Payments Insights #5 – When CASPs Overlap PSPs

The EU’s Markets in Crypto-Assets Regulation (MiCA) provides in Article 70(4) that a crypto-asset service provider (CASP) offering payment services related to its crypto activities must either obtain a payment institution authorisation itself or partner with an authorised payment service provider (PSP) under PSD2. This reflects the “dual nature” of certain crypto-assets: notably, MiCA classifies e-money tokens (i.e. stablecoins) as electronic money, meaning they are not only crypto-assets under MiCA but also “funds” under the Second Payment Services Directive (PSD2). In practice, this dual status raised uncertainty about whether CASPs dealing in stablecoins need a separate PSD2 licence in addition to their MiCA authorisation.

Divergent interpretations among Member States emerged, prompting concerns of regulatory arbitrage and consumer risk. Consequently, the European Commission,  formally asked the European Banking Authority (EBA) to clarify how PSD2’s licensing requirements apply to CASPs transacting in e-money tokens (EMTs). In response, the EBA issued a ‘No Action Letter’ in a press release in June 2025 (EBA/Op/2025/08) (the ‘Opinion’) which is effectively an EBA Opinion under Article 9c of its founding Regulation, to address the interplay between PSD2 and MiCA for such cases.

The EBA’s Opinion both guides national regulators in the interim as well as advises EU legislators on future legal amendments. To note that the EBA’s guidance in the Opinion is focused on payment services involving EMTs (stablecoins) only, and does not extend to other types of crypto-asset services and/or ARTs, which remain governed solely by MiCA

EBA’s 2025 Opinion: No-Action Guidance for CASPs with Stablecoins

 What Triggers Dual Authorisation? The EBA’s Opinion first delineates which crypto-asset activities involving EMTs should be considered “payment services” under PSD2 and thus potentially require dual authorisation. It advises national competent authorities (NCAs) to treat the transfer of crypto-assets as a PSD2-regulated payment service when the asset in question is an EMT and the transfer is carried out by a CASP on a client’s behalf. In other words, if a crypto firm facilitates a customer’s stablecoin transfer from one address or account to another, that activity should be viewed as equivalent to a funds transfer under PSD2. Likewise, the EBA considers that custody and administration of EMTs by a CASP constitutes a payment service, with any custodial wallet that allows users to send or receive stablecoins to third parties qualifying as a “payment account” under PSD2. This effectively brings CASP-operated stablecoin wallets and transfer services into the ambit of payment regulation. By contrast, the EBA Opinion makes clear that pure exchange services involving crypto-assets and EMTs do not amount to payment services. For example, a platform enabling customers to swap stablecoins for other crypto or for fiat is engaging in exchange of crypto-assets (a MiCA-regulated service) is not in payment services. In those exchange scenarios, NCAs are advised not to treat the activity as a PSD2 service, thus no separate payment licence is required. This delineation ensures that only true payment-like uses of stablecoins (transfers and transactional wallets) trigger PSD2, while investment or trading uses do not.

No-Action Relief and Streamlined Licensing: For those CASP activities that are deemed payment services (e.g. stablecoin transfer and custodial payment accounts), the EBA’s No Action Letter provides interim regulatory instructions coupled with guidance on minimising burdens. NCAs are instructed to require that such CASPs obtain a PSD2 authorisation (or partner with an authorised PSP). In other words, duplicate paperwork should be avoided by reusing documentation from the CASP authorisation process (mirroring MiCA’s own approach in Article 62(4) against duplicative information requests). Moreover, NCAs should grant a transition period until 1 March 2026 for compliance with the PSD2 licensing requirement. During this interim, a CASP already licensed under MiCA can continue providing the relevant stablecoin services without a PSD2 licence. By 2 March 2026, however, entities are expected to have secured the necessary payment institution licence or have arranged a partnership with a duly authorised PSP. After that date, the EBA advises regulators to stop any unlicensed CASPs from performing EMT-related payment services. This transition aligns with the anticipated timeframe for the new Payment Services Regulation (PSR) and PSD3 to take effect, thereby bridging the gap without leaving consumers unprotected.

Supervisory Priorities for NCAs: During the interim “no-action” period, the EBA encourages a pragmatic supervisory approach. NCAs are told not to prioritise enforcement of certain PSD2 conduct-of-business rules that pose practical challenges or duplicate protections already provided elsewhere. For example, requirements concerning the safeguarding of funds, detailed disclosure of charges, and strict execution timeframes may be de-emphasised in the context of CASP-run stablecoin services. In part this is because EMTs (being crypto-assets on distributed ledgers) don’t neatly fit some PSD2 concepts (e.g. a 24-hour execution rule may be less pertinent to near-instant blockchain transactions, and safeguarding of fiat funds might be less relevant if the stablecoins are already subject to reserve backing under MiCA’s rules for issuers).  The Opinion’s advice aims to limit the instances requiring dual authorisation so that a significant number of CASPs can operate under MiCA-only licensing without undermining user safeguards. Indeed, even without full PSD2 enforcement, CASPs remain subject to MiCA’s own conduct requirements and the detailed reserve, safekeeping and white paper obligations imposed on EMT issuers. The EBA’s balanced no-action approach thus avoids a disruptive crackdown on crypto firms in the short term, while still addressing key risk areas and buying time for a permanent legal resolve. Nevertheless, it should be noted that certain key PSD2 requirements (such as strong customer authentication, fraud monitoring, and minimum capital requirements) continue to apply during the transition to ensure consumer protection and market integrity.

