# EBA/GL/2024/06 — ART Internal Governance

|                         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Authority**           | EBA                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **Reference**           | EBA/GL/2024/06                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **Legal basis**         | [Article 34(13) MiCA](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-34.md)                                                                                                                                                                                                                                                                                                                                                                           |
| **Status**              | Final adopted; translated into the EU official languages                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **Applies from**        | 20 December 2024                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| **Compliance deadline** | 20 December 2024                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| **Provenance**          | English text adopted in the final report; standalone official-language publications available on EBA.                                                                                                                                                                                                                                                                                                                                                                       |
| **Source**              | [EBA](https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/asset-referenced-and-e-money-tokens-micar/guidelines-internal-governance-arrangements-issuers-arts-under-micar)                                                                                                                                                                                                                                                                            |
| **Documents**           | [Final report PDF](https://www.eba.europa.eu/sites/default/files/2024-06/611ef3d4-4d67-467f-bf0d-4c2b1dd0ef5e/Final%20report%20on%20draft%20Guidelines%20on%20internal%20governance%20of%20issuers%20of%20ARTs.pdf); [compliance table XLSX](https://www.eba.europa.eu/sites/default/files/2024-10/24ce008e-d25e-4c90-8a07-4fb2f2dc2637/EBA%20GL%202024%2006%20-%20Guidelines%20on%20internal%20governance%20arrangements%20for%20issuers%20of%20ARTs%20under%20MiCAR.xlsx) |

### Status of these guidelines

1. This document contains guidelines issued pursuant to Article 16 of Regulation (EU) No 1093/2010[^1]. In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent authorities as defined in Article 3(1) point (35)(a) of Regulation (EU) 2023/1114 to whom guidelines apply and financial institutions must make every effort to comply with the guidelines.
2. Guidelines set the EBA view of appropriate supervisory practices within the European System of Financial Supervision or of how Union law should be applied in a particular area. Competent authorities as defined in Article 4(2) of Regulation (EU) No 1093/2010 to whom guidelines apply should comply by incorporating them into their practices as appropriate (e.g., by amending their legal framework or their supervisory processes), including where guidelines are directed primarily at financial institutions.

### Reporting requirements

3. According to Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must notify the EBA as to whether they comply or intend to comply with these guidelines, or otherwise with reasons for non-compliance, by 20.11.2024. In the absence of any notification by this deadline, competent authorities will be considered by the EBA to be non-compliant. Notifications should be sent by submitting the form available on the EBA website with the reference 'EBA/GL/2024/06'. Notifications should be submitted by persons with appropriate authority to report compliance on behalf of their competent authorities. Any change in the status of compliance must also be reported to EBA.
4. Notifications will be published on the EBA website, in line with Article 16(3).

### Subject matter, scope, and definitions

#### Subject matter

5. These guidelines specify in accordance with [Article 34(13)](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-34.md) of Regulation (EU) 2023/1114 the minimum content of the governance arrangements for issuers of ARTs in particular regarding the monitoring tools for the risks[^2]; the business continuity plans; the internal control mechanism; and the audits, including the minimum documentation to be used in the audits.

#### Scope of application

6. These Guidelines apply at authorisation and on an ongoing basis to competent authorities, as defined in [Article 3(1)](/mica/title-i-subject-matter-scope-and-definitions-art.-1-3/article-3.md) point (35)(a) of Regulation (EU) 2023/1114, and to issuers of ARTs.
7. The guidelines apply to all issuers of ARTs, independently of their existing board structures.
8. Any reference to management body also includes issuers of ARTs that are legal persons managed by a single natural person.
9. Issuers of ARTs should comply and competent authorities should ensure that issuers of ARTs comply with these guidelines, including, where applicable, on a [group](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/dora/group.md) wide basis.

#### Addressees

10. These Guidelines are addressed to competent authorities as defined in [Article 3(1)](/mica/title-i-subject-matter-scope-and-definitions-art.-1-3/article-3.md), point (35)(a) of Regulation (EU) 2023/1114.
11. These Guidelines are also addressed to issuers of ARTs as defined in [Article 3(1)](/mica/title-i-subject-matter-scope-and-definitions-art.-1-3/article-3.md), point 10 of Regulation (EU) 2023/1114, of ARTs as defined in [Article 3(1)](/mica/title-i-subject-matter-scope-and-definitions-art.-1-3/article-3.md), point 6 of that Regulation. Where the [issuer](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/issuer.md) of ARTs is a [credit institution](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/crr/credit-institution.md), it should comply with Title I, Title V Sections[^3], 12.1, 12.2, 12.3 and Title VI and Title VII in conjunction with the requirements set out under Directive 2013/36/EU and the EBA guidelines on internal governance[^4].

#### Definitions

12. Unless otherwise specified, terms used and defined under Regulation (EU) 2023/1114, Directive 2014/65/EU, the 'EBA guidelines on internal governance arrangements for investment firms under IFD' (footnote 7) and Regulation (EU) 2022/2554, have the same meaning in these guidelines. In addition, for the purposes of these guidelines, the following definitions apply:

| Term                                        | Definition                                                                                                                                 |
| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| Management body in its management function  | means the management body acting in its role of directing effectively the issuer of ARTs and includes the persons who direct its business. |
| Management body in its supervisory function | means, where established, the management body acting in its role of overseeing and monitoring management decision-making.                  |
| Group                                       | means a group as defined in Article 2(11) of Directive 2013/34/EU[^5].                                                                     |
| Operational risk                            | means the operational risk as set out in Article 4(1)(52) of Regulation (EU) 575/2013.                                                     |
| Operational resilience                      | means the ability for an issuer of ARTs to deliver critical or important functions through disruption.                                     |

### Implementation

#### Date of application

13. These Guidelines apply from 20.12.2024.

Footnote 7: Guidelines on internal governance under Directive (EU) 2019/2034.

### 4. Guidelines

#### Title I - Application of the proportionality principle

14. Issuers of ARTs and competent authorities should have regard to the principle of proportionality when applying and implementing these guidelines with a view to ensuring that the governance arrangements are consistent with the individual risk profile of the [issuer](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/issuer.md) of ARTs and the [group](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/dora/group.md), where applicable, commensurate with its size and internal organisation, relevant to its business model, suitable for the nature, scale and complexity of its activities and sufficient to effectively achieve the objectives of the relevant regulatory requirements and provisions.
15. For the purpose of applying the principle of proportionality and to ensure the appropriate implementation of the governance requirements of Regulation (EU) 2023/1114 as further specified by these Guidelines, issuers of ARTs and competent authorities should take into account the following criteria:
    1. the size of the issuer of ARTs in terms of the balance sheet total;
    2. the legal form of the issuer of ARTs;
    3. whether the issuer of ARTs is listed or not;
    4. the classification of the [asset-referenced token](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/asset-referenced-token.md) issued as significant or non-significant pursuant to [Articles 43](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-5/article-43.md) and [44](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-5/article-44.md) and [Articles 56](/mica/title-iv-e-money-tokens-art.-48-48/chapter-2/article-56.md) and [57](/mica/title-iv-e-money-tokens-art.-48-48/chapter-2/article-57.md) of Regulation (EU) 2023/1114;
    5. the specifics, volume and number of ARTs issued;
    6. whether the ARTs issued are admitted to trading;
    7. the [consensus mechanism](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/consensus-mechanism.md) used to issue and validate the ARTs;
    8. the nature and complexity of all business activities;
    9. the type of authorised activities and the services performed;
    10. whether cross-border activities are provided and the size of the operations in each jurisdiction;
    11. the size of the [reserve of assets](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/reserve-of-assets.md);
    12. the type and complexity of the assets a token is referenced to;
    13. whether the holders of ART are retail holders or not;
    14. the use of third-party service providers;
    15. the distribution channels used, including the ones provided by third-party service providers; and
    16. the existing information and communication technology (ICT) systems, including business continuity measures and the use of ICT third-party entities as referred to in paragraph 5, first subparagraph, point (h), [Article 34](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-34.md) of Regulation (EU) 2023/1114.
16. Issuers of ARTs that are managed by a single natural person should have alternative arrangements in place which ensure the sound and prudent management of such issuers and the adequate consideration of governance arrangements including by providing for adequate checks and balances in decision making.

