Slovenia -- Custody Regulations Regulatory Overview

Slovenia, as a member state of the European Union, primarily regulates digital asset custody through its Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) framework, which implements EU directives. The regulatory landscape is currently undergoing a significant shift with the upcoming full implementation of the EU's Markets in Crypto-Assets (MiCA) Regulation.

Here's a breakdown of the current and future custody regulations in Slovenia:

Current Custody Regulations (Pre-MiCA - primarily AML-focused)

Slovenia's current framework for virtual asset service providers (VASPs), which includes custodial wallet providers, is primarily governed by the Zakon o preprečevanju pranja denarja in financiranja terorizma (ZPPDFT-2) – the Anti-Money Laundering and Terrorist Financing Act. This act transposed the EU's 5th and 6th Anti-Money Laundering Directives (AMLD5, AMLD6).

Regulatory Body: The primary authority for VASP registration and AML/CFT oversight is the Office for Money Laundering Prevention (Urad Republike Slovenije za preprečevanje pranja denarja - UPPD). The Agency for Securities Market (Agencija za trg vrednostnih papirjev - ATVP) and the Bank of Slovenia (Banka Slovenije) also provide guidance and warnings, but UPPD handles VASP registrations.

1. Custodial License Requirements:

• VASP Registration: Entities providing services of safeguarding private cryptographic keys on behalf of clients, or holding, storing, and transferring virtual currencies, are classified as "virtual asset service providers" (VASPs) under ZPPDFT-2.

• Obligation to Register: VASPs must register with the Office for Money Laundering Prevention (UPPD). This is a registration requirement, not a full prudential licensing regime akin to banks or investment firms, but it entails strict AML/CFT compliance obligations.

• Requirements for Registration:

  • Implementation of robust internal AML/CFT policies, procedures, and controls.
  • Risk assessment frameworks (customer, product, geographical risks).
  • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) measures.
  • Record-keeping of transactions and customer data.
  • Reporting of suspicious transactions to UPPD.
  • Appointment of an AML officer.
  • Training for relevant employees.
  • Fit and proper assessment for management and beneficial owners (though not as extensive as for licensed financial institutions).

  Regulatory Reference:

  • Zakon o preprečevanju pranja denarja in financiranja terorizma (ZPPDFT-2) (Anti-Money Laundering and Terrorist Financing Act) - particularly Article 4 (definition of virtual assets and VASPs) and Articles 29-37 (obligations of obliged entities).
    • Available via the Official Gazette of the Republic of Slovenia: https://www.uradni-list.si/glasilo-uradni-list-rs/vsebina/2022-01-0171/zakon-o-preprecevanju-pranja-denarja-in-financiranja-terorizma-zppdft-2
  • UPPD Website: Provides guidance and lists of registered VASPs.
    • https://www.uppd.gov.si/en/

2. Segregation of Client Assets Rules:

• Currently (Pre-MiCA): ZPPDFT-2 primarily focuses on AML/CFT compliance, ensuring the identification of asset ownership and preventing illicit finance. It does not explicitly mandate insolvency-remote segregation of client crypto assets from the custodian's own assets in the same way traditional financial regulations (e.g., MiFID II for investment firms, CRD for banks) do.
• While best practice for reputable custodians often involves some form of segregation to manage risk, there isn't a specific statutory requirement for pure crypto custodians under current Slovenian AML law to ensure client assets are legally and operationally separate and protected in the event of custodian insolvency.

3. Insurance/Bonding Requirements:

• Currently (Pre-MiCA): There are no specific statutory requirements under ZPPDFT-2 for VASPs (including custodians) to hold professional indemnity insurance or maintain a minimum level of own funds for asset protection, unlike for traditional financial institutions.

4. Cold Storage Mandates:

• Currently (Pre-MiCA): Slovenian law does not explicitly mandate the use of cold storage for crypto assets. However, VASPs are expected to implement robust technical and organizational security measures to protect client assets from loss, theft, or unauthorized access. Good practice dictates that a significant portion of client assets should be held in cold storage. Regulators would assess the overall security framework rather than dictating specific technological solutions.

5. Qualified Custodian Definitions:

• Currently (Pre-MiCA): Slovenian law (ZPPDFT-2) defines the service of safeguarding private cryptographic keys and the provider as a VASP. There isn't a separate legal definition of a "qualified custodian" that implies a higher prudential standard beyond AML compliance for pure crypto firms. Any VASP registered with UPPD and adhering to AML/CFT rules is currently considered a legitimate provider.

