The current interpretation of the European Banking Authority (EBA) shows that Crypto Asset Service Providers (CASP) will most likely be affected by CESOP reporting obligation in the future. This article explains how this transition is coming about, what impact it will have on technology, compliance and operations, and outlines how this new regulatory challenge can be overcome.
The EBA’s latest guidance on the interlinking of MiCA and PSD2 marks a significant change for crypto custodians. Until now, MiCA has been understood as a clearly defined regime; now, however, the focus is shifting to an aspect that many CASPs had not anticipated: certain services – in particular the custody and transfer of e-money tokens – may in future be classified as payment services within the meaning of PSD2. This creates the possibility that CASPs will fall under the requirements of the ‘Central Electronic System of Payment Information’ (CESOP) and will have to fulfil reporting obligations that were previously reserved for traditional payment service providers.
CESOP has demonstrated in practice how complex regulatory implementation can be. Differences between test and production environments, unspecific error messages and short-term documentation changes quickly lead to high costs and operational uncertainty. These are precisely the challenges that CASPs will also face in future, as soon as token or wallet processes are interpreted as EMT transfers or account-functional wallet services. Incidentally, many of the challenges are similar to the pitfalls we recently described for newly licensed payment service providers – now they are affecting CASPs in a similar way.
Crypto asset service providers under pressure to act
Although the EBA is granting a transition period until 2 March 2026, there is already considerable pressure to act. CASPs must clarify how their tokens are to be classified for regulatory purposes, whether wallets are considered payment accounts, and which reporting processes are to be technically mapped. As soon as their business models fall within the scope of the CESOP reporting requirements under Section 22g of the UStG (German Value Added Tax Act) in Germany, for example, sanctions come into play: Incorrect, incomplete or late CESOP reports are considered an administrative offence under Section 26a of the German Value Added Tax Act (UStG) and can be punished with fines of up to €5,000.
DPS is one of the first providers to develop a complete CESOP solution, test it in collaboration with banks and payment service providers, and roll it out productively. The CESOP Compliance Service has been tested in real high-load environments, is technically mature and can be integrated quickly. Our experience from numerous implementations enables us to address regulatory risks precisely and eliminate typical sources of error in advance. The solution is cost-effective, ready for immediate use and relieves institutions of a large part of the operational reporting process.
Conclusion
For CASPs, the EBA’s ‘no action letter’ therefore means one thing above all: MiCA is not the end of regulatory development, but the beginning of a new chapter in compliance. Those who check early on whether their services extend into the payment services area will create clarity and maintain control over costs and operational stability. Those who wait risk bottlenecks, false reports and increased attention from the supervisory authority.