#### Title II - Role and composition of the management body

**1. Role and responsibilities of the management body**

17. In accordance with [Article 34](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-34.md) of Regulation (EU) 2023/1114, the [management body](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/dora/management-body.md) of an issuer of ARTs must define, oversee and be accountable for the implementation of sound governance arrangements that ensure effective and prudent management of the issuer and the interest of holders of ART including the segregation of duties and the identification, prevention and management of conflicts of interest within the issuer of ARTs in accordance with [Article 32](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-32.md) of Regulation (EU) 2023/1114.
18. The duties of the [management body](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/dora/management-body.md) should be clearly defined, distinguishing, where applicable, between the duties of the management (executive) function and of the supervisory (non-executive) function. The responsibilities and duties of the management body should be described in a written document and duly approved by the management body. All members of the management body should be fully aware of the structure and responsibilities of the management body and, where applicable, of the division of tasks between different functions of the management body.
19. Where applicable, the management body in its supervisory function and its management function should interact effectively. Both functions should provide each other with sufficient information to allow them to perform their respective roles. To have appropriate checks and balances in place, decision-making within the management body should not be dominated by a single member or a small subset of its members.
20. The management body's responsibilities should include at least setting, approving, and overseeing the implementation of:
    1. the overall business strategy and the key policies of the issuer within the applicable legal and regulatory framework, taking into account the issuer's long-term financial interests and solvency and interest of the holders of ARTs;
    2. the policies required under [Article 34(5)](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-34.md) of Regulation (EU) 2023/1114; such policies should be consistent with the risk appetite and tolerance of the issuer and the characteristics, the needs of the clients of the issuer of ARTs to whom they will be offered and their prospective holders;
    3. the organisation of the issuer for the issuance of ARTs specifying the skills, knowledge and expertise required by staff and the necessary resources;
    4. the overall risk strategy, the issuer's risk appetite and its risk management framework, including adequate policies and procedures, taking into account the macroeconomic environment and the business cycle, and specifying the involvement of the management body in risk management issues;
    5. an adequate and effective internal control framework including a risk management framework and well-functioning internal control mechanisms to ensure compliance with applicable regulatory requirements including with regard to the management of [reserve of assets](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/reserve-of-assets.md);
    6. a remuneration policy for issuers of significant ARTs that is in line with [Article 45(1)](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-5/article-45.md) of Regulation (EU) 2023/1114[^6];
    7. the policies and procedures to identify, prevent, manage and disclose conflicts of interest, in line with [Article 32](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-32.md) of Regulation (EU) 2023/1114[^7];
    8. arrangements that aim to ensure that the individual and collective suitability assessments of the management body are carried out effectively, that the composition of the management body is appropriate, and that the management body performs its functions effectively;
    9. a risk culture in line with Title IV Section 7 which addresses the issuer of ARTs' risk awareness and risk-taking behaviour;
    10. a corporate culture and values in line with Title IV Section 8 which foster responsible and ethical behaviour, including a code of conduct or similar instrument;
    11. arrangements that aim to ensure the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards.
21. When setting up, approving and overseeing the implementation of the aspects listed in paragraph 20, the management body should ensure that the business model and governance arrangements take into account all risks the issuer of ARTs is or might be exposed to and the risks that they pose or might pose to others and to the environment. For that purpose, issuers of ARTs should also take into account all relevant risk factors, including environmental, social and governance risks factors (ESG) and consider the climate and other environmental impacts caused by the energy consumption of the consensus and validation mechanisms used. Other ESG risk factors that should be considered include legal risks in the area of contractual or labour law, risks relating to potential human rights violations or other ESG risk factors that may affect the country where a third-party service provider is located and its ability to provide the agreed service levels.
22. The management body should oversee the process of disclosure, in particular as mandated by [Article 30](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-30.md) of Regulation (EU) 2023/1114, and communications with external stakeholders and competent authorities.
23. All members of the management body should be informed about the overall activity, financial and risk situation of the issuer of ARTs, taking into account the economic environment and business cycle, and also about any decisions taken that have a major impact on the issuance of ARTs or other material business activities.
24. A member of the management body may be responsible for an internal control function as referred to in Title V, provided that the member does not have other mandates that would compromise the member's internal control activities and the independence of the internal control function.
25. The management body should monitor, periodically review and address any weaknesses identified regarding the implementation of processes, strategies and policies relating to the responsibilities listed in this section. The governance framework and its implementation should be reviewed and updated on a periodic basis, taking into account the proportionality principle, as further specified in Title I. A deeper review should be carried out where material changes affect the issuer of ARTs.
26. Where the issuers of ARTs are legal persons managed by a single natural person in accordance with their constitutive rules and national laws, the references in these guidelines to a management body should be construed as applying to the single person that is responsible for implementing alternative arrangements to ensure the sound and prudent management of such an issuer and the adequate consideration of governance arrangements.

**2. Management function of the management body**

27. The management body in its management function should actively engage in the business of the issuer of ARTs and should take decisions on a sound and well-informed basis.
28. The management body in its management function should be responsible for the implementation of the strategies and policies set out by the management body and regularly discuss the implementation and appropriateness of these strategies and policies with the management body in its supervisory function. The operational implementation may be carried out by the issuers of ARTs' management body.
29. Members of the management body in its management function should constructively challenge and critically review propositions, explanations and information received by the staff when exercising its judgement and taking decisions.
30. Where applicable, the management body in its management function should regularly, timely and comprehensively inform and report to the management body in its supervisory function all relevant information necessary to perform their duties, including the risks and other developments affecting the business of the issuer of ARTs, e.g. material decisions on business activities, its organisation and underlying technologies, risks taken and compliance with the risk appetite and strategy, ML-TF risks, ICT incidents and reporting, material operational risk losses, liquidity and reserve of assets and their management.

**3. Supervisory function of the management body**

31. Without prejudice to the responsibilities assigned under the applicable national company law, the management body in its supervisory function should:
    1. oversee and monitor management decision-making and actions and provide effective oversight of the management body in its management function, including monitoring and scrutinising its individual and collective performance and the setting and implementation of the issuer of ARTs' strategy and objectives;
    2. constructively challenge and critically review proposals and information provided by members of the management body in its management function, as well as its decisions;
    3. ensure and periodically assess the effectiveness of the issuers of ARTs' governance framework and take appropriate steps to address any identified deficiencies;
    4. oversee and monitor that the issuer's strategic objectives, organisational structure and risk strategy, its risk appetite and risk management framework, as well as other policies (e.g. investment policy on the reserve of assets) are implemented consistently;
    5. monitor that the risk culture of the issuer of ARTs is implemented consistently;
    6. oversee the implementation, the update and the effective application of policies and procedures to identify, prevent, manage and disclose conflicts of interest, in accordance with [Article 32](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-32.md) of Regulation (EU) 2023/1114 (footnote 11);
    7. oversee the integrity of financial information and reporting, and the internal control framework, including an effective and sound risk management framework;
    8. ensure that the heads of internal control functions are able to act independently and, regardless of the responsibility to report to other internal bodies, business lines or units, can raise concerns and warn the management body in its supervisory function directly, where necessary, when adverse risk developments affect or may affect the issuer of ARTs; and
    9. set and monitor the implementation of the internal audit plan.

#### Title III - Governance framework

**4. Organisational framework and structure**

**4.1 Organisational framework**

32. The management body of an issuer of ARTs should ensure a suitable and transparent organisational and operational structure for that issuer of ARTs and should have a written description of it. The structure should promote and demonstrate the effective and prudent management of the issuer of ARTs and the group, where applicable.
33. The management body should ensure that the internal control functions have the appropriate financial and human resources as well as powers to effectively perform their role. As a minimum, the compliance function should operate independently, including that there is an appropriate segregation of duties. The reporting lines and the allocation of responsibilities should be clear, well-defined, coherent, enforceable and duly documented. The documentation should be updated as appropriate.
34. The structure of the issuer of ARTs should not impede the ability of the management body to oversee and effectively manage the risks that the issuer of ARTs or the group, where applicable, is exposed to, or the ability of the [competent authority](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/competent-authority.md) to effectively supervise the issuer of ARTs.
35. The management body should assess whether and how material changes to the group's structure where applicable (e.g. setting up of new subsidiaries, mergers and acquisitions, selling or winding-up parts of the group, or external developments) impact on the soundness of the ART issuer's organisational framework. Where weaknesses are identified, the management body should make any necessary adjustments swiftly.

Footnote 11: See the RTS on conflict of interests under [Article 32(5)](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-32.md) of Regulation (EU) 2023/1114.

**4.2 Know your structure**

36. The management body should fully know and understand the legal, organisational and operational structure of the issuer of ARTs ('know your structure') and ensure that it is in line with its approved business and risk strategy and risk appetite and covered by its risk management framework.
37. The management body should ensure that the structure of an issuer of ARTs and, where applicable, the structures within a group are clear, efficient and transparent to the staff, shareholders and other stakeholders and to the [competent authority](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/competent-authority.md).
38. The management body should guide the issuer of ARTs' structure, its evolution and its limitations and should ensure that the structure is justified and efficient and does not involve undue or inappropriate complexity.
39. When setting up such structures, the management body should understand them and their purpose and the particular risks associated with them and ensure that the internal control functions are appropriately involved. Such structures should be approved and maintained only when their purpose has been clearly defined and understood, and when the management body is satisfied that all material risks, including reputational risks, have been identified, that all risks can be managed effectively and appropriately reported, and that effective oversight has been ensured. The more complex the organisational and operational structure, and the greater the risks, the more intensive the oversight of the structure should be.
40. Issuers of ARTs should take into account in their decision-making the results of a risk assessment performed to identify whether such structures could be used for a purpose connected with ML/TF or other financial crime to ensure that the issuer or the sector is not exposed to serious risk of ML/TF. To this end, issuers of ARTs should take into account as a minimum:
    1. the extent to which the jurisdiction in which the structure will be set up complies effectively with EU and international standards on tax transparency, anti-[money laundering](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/tofr/money-laundering.md) and countering the financing of terrorism;
    2. the extent to which the structure serves an obvious economic and lawful purpose;
    3. the extent to which the structure could be used to hide the identity of the ultimate beneficial owner;
    4. the extent to which the reason that leads to the possible setting-up of a structure gives rise to concern;
    5. whether the structure might impede appropriate oversight by the ART issuer's management body or the issuer's ability to manage the related risk; and
    6. whether the structure poses obstacles to effective supervision by competent authorities.
41. In any case, issuers of ARTs should not set up opaque structures or unnecessarily complex structures that have no clear economic rationale or legal purpose, or structures that could raise concerns that these might be created for a purpose connected with financial crime.
42. Issuers of ARTs should document their decisions and be able to justify their decisions to competent authorities.
43. These structures and activities, including their compliance with legislation and professional standards, should be subject to a regular review. Where an internal audit function is established, it should perform the review on a risk-based approach.

**5. Organisational framework in a group context**

44. Where applicable, issuers of ARTs should ensure that governance arrangements, processes and mechanisms are consistent and well-integrated on a group wide basis. To this end, issuers of ARTs should ensure that their subsidiaries subject to Regulation (EU) 2023/1114 implement similar arrangements, processes and mechanisms to ensure robust governance arrangements on a group wide basis. Competent functions within an issuer of ARTs and its subsidiaries subject to Regulation (EU) 2023/1114 should interact and exchange data and information as appropriate.
45. While policies and documentation may be included in separate documents, issuers of ARTs should consider combining them or referring to them in a single governance framework document.

**6. Outsourcing**[^3]

46. The management body should approve and regularly review and update the outsourcing policy of an issuer of ARTs, ensuring that appropriate changes are implemented in a timely manner.
47. The outsourcing policy should consider the impact of the use of the outsourcing on an issuer of ARTs' business and the risks it faces (such as operational risks, including legal, reputational risks, and concentration risks).
48. The policy should include the reporting and monitoring arrangements to be implemented from inception to the end of outsourcing arrangements (including the due diligence process and risk assessment, the management and the monitoring of the arrangement, the termination, contingency plans and exit strategies).
49. The outsourcing of functions cannot result in the delegation of the management body's responsibilities. An issuer of ARTs remains fully responsible and accountable for all outsourced services and activities and management decisions arising from them. Accordingly, the outsourcing policy should make it clear that outsourcing does not relieve the issuer of ARTs of its legal and regulatory obligations.
50. The policy should state that outsourcing arrangements should not hinder effective on-site or off-site supervision of the issuer of ARTs and should not contravene any supervisory restrictions on services and activities. The policy should also cover intragroup outsourcing arrangements and take into account any specific group circumstances where appropriate.
51. Issuers of ARTs should maintain at all times sufficient substance and not become 'empty shells' or 'letter-box entities'. To this end, they should:
    1. meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in Section I of these guidelines;
    2. retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements as referred to in Section 4;
    3. where operational tasks of internal control functions are outsourced, exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions; and
    4. have sufficient resources and capacities to ensure compliance with points (a) to (c).

