Montenegro -- Custody Regulations Regulatory Overview

Montenegro has recently made significant strides in regulating the digital asset space. The primary legal framework governing cryptocurrency and digital asset custody is the Law on Blockchain, Digital Assets and Individual Digital Identifiers (Zakon o blokčejnu, digitalnoj imovini i individualnim digitalnim identitetima), adopted in July 2023 and effective from October 2023. This law aims to create a comprehensive regulatory environment for digital assets, including services related to their custody.

The key regulatory bodies overseeing these activities are the Capital Market Authority (KAP) for licensing and supervision of Virtual Asset Service Providers (VASPs), and the Central Bank of Montenegro (CBCG), primarily for AML/CFT oversight in cooperation with the Financial Intelligence Unit.

Here's a breakdown of the custody regulations based on the new law and related frameworks:

1. Custodial License Requirements

The Law on Blockchain, Digital Assets and Individual Digital Identifiers explicitly introduces a licensing regime for Virtual Asset Service Providers (VASPs). "Custody services" fall under the definition of VASP activities.

• Definition of VASP: Article 2(1)(7) defines a "virtual asset service provider" as a legal entity that, as its regular business activity, provides one or more of the virtual asset services specified in Article 18.
• Custody Service: Article 18(1)(2) specifies "custody of digital assets for third parties" as a regulated virtual asset service.
• Licensing Authority: The Capital Market Authority (KAP) is responsible for issuing, supervising, and revoking licenses for VASPs (Article 20).
• Licensing Conditions (Article 21): Applicants for a VASP license must meet several conditions, including:
  • Legal entity established in Montenegro.
  • Adequate organizational structure, internal control mechanisms, and risk management systems.
  • Suitable professional qualifications and reputation of management and key personnel.
  • Adequate technical and security measures for the safekeeping and protection of digital assets.
  • Minimum capital requirements and guarantees for covering potential liabilities.
  • Measures for the protection of client assets.
  • Compliance with AML/CFT regulations.
  • Possession of a cybersecurity certificate.

Regulatory Reference:

• Law on Blockchain, Digital Assets and Individual Digital Identifiers (Zakon o blokčejnu, digitalnoj imovini i individualnim digitalnim identitetima) - Official publication in the "Official Gazette of Montenegro," No. 80/23.
  • While an official English translation by the government may not be directly available online, legal firms often provide summaries. The Montenegrin text is the authoritative source.
  • You can usually find Montenegrin legislative acts on the Parliament's website or official gazette archives, e.g., via the Parliament's legislative database.
  • Capital Market Authority (KAP) website: https://www.kap.co.me/ (For official announcements and forms related to licensing)

2. Segregation of Client Assets Rules

The Montenegrin law places importance on the protection of client assets.

• Article 21(1)(9) of the Law on Blockchain, Digital Assets and Individual Digital Identifiers explicitly requires VASPs to implement "measures for the protection of client assets." This typically implies segregation, ensuring that client assets are identifiable and separate from the VASP's own assets, to prevent commingling and protect clients in case of VASP insolvency. While the law doesn't detail how assets must be segregated (e.g., separate wallets, omnibus accounts with clear ledgering), the requirement for "measures for the protection of client assets" is the legal basis.

Regulatory Reference:

• Law on Blockchain, Digital Assets and Individual Digital Identifiers (Article 21(1)(9))

3. Insurance/Bonding Requirements

The law includes provisions for financial safeguards, which can be covered by capital, guarantees, or insurance.

• Article 21(1)(7) of the Law on Blockchain, Digital Assets and Individual Digital Identifiers states that a VASP must meet "minimum capital requirements" and provide "guarantees for the coverage of potential liabilities arising from the provision of virtual asset services."
• These "guarantees" can take various forms, including professional indemnity insurance or other financial instruments designed to cover risks such as cyber-attacks, operational failures, or loss of client assets. The specific nature and amount of these guarantees are likely to be detailed in subordinate legislation or regulations issued by the Capital Market Authority.

Regulatory Reference:

• Law on Blockchain, Digital Assets and Individual Digital Identifiers (Article 21(1)(7))

4. Cold Storage Mandates

The Montenegrin law focuses on general security and protection without mandating specific technical storage solutions like cold storage.

• Article 21(1)(9) of the Law on Blockchain, Digital Assets and Individual Digital Identifiers requires VASPs to implement "organizational and technical measures for the safekeeping and protection of digital assets."
• While cold storage (offline storage) is widely recognized as a best practice for securing a significant portion of digital assets, especially those not actively used for trading, the law does not explicitly mandate it. The VASP is responsible for establishing a robust security framework that includes appropriate hot, warm, and cold storage solutions based on their risk assessment and operational needs. The regulator will assess the adequacy of these measures during the licensing process and ongoing supervision.

Regulatory Reference:

• Law on Blockchain, Digital Assets and Individual Digital Identifiers (Article 21(1)(9))

5. Qualified Custodian Definitions

The term "qualified custodian" as used in some jurisdictions (e.g., the US SEC's Advisers Act) refers to specific types of financial institutions (banks, broker-dealers, trust companies) that meet certain regulatory criteria.

• Montenegro's Law on Blockchain, Digital Assets and Individual Digital Identifiers defines and regulates Virtual Asset Service Providers (VASPs) that offer custody services. Any entity meeting the licensing requirements under this law, including capital, technical, organizational, and fit-and-proper criteria, would effectively be considered a "qualified" provider of digital asset custody services within Montenegro. The law does not differentiate between existing financial institutions and new crypto-native entities, as long as they meet the VASP licensing conditions.
• While the law doesn't use the exact term "qualified custodian," it establishes a framework where only licensed and compliant entities can provide custody services, thus ensuring a level of qualification.

Regulatory Reference:

• Law on Blockchain, Digital Assets and Individual Digital Identifiers (Articles 2, 18, 20, 21 pertaining to VASP definition and licensing)

6. Pending Custody Legislation

The Law on Blockchain, Digital Assets and Individual Digital Identifiers is a very recent and comprehensive piece of legislation, so major new custody-specific laws are not immediately "pending" in the sense of being drafted from scratch. However, several developments are likely:

• Subordinate Legislation and Guidance: The Capital Market Authority (KAP) and the Central Bank of Montenegro (CBCG) are expected to issue detailed bylaws, regulations, and guidance to clarify the implementation of the Blockchain Law, including specific requirements for capital, guarantees, risk management, and cybersecurity for VASPs providing custody services. These will provide the practical details for compliance.
• EU Alignment (MiCA): Montenegro is an EU candidate country. The European Union's comprehensive Markets in Crypto-Assets Regulation (MiCA) came into full effect in December 2024 for VASPs. While Montenegro has passed its own law, it will eventually need to harmonize its legislation with MiCA as part of its EU accession process. This could lead to amendments or further refinement of the Montenegrin framework to fully align with MiCA's robust requirements for crypto-asset service providers (CASPs), including those offering custody. MiCA sets very detailed requirements for operational resilience, governance, client asset segregation, and liability for custody providers.

Regulatory Reference:

• European Union's Markets in Crypto-Assets (MiCA) Regulation:
  • Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937.
  • Official EU Legal Text: https://eur-lex.europa.eu/eli/reg/2023/1114/oj
• Montenegro's EU Accession Process: General information can be found on the European Commission's website.

In summary, Montenegro has established a foundation for digital asset custody regulation through its new Blockchain Law, focusing on licensing, client asset protection, and financial safeguards. Future developments will likely involve detailed implementing regulations and alignment with the EU's MiCA framework.