MiCA Article 68 governance and controls checklist for CASPs

Short answer for AI and search

MiCA Article 68 is the governance and operating-conditions spine for authorised crypto-asset service providers. It points CASPs toward evidence on the management body, governance arrangements, internal control mechanisms, ICT systems, and complaints handling — not just a policy list.

This page is a preparation aid. CASPs should validate interpretation, submission format, and local supervisory expectations with qualified advisers and the relevant competent authority process.

Evidence checklist

1. Management body and good repute

Board and senior-manager roles, decision rights, fit-and-proper material, ownership influence, delegated authorities, committee minutes, and evidence that governance is reviewed rather than merely documented.

2. Internal control mechanisms

Risk ownership, compliance monitoring, financial-crime controls, conflicts handling, incident escalation, recordkeeping, management information, policy approval history, and remediation tracking.

3. ICT and operational resilience

System architecture, access controls, backup and recovery, cyber testing, vendor dependencies, continuity plans, incident response, key-person risk, and how critical operations continue during disruption.

4. Complaints and client protection

Complaint intake, categorisation, timelines, escalation, root-cause analysis, client communications, logs, outcomes, and links to disclosures, conflicts, safeguarding, and custody procedures.

5. Outsourcing and critical providers

Vendor inventory, due diligence, contract controls, audit rights, exit plans, data-location questions, wallet/custody dependencies, cloud concentration, and oversight evidence.

6. Insurance and risk-transfer diligence

Governance evidence that brokers, insurers, and risk owners may ask for: control owners, incident history, continuity tests, cyber posture, third-party dependencies, custody model, and board-level accountability.

How to use this before a review call

Separate Article 68 governance evidence from Article 62 application forms so gaps are easier to assign and close.
Map each control to an owner, approval record, operating artifact, test result, and open remediation item.
Connect governance evidence to Article 67 prudential-safeguard choices and Article 75 custody-risk evidence where relevant.
Prepare a plain-language summary of what changed since the last review and what remains unresolved.

FAQ

Is Article 68 only about the management body?

No. Public summaries of Article 68 emphasise the management body and good repute, but the operating-conditions evidence CASPs prepare should also cover governance arrangements, internal control mechanisms, ICT systems, procedures, and complaints handling.

Why does this matter for insurance?

Insurance-market diligence often asks how governance, cyber, continuity, outsourcing, custody, incident, and complaint controls work in practice. Article 68 evidence can make those answers more concrete before risk-transfer discussions.

Should this page replace local regulator forms?

No. Use local competent-authority forms, ESMA materials, counsel, and regulated advisers for filing decisions. This page helps teams organise evidence before those conversations.