#### Title IV - Risk culture and business conduct

**7. Risk culture**

52. A sound, diligent and consistent risk culture should be a key element of issuers of ARTs' effective risk management and should enable these issuers to make sound and informed decisions that are consistent with their risk strategy and risk appetite.
53. Issuers of ARTs should develop an integrated and enterprise wide risk culture, based on a full understanding and holistic view of the risks they are or might be exposed to, including ESG risks, the risks to holders of assets, to markets, operational risks, ML-FT risks, liquidity risks and the risks linked to the investment of the assets of the reserve, the risk to the issuer of ARTs itself and how they are managed, taking into account the issuer of ARTs' risk tolerance, and the conflicts of interest that may arise due to the interconnectedness of players in the crypto ecosystem.
54. Issuers of ARTs should develop a risk culture through policies, communication and staff training regarding the issuer of ARTs' activities, strategy and risk profile, and should adapt communication and staff training to take into account staff's responsibilities regarding risk-taking and risk management.
55. Staff should be fully aware of their responsibilities relating to risk management. Risk management should not be confined to risk specialists or internal control functions. Business lines or units, under the oversight of the management body, should be primarily responsible for managing risks on a day-to-day basis in line with the issuers of ARTs' policies, procedures and controls, taking into account the issuer of ARTs' risk tolerance and appetite.
56. A strong risk culture should include but is not necessarily limited to:
    1. Tone from the top: the management body should be responsible for setting and communicating the issuer's core values and expectations. The behaviour of its members should reflect these values. The management body should contribute to the internal communication of core values and expectations to staff. Staff should act in accordance with all applicable laws and regulations and promptly escalate observed non-compliance within or outside the issuer (e.g. to the competent authority through a whistleblowing process).
    2. Accountability: relevant staff at all levels should know and understand the core values of the issuer of ARTs and, to the extent necessary for their role and its risk tolerance and appetite. They should be capable of performing their roles and be aware that they will be held accountable for their actions in relation to the issuer of ARTs' risk-taking behaviour.
    3. Effective communication and challenge: a sound risk culture should promote an environment of open communication and effective challenge in which decision-making processes encourage a broad range of views, allow for testing of current practices, stimulate a constructive critical attitude among staff and promote an environment of open and constructive engagement throughout the entire organisation.
    4. Incentives: appropriate incentives should play a key role in aligning risk-taking behaviour with the issuer of ARTs' risk profile and its long-term interests in particular for issuers of significant ARTs.

**8. Corporate values and code of conduct**

57. The management body should develop, adopt, adhere to and promote high ethical and professional standards, taking into account the specific needs and characteristics of the issuer of the ARTs, and should ensure the implementation of such standards (through a code of conduct or similar instrument). It should also oversee the adherence to these standards by staff. Where applicable, the management body may adopt and implement the issuer of ARTs' group-wide standards or common standards released by associations or other relevant organisations.

58. Issuers of ARTs should ensure that there is no discrimination towards staff based on gender, race, colour, ethnic or social origin, genetic features, languages, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.
59. The policies of issuers of significant ARTs should be gender-neutral[^8]. This includes, but is not limited to, remuneration, recruitment policies, career development and succession plans, access to training and the ability to apply for internal vacancies. Issuers of ARTs should ensure equal opportunities 14 for all staff irrespective of their gender, including with regard to career perspectives, and aim to improve representation of the underrepresented gender in positions within the management body. Issuers of significant ARTs should monitor the trend in the gender pay gap.
60. The standards implemented should aim to enhance the issuer of ARTs' robust governance arrangements and reduce the risk to which the firm is exposed, in particular operational and reputational risks, which can have a considerable adverse impact on an issuer of ARTs' profitability and sustainability through fines, litigation costs, restrictions imposed by competent authorities, other financial and criminal penalties, and the loss of brand value and investor confidence.
61. The management body should have clear and documented policies for how these standards should be met. These policies should:
    1. remind staff that all the issuer of ARTs' activities should be conducted in compliance with the applicable law and with the issuer's corporate values;
    2. promote risk awareness through a strong risk culture in line with Title IV, Section 7, conveying the management body's expectation that activities will not go beyond the defined risk appetite and limits defined by the issuer of ARTs and the respective responsibilities of staff;
    3. set out principles on and provide examples of acceptable and unacceptable behaviours linked in particular to financial misreporting and misconduct, economic and financial crime including but not limited to fraud, money laundering and terrorist financing (ML/TF), anti-trust practices, financial sanctions, bribery and corruption, market manipulation, mis-selling and other violations of consumer protection laws, tax offences, whether committed directly or indirectly;
    4. clarify that in addition to complying with legal and regulatory requirements and internal policies, staff are expected to conduct themselves with honesty and integrity and perform their duties with due skill, care and diligence; and
    5. ensure that staff are aware of the potential internal and external disciplinary actions, legal actions and sanctions that may follow misconduct and unacceptable behaviours.

14 See also Directive 2006/54/EC of the European Parliament and of the Council of 5 July 2006 on the implementation of the principle of equal opportunities and equal treatment of men and women in matters of employment and occupation.

62. Issuers of ARTs should monitor compliance with such standards and ensure staff awareness, e.g., by providing training.

#### Title V - Internal control framework and mechanisms

**9. Internal control framework**

63. Issuers of ARTs should develop and maintain a culture that encourages a positive attitude towards risk control and compliance within the issuer and a robust and comprehensive internal control framework. Under this framework, issuers of ARTs' business lines or internal units should be responsible for managing the risks they incur in conducting their activities and should have controls in place that aim to ensure compliance with internal and external requirements. As part of this framework, issuers of ARTs should have a permanent and effective internal compliance function with appropriate and sufficient authority, stature and access to the management body to fulfil its mission, and a risk management framework. Where proportionate, taking into account the criteria listed in Title I, issuers of ARTs should also have an internal risk management and audit function. In any case, the issuer of ARTs should have appropriate risk management and audit policies and procedures in place.
64. The internal control framework of the issuers of ARTs concerned should be adapted on an individual basis to the specificity of its business, its complexity and the associated risks, taking into account, where applicable, the group context. Within a group context, the issuer of ARTs concerned should organise the exchange of the necessary information in a manner that ensures that each management body, business line and internal unit, including each internal control function, is able to carry out its duties.
65. The internal control framework should cover the whole organisation, including the management body's responsibilities and tasks, and the activities of all business lines and internal units, including internal control functions, the use of third-party providers and distribution channels.
66. The internal control framework of an issuer of ARTs should ensure:
    1. effective and efficient operations including with regard to issuance of ARTs;
    2. adequate identification, measurement and mitigation of risks including operational risk and risk related to ICT in accordance with Regulation (EU) 2022/2554;
    3. the reliability of financial and non-financial information reported both internally and externally;
    4. sound administrative and accounting procedures; and
    5. compliance with laws, regulations, supervisory requirements and the issuer of ARTs' internal policies, processes, rules and decisions.

**10. Implementing an internal control framework**

67. The management body should be responsible for establishing and monitoring the adequacy and effectiveness of the internal control framework, processes and mechanisms, and for overseeing all business lines and internal units, including internal control functions (such as compliance, risk management and internal audit functions where established). Issuers of ARTs should establish, maintain and regularly update adequate written internal control policies, mechanisms and procedures, which should be approved by the management body. Where no risk management function is established, the management body should be responsible for establishing, updating and monitoring adequate risk management procedures and policies.
68. An issuer of ARTs should have a clear, transparent and documented decision-making process and a clear allocation of responsibilities and authority within its internal control framework, including its business lines, internal units and internal control functions.
69. Issuers of ARTs should communicate these policies, mechanisms and procedures to all staff and every time material changes have been made.
70. The internal control functions should verify that the policies, mechanisms and procedures set out in the internal control framework are correctly implemented in their respective areas of competence.
71. Internal control functions should regularly submit to the management body written reports on major deficiencies that have been identified. These reports should include, for each new major deficiency identified, the relevant risks involved, an impact assessment, recommendations and corrective measures to be taken. The management body should follow up on the findings of the internal control functions in a timely and effective manner and require adequate remedial actions. A formal follow-up procedure on findings and corrective measures taken should be put in place.

**11. Risk management framework**

72. As part of the overall internal control framework, issuers of ARTs should have a holistic issuer-wide risk management framework extending across all their business lines and internal units, including internal control functions, recognising fully the economic substance of all their risk exposures including the risks the issuer of ARTs poses to itself, the holders of assets, operational risks and risks resulting from the reserve of assets.
73. The risk management framework should enable the issuer of ARTs to make fully informed decisions on all risks they are or might be exposed to including ICT risks in accordance with Regulation (EU) 2022/2554 (DORA) 15 and Section 12. The risk management framework should encompass all risks, including actual risks and future risks that the issuer of ARTs may be exposed to. Risks should be evaluated from the bottom up and from the top down, within and across business lines or internal units using consistent terminology and compatible methodologies throughout the issuer of ARTs and at a consolidated level where applicable. All relevant risks should be encompassed in the risk management framework with appropriate consideration given to both financial and non-financial risks, including concentration, operational, ICT, reputational, legal, conduct and ESG risks. Consideration should also be given to credit risk, market risk, concentration risk and liquidity risk resulting from the reserve assets.

15 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on [digital operational resilience](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/dora/digital-operational-resilience.md) for the financial sector: Publications Office (europa.eu)

74. An issuer of ARTs' risk management framework should include policies, procedures, risk limits and risk controls ensuring adequate, timely and continuous identification, measurement or assessment, monitoring, management, mitigation and reporting of the risks at the business line, internal units, issuer and group level, where applicable.
75. An issuer of ARTs' risk management framework should provide specific guidance on the implementation of risk strategies. This guidance should, where appropriate, establish and maintain internal limits consistent with the issuer's risk tolerance, risk appetite and be commensurate with its sound operation, operational resilience, financial strength, liquidity needs and strategic goals. An issuer of ARTs' risk profile should be kept within the established limits. The risk management framework should ensure that, whenever breaches of risk limits occur, there is a defined process to escalate and address them with an appropriate follow-up procedure.
76. The risk management framework should be subject to independent internal review, e.g., performed by the internal audit function, and reassessed regularly against the issuer of ARTs' risk tolerance and risk appetite.
77. Regular and transparent reporting mechanisms should be established so that the management body and all relevant units in the issuer of ARTs are provided with reports in a timely, accurate, concise, understandable and meaningful manner and can share relevant information about the identification, measurement or assessment, monitoring and management of risks. The reporting framework should be well defined and documented.
78. Effective communication and awareness regarding risks and the risk strategy is crucial for the whole risk management process, including the review and decision-making processes, and helps prevent decisions that may unknowingly increase risk levels. Effective risk reporting involves sound internal consideration and the communication of the risk strategy and relevant risk data both horizontally across the issuer of ARTs and up and down the management chain.

**12. Operational risk management and operational resilience**

79. An issuer of ARTs should have an adequate operational risk management framework and operational resilience framework. This includes effective policies and processes to:
    1. identify, assess, evaluate, monitor, report and mitigate operational risk on a timely basis; and
    2. identify and protect themselves from threats and potential failures, respond and adapt to, as well as recover and learn from, disruptive events to minimise their impact on delivering critical or important functions[^9].
80. An issuer of ARTs' management body should, as part of the risk management framework, approve strategies, policies and processes for the management of operational risk and operational resilience, including the risk appetite for operational risk framework and the risk tolerance for disruption of critical or important functions 17. Those strategies, policies and processes should be periodically reviewed and updated as appropriate.
81. The management body ensures that these policies and processes are implemented effectively, fully integrated into the issuer of ARTs' overall risk management framework, including the risk in relation to the use of third-party entities, and effectively communicated to relevant staff.
82. An issuer of ARTs should clearly assign the responsibilities for the assessment and management system for operational risk and operational resilience.
83. An issuer of ARTs should identify its exposures to operational risk, track relevant operational risk data, including material loss data, and perform scenario-analysis.
84. An issuer of ARTs should identify its critical operations, consistently with its operational resilience approach, and map the people, technology, processes, data, facilities, third-parties, including intragroup entities, and the interconnections and interdependencies among them that are necessary for the delivery of critical or important functions in a business-as-usual situation and through disruption.
85. The operational risk and operational resilience management framework should be subject to regular reviews performed by internal or external auditors that possess the knowledge necessary to carry out such reviews. The operational risk management framework and the operational resilience framework should be structured with sufficient and adequate human and technical resources. The issuer of ARTs' operational risk assessment system and operational resilience framework should be fully integrated into the risk management framework of the issuer.
86. A system of reporting to the management body that provides for adequate operational risk and operational resilience reports from relevant functions within the issuer of ARTs should be implemented. The issuer of ARTs should have in place procedures for taking appropriate actions without delay, as relevant.
87. The issuer of ARTs should identify and assess the operational risk inherent to the issuer of ARTs' activities, processes and systems to make sure the inherent risks are well understood.

17 Tolerance for disruption is the level of disruption from any type of operational risk an issuer is willing to accept given a range of severe but plausible scenarios.

88. Considering Title I on the application of the principle of proportionality, issuers of ARTs should identify, analyse and measure a range of scenarios, including low probability and high severity events, some of which could result in severe operational risk losses. Inputs to the scenario analysis include relevant internal and external loss data, information from self-assessments, expert opinion, the internal control framework, forward-looking metrics, root-cause analyses and the process framework, as appropriate. The scenario analysis process should be used to develop a range of consequences of potential events, including impact assessments for risk management purposes, supplementing other tools based on historical data or current risk assessments.
89. Considering Title I, issuers of ARTs may use qualitative risk assessment approaches, while issuers of significant ARTs should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis.

**12.1 New product, system and process approval**

90. The issuer of ARTs should have policies and procedures for the assessment and approval of new products, processes, and systems, including on the new issuance of ARTs and related processes and systems.
91. The approval process should consider all the risks, including legal and ICT risks, in the launch of new products and in the implementation of new processes and systems, and include risks related to people, processes, systems and external events.
92. The approval process should also consider effects on the delivery of critical or important functions and on their interconnections and interdependencies as well as changes to the issuers of ARTs' operational risk profile, including changes to the risk related to existing products or activities, the necessary internal controls, risk management processes, and risk mitigation.
93. The issuer of ARTs should ensure the assessment of the evolution of risks associated with new products, systems and processes over time throughout the full life cycle of a product, activities or services.
94. The issuers of ARTs should have a strong internal control system in accordance with Title V also with regard to new products, processes and systems to ensure that the issuer of ARTs has efficient and effective operations; safeguard its reserve of assets; produce reliable information and comply with applicable laws and regulations.