Pending Custody Legislation (MiCA - Markets in Crypto-Assets Regulation)

The most significant upcoming change is the full implementation of the EU's Markets in Crypto-Assets (MiCA) Regulation (Regulation (EU) 2023/1114). MiCA entered into force on June 29, 2023. While rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) will apply from June 30, 2024, the remaining provisions, including those for crypto-asset services and their providers (CASPs), will apply from December 30, 2024.

MiCA will directly apply across all EU member states, including Slovenia, harmonizing the regulatory framework for crypto assets. Slovenia will need to designate competent national authorities (likely ATVP, possibly in conjunction with Bank of Slovenia and UPPD) to oversee MiCA compliance.

MiCA's Impact on Custody Regulations:

MiCA introduces a comprehensive licensing and prudential framework for "crypto-asset service providers" (CASPs) offering "custody and administration of crypto-assets on behalf of third parties" (MiCA Article 3(1)(10)). This will fundamentally redefine "qualified custodians" within the EU.

1. Custodial License Requirements (under MiCA):

• Authorization: CASPs offering custody services will require authorization from a national competent authority (e.g., ATVP in Slovenia). This is a much more stringent licensing process than the current AML registration.
• Key Requirements (MiCA Articles 59-64, and specific for custody Articles 65-68):
  • Legal form: CASPs must be legal persons established in the EU.
  • Governance: Robust governance arrangements, internal control mechanisms, risk management procedures.
  • Management body: Members must be of good repute and possess sufficient knowledge, skills, and experience.
  • Initial capital: Requirement for minimum initial capital or professional indemnity insurance (see below).
  • Operational reliability: Sound administrative and accounting procedures, adequate IT systems, security protocols, business continuity plans.
  • Conflict of interest: Measures to prevent and manage conflicts of interest.
  • Complaints handling: Effective and transparent procedures.
  • Prudential safeguards: Specific requirements related to safeguarding client assets.

2. Segregation of Client Assets Rules (under MiCA):

• Mandatory Segregation: MiCA explicitly mandates robust client asset segregation. CASPs providing custody services must:
  • Article 66(2): Make adequate arrangements to safeguard the ownership rights of clients over their crypto-assets and, where applicable, their rights over funds, especially in the event of the CASP's insolvency.
  • Article 66(3): Keep client crypto-assets separate from their own crypto-assets.
  • Article 66(4): Keep client funds separate from their own funds with credit institutions or central banks.
  • Article 66(5): Ensure client crypto-assets are held in separate addresses or accounts, clearly identifying the clients.

3. Insurance/Bonding Requirements (under MiCA):

• Professional Indemnity or Own Funds: MiCA Article 60(2) and Article 66(5) require CASPs providing custody services to maintain either:
  • Professional indemnity insurance covering specific risks (e.g., loss of client crypto-assets, operational errors, cyber risks).
  • Own funds equivalent to the professional indemnity insurance coverage.
  • The amount will be determined based on the nature, scale, and complexity of the services, and the types of crypto-assets involved.

4. Cold Storage Mandates (under MiCA):

• While MiCA does not explicitly mandate "cold storage," it requires CASPs to implement "adequate organisational arrangements to minimise the risk of loss or theft of crypto-assets" (Article 66(1)). This implicitly demands robust security measures, which for digital assets often includes the use of cold storage for a substantial portion of assets, multi-signature schemes, and strong cryptographic key management.

5. Qualified Custodian Definitions (under MiCA):

• Under MiCA, a "qualified custodian" will effectively be an authorised Crypto-Asset Service Provider (CASP) that has received a license to provide "custody and administration of crypto-assets on behalf of third parties" from a competent national authority in an EU Member State. Such a CASP will be subject to the full prudential, organizational, and conduct of business requirements of MiCA, elevating it far beyond a simple AML registration.

Regulatory Reference (MiCA):

• Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):
  • Full text available in the Official Journal of the European Union: https://eur-lex.europa.eu/eli/reg/2023/1114/oj
  • Relevant articles for custody: Article 3(1)(10) (definition), Articles 59-64 (authorization), Articles 65-68 (custody-specific requirements).

Summary and Conclusion

Currently, Slovenia regulates crypto custody through its AML/CFT Act (ZPPDFT-2), requiring VASPs to register with the UPPD and comply with anti-money laundering obligations. This framework is primarily concerned with preventing illicit financial activities rather than prudential supervision of asset protection.

From December 30, 2024, the EU's MiCA Regulation will directly apply, ushering in a comprehensive and harmonized licensing regime for crypto-asset service providers, including custodians. MiCA will introduce stringent requirements for authorization, governance, organizational arrangements, capital/insurance, and crucially, mandatory segregation of client assets and robust safeguarding obligations, effectively establishing a definition of "qualified custodian" within the EU. Slovenia's national regulators will be responsible for implementing and enforcing MiCA's provisions.