Iceland -- Custody Regulations Regulatory Overview

Iceland, as a member of the European Economic Area (EEA), is significantly influenced by European Union (EU) legislation. While its current national regulatory framework for crypto custody is primarily focused on Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT), the upcoming EU Markets in Crypto-Assets (MiCA) Regulation will fundamentally reshape the landscape.

Here's a breakdown of the cryptocurrency/digital asset custody regulations in Iceland, distinguishing between the current state and the impending changes due to MiCA.

The primary regulatory body in Iceland overseeing financial services and AML/CFT compliance is the Central Bank of Iceland (Seðlabanki Íslands), which absorbed the Financial Supervisory Authority (FME) in 2020.

Current Custody Regulations (Pre-MiCA - until December 2024 for CASPs)

Currently, there is no specific licensing regime in Iceland solely for crypto-asset custody. The existing framework primarily addresses crypto-assets through the lens of AML/CFT, treating entities providing certain crypto services as Virtual Asset Service Providers (VASPs).

1. Custodial License Requirements:

• VASP Registration: Any entity providing services related to virtual assets, including the safekeeping and/or administration of virtual assets on behalf of customers (i.e., custody), is required to register as a Virtual Asset Service Provider (VASP) with the Central Bank of Iceland. This is not a "license" in the traditional sense of financial services but rather an AML/CFT registration that imposes significant obligations.
• The registration is mandated by the Act on measures to combat money laundering and terrorist financing No. 140/2018, which transposes EU AML Directives (AMLD5, soon AMLD6) into Icelandic law.
• Scope: This typically covers situations where the custodian holds private keys and has control over clients' virtual assets.

References:

• Act on measures to combat money laundering and terrorist financing No. 140/2018: https://www.althingi.is/lagas/nuna/2018140.html (Icelandic original)
• Central Bank of Iceland - AML/CFT: https://www.cb.is/financial-supervision/aml-cft/

2. Segregation of Client Assets Rules:

• While not explicitly detailed solely for crypto-asset custody in current Icelandic law, general principles of financial services and AML/CFT best practices would strongly suggest the need for segregation. VASPs are expected to maintain clear records of ownership and transactions, and commingling of funds/assets would violate these principles and increase AML/CFT risks.
• The AML Act requires VASPs to keep records of transactions and to identify beneficial owners, indirectly supporting the need for clear asset ownership distinctions.

3. Insurance/Bonding Requirements:

• There are no specific insurance or bonding requirements mandated for crypto custodians under the current AML-focused VASP registration framework. General business insurance would be expected, but no specific prudential safeguards for crypto custody are prescribed.

4. Cold Storage Mandates:

• There are no specific legal mandates for the use of cold storage for crypto assets under current Icelandic law. However, robust security measures are expected as part of general operational risk management and AML/CFT compliance (e.g., preventing theft that could facilitate money laundering). Industry best practices for secure custody overwhelmingly recommend cold storage for the majority of assets.

5. Qualified Custodian Definitions:

• The term "qualified custodian" is not formally defined in Icelandic law specifically for crypto assets. A VASP registered with the Central Bank of Iceland to provide virtual asset services, including custody, would be the closest equivalent under the current framework.

Pending Custody Legislation (Post-MiCA - from December 2024 for CASPs)

The Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114 is an EU regulation that will directly apply within the EEA, including Iceland. It represents a comprehensive regulatory framework for crypto-assets and their service providers. The rules for crypto-asset service providers (CASPs), including those providing custody, will apply from December 30, 2024.

1. Custodial License Requirements:

• MiCA Authorization: Under MiCA, "custody and administration of crypto-assets on behalf of clients" is explicitly defined as a crypto-asset service (Article 3, point 16). Providers of this service will be required to obtain authorization from their competent national authority (in Iceland, likely the Central Bank of Iceland) to operate as a Crypto-Asset Service Provider (CASP) (Article 59).
• This authorization is a full financial services license, distinct from the current AML registration.

References:

• Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114
• Relevant Articles: Chapter 2 (Authorization and operating conditions for CASPs), specifically Article 59, and Chapter 3 (Obligations of CASPs), specifically Section 6 for custody.

2. Segregation of Client Assets Rules:

• Mandatory Segregation: MiCA explicitly mandates strict segregation of client assets.
  • Article 67 (Obligations of crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients), point 1: "A crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients shall ensure that the crypto-assets of its clients are segregated from its own assets and from the assets of other clients."
  • It also requires making arrangements to ensure the timely return of clients' crypto-assets.

3. Insurance/Bonding Requirements:

• Prudential Safeguards: MiCA (Article 66, point 10 and Article 67, point 7) requires CASPs to have robust prudential safeguards. These safeguards can take the form of:
  • Own funds (capital requirements).
  • An insurance policy.
  • The amount of prudential safeguards depends on the services provided and the nature, scale, and complexity of operations, with specific thresholds set out in Annex IV.

4. Cold Storage Mandates:

• MiCA does not mandate cold storage specifically but requires CASPs to implement robust security measures for the safekeeping of crypto-assets.
  • Article 67, point 2: "A crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients shall establish, implement and maintain robust security policies and procedures regarding the access to, and the protection of, the crypto-assets, private cryptographic keys and, where applicable, the means of access to the crypto-assets of its clients."
• This implies that CASPs must adopt industry-leading security practices, which in most cases for the majority of assets, would involve cold storage or highly secure offline solutions.

5. Qualified Custodian Definitions:

• Under MiCA, an authorized Crypto-Asset Service Provider (CASP) that has obtained the specific authorization to provide "custody and administration of crypto-assets on behalf of clients" would essentially become the "qualified custodian." The authorization process ensures they meet the stringent capital, operational, security, governance, and organizational requirements laid out in MiCA.

Summary of Key Changes with MiCA for Iceland:

• Shift from AML Registration to Full License: A significant transition from merely registering as a VASP for AML purposes to obtaining a comprehensive financial services license as a CASP.
• Explicit Custody Rules: Introduction of specific, detailed rules for crypto-asset custody covering segregation, security, and prudential requirements.
• Increased Regulatory Scrutiny: CASPs will be subject to ongoing supervision by the Central Bank of Iceland to ensure compliance with MiCA's broad range of obligations.

Iceland will need to ensure its national laws and regulatory practices align with MiCA as it comes into full effect, adapting its supervisory framework accordingly. Businesses providing crypto custody in Iceland should prepare for these significant regulatory changes.