**12.2 ICT risk management**

95. Issuers of ARTs should establish an ICT risk management framework in line with the requirements defined under Regulation (EU) 2022/2554. In this regard, issuers of ARTs should have in place an internal governance and control framework that ensures an effective and prudent management of ICT risks in order to achieve a high level of digital operational resilience. 18

**12.3 Arrangements with third-party entities for operating the reserve of assets, for the investment of the reserve assets, the custody of the reserve assets, or the distribution of the asset-referenced tokens to the public**

96. The management body of an issuer of ARTs that has arrangements in place with third-party entities for operating the reserve of assets, for the investment of the reserve assets, the custody of the reserve assets, or, where applicable, for the distribution of the asset-referenced tokens to the public or plans on entering into such arrangements should approve, regularly review and update a policy on the requirements for operational reliance of these third-party entities and ensure their implementation at an individual and, as applicable, group wide basis.
97. This policy should include the main phases of the life cycle of these third-party arrangements and define the principles, responsibilities and processes in relation to the use of third-party. In particular, the policy should cover at least:
    1. the responsibilities of the management body including its involvement, as appropriate, in the decision-making;
    2. the involvement of business lines, internal control functions and other individuals in respect of those arrangements;
    3. the planning and structuring of third-party arrangements, including the definition of business requirements regarding the use of third-parties;
    4. risk identification, assessment and management in accordance with Section 11;
    5. due diligence checks on prospective third-parties;
    6. policies and procedures to identify, prevent, manage and disclose conflicts of interest, in line with [Article 32](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-32.md) of Regulation (EU) 2023/1114;
    7. business continuity planning and exit strategies to ensure the issuer of ARTs' operational resilience in the event of a failure or disruption at a third-party entity impacting the provision of critical operations. The issuer of ARTs' business continuity and exit plans should assess the substitutability of the third-party entity that it uses for critical operations, and other viable alternatives that may facilitate operational resilience in the event of an outage at a third-party entity such as bringing the activity back in-house;
    8. the approval process of new arrangements;
    9. the implementation, monitoring and management of those arrangements, including the ongoing assessment of the third-party entities' performance to ensure that the relationship remains within the issuer of ARTs' risk appetite and tolerance for disruption of critical operations and core business lines;
    10. the procedures for being notified and responding to changes to an arrangement by third-party entities;
    11. the independent review and audit of compliance with legal and regulatory requirements and policies;
    12. the renewal processes for arrangements with third-party entities;
    13. the documentation and record-keeping; and
    14. the exit strategies and termination processes, including a requirement for a documented exit plan for each arrangement with a third-party entity, where such an exit is considered possible, taking into account possible service interruptions or the unexpected termination of an agreement.

18 Please refer to Regulation (EU) 2022/2554, OJ L 333, 27.12.2022, p. 1-79

98. Issuers of ARTs should assess the potential impact of arrangements with third-party entities on their operational risk and operational resilience, in accordance with section 12, and should take into account the assessment results when deciding if a function should be performed by a third-party entity and should take appropriate steps to avoid undue additional operational risks before entering into these arrangements.
99. Within the risk assessment, issuers of ARTs should also take into account the expected benefits and costs of the proposed arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed arrangement, taking into account at least the measures implemented by the issuer of ARTs and by the service provider to manage and mitigate those risks.
100. When carrying out the risk assessment prior to the reliance on a third-party entity and during ongoing monitoring of the third-party entity's performance, issuers of ARTs should, at least:
     1. identify and classify the relevant functions and related data and systems as regards their sensitivity and criticality and required security measures;
     2. conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for the arrangement and address the potential risks, in particular the operational risks, including subcontracting, legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the services are or may be provided;
     3. consider the geographic dependencies and management of related risks. These risks may relate to the economic, financial, political, legal and regulatory environment in the jurisdiction(s) where the relevant service will be.
101. Before entering into an arrangement with a third-party and considering the risks, including operational risks and counterparty risk, issuers of ARTs should ensure in their selection and assessment process that the third-party entity is suitable.
102. Issuers of ARTs should ensure that the third-party entity has an adequate business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the function in a reliable and professional manner to meet its obligations over the duration of the draft contract.
103. Additional factors to be considered when conducting due diligence on a potential third-party entity include, but are not limited to:
     1. its business model, nature, scale, complexity, financial situation, ownership and group structure;
     2. the long-term relationships with the third-party entity that have already been assessed and perform services for the issuer of ARTs;
     3. the level of substitutability of the service and service provider including the ability to exit the third-party arrangement and either transition to another service provider or bring the critical service back in-house or the potential impact of such substitution on the issuer of ARTs' critical operations;
     4. whether or not the third-party entity is supervised by competent authorities.
104. Issuers of ARTs should take appropriate steps to ensure that the third party acts in a manner consistent with their values and code of conduct.
105. Issuers of ARTs should ensure at all times that the third party they use to distribute ARTs to the public complies with the procedures ensuring the compliance with the obligations in relation to the prevention of money laundering and [terrorist financing](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/tofr/terrorist-financing.md) under Directive (EU) 2015/849 and, where applicable, Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets. The third-party entity should in its internal control systems ensure a continuous compliance with the obligations in relation to the prevention of money laundering and terrorist financing under Directive (EU) 2015/849 and, where applicable, Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets.

**13. Internal control functions**

106. The internal control functions should include an effective and permanent internal compliance function, and where appropriate and proportionate, taking into account the criteria listed in Title I, a risk management function and an internal audit function. Where issuers of ARTs do not establish and maintain a risk management function and an internal audit function, they should be able to demonstrate upon request that the policies and procedures adopted and implemented for an internal control framework effectively achieve the same outcome as the guidelines provided in this Title V.
107. Issuers of significant ARTs are encouraged to establish internal risk management and internal audit functions. Where the issuer of ARTs does not establish an internal risk management function (RMF) or internal audit function (IAF), the responsibilities of these functions as set out in these guidelines are with the management body, who may delegate the operational tasks internally or externally to a third-party provider, e.g. in the form of an outsourcing arrangement[^19].

**13.1 Heads of the internal control functions**

108. Heads of internal control functions should be established at an adequate hierarchical level that provides the head of the control function with the appropriate authority and stature needed to fulfil his or her responsibilities. The head of compliance and, where established, the heads of the risk management and internal audit functions should report and be directly accountable to the management body, and their performance should be reviewed by the management body.
109. Where necessary, the heads of internal control functions should be able to have access and report directly to the management body in its supervisory function to raise concerns and warn the supervisory function, where appropriate, when specific developments affect or may affect the issuer of ARTs. This should not prevent the heads of internal control functions from reporting within the regular reporting lines as well.
110. Issuers of ARTs should have documented processes in place to assign the position of the head of an internal control function and for withdrawing his or her responsibilities. In any case, the heads of internal control functions should not be removed without the prior approval of the management body in its supervisory function where it is established.

**13.2 Independence of internal control functions**

[^19]: The outsourcing of operational tasks of compliance may still be possible.

111. In order for the internal control functions to be regarded as operating independently, the following conditions should be met:
     1. their staff do not perform any operational tasks that fall within the scope of the activities the internal control functions are intended to monitor and control unless it is demonstrated that, in view of the criteria listed in Title I for the application of the proportionality principle, the internal control functions continue to be effective. In that case, issuers of ARTs should assess whether the effectiveness of their internal control functions is compromised;
     2. where appropriate, they are organisationally separate from the activities they are assigned to monitor and control;
     3. the remuneration of the internal control functions staff should not be linked to the performance of the activities the internal control function monitors and controls and should not otherwise be likely to compromise the staff members' objectivity[^10].

**13.3 Resources of internal control functions**

112. Internal control functions should have sufficient resources. Taking into account the application of the proportionality principle as set out in Title I, they should have an adequate number of qualified staff with adequate skills, knowledge and experience. Staff should remain qualified on an ongoing basis and should receive training as necessary.
113. Internal control functions should have appropriate ICT systems and support at their disposal, with access to the internal and external information necessary to meet their responsibilities. They should have access to all necessary information regarding all business lines and relevant risk-bearing subsidiaries, in particular those that can potentially generate material risks for the issuer of ARTs.