Legislative Outlook: Reconciling PSD2, PSD3 and MiCA

Beyond interim measures, the EBA Opinion offers a roadmap for long-term regulatory alignment in the upcoming PSD3 and PSR reforms. The core objective is to eliminate the need for duplicative authorisations while ensuring that users of stablecoin-based services receive equivalent protection to users of traditional payment services. The EBA’s preferred solution is to amend MiCA itself via the PSD3/PSR legislative process, so that MiCA can govern CASPs dealing in EMTs. Concretely, the Opinion advises EU lawmakers to clarify in MiCA that crypto-asset services (even those involving EMTs) are solely subject to MiCA’s provisions, notwithstanding the dual nature of EMTs as both crypto-assets and “funds”. Hand in hand with this, MiCA should be explicit that a CASP providing what would otherwise be a payment service with EMTs “need only be authorised and supervised under MiCA, and is not required to be authorised under PSD2/PSD3”. In other words, MiCA would become a one-stop regime for such firms.

To prevent any dilution of consumer safeguards, the EBA further proposes “strengthening” MiCA by importing the substance of PSD2’s consumer protection provisions for these cases. Key requirements from PSD2 Titles III and IV – covering transparency of terms, rights and obligations of users (e.g. refund rights, complaint handling, liability rules), and possibly strong customer authentication and related security measures – could be written into MiCA or cross-referenced, with appropriate adjustments for the technical specificities of DLT and stablecoin arrangements. This would ensure that a customer using a CASP’s stablecoin payment service enjoys protections “adequate and comparable to” those under PSD2, without forcing the provider to maintain two licenses. The EBA sees this MiCA-centric approach as a long-term fix that complements innovation with consumer protection.

Alternatively, if integrating these changes into MiCA proves infeasible in the PSD3/PSR legislative cycle, the EBA outlines a fallback approach within the PSD3/PSR framework itself by suggesting that the law could, hypothetically, carve out a special regime or exceptions for CASPs. The EBA recommends that legislators at a minimum clarify certain points in the new payment laws, namely that PSD3/PSR should also state clearly that when a crypto-asset service qualifies as a payment service, the PSD3/PSR requirements apply to that service – removing ambiguity about overlap.

At the same time, the EBA opines that lawmakers should enumerate which provisions of PSD3/PSR will not apply to crypto-asset payment services or will be adjusted, to account for technological differences (via explicit derogations or exclusions in the legislation). This could include, for example, adapting safeguarding rules, or clarifying that certain operational standards need modification for DLT-based payments. The goal of this alternative is similarly to spare CASPs from a wholly separate licensing process, possibly by allowing a MiCA licence to count as sufficient, while still plugging any regulatory gaps through PSD3/PSR provisions tailored to stablecoin activities. The EBA does caution against a third, more radical approach: simply excluding EMT-related services entirely from PSD3/PSR’s scope without strengthening MiCA because that would create a regulatory vacuum and potential consumer detriment.

Malta’s Advantage for Overlapping CASP/PSP Business

 As the EU moves toward an integrated approach for crypto and payment services, certain jurisdictions stand out as especially attractive for businesses going through this overlap. Malta is a prime example. Malta was the first nation (in 2018 through Chapter 590 now replaced by Chapter 647) to enact a workable regulatory framework for crypto-assets within the EU, a regime that preceded many features of MiCA. The MFSA’s proactive stance attracted major crypto firms to domicile in Malta and gave the Maltese regulator a head-start in supervising digital finance.

Furthermore, Malta offers practical advantages in terms of language and legal tradition. English is an official language and the de facto language of business in Malta, meaning international firms face no language barrier in legal processes or day-to-day operations. The legal system itself is a unique hybrid of civil law and common law influences, reflecting Malta’s historical ties to continental Europe and the UK. For companies, this means commercial law in Malta is both EU-aligned and imbued with familiar common-law principles, providing a versatile and predictable foundation for transactions and dispute resolution.

Businesses establishing as CASPs or PSPs in Malta also benefit from the country’s EU membership (ensuring passporting rights across all 27 EU states) and a crypto-friendly economic policy. The State’s support for fintech and Malta’s branding as a forward-looking digital finance hub is backed by substantive regulatory clarity and industry support networks. Malta’s fiscal regime is also highly advantageous. This, coupled with a wide double-tax treaty network and the ability to passport licences EU-wide, makes Malta particularly appealing for fintech ventures seeking an efficient base of operations.

A critical practical question arising from the EBA’s Opinion is whether existing PSD2-authorised firms may offer crypto-asset services without obtaining separate MiCA authorisation. The EBA clarifies that payment institutions and electronic money institutions licensed under PSD2 typically cannot avoid MiCA authorisation entirely, but certain streamlined notification procedures are available under MiCA’s Article 60 when the payment service involves an EMI offering a service relating to an EMT.

Thus, with this Opinion, the EBA is providing clarity on where precisely it draws the line between PSPs and CASPs. Entities providing transfer services of EMTs on behalf of clients or offering custodial wallets functionally similar to traditional payment accounts must comply with PSD2. By contrast, activities involving proprietary capital transactions (such as platforms facilitating crypto-to-crypto or crypto-to-fiat exchanges) fall exclusively under MiCA. This clear distinction helps entities operating/applying in jurisdictions like Malta, because the MFSA’s fintech team supervises both digital assets as well as PSPs without the need for inter-departmental liaison at the regulator.