Bulgaria -- Custody Regulations Regulatory Overview

Bulgaria, as a member state of the European Union, currently regulates digital asset service providers primarily through its Anti-Money Laundering (AML) framework. However, the regulatory landscape is set for a significant transformation with the impending full application of the EU's Markets in Crypto-Assets (MiCA) Regulation.

Here's a breakdown of the current and future custody regulations in Bulgaria:

Current Framework (Pre-MiCA - AML-focused)

Prior to the full application of MiCA, the primary regulatory instrument governing entities providing custody services for digital assets in Bulgaria is the Anti-Money Laundering Act (Закон за мерките срещу изпирането на пари - ЗМИП).

1. Custodial License Requirements (AML Registration):

   • Under the AML Act, entities that provide services of safekeeping and administration of crypto-assets on behalf of clients (i.e., "custodian wallet providers") are classified as Virtual Asset Service Providers (VASPs).

   • These VASPs are required to register with the National Revenue Agency (Национална агенция за приходите - НАП). This is not a "custodial license" in the traditional financial sense, but rather a mandatory registration for AML/CFT purposes.

   • Requirements for Registration: Primarily focused on anti-money laundering and counter-terrorist financing measures, including:

     • Implementing customer due diligence (CDD) procedures (KYC).
     • Monitoring transactions for suspicious activities.
     • Reporting suspicious transactions and activities to the State Agency for National Security (DANS).
     • Appointing an AML officer.
     • Developing and implementing internal AML/CFT policies and procedures.

   • Regulatory Reference:

     • Закон за мерките срещу изпирането на пари (Anti-Money Laundering Act):
       • Published in the State Gazette (Държавен вестник), e.g., Issue 27 of 2018, with numerous subsequent amendments.
       • An unofficial consolidated version can often be found on legal information portals, but for the most official Bulgarian text, refer to the State Gazette archives or major legal databases in Bulgaria.
       • Direct official URL for the consolidated text is challenging due to frequent amendments; usually found in legal databases like Lex.bg or Apis.bg.
       • National Revenue Agency (NRA) Website:
         • Information regarding VASP registration is usually available on the NRA's official website.
         • URL: https://nra.bg/ (Navigate to "Услуги" or "Виртуални активи")

2. Segregation of Client Assets Rules:

   • The current AML framework in Bulgaria does not explicitly mandate specific operational rules for the segregation of client assets from the VASP's own assets or from other clients' assets. The focus is purely on AML/CFT compliance.

3. Insurance/Bonding Requirements:

   • There are no specific insurance or bonding requirements for VASP registration under the current AML Act in Bulgaria.

4. Cold Storage Mandates:

   • The current AML framework does not mandate cold storage or any specific technological storage methods for crypto-assets.

5. Qualified Custodian Definitions:

   • The term "qualified custodian" as understood in other jurisdictions (e.g., SEC rules in the US) does not exist in the current Bulgarian AML framework. Any VASP registered to provide custody services is deemed compliant for AML purposes, but without specific operational standards for custody.

6. Pending Custody Legislation:

   • The most significant pending legislation is the transposition and full application of the EU's MiCA Regulation.

Future Framework (Post-MiCA - Comprehensive Regulation)

The EU's Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA) will fundamentally change the regulatory landscape for crypto-asset custody in Bulgaria. MiCA is directly applicable in all EU member states, including Bulgaria, though national competent authorities will need to be designated and national procedures established for its implementation.

MiCA will apply in two phases:

• From 30 June 2024: Titles III (asset-referenced tokens) and IV (e-money tokens) apply.
• From 30 December 2024: The remaining provisions, including those for crypto-asset service providers (CASPs) offering custody services, apply.

1. Custodial License Requirements:

   • Under MiCA, entities providing "custody and administration of crypto-assets on behalf of clients" will be categorized as Crypto-Asset Service Providers (CASPs).
   • These CASPs will require authorization from a national competent authority. In Bulgaria, it is highly anticipated that the Financial Supervision Commission (Комисия за финансов надзор - КФН) will be designated as the competent authority for MiCA.
   • Requirements for Authorization (Article 59 of MiCA):
     • Legal entity with a registered office in an EU member state.
     • Minimum initial capital requirements (e.g., for custody services, €125,000 or a quarter of fixed overheads from the previous year, whichever is higher, potentially covered by professional indemnity insurance).
     • Robust governance arrangements, including clear organizational structure, internal control mechanisms, risk management procedures.
     • Effective arrangements to prevent conflicts of interest.
     • Sound administrative and accounting procedures.
     • Adequate IT systems, resources, and security access protocols (e.g., for private keys).
     • Suitability of management and shareholders (fit and proper tests).
     • Business plan, internal policies, and procedures for all MiCA requirements.

2. Segregation of Client Assets Rules (Article 69 of MiCA):

   • MiCA explicitly mandates stringent segregation rules for CASPs providing custody services. They must:
     • Segregate clients' crypto-assets from their own assets and from the assets of other clients.
     • Maintain records and accounts that allow for the immediate segregation of clients' crypto-assets.
     • Ensure that crypto-assets held on behalf of clients are not used without the explicit prior consent of the client.
     • Return clients' crypto-assets or their equivalent value promptly.
     • Be able to return any crypto-assets belonging to clients to them without delay in the event of their insolvency.

3. Insurance/Bonding Requirements (Article 60 of MiCA):

   • MiCA sets prudential requirements for CASPs, including initial capital requirements.
   • Instead of holding the full amount of initial capital in own funds, CASPs may be able to cover a portion of these requirements with a professional indemnity insurance policy that covers the territories where the CASP offers services. The specific conditions for such insurance are detailed in MiCA.

4. Cold Storage Mandates:

   • MiCA does not explicitly mandate "cold storage" as a specific technology. However, it requires CASPs to:
     • Implement the highest standards of operational reliability, security, and integrity in managing private keys and access credentials to crypto-assets.
     • Have robust security policies and procedures in place.
     • Ensure operational resilience and provide for rapid recovery of crypto-assets and clients' information in case of a system failure.
   • While not explicitly named, the requirement for robust security and management of private keys often implies the use of offline (cold storage) and multi-signature solutions as best practices.

5. Qualified Custodian Definitions:

   • MiCA essentially defines a "qualified custodian" by setting the rigorous authorization and operational requirements for CASPs providing custody and administration services. Any entity authorized under MiCA to perform these services and adhering to all MiCA's requirements would de facto be a "qualified custodian" within the EU framework.

6. Pending Custody Legislation (Bulgaria's Role):

   • Bulgaria will need to adopt national legislation to complement MiCA. This will involve:

     • Designating the competent authority: As mentioned, the FSC is the most likely candidate.
     • Establishing procedures for the authorization, supervision, and enforcement of MiCA rules for CASPs in Bulgaria.
     • Amending existing laws (e.g., the FSC Act, possibly parts of the AML Act) to align with MiCA and grant the designated authority the necessary powers.

   • This legislative work is expected to be finalized before MiCA's full application date of December 30, 2024.

   • Regulatory Reference for MiCA:

     • Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (Text with EEA relevance).
     • URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114
     • Financial Supervision Commission (FSC) Website (Expected Competent Authority):
       • URL: https://www.fsc.bg/

Conclusion:

Currently, crypto custody in Bulgaria is only subject to AML registration and compliance. However, with MiCA's full application by the end of 2024, Bulgaria will implement a comprehensive and robust regulatory framework for crypto-asset custodians, introducing specific licensing, capital, operational, security, and client asset segregation requirements in line with EU-wide standards. Companies operating or planning to operate crypto custody services in Bulgaria should prepare for these significant changes and monitor the Bulgarian government's designation of the competent authority and its specific national implementing legislation.

Disclaimer: This information is for general informational purposes only and does not constitute legal or professional advice. It is essential to consult with legal professionals specializing in Bulgarian and EU financial and crypto regulations for specific guidance.