After the MiCA deadline, provider risk becomes an operations problem

MiCA Jun 24, 2026

A post-MiCA provider review should begin with an operational map. The deadline may sit in a regulatory calendar, but the real exposure sits in accounts, assets, open orders, reporting files, approval workflows, and settlement processes.

ESMA states that the MiCA transitional period expires across the EU on 1 July 2026. After that date, any entity providing crypto-asset services to EU clients without a MiCA licence will be in breach of EU law and must cease offering those services. ESMA also expects unauthorised CASPs to have implemented wind-down plans by 1 July 2026, and authorised CASPs to manage client migration ahead of the deadline.

That changes the buyer conversation. An institution reviewing its crypto provider risk exposure after the deadline should ask more than whether a provider can continue service. It should ask what happens if the answer is unclear, delayed, or changes quickly.

The shift from deadline awareness to continuity

Before the deadline, teams tend to focus on authorisation status, register checks, client notices, and internal policy updates. Those checks matter. They are also only the top layer of the operating model.

A provider may be embedded in more places than procurement records suggest. It may sit behind custody, execution, treasury movements, RFQs, trade files, benchmark reporting, API keys, transaction exports, and finance reconciliations. If the relationship has to change quickly, each dependency becomes work for a different team.

The problem usually arrives as friction rather than drama. A withdrawal needs an extra approval. A long-tail asset cannot move to the first backup venue. A report arrives without the fields finance needs. A trading desk pauses a strategy because new settlement instructions are still being approved. None of these issues sounds strategic in isolation. Together, they can slow the institution at exactly the moment it needs control.

What can break during crypto provider migration

A rushed crypto provider migration exposes the difference between having a backup provider and having a usable exit path.

Start with assets. Which balances can be moved immediately, which assets need manual support, and which transfers depend on whitelisted addresses, travel rule checks, network conditions, or venue limits? The institution also needs to know whether pending conversions, unsettled trades, collateral arrangements, or open orders block movement.

Then look at records. Historical fills, fees, transaction IDs, balance snapshots, and custody statements need to remain accessible after the account changes. Reporting continuity is especially important for asset managers, broker-dealers, fintechs, corporates, and funds with investor, audit, tax, or internal control obligations. A clean withdrawal is still incomplete if the institution loses the evidence trail.

Permissions can create a quieter problem. Signers change. API keys sit with former employees. Service notices go to an inbox nobody checks. Withdrawal approval workflows may be well designed for normal operations and clumsy under deadline pressure. A provider review should test who can act, who can approve, and who receives the information required to make a decision.

The questions a CASP provider review should answer

A useful CASP provider review connects legal entity checks to workflow checks.

First, confirm the exact legal entity delivering the service. ESMA warns that MiCA protections apply to the specific authorised EU legal entity, not automatically to other companies in the same group or to non-EU entities. That matters where a brand operates through several entities, or where custody, execution, support, and account management are split across jurisdictions.

Second, map the service scope. Does the provider hold assets, execute trades, arrange settlement, produce reports, or all of these? Which services are delivered directly, and which depend on sub-custodians, exchanges, liquidity providers, technology vendors, or group entities? A provider can look simple from the client portal while being more complex underneath.

Third, ask for the exit sequence. What notice is given? Which assets move first? What happens to open orders? How are historical reports exported? Who confirms final balances? What proof does the institution retain? ESMA expects wind-down plans to support an orderly exit, including offboarding and transfers of crypto-assets to an authorised CASP or self-hosted wallet, with prior notice to existing clients. Buyers should translate that expectation into their own runbook.

Custody policy should answer operational questions

Custody policy is often treated as a document for due diligence files. After MiCA, it should also help operations, treasury, and risk teams understand what happens under stress.

Aplo’s Custody Policy Statement states that Aplo is registered as a Digital Asset Service Provider (DASP) with the French AMF and is upgrading its operational and legal framework to comply with MiCA. It also describes client ownership of crypto-assets, bankruptcy remoteness, no re-hypothecation without prior, express, and specific instruction, segregation models, regulated EU-based sub-custodian due diligence, and daily reconciliation.

The continuity language is especially relevant for a post-MiCA provider review. Aplo states that it maintains a Wind-Down and Business Continuity Plan designed to protect client asset access during significant operational disruption or formal cessation of services. The statement also references formal notice and migration instructions, backup systems for critical custody functions, data portability, transaction histories, ownership proofs, and asset recovery protocols.

This is the kind of detail institutions should expect to discuss. Custody continuity depends on records, controls, instructions, recovery, and entitlement evidence, as well as the wallets themselves.

Settlement, execution, and the value of fewer moving parts

Provider concentration needs governance, but fragmentation creates its own operational risk. Multiple exchange accounts, custody arrangements, liquidity relationships, and reporting processes can make market access broader while making continuity harder to prove.

Aplo’s product model is directly relevant to that trade-off. Aplo’s execution services are connected to Qualified Custody and linked to its portfolio management system, with asset segregation and governance rules. Aplo’s product page describes access to multiple liquidity pools, 300+ assets, more than 100k tradable pairs, Smart Order Routing, trading from a single qualified account, execution reports, and flexible settlement options.

For an institution reviewing operational continuity, the question is whether fewer, better-controlled relationships can reduce account sprawl. A single-counterparty setup can simplify onboarding, permissions, prefunding decisions, settlement workflows, and reporting exports. The benefit is practical: fewer hand-offs to test when a provider relationship has to change or when trading activity needs to continue during review.

Post-MiCA provider review checklist

Use this checklist across operations, treasury, risk, compliance, finance, and trading.

Provider status and scope

  • Which legal entity provides each service?
  • Is the relevant entity authorised, registered, pending, or operating under another arrangement?
  • Do contracts, invoices, account documents, and public disclosures match?
  • Are any services delivered by group entities or third-country providers?

Assets and custody

  • Which assets are held, and under what custody model?
  • Can each asset move to another provider or wallet without avoidable delay?
  • Are omnibus wallets, dedicated wallets, sub-custodians, and ledgers documented?
  • What happens if the provider pauses a service or starts a wind-down process?

Orders and settlement

  • Are there open orders, RFQs, algorithms, unsettled trades, or collateral links?
  • Can trading continue during migration?
  • Are settlement cut-offs, fees, and manual approvals documented?
  • Is there a fallback route for urgent trades?

Reporting and data

  • Can the provider export full history, including fills, fees, balances, transfers, and ownership records?
  • Are exports usable by finance, audit, tax, and portfolio systems?
  • Will reporting remain accessible after closure?
  • Who archives records internally?

Permissions and communication

  • Are authorised signers current?
  • Are withdrawal addresses reviewed?
  • Are API keys, user roles, approval flows, and service contacts documented?
  • Who receives regulatory, service, and incident notices?

The sharper post-deadline question

Post-deadline provider risk is best understood as a control question. Can the institution keep assets moving, orders managed, settlement clean, and reporting usable if a relationship changes under pressure?

Aplo’s MiCAR policies and disclosures, Custody Policy Statement, and product model give institutions a practical starting point for that discussion. The decision is no longer limited to access. It is about whether the operating model can hold together when regulatory assumptions, service availability, or provider relationships change.
