---
title: "Running a Crypto Exchange Under MiCA: Class 3 Operator Playbook (2026)"
slug: mica-class3-exchange-playbook
publishedAt: 2026-05-15T09:00:00Z
author: Finconduit Editorial Team
tags: MiCA, DORA, AMLR
canonicalUrl: https://finconduit.com/resources/mica-class3-exchange-playbook
---
# Running a Crypto Exchange Under MiCA: Class 3 Operator Playbook (2026)

Class 3 crypto exchange under MiCA — capital, custody architecture (hot/warm/cold), matching engine, listing policy, market surveillance, DORA, AML at scale, and annual cost benchmarks by tier.

Operating a crypto exchange under a **MiCA** **Class 3 authorisation** is the **most demanding** crypto regulatory programme in the EEA — and the most commercially valuable. **Class 3** authorises the two **highest**\-risk crypto\-asset services in **MiCA**'s perimeter: **custody and administration** of crypto\-assets on behalf of clients, and **operating a trading platform** for crypto\-assets. Combined, these are the operating heart of every retail\-and\-institutional crypto exchange. **Coinbase** Europe, **Kraken**, **Bitstamp**, and the major EU\-native exchanges all run **Class 3 authorisations** as their structural foundation.

The capital floor under [MiCA Article 67](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) is **€150,000** for **Class 3** — but capital is the smallest constraint. The substantive bar runs through [MiCA Article 75](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) \(custody segregation and liability for client\-asset loss\), [MiCA Article 76](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) \(trading\-platform **market integrity** rules\), the **Travel Rule** under the [Transfer of Funds Regulation](https://eur-lex.europa.eu/eli/reg/2023/1113/oj), the **AML** obligations under [EBA Guidelines](https://www.eba.europa.eu/) moving to [AMLR](https://eur-lex.europa.eu/eli/reg/2024/1624/oj) from 10 July 2027, and the **ICT** framework under the [Digital Operational Resilience Act](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554) applicable from 17 January 2025. A **Class 3** operator must satisfy all of these simultaneously, with documented operational evidence, audited annually, and inspection\-ready at all times.[^1][^2][^3][^4][^5][^6][^7]

This guide is the operator playbook. It covers the **Class 3** perimeter in detail, the prudential and ongoing capital model, the custody architecture \(hot, warm, cold\) and the **qualified custodian** decision, the matching\-engine and order\-handling design, the listing and **delisting policy** framework, market\-integrity and surveillance obligations, the conflicts\-of\-interest framework, outsourcing under **DORA**, **AML** programme design at exchange\-scale, the cost benchmarks for running a **Class 3** exchange, and the operational discipline that turns a granted licence into a sustainable business at scale.

## What **Class 3** Actually Authorises

**MiCA** classifies crypto\-asset services into eight categories. **Class 3** is the **highest** tier under **Annex IV**'s prudential capital classification — it covers custody and **operating a trading platform**, plus all services authorised at Class 2 \(execution, exchange, transfer\) and Class 1 \(advisory, portfolio management, reception/transmission\).


*Table: MiCA Annex IV class structure — Class 3 authorises everything at Class 1 and 2 plus custody and trading platform.*

| Class | Services | Initial capital floor |
| --- | --- | --- |
| Class 1 | Advice on crypto\-assets; portfolio management; reception and transmission of orders; placement | €50,000 |
| Class 2 | Class 1 services \+ execution of orders \+ exchange of crypto\-assets \+ transfer of crypto\-assets | €125,000 |
| Class 3 | Class 2 services \+ custody and administration of crypto\-assets \+ operating a trading platform | €150,000 |
| Fixed Overhead Requirement | All classes — higher of class floor or 25% of prior year fixed overheads | — |

## Capital — The **Annex IV** Floor and the Practical Reality

**MiCA Article 67** sets the initial capital floor at **€150,000** for **Class 3** — but the floor is rarely the operating reality. Three additional capital pressures push real\-world **Class 3** capital to **€500,000–€1.5M** for mid\-sized operators, and to €5M\+ for the largest exchanges.

- Fixed Overhead Requirement \(FOR\). **25%** of prior year's fixed overheads. For a **Class 3** exchange running €2M\+ annual operating costs, the FOR exceeds the **€150,000** floor and becomes the binding constraint.

- NCA\-imposed risk\-weighted add\-ons. Bank of **Lithuania**, **CySEC**, and **BaFin** routinely require additional capital based on volume, custody assets under custody \(AUC\), and operational complexity.

- Operational buffer. Most experienced **Class 3** operators hold 25–50% above the regulatory floor as operational buffer, avoiding any chance of breaching the requirement during stress.

- Insurance retention. Custody\-loss insurance retentions are typically self\-insured up to €1M\+; capital must cover the retention layer.

> **Warning:** Capital must be held in cash or High\-Quality Liquid Assets \(HQLA\) and segregated from operating accounts. Co\-mingling capital with operating cash is the most\-cited finding in Class 3 supervisory inspections — a deceptively easy mistake that triggers re\-papering of the safeguarding architecture and a public NCA letter.

## Custody Architecture — Hot, Warm, Cold

**MiCA Article 75** makes the **Class 3** custodian liable for client\-asset loss except in narrow force\-majeure circumstances. The custody architecture is therefore the single **highest**\-stakes engineering decision in running a **Class 3** exchange. The standard pattern combines three layers, each with progressively stronger security and progressively slower access.


*Table: Hot, warm, cold custody architecture — the standard Class 3 pattern.*

| Layer | Typical balance share | Use case | Security model |
| --- | --- | --- | --- |
| Hot wallet | 1–5% of total AUC | Withdrawals within minutes; small daily flows | Multi\-sig with HSM, automated approval, online connectivity |
| Warm wallet | 5–15% of total AUC | Larger withdrawals \(hours to days\); rebalancing | Multi\-sig with HSM, partial offline, manual co\-approval |
| Cold wallet | 75–90% of total AUC | Long\-term storage, large institutional withdrawals \(1–3 days\) | Air\-gapped HSM, multi\-sig with geographically distributed signers, key ceremonies |
| Deep cold storage | 0–10% of total AUC | Very long\-term reserves; institutional cold custody | Multiple\-jurisdiction physical key shards, no automated access |

Many **Class 3** exchanges outsource cold and deep\-cold custody to **qualified custodians** — **Fireblocks**, **BitGo**, **Anchorage Digital**, **Komainu** — while retaining the hot and warm tiers internally. The economic question is whether the third\-party custodian fees and SLA structure beat the cost of building equivalent in\-house security. For most operators below €5B AUC, **qualified custodian** outsourcing for the cold tier is the standard.
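The tier bands in the table above can be enforced as a monitoring check. The following is an added example, not code from the original page or from any vendor it names: it classifies each tier against its band and plans sweeps that drain any over-cap tier. The function names, the drain and fill order, and the sample balances are assumptions made for illustration.

```python
# Band per tier in basis points of total assets under custody (AUC),
# as (floor, cap), copied from the page's hot/warm/cold table.
BANDS_BPS = {
    "hot": (100, 500),
    "warm": (500, 1500),
    "cold": (7500, 9000),
    "deep_cold": (0, 1000),
}
# Assumption: excess is drained from the most exposed tier first and
# parked in cold storage before any other tier.
DRAIN_ORDER = ["hot", "warm", "cold", "deep_cold"]
FILL_ORDER = ["cold", "deep_cold", "warm", "hot"]


def tier_status(balances):
    """Classify each tier as 'below', 'ok' or 'above' its band."""
    total = sum(balances.values())
    status = {}
    for tier, (floor_bps, cap_bps) in BANDS_BPS.items():
        # Integer cross-multiplication: no rounding can hide a breach.
        scaled = balances[tier] * 10_000
        if scaled > cap_bps * total:
            status[tier] = "above"
        elif scaled < floor_bps * total:
            status[tier] = "below"
        else:
            status[tier] = "ok"
    return status


def plan_sweeps(balances):
    """Return (moves, projected) that bring every tier under its cap.

    Each move is (source, destination, amount) in the balances' unit.
    Only over-cap tiers are drained; floors are reported by tier_status.
    """
    total = sum(balances.values())
    projected = dict(balances)
    moves = []
    for src in DRAIN_ORDER:
        excess = projected[src] - total * BANDS_BPS[src][1] // 10_000
        for dst in FILL_ORDER:
            if excess <= 0:
                break
            if dst == src:
                continue
            room = total * BANDS_BPS[dst][1] // 10_000 - projected[dst]
            amount = min(excess, room)
            if amount > 0:
                moves.append((src, dst, amount))
                projected[src] -= amount
                projected[dst] += amount
                excess -= amount
    return moves, projected


# Constructed sample balances (not real data): hot tier holds 9% of AUC.
SAMPLE = {"hot": 900, "warm": 1_200, "cold": 7_400, "deep_cold": 500}

if __name__ == "__main__":
    print(tier_status(SAMPLE))
    moves, after = plan_sweeps(SAMPLE)
    print(moves, tier_status(after))
```

Balances must be integers in one common valuation unit, so a multi-asset book has to be priced before the check runs.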

## Matching Engine and Order Handling

Operating a trading platform under **MiCA Article 76** imposes structural rules on how orders are received, matched, and executed. **Class 3** operators must publish written rules covering order types, matching priority, **market integrity**, and **conflicts of interest**. The engine itself must be auditable — supervisors can request order\-history data covering specific time windows under formal information requests.

- Order types. Limit, market, stop\-limit, stop\-loss as standard; advanced order types \(TWAP, VWAP, iceberg\) per the platform's documented order\-handling policy.

- Matching priority. Price\-time priority is standard; pro\-rata or hybrid models permissible if disclosed.

- Best execution. **Class 3** platforms providing execution services owe best\-execution duties under **MiCA** conduct rules — comparable to MiFID II but adapted for crypto.

- Market integrity surveillance. Real\-time and post\-trade surveillance for **market manipulation**, wash trading, layering, spoofing. Surveillance vendor \(Eventus, Trillium, Solidus Labs, or in\-house\) is mandatory.

- Conflicts of interest. The exchange must manage conflicts arising from operating a trading venue, providing custody, and any proprietary trading positions or related entities.

## Listing Policy and Token Admission

**MiCA Article 76** requires the trading platform to publish operating rules including a written **listing policy**. Asset admission decisions must be principled, documented, and applied consistently. NCAs review the **listing policy** at authorisation and probe specific listing decisions during inspections.

- Issuer due diligence. White paper review \(mandatory for asset\-referenced tokens and e\-money tokens\); legal opinion on token classification; financial\-crime exposure of the issuer.

- Liquidity assessment. Free float, trading volume on other venues, market depth analysis.

- Technical assessment. Smart contract security audit \(where applicable\), historical incidents, network maturity.

- Compliance assessment. Sanctions exposure on issuer or major holders; **AML** risk score from **blockchain analytics** on relevant addresