Fintech Insights #12 – MiCA & Prevention of Market Abuse

One of the aims of Regulation (EU) 2023/1114 (“MiCA”) is to bring stability to digital asset markets by ensuring that market abuse is prevented before it can even occur. In Malta, the MFSA enforces these standards through the powers given to it under Chapter 647 together with second-level measures, including European Commission Delegated Regulations and ESMA Regulatory Technical Standards. The rules on market abuse in MiCA closely correspond to those of the EU’s Market Abuse Regulation (“MAR”).

For crypto-asset service providers (“CASPs”) the task is clear: prevent abuse and protect market stability with firm governance, disciplined disclosure, and surveillance that reads on-chain signals as closely as order-book data. Enforcement of the market abuse regime is a further illustration explored in this FinTech Insights series which highlights the MFSA’s commitment to high supervisory standards whilst preserving its business-friendly approach in other areas.

Title VI MiCA captures actions and omissions concerning crypto-assets that are admitted to trading, or for which a request for admission has been made, on an EU trading platform for crypto-assets. Both regimes (MiCA and MAR) are behaviour-based and actor-neutral, capturing natural and legal persons alike, but MiCA makes explicit that prohibitions apply to orders, transactions and cancellations implemented through distributed-ledger technology.

The prohibitions and their crypto-specific contours

The prohibitions expressly capture the use of inside information to cancel or amend orders and submissions of bids, and extend to access obtained by virtue of a person’s role in distributed-ledger technology, including validators, developers and node operators. Articles 89 and 90 prohibit insider dealing and the unlawful disclosure of inside information. The “ought to know” standard for recommendations and inducements mirrors MAR. Article 89(4) preserves the familiar proviso where inside information is used in the discharge of an obligation that has become due, in good faith, and not for the purpose of circumventing the prohibition on insider dealing.

Article 91 reproduces the catalogue of manipulative behaviours found in Article 12 MAR, but adds a crypto-specific illustration that is particularly relevant for the social-media-driven dynamics of token markets. Using access to traditional or electronic media to express a view on a crypto-asset, after having taken a position in that asset, and then profiting from the resulting price movement without disclosing the conflict, is expressly identified as market manipulation. Consider an analyst who acquires a token, posts a bullish thread on a social platform, and offloads the position once the price moves. That sequence, absent disclosure of the position, is manipulation under Article 91. Compliance teams should train research and marketing staff to recognise pump-and-dump patterns and should ensure that conflicts-of-interest policies expressly address media and influencer engagement, including personal-account trading.

Article 87 of MiCA defines inside information for crypto-assets in terms that closely mirror Article 7 MAR. The information must be precise, non-public and likely to have a significant effect on price. Intermediate steps in a protracted process can themselves qualify. Where a token issuer is negotiating a significant protocol upgrade or a listing on a major venue, each material step in the negotiation may constitute inside information well before any final agreement is concluded. The alignment with MAR is deliberate, and existing case law on precision and the price-sensitivity test offers a useful interpretive guide.

Detection, reporting and surveillance

Article 92 of MiCA requires any person professionally arranging or executing transactions in crypto-assets to maintain effective arrangements to prevent and detect market abuse and to report suspicions without delay to the home competent authority, which for Malta-based CASPs is the MFSA. That duty covers orders, cancellations and submissions connected with distributed-ledger technology and extends to other aspects of how the network functions, including consensus events. Surveillance must therefore track protocol events and chain state, not only order-book prints. A compliance function monitoring a proof-of-stake network should monitor validator behaviour and block-proposal patterns, since irregular activity can indicate manipulation.

Under Commission Delegated Regulation (EU) 2025/885, firms must analyse each order and transaction, whether placed, modified, cancelled or rejected, and whether on or off a trading platform or the distributed ledger. Suspicious transaction and order reports (STOR) templates for crypto-assets now include the Digital Token Identifier and, where relevant, the transaction hash. ESMA’s technical standards under MiCA specify data fields, reporting channels and record-keeping. CASPs should adapt their MAR surveillance tools to ingest DLT data (including mempool and settlement data) and map outputs to the new STOR fields. Alert logic should cover spoofing and layering in thin order books, wash trading across linked venues, undisclosed conflicts of interest and suspiciously timed consensus events. Records, including model governance and alert logs, must be retained for five years as required by EU law and applicable Maltese requirements under Chapter 647.

Article 76 of MiCA requires platform operators to keep, for at least five years, the data relating to all orders advertised through their systems, or to give the competent authority access to the order book. In Malta, Cap. 647 mirrors the EU approach by designating the MFSA as the competent authority and by laying down rules on appeals, offences and confidentiality that support market stability.

Operating rules also prevent admission of crypto-assets with an inbuilt anonymisation function unless the operator can identify holders and trace transaction history. For CASPs, this means documented admission controls, clear criteria for traceability and a record of the analytics used for each listing. These records form the evidential spine for any future market abuse investigation.

Can market abuse be prevented in DeFi?

Title VI of MiCA attaches to assets admitted on an EU trading platform. Recital 22 confirms that crypto-asset services provided in a fully decentralised manner without any intermediary fall outside MiCA’s scope. This raises the question on how to prevent market abuse in decentralised finance (DeFi) However, Article 86 reaches conduct concerning in-scope assets wherever it occurs, meaning manipulation routed through a decentralised exchange remains caught where the asset is admitted on an EU venue. DeFi’s pseudonymous nature poses evidential challenges, but several tools assist enforcement. Blockchain analytics and forensic wallet clustering can trace transaction flows. The travel rule obligations under Regulation (EU) 2023/1113 (the ‘Transfer of Funds Regulation’ or ‘TFR’) and customer due diligence requirements under Regulation (EU) 2024/1624 (the ‘AMLR’) create an identifiable chain linking wallets to verified customers. Order-book retention under Article 76 and MiCA’s admission restriction on inbuilt anonymisation further support evidence gathering.

Cross-border information requests under Articles 95 to 101 of MiCA enable regulators to obtain data across jurisdictions. For compliance teams, practical steps include ensuring surveillance systems surface wallet clusters and cross-venue patterns, and linking blockchain analytics outputs to internal KYC records. This enables rapid identification of the underlying customer when supervisory queries arrive. While DeFi’s decentralised structure limits direct regulatory reach, the combination of on-chain transparency and CeFi touchpoints provides workable mechanisms to detect and pursue market abuse.

Compliance is key, but NCAs have a role too.

For Maltese CASPs, prevention hinges on four pillars, usually embodied in the work of the Compliance Officer. First, governance sets tone and accountability, with a single market abuse policy that covers both MiCA and MAR activity and assigns ownership for disclosure, surveillance and STOR decisions. Second, disclosure discipline requires timely publication of inside information under Article 88, clear delay procedures aligned with Implementing Regulation (EU) 2024/2861 and evidence that confidentiality was protected. Third, surveillance should integrate exchange data with DLT signals, use typologies tailored to crypto trading and record tuning decisions and alert outcomes for five years. Fourth, training for front-office, research and marketing teams on Article 91 examples, conflicts in media engagement and personal-account dealing ensures that the CASP’s employees effectively implement the licence holder’s policies.

MiCA’s supervisory architecture shows that ESMA can play a central coordinating role, and exercise direct supervision over significant asset-referenced and e-money tokens, while NCAs retain primary supervisory competence over CASPs and other issuers. This model preserves the indispensable acumen of National Competent Authorities, which possess the granular understanding of local markets necessary for effective supervision.

Smaller EU Member States such as Malta may apply the regime in a manner proportionate to their market scale, within the bounds of the Single Rulebook, while larger jurisdictions can place greater emphasis on the EU’s strategic autonomy objectives. Rigid MiCA centralisation under ESMA would sacrifice this flexibility without delivering meaningfully better outcomes for the EU’s digital asset economy. By maintaining a decentralised network coordinated through supervisory convergence, the EU achieves consistent compliance with financial regulatory standards while respecting the diverse regulatory contexts across the EU Member States and the different types of businesses they attract to its common market.