-asset operations across the EU.
Ireland, already established as a hub for financial innovation, is at the forefront of implementing these new regulations. Its reputation for a robust and credible regulatory system, combined with a favorable business environment, makes it an attractive destination for companies seeking authorisation to operate in the EU market. However, navigating the complexities of these regulations, particularly the transition from Virtual Asset Service Provider (VASP) registrations to Crypto-Asset Service Provider (CASP) authorisations, requires expertise, preparation, and strategic planning.
In the latest episode of the Blockchain Leaders Insights series by Blockchain Ireland, Paul Hearns sat down with Louise McNabola, a partner in the Financial Regulation Unit at William Fry, to discuss the intricacies of Ireland’s regulatory landscape. With years of experience in helping firms secure authorisations, Louise shared valuable insights into the key requirements, common pitfalls, and upcoming changes that organisations must prepare for.
This article distills their conversation into actionable guidance for firms navigating the MiCAR framework, providing an in-depth look at the opportunities and challenges of operating in Ireland. Whether you’re an established player in the digital asset space or a new entrant considering Ireland as your base, this guide will help you understand what it takes to succeed in one of Europe’s leading jurisdictions for financial regulation.
Ireland’s emergence as a leader in financial and crypto innovation comes with immense opportunities, but also demands rigorous preparation and adherence to high regulatory standards. The insights shared by Louise McNabola highlight the critical steps firms must take to navigate the transition from VASP to CASP under MiCAR and to thrive in Ireland’s competitive authorisation landscape.
Success in this process begins with a clear understanding of what the Central Bank of Ireland expects. Firms must approach their applications with thorough preparation, well-structured governance models, and a deep commitment to transparency and consumer protection. Early engagement with the Central Bank is highly valuable, but it must be preceded by careful internal planning to make a strong first impression. Firms need to articulate their business models clearly and concisely, ensuring that their vision aligns with regulatory requirements.
Equally important is the recognition that authorisation is more than a procedural step; it is a validation of a firm’s readiness to operate responsibly and successfully within the EU market. The need to hire key personnel early in the process and maintain a local operational focus ensures that Irish entities are not just compliant but positioned to deliver on their business objectives effectively.
Looking ahead, the regulatory landscape will continue to evolve with significant developments like the Digital Operational Resilience Act (DORA). These changes will demand even greater resilience, foresight, and adaptability from firms. Preparing now for these future challenges will help ensure that businesses remain competitive and compliant in an increasingly complex environment.
For firms navigating this journey, the rewards are substantial. Ireland’s reputation as a hub for innovation, combined with its strong regulatory framework, positions authorised firms for success not only in the local market but across the entire European Union. As Louise emphasized, the rigorous process of securing authorisation ultimately builds credibility, fosters trust with consumers, and opens doors to long-term growth and innovation.
In this pivotal moment for the financial and crypto sectors, Ireland offers a unique opportunity for forward-thinking firms to establish themselves at the forefront of the industry. By combining strategic preparation, regulatory alignment, and a commitment to operational excellence, businesses can not only meet the challenges of MiCAR and beyond but also lead the way in shaping the future of finance.
Experienced Partner of the William Fry Financial Regulation Unit with a demonstrated history of working in the law practice industry. Skilled in Banking and Financial Regulation and specialising in regulatory authorisations, advising on anti-money laundering practice and procedures, PSD2 and capital requirements under CRD IV. Experienced in structured finance banking transactions and legal research. Strong professional graduated from NUIG.
Connect with Louse on LinkedIn
Learn more about William Fry
[00:00] Introduction
[0:13] Paul: Hello and welcome to the latest in the Blockchain Leaders Insights series brought to you by Blockchain Ireland. My name is Paul Hearns. I am co-chair of the Events and Comms Working Group and a member of the Steering Group of Blockchain Ireland. And I’m joined today by Louise McNabola, who is a partner in the financial regulation unit with legal services firm William Fry. Louise, welcome and thank you for joining us.
[0:37] Louise: Thank you, Paul. Very happy to be here.
[0:38] Paul: We’re going to be talking today about the authorisations landscape in Ireland, which has seen so much activity recently. We’re moving from the VASP authorisation process into the implementation of MiCAR and beyond. So there’s a lot to talk about. But before we do that, tell us a little bit about your background, how you came into this area in particular, and the kinds of things that you’ve been working on recently.
[1:09] Louise: Well, I started my career actually as a banking and finance lawyer with another large law firm in Dublin. And I joined Fry’s around five, five and a half years ago. And for that time to date, I’ve really been focusing on regulatory authorisations work. Principally electronic money institution, payment institution authorisations over the last number of years. Ireland did particularly well I suppose as a result of Brexit in relation to setting up or in relation to the authorisation of electronic money and payment institutions. So that’s where a lot of our time has been spent over the last number of years. Happy to say that we’ve been very successful in that in that we’ve acted for over a third of the e-money institutions that have successfully obtained authorisation in Ireland. I suppose with that level of experience, that gives us, I suppose, the depth of knowledge and the competencies to identify what kind of the key issues that the central bank would be looking for when it comes to authorisations. And it’s great now that we have the opportunity, I suppose, to get stuck into a new type of authorisation, which is the crypto asset service provider regime under MiCAR, the Markets and Crypto Assets regulation. So we’re really looking forward to getting stuck in. What we’re seeing at the moment is that there are a number of existing VASP providers. Obviously, the VASP regime is a registration regime. It’s principally an anti-money laundering regime. So it’s a registration that firms, many firms would have obtained to date with the Central Bank of Ireland. And now with the implementation of MiCAR those firms that have been providing services under a VASP registration now must go ahead and provide service or obtain an authorisation to provide services as a crypto asset service provider from the Central Bank of Ireland. So that’s where a lot of our energy is focused at the moment.
[3:01] Paul: Very good. Stepping back a little bit, though, given that the regulation is coming down at the EU level, why would organisations choose Ireland to do their registration? So just give us an idea of, you know, what might be the advantages of going through here.
[3:23] Louise: Sure. Like Ireland has proved to be a very popular jurisdiction, especially over the last number of years. Some of the reasons for that is because I suppose it’s one of the last English-speaking jurisdictions in the EU. The Central Bank of Ireland has really built up its reputation as a very credible regulator. They really robustly interrogate any firms coming in as to their business model, their risk management structures, their governance structures, etc. They want to make sure that any firms that successfully achieve an authorisation here can fulfil on their business plan and program of operations that they submit as part of the application process. They want to see these firms succeeding. So that’s why the process is quite a tough process. But at the end of the day, I think most applicants are very happy once they get through that process because, you know, it’s well recognised then that their business model is solid and the central bank have given their seal of approval and that’s recognised by a lot of other jurisdictions as well. Obviously, we’ve also got a very competitive tax structure and I think it’s a place where people have recognised that it’s a nice place to live, it’s a nice place to work. There’s a wealth of experience and expertise. Many of the roles that are required to be fulfilled as part of the regulated entity, such as chief risk officers, chief compliance officers, There’s a number of individuals that hold those relevant, really key skills that firms are looking to employ.
[4:51] Paul: Okay, well, that’s good to hear because I think that the stronger the base of an industry, the more likely it is that you’ll get the kind of innovation, I suppose, as well as investment that will kind of bring things along. That the proximity principle, I think, and the gravity that draws things to it has been well proven in other areas. So hopefully we will see that. But again, just looking at MiCAR in particular, there’s quite a number of deadlines and important dates kind of coming up in the calendar. Give us that kind of high level view of where are we now with it?
[5:33] Louise: Okay, so where we are now, for any firm that’s wishing to issue electronic money tokens or asset reference tokens, they already have to comply with the provisions of MiCAR. That was in place since June. But now for entities that have obtained a VASP registration, who have commenced providing services by the end of this year, 31st of December, those firms can avail of what’s called a grandfathering period. So that grandfathering period will allow VASP providers to continue with their services for a period of another 12 months, that’s to the end of 2025, while they’re applying for their CASP, their full CASP authorisation. If a firm wishes to provide crypto asset services and has not actually obtained its VASP registration unfortunately those firms cannot provide services after the end of this year. So that grandfathering period is very very important for any firm that has that VASP registration, so they need to start providing services and avail of it before…
[6:37] Paul: Ok, Ok and with December approaching um I’d say I suppose particularly for organisations that might be approaching this without having gone through the VASP process, but with the wealth of knowledge that’s there around this, what are the things that they should be looking out for? What are the preparatory steps that they should be taking for that initial engagement?
[7:04] Louise: Okay, so if you are a firm that wishes to provide these crypto asset services, you don’t have your VASP registration. You’re going to have to go straight into the CASP authorisation process. The Central Bank very helpfully held an industry event there in July where a lot of the key players were present.
[7:21] Paul: A very well attended event.
[7:22] Louise: It was a very well attended event and the Central Bank were excellent in setting out what their expectations are for these firms that are coming into the process. I will say also that there’s an awful lot of information available for all these firms on the Central Bank website. But just kind of as a high level overview, the first thing is the central bank welcome early engagement. So if you are planning on making an application to be a CASP, the central bank highly recommend that you engage early with the central bank, either through if you have a contact already existing or else through the innovation hub. Now, what we would say to firms is before you make that initial engagement, early engagement with the central bank, you really need to think through your business plan, your business model. What exactly are the services you’re going to provide? How are those services going to be provided? What kind of governance structure are you going to have in place? To what degree are you going to rely on outsourcing if you’re part of a group? And all of those kind of key elements of any business model. We believe strongly that you know if you have sorted if you have a very clear idea of how you’re going to present your business model to the central bank prior to that first pre-application meeting. You present the very best strongest case up front to the central bank.
[8:42] Paul: Okay okay that early engagement advice I think is particularly important because a lot of the time the instinct might be to, you know have your ducks in a row before you have any kind of engagement that i think uh certainly that the innovation hub there have been quite vocal in saying that’s not necessarily the case yet talk to us early and there there’ll be somebody there. So i think that the combination of the experience with the VASP process plus that openness to engagement is something that firms should definitely take advantage of. Again, that self-examination side of things, making sure it’s as simple as possible to explain what you do is always a worthwhile exercise.
[9:33] Louise: Yeah, I think to be fair, the central bank are, you know, there’s a lot of individuals there within that supervisions team that are really just getting to grips with the whole crypto or digital asset model. There’s a lot of upskilling that’s going on at the moment. So I think, you know, for firms that are experienced in dealing with digital assets, I think you need to be able to step back and be able to explain what in a very simple way, what exactly you are proposing to do, how you’re proposing to provide those services, what are the flows, what are the other players involved. The best that you can describe your model, I suppose it’s the easiest way for any supervisor within the central bank to be able to understand it. And then that’ll mean that you can progress a lot faster rather than them asking detailed questions. Can you go into more detail here or here? You know, provide the information up front in the most simple terms as possible.
[10:26] Paul: Okay. And I suppose flipping it over to the other side then, the supervisory priorities of the central bank in moving to the CASP regime in particular, have they changed significantly? You mentioned that, say, anti-money laundering was a key element in VASP. What are the supervisor your priorities now from the central bank’s perspective?
[10:50] Louise: I think the supervisory expectations and their priorities haven’t changed as a result of the introduction of this CASP regime. They’re the same supervisory priorities that would have always existed for any regulated entity. For example, governance. The central bank will expect the firm, the board of any regulated firm to have an appropriately constituted board of directors and a senior management team that there should be the correct flow of information from the senior management team to the board. All these firms should operate within a three lines of defence model and there should be the appropriate, I suppose audit and checking and oversight roles that should be complied with and regular reporting to the board. Another key priority for the central bank would obviously be the protection of consumers. Consumers at the heart of their, I suppose their expectation their supervisory expectations. So all steps should be taken by any firm to ensure that when dealing with consumers that their products are fully explained, fully transparent, pricing models are explained, terms and conditions reflect the appropriate protections for consumers and that every step I suppose every avenue is followed to make sure that the consumer is appropriately protected. Just another key, I suppose, supervisory expectation would be that, especially where a firm comes from a group of companies, that the hearts and minds of that firm are located firmly in Ireland. That means that the firm is governed by the Irish entity. While they may be part of a group and there will be other kind of high-level group influences, maybe expectations regarding strategy or product development etc, it’s really important that the board of an Irish firm actually can take those, I suppose, high-level objectives at a group level, but bring them back then to the Irish firm level, consider them, interrogate them, and then approve them as appropriate. So the hearts and minds must firmly be with the Irish firm.
[13:01] Paul: Okay. Well, as a slight aside, have you seen much in the way of organisations looking for authorisations from the Irish regulator, but with the intention of operating in other jurisdictions?
[13:14] Louise: Well, first of all, there is obviously the passporting regime. So once you have your authorisation as a CASP from the Central Bank of Ireland under Irish law, you have the ability then to passport your services to any other country within the EU. That’s the same process that currently exists for electronic money institutions and payment institutions. So that passporting ability is there. However, if you are purely establishing a firm in Ireland with no intention of actually providing services from Ireland, but just providing services in other jurisdictions, the central bank aren’t particularly in favour of that sort of a model. They want to see the firm being run, managed from Ireland, providing services in Ireland and, of course, within the EU. But it has to be an Irish-based entity.
[14:05] Paul: Interesting. Okay. Okay. Well, you mentioned as well the number of organisations that you had worked with, or rather the proportion in looking for or in going through authorisations. So given that sort of experience that you’ve had, what are the common pitfalls that you come across? Are there regular mistakes or omissions that people make when they’re going through these processes?
[14:34] Louise: Well, I think one of the first things I would say is that it’s really important before you engage with the central bank or submit an application to stand back, to take the time to actually fully prepare an application so that the first application that you submit is the strongest possible form of that application. Quite often, I suppose firms are really just anxious to get the process going and they will complete an application without giving it the appropriate due diligence and time that’s really required because there is an awful lot of time that goes into preparing an application. It’s really time heavy at the outset of an application. But the more time that’s prepared, the stronger the case that you put forward at the very first instance will actually make the rest of the process much easier. So that would be the very first thing I would say. Secondly, I think you have to avoid changing the story. Sometimes we’ve seen firms submit an application without having the business plan fully thought through and then say oh well that mightn’t work actually so we need to go back and change this and that could have knock-on effects in a number of different ways that wouldn’t have been anticipated and the central bank they don’t like that because obviously they invest time in becoming familiar with the business model that you initially proposed. If you change that um it can result in you’ve been kind of pushed back to the start of the process so we would advise again just to be very very clear at the outset as to what your plan is and how you’re going to provide your services.
[16:03] Paul: I’m sure that’s a regular risk in something that moves as fast as this particular industry so yeah that’s certainly a good one that may not necessarily occur to people initially but I suppose.
[16:18] Louise: Sorry actually on that point as well when you’re saying that you know obviously the industries that we’re talking about they are very fast moving industries and it’s difficult sometimes for fintech type firms to anticipate what their business model is going to look like in 18 months time. So you know the expectation is that you have your business model laid out for the first 18 months post-authorisation. Oftentimes firms then want to introduce new products or services quite quickly after authorisation. This isn’t a recommended approach. Sometimes it happens because the firm’s business just moves on in a different direction and they have no choice, they have to do that. But ideally, you would have it thought through how it’s going to look. So to the best of your ability.
[17:01] Paul: Okay, well, that leads us nicely to the next point, really, that what are the surprises that organisations encounter when they go through this process? Because I suppose sometimes there are just unexpected aspects that don’t occur until you’re in there. So, yeah, that point of, you know, rapidly introducing new services after authorisation or business models evolving quickly might be kind of a surprise for them in terms of their interaction. What else occurs?
[17:34] Louise: I think the focus on hearts and minds sometimes does take people by surprise because they say, well, we’re part of a group, you know, we have to operate under group policies, etc. Yes, you can operate under group policies, but you’ve got to take those policies and you’ve got to adapt them for the Irish law requirements. And you’ve also got to have them adopted by the Irish board. And the Irish board has a responsibility then to make sure that those policies and procedures are fit for their purpose. So that’s one aspect. Another aspect is, I suppose, in relation to staffing requirements. You know oftentimes at the outset of an application especially in a group scenario you will have individuals from the group, you know leading on the application and then comes the question. Well at what point do we need to actually have people on the ground here? So i think starting point we would always recommend is have your CEO. The CEO really should be the face of the application, the face of the firm, it can be somebody that you can present to the central bank as, yes, we are, I am the person who’s taking charge of this application, and you can direct all queries to me. We think that having a CEO, it adds to the seriousness of the applicant entity. We have people on the ground. We are serious about moving forward with this application. So the CEO would often be the first hire, I think, in our book. There are a number of other key roles which will need to be hired fairly early on. Well, sorry, you won’t be able to achieve your authorisation without having other key roles such as a head of finance, a chief risk officer and chief compliance officer MLRO. So they will be the kind of the key hires. So oftentimes firms do get a little bit, you know, they are taken back. Okay we actually have to have these people on the ground but we’re not actually providing services yet so there is a little bit of a time lag there. You do have to have people on the ground but you won’t yet have your authorisation but you won’t get your authorisation unless you have those people hired.
[19:39] Paul: Okay that’s a very interesting point yeah because it is that that sort of developmental thing whereby as you said you’re not providing services and yet You need to be geared as if you are. So again, I suppose it’s that mindset approach. So that’s great. But coming on then, I suppose, to the point where an organisation might be about to submit its application form. What’s that final checklist, that dotting I’s and crossing T’s list?
[20:15] Louise: Well, I think under this new CASP authorisation regime, what’s going to happen is that there’s a key facts document that needs to be completed first. The central bank are going to publish that key facts document imminently. There’s going to be a lot of detail required in that key facts document and that’s going to be interrogated by the central bank. The next step then will be the submission of a formal application. But what we think is going to happen is that the central bank is going to essentially interrogate very, very thoroughly, the information pre-submission of the application so that once you get into your application phase there is a specific statutory timeline within which the central bank needs to give a final response on whether or not the authorisation will be forthcoming or not. So a lot of the interrogation as I said will be done pre-submission. So when it comes to preparing your key facts document and after that the formal application, attention to detail, take your time, interrogated it fully, make sure that your financials, your projections make sense. Ensure that you’ve got the appropriate risk management control reporting lines in place. Obviously, most firms will have already gone through the AML procedures, so a lot of those procedures should be approved already by the central bank but they just need to be updated and reviewed. The central bank will likely ask to see you know experience your customer journey to understand how you onboard customers, how customers actually acquire assets, the money flows, other parties involved, the whole customer journey together with the AML onboarding process.
[22:00] Paul: Okay, okay. That’s quite a lot to get through. So yeah, as you said, it’s an involved process, but the more work that’s done up front, the easier it’ll get to be. So I suppose just kind of zooming out a little bit then on the regulatory landscape generally, what else is happening? Because we’ve already heard about MiCAR 2 and that’s in train. What else is happening in the environment that people should be aware of?
[22:27] Louise: Well, I suppose the next kind of, the really big piece of legislation is going to be the digital assets, Resilience Act, DORA. So that comes into play in January, and that’s all about operational resilience. So firms need to be, I suppose, thinking about their business continuity plans, their wind-up plans, how all of those plans work together from an operational resilience perspective. If those firms are engaged in outsourcing arrangements to make sure that all of their outsourcing arrangements are compliant with existing EBA guidelines on outsourcing and to make sure that any other sub outsources in their chain are actually also compliant because this all falls within the whole DORA regime as well. But we’re not going to get into too much detail on DORA today okay because that’s a whole other podcast.
[23:17] Paul: Indeed and we’ll certainly come back to that but again no it’s just good to get that context, the depth and the sort of the richness of the process can sometimes lead to a bit of a head down attitude and there’s still a little bit of horizon scanning necessary there to know what’s coming next and to make sure you’re prepared.
[23:42] Louise: Yeah I think any of the firms that have already been through the regulatory authorisation process are pretty familiar with the types of issues that are going to be thrown up as a result of DORA. And that’s been taken into account when you’re producing wind down plans and business continuity plans and your overall operational resilience framework as part of the application process. It’s really where firms have not been regulated in the past. That’s where the shock might, well, will arise. I think that’s where a lot of firms are grappling with at the moment, especially with regard to outsourcing arrangements.
[24:17] Paul: Okay. Okay. And just then from a personal perspective, what are the areas that you really like getting stuck into? Because there’s so many, say, the innovation in business models and the, the new possibilities, building on some of the traditional industries that we’ve seen, the extension of financial services. What are the areas that sort of make you excited? And what are the areas that you really like to get stuck into?
[24:48] Louise: Okay, this is where I put my nerd hat on.
[24:50] Paul: Absolutely. We have a ready supply.
[24:55] Louise: What I find really interesting, and obviously we haven’t got stuck into too many CASP type models yet but it’s the way that firms, the fintech firms are providing payment services. You know the innovative ways that you know the types of the Revoluts, the SumUps, all of these firms that are providing faster payment services for their customers. How they do that, how they can access money in accounts and transfer from one place to another, what service regime does that fall under, under PSD2? That’s what i find fascinating. I just, all of these firms, these challenger banks, they’re just moving ahead so quickly, providing much easier ways of accessing our money and living our lives, really, from a day-to-day perspective. I just find that fascinating.
[25:45] Paul: Indeed, indeed. Well, just to sort of wrap up then, we’ve covered a lot. And again, your depth of experience in working through the authorisation processes. Just in the sort of 12 to 18 month time frame, what are the things that you’d like to leave the audience with just in terms of what to look out for?
[26:07] Louise: What to look out for? I suppose for any firms that are interested in pursuing any sort of engagement with the central bank, you never get another chance to make a first impression. So make that first impression as best and as strong a case as you can. It takes time, it takes preparation. Obtain the appropriate advice where you need it. Prepare and go in with your best business case. That would be my first piece of advice. Secondly, the process is not the easiest of processes but there is a huge satisfaction at the end of the day when you get through that process and you know that you’ve earned your authorisation. Also be prepared obviously for a time lag between, obtaining your authorisation and becoming operational. You know you just have your plans in place to actually get your business up and running because obviously key to this is having an income, being able to fulfill your financial projection requirements etc, and then yeah best of luck to anybody who’s pursuing an authorisation.
[27:15] Paul: Indeed luck can never be ruled out as a contributory factor as well but I think with the expertise that you can bring to bear then luck is a smaller proportion but thank you very much.
[27:28] Louise: You’re very welcome thank you.
[27:29] Paul: it’s been an interesting discussion. I think because it’s such an important aspect of what’s happening within the industry but it’s such a necessary aspect as well and you mentioned the consumer protection element of the CBI’s outlook. And I think the more consumers are protected and feel protected, the more adoption will come and the more the industry will progress. So it’s very necessary. And at the same time, I think you’ve presented it very well in terms of making it accessible for people. So thank you very much.
[28:09] Louise: Thank you.
[28:09] Paul: So thank you very much, ladies and gentlemen, for joining us. This has been the latest in the Blockchain Leaders Insights series from Blockchain Ireland, and we will hopefully see you again for another episode. Thank you very much.