**14. Risk management function**

114. Where established, the risk management function (RMF) should cover the whole issuer of ARTs. The RMF should have sufficient authority, stature and resources, taking into account the proportionality criteria listed in Title I, to implement risk policies and the risk management framework as set out in Section 11.
115. The RMF should have, where necessary, direct access to the management body in its supervisory function, where established.
116. The RMF should have access to all business lines and other internal units that have the potential to generate risk.
117. Staff within the RMF should possess sufficient knowledge, skills and experience in relation to risk management techniques and procedures, and markets and products, and should have access to regular training.
118. Where established, the RMF should be a central organisational feature of the issuer of ARTs, structured so that it can implement risk policies and control the risk management framework. The RMF should play a key role in ensuring that the issuer of ARTs has effective risk management processes in place. The RMF should be actively involved in all material risk management decisions. Where applicable, in a group, the RMF in the Union parent undertaking should be able to deliver a group-wide holistic view on all risks and to ensure that the risk strategy is complied with.
119. The RMF should provide relevant independent information, analyses and expert judgement on risk exposures, and advice on proposals and risk decisions made by business lines or internal units, and should inform the management body as to whether such information and advice is consistent with the issuer of ARTs' risk profile. The RMF may recommend improvements to the risk management framework and corrective measures to remedy breaches of risk policies, procedures and limits.

**14.1 RMF's role in risk strategy and decisions**

120. The RMF's involvement in decision-making processes should ensure that risk considerations are taken into account appropriately. However, accountability for the decisions taken should remain with the business and internal units, and ultimately the management body.

**14.2 RMF's role in material changes**

121. Before decisions on material changes to products, processes or systems or on exceptional transactions are taken, the RMF should be involved in the evaluation of the impact of such changes on the issuer of ARTs and should report its findings directly to the management body before a decision is taken.
122. The RMF should evaluate how the risks identified could affect the issuer of ARTs' ability to manage its risk profile and the risks linked to the reserve of assets.

**14.3 RMF's role in identifying, measuring, assessing, managing, mitigating, monitoring and reporting on risks**

123. The RMF should ensure an appropriate implementation of the risk management framework and that all risks are identified, assessed, measured, monitored, managed and properly reported on by the relevant units of the issuer of ARTs.
124. The RMF should ensure that identification and assessment are not based only on quantitative information or model outputs, but also take into account qualitative approaches. The RMF should keep the management body informed of the assumptions used in, and the potential shortcomings of, the risk quantification tools and methods, including models and analysis.
125. The RMF should ensure that transactions with related parties are reviewed and that the risks they pose for the issuer of ARTs are identified and adequately assessed.
126. The RMF should ensure that all identified risks are effectively monitored by the business or internal units.
127. The RMF should regularly monitor the actual risk profile of the issuer of ARTs and scrutinise it against the strategic goals and risk appetite and report the results to enable decision-making by the management body in its management function and challenges by the management body in its supervisory function.
128. The RMF should analyse trends and recognise new or emerging risks and increases in risk arising from changing circumstances and conditions. It should also regularly review actual risk outcomes against previous estimates (i.e. back testing) to assess and improve the accuracy and effectiveness of the risk assessment methods and risk management process.
129. The RMF should evaluate possible ways to mitigate identified risks. Risk reporting to the management body should include proposals for appropriate risk-mitigating actions.

**14.4 RMF's role in risk appetite and limits**

130. The RMF should independently assess breaches of risk appetite or limits. The RMF should inform the business or internal units concerned and the management body and recommend possible remedies. The RMF should report directly to the management body in its supervisory function when the breach is material, without prejudice for the RMF to report to other internal functions.
131. The RMF should play a key role in ensuring that a decision on its recommendation is made at the relevant level, complied with by the relevant business units and appropriately reported to the management body and, where established, the risk committee.

**14.5 Head of the risk management function**

132. Where established, the head of the RMF should be responsible for providing comprehensive and understandable information on risks and advising the management body, enabling this body to understand the issuer of ARTs' overall risk profile. Where no independent function has been established, the responsibilities of the head of the risk management function lie with the staff to whom the risk management procedures are entrusted or the members of the management body directly.
133. The head of the RMF should have sufficient expertise, independence and seniority to challenge decisions that affect an issuer of ARTs' exposure to risks. Where the head of the RMF is not a member of the management body, taking into account the principle of proportionality as set out in Title I, issuers of ARTs should appoint an independent head of the RMF who has no responsibilities for other functions and reports directly to the management body. Where it is not proportionate to appoint a person who is dedicated only to the role of head of the RMF, taking into account the principle of proportionality as set out in Title I, this function can be combined with the head of the compliance function or can be performed by another senior person, provided there is no conflict of interest between the tasks performed. In any case, this person should have sufficient authority, stature and independence (e.g. head of legal).
134. The head of the RMF should be able to challenge decisions taken by the issuer's management and its management body, and the grounds for objections should be formally documented. If an issuer of ARTs wishes to grant the head of the RMF the right to veto decisions (e.g., a credit or investment decision or the setting of a limit) made at levels below the management body, it should specify the scope of such a veto right, the escalation or appeal procedures, and how the management body will be involved.
135. Issuers of ARTs should establish strengthened processes for the approval of decisions on which the head of the RMF has expressed a negative view. In its supervisory function, the management body should be able to communicate directly with the head of the RMF on key risk issues, including developments that may be inconsistent with the issuer of ARTs' risk strategy and risk appetite and the head of the RMF should be able to directly report material concerns to the management body in its management function.

**15. Compliance function**

136. Issuers of ARTs should establish a permanent and effective compliance function to manage compliance risk and should appoint a person to be responsible for this function across all the activities of the entity (the compliance officer).
137. The role of compliance officer, taking into account the principle of proportionality as set out in Title I, can be combined with the head of the RMF or, where it is not proportionate to appoint a person who is dedicated only to this function, can be performed by another senior person (e.g. head of legal), provided there is no conflict of interest between the tasks performed.

138. Staff within the compliance function should possess sufficient knowledge, skills and experience in relation to compliance and relevant procedures and should have access to regular training.
139. The management body in its supervisory function should oversee the implementation of a well-documented compliance policy, which should be communicated to all staff. Issuers of ARTs should set up a process to regularly assess changes in the law and regulations applicable to its activities.
140. The compliance function should advise the management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards, and should assess the possible impact of any changes in the legal or regulatory environment on the issuer of ARTs' activities and compliance framework.
141. The compliance function should ensure that compliance monitoring is carried out through a structured and well-defined compliance monitoring programme and that the compliance policy is observed. The compliance function should report to the management body and communicate as appropriate with the RMF on the issuer of ARTs' compliance risk and its management. The compliance function and the RMF should cooperate and exchange information as appropriate to perform their respective tasks. The findings of the compliance function should be taken into account by the management body and the RMF in decision-making processes.
142. Issuers of ARTs should take appropriate action against internal or external behaviour that could facilitate or enable fraud or financial crime and breaches of discipline (e.g. breaches of internal procedures or breaches of limits).

**16. Internal audit function**

143. Where established, the internal audit function (IAF) should be independent and have sufficient authority, stature and resources. In particular, issuers of ARTs should ensure that the qualification of the IAF's staff members and the IAF's resources, in particular its auditing tools and risk analysis methods, are adequate for the issuer of ARTs' size and locations, and the nature, scale and complexity of the risks associated with the issuer of ARTs' business model, activities, risk culture and risk appetite.
144. The IAF should be independent of the audited activities. Therefore, the IAF should not be combined with other functions.
145. The IAF should, following a risk-based approach, independently review and provide objective assurance of the compliance of all activities and units of an issuer of ARTs, including the use of third-party entities, with the issuer of ARTs' policies and procedures and with external regulatory requirements.

