Norway -- Custody Regulations Regulatory Overview

Norway's regulatory framework for cryptocurrency and digital asset custody is currently primarily governed by Anti-Money Laundering (AML) legislation, with a significant future impact anticipated from the European Union's Markets in Crypto-Assets (MiCA) regulation, which Norway, as an EEA member, will incorporate.

Here's a breakdown of the current situation and pending legislation:

Current Regulatory Landscape in Norway

The primary regulatory body in Norway for financial services, including virtual asset service providers (VASPs), is the Finanstilsynet (Financial Supervisory Authority of Norway).

1. Custodial License Requirements (Current)

Under current Norwegian law, companies offering custody services for virtual assets are primarily regulated under the Money Laundering Act (Hvitvaskingsloven).

• VASP Registration: Companies that provide services for the exchange or custody of virtual assets are considered "virtual asset service providers" (VASPs) and must register with Finanstilsynet. This is an AML/CTF (Combatting the Financing of Terrorism) registration, not a full financial services license in the traditional sense, unless the specific virtual asset qualifies as a financial instrument under other legislation.
• Requirements for Registration: To register, companies must demonstrate compliance with the Money Laundering Act, which includes:
  • Establishing robust internal control systems for AML/CTF.
  • Performing customer due diligence (CDD) procedures.
  • Monitoring transactions for suspicious activity.
  • Reporting suspicious transactions to Økokrim (National Authority for Investigation and Prosecution of Economic and Environmental Crime).
  • Ensuring fit and proper management and ownership.
• If the Digital Asset is a Financial Instrument: If a digital asset is classified as a "financial instrument" (e.g., a security token) under the Securities Trading Act (Verdipapirhandelloven) or the Financial Institutions Act (finansforetaksloven), then offering custody services for such assets would fall under existing financial services licensing requirements, which are much more stringent than simple AML registration. Finanstilsynet conducts a case-by-case assessment.

Regulatory Reference:

• Finanstilsynet - Information about Virtual Assets: https://www.finanstilsynet.no/en/financial-supervision/digital-assets/
• Money Laundering Act (Hvitvaskingsloven): https://lovdata.no/dokument/NL/lov/2018-06-01-23 (Norwegian only, English translations are usually unofficial)

2. Segregation of Client Assets Rules (Current)

• No Explicit Crypto-Specific Rule: Currently, the Money Laundering Act primarily focuses on AML/CTF obligations and does not contain specific technical rules for the segregation of client virtual assets.
• General Financial Principles: However, for any entity providing custody of client assets, the general principles of sound financial management and consumer protection would implicitly require proper segregation to protect client interests in case of insolvency or operational failure. Reputable custodians already implement such segregation as a best practice.
• If classified as a Financial Instrument: If the virtual asset is deemed a financial instrument, then the rules under the Financial Institutions Act for safeguarding client funds/assets would apply, which mandates strict segregation from the firm's own assets.

3. Insurance/Bonding Requirements (Current)

• No Specific Mandate for VASPs: There are no specific legal mandates for insurance or bonding solely for virtual asset custodians under the current AML registration regime.
• General Business Insurance: Companies are expected to have general business insurance as part of their operational risk management, but this typically doesn't cover crypto-specific risks like private key loss or protocol hacks in the same way a specific custodian bond would.

4. Cold Storage Mandates (Current)

• No Explicit Legal Mandate: Norwegian law does not explicitly mandate the use of cold storage for virtual assets.
• Security Best Practice: However, Finanstilsynet expects companies providing virtual asset services to have robust security measures in place to protect client assets. Cold storage (offline storage of private keys) is widely recognized as a critical security best practice for managing the risks associated with holding cryptocurrencies and would be considered an essential component of a sound risk management framework by the regulator.

5. Qualified Custodian Definitions (Current)

• No Specific Definition: Norway does not currently have a specific legal definition of a "qualified custodian" exclusively for virtual assets, akin to definitions found in some other jurisdictions (e.g., the U.S.).
• Registered VASP: The closest concept is a VASP that is registered with Finanstilsynet to provide custody services and complies with the Money Laundering Act. If the asset is a financial instrument, then a licensed financial institution providing custody services would be the "qualified custodian" under existing financial laws.

Pending Custody Legislation (MiCA)

The most significant upcoming change to digital asset custody regulations in Norway will be the implementation of the European Union's Markets in Crypto-Assets (MiCA) Regulation.

• EEA Relevance: Norway is part of the European Economic Area (EEA), which means that EU legislation relevant to the internal market, like MiCA, typically gets incorporated into Norwegian law.

• MiCA's Scope: MiCA provides a comprehensive regulatory framework for crypto-asset markets and service providers (CASPs) not already covered by existing financial services legislation. It aims to harmonize rules across the EU/EEA, ensure consumer protection, market integrity, and financial stability.

• Impact on Custody: MiCA introduces specific and stringent requirements for "custody and administration of crypto-assets on behalf of clients" as a regulated crypto-asset service.

  • Authorization, Not Just Registration: Under MiCA, entities wishing to provide custody services for crypto-assets (that are not financial instruments) will need to obtain authorization from their national competent authority (Finanstilsynet in Norway) as a Crypto-Asset Service Provider (CASP). This is a much more demanding process than the current AML registration.
  • Organizational Requirements: CASPs providing custody will need to:
    • Implement robust governance arrangements.
    • Have sound internal control mechanisms.
    • Maintain operational continuity.
    • Have robust IT systems and security protocols (implicitly supporting best practices like cold storage).
    • Establish clear complaint-handling procedures.
  • Client Asset Segregation: MiCA explicitly mandates that CASPs must segregate client crypto-assets from their own assets and ensure that client assets are not used for their own account.
  • Prudential Safeguards/Capital Requirements: CASPs will need to hold a minimum amount of capital (own funds) to cover their operational risks.
  • Liability: MiCA places liability on CASPs for loss of client crypto-assets or loss of access to them as a result of an "actionable event" (e.g., cyber-attack, internal fraud, private key loss).
  • Information to Clients: CASPs must provide clear, fair, and not misleading information to clients, including details on the risks involved and the insolvency regime applicable.

• Timeline: MiCA entered into force in the EU in June 2023, with rules on stablecoins applying from June 2024 and all other provisions for crypto-asset service providers (CASPs) applying from December 30, 2024. Norway will follow with its transposition into national law, likely around this timeframe or shortly after.

Regulatory Reference:

• Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114
• Finanstilsynet - Information about MiCA (Norwegian, but confirms relevance): https://www.finanstilsynet.no/regelverk/eokonomi-i-eus-rettsakter/fora/fora-12-markeder-for-kryptoverdier-og-endring-av-forordning-eu-2019/1935/

In summary: While current Norwegian regulations for crypto custody are primarily centered around AML registration, the advent of MiCA will introduce a much more comprehensive and demanding licensing regime, with explicit rules on client asset segregation, capital requirements, security, and liability, bringing crypto-asset custody closer to traditional financial services custody standards.