146. The IAF should not be involved in designing, selecting, establishing or implementing specific internal control policies, mechanisms, procedures or risk limits. However, this should not prevent the management body in its management function from requesting input from internal audit on matters relating to risk, internal controls and compliance with applicable rules.
147. The IAF should assess whether the issuer of ARTs' internal control framework as set out in Title V is both effective and efficient. In particular, the IAF should assess:
     1. the appropriateness of the issuer of ARTs' governance framework;
     2. whether existing policies and procedures remain adequate and comply with legal and regulatory requirements and with the risk strategy and risk appetite of the issuer of ARTs;
     3. the compliance of the procedures with the applicable laws and regulations and with decisions of the management body;
     4. whether the procedures are correctly and effectively implemented (e.g. compliance of transactions, the level of risk effectively incurred, etc.); and
     5. the adequacy, quality and effectiveness of the controls carried out and the reporting conducted by the business units (first line of defence) and the risk management and compliance functions.
148. The IAF should verify, in particular, the integrity of the processes ensuring the reliability of the issuer of ARTs' methods and techniques for risk quantification, including models. It should also evaluate the quality and use of qualitative risk identification and assessment tools and the risk mitigation measures taken.
149. The IAF should review the adequateness of the processes for the development of white papers, their approval and the processes how ARTs are offered to the public.
150. The IAF should have unfettered issuer-wide access to all the records, documents, information and buildings of the issuer of ARTs. This should include access to management information systems and minutes of all committees and decision-making bodies.
151. The IAF should adhere to national and international professional standards. An example of the professional standards referred to here is the standards established by the Institute of Internal Auditors.
152. Internal audit work should be performed regularly in accordance with an audit plan and a detailed audit programme following a risk-based approach.
153. An internal audit plan should be drawn up at least once a year on the basis of the annual internal audit control objectives. The internal audit plan should be approved by the management body.
154. All audit recommendations should be subject to a formal follow-up procedure by the appropriate levels of management, communicated to the management body of the issuer of ARTs and made available to the competent authority to ensure and report on their effective and timely resolution.

#### Title VI - Business continuity management

155. Without prejudice to the applicable requirements under DORA, issuers of ARTs should establish, as part of the implementation of their business continuity policy and plans established in accordance with [Article 34(9)](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-34.md) of Regulation (EU) 2023/1114, a sound business continuity management and response and recovery plans to ensure their ability to operate on an ongoing basis, to manage incidents that could disrupt the delivery of critical operations in line with the issuer of ARTs' risk appetite and tolerance for disruption, and to limit losses and disruption to service provision in the event of severe business disruption. Issuers of ARTs may establish a specific independent business continuity function taking into account the proportionality criteria listed in Title I.
156. An issuer of ARTs relies on several critical resources (e.g. IT systems, including cloud services, communication systems, core staff and buildings). The purpose of business continuity management is to reduce the operational, financial, legal, reputational and other material consequences arising from a disaster or extended interruption to these resources and consequent disruption to the issuer of ARTs' ordinary business procedures. Other risk management measures might be intended to reduce the probability of such incidents or to transfer their financial impact to third-parties (e.g. through insurance).
157. In order to establish a sound business continuity management plan, an issuer of ARTs should carefully analyse risk factors for, and its exposure to, severe business disruptions and assess (quantitatively and qualitatively) their potential impact, using internal and/or external data and scenario analysis. This analysis should test the issuer of ARTs' ability to deliver critical operations through disruption and should cover all business lines and internal units, including the RMF or risk management procedures, and should take into account their interdependency. The results of the analysis should contribute to defining the issuer of ARTs' recovery priorities and objectives.
158. On the basis of the abovementioned analysis, an issuer of ARTs should put in place:
     1. contingency and business continuity plans to ensure that the issuer of ARTs reacts appropriately to emergencies and is able to deliver critical operations and maintain essential data if there is disruption to its ordinary business procedures;
     2. recovery plans for critical resources and critical or important functions to recover from disruption and enable the issuer of ARTs to return to ordinary business procedures in an appropriate timeframe. Any residual risk from potential business disruptions should be consistent with the issuer of ARTs' risk appetite;
     3. for other activities, or where the continuity of critical essential functions is impossible to ensure, issuers of ARTs should have in place procedures for the timely recovery of data and functions and the timely resumption of their activities.
159. Contingency, business continuity and recovery plans should be documented and carefully implemented. The documentation should be available within the business lines, internal units and RMF for staff in charge of risk management procedures and should be stored on systems that are physically separated and readily accessible in case of contingency. Appropriate training should be provided. Plans should be regularly tested and updated. Any challenges or failures occurring in the tests should be documented and analysed, with the plans reviewed accordingly.

#### Title VII - Transparency

160. Strategies, policies and procedures should be communicated to all relevant staff throughout the issuer of ARTs. Staff should understand and adhere to policies and procedures pertaining to their duties and responsibilities.
161. Accordingly, the management body should inform and update the relevant staff about the issuer of ARTs' strategies and policies in a clear and consistent way, at least to the level needed to carry out their particular duties. This may be done through written guidelines, manuals or other means.

### Related

* [digital operational resilience](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/dora/digital-operational-resilience.md) — defined term used on this page
* [asset-referenced token](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/asset-referenced-token.md) — defined term used on this page
* [competent authority](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/competent-authority.md) — defined term used on this page
* [consensus mechanism](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/mica/consensus-mechanism.md) — defined term used on this page
* [terrorist financing](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/tofr/terrorist-financing.md) — defined term used on this page
* [credit institution](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/crr/credit-institution.md) — defined term used on this page
* [credit institution](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/dora/credit-institution.md) — defined term used on this page
* [parent undertaking](https://github.com/jakesenfti/micawtf/blob/main/spaces/definitions/dora/parent-undertaking.md) — defined term used on this page

[^1]: Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, (OJ L 331, 15.12.2010, p.12).

[^2]: Any reference to risks in these guidelines should include all risks to which issuers of ARTs are or may be exposed, including money laundering and terrorist financing risks.

[^3]: This section should be read in conjunction with Section 12.3 of these guidelines where applicable. Issuers of ARTs should refer, to the extent applicable, to the EBA guidelines on outsourcing, taking into account the application of the principle of proportionality.

[^4]: Guidelines on internal governance under Directive 2013/36/EU

[^5]: Directive 2013/34/EU on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings

[^6]: See the RTS on the minimum content of the governance arrangements on the remuneration policy for issuers of significant ARTs in accordance with [Article 45(7)](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-5/article-45.md)(a) of Regulation (EU) 2023/1114.

[^7]: See the RTS on conflict of interests under [Article 32(5)](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-2/article-32.md) of Regulation (EU) 2023/1114.

[^8]: See the RTS on the minimum content of the governance arrangements on the remuneration policy for issuers of significant ARTs in accordance with [Article 45(7)](/mica/title-iii-asset-referenced-tokens-art.-16-47/chapter-5/article-45.md)(a) of Regulation (EU) 2023/1114;

[^9]: BCBS Principles for Operational Resilience, March 2021, [https://www.bis.org/bcbs/publ/d516.pdf](https://www.bis.org/bcbs/publ/d516.pdf)

[^10]: See also the EBA guidelines on sound remuneration policies, available at [https://www.eba.europa.eu/regulation-andpolicy/remuneration/guidelines-on-sound-remuneration-policies](https://www.eba.europa.eu/regulation-andpolicy/remuneration/guidelines-on-sound-remuneration-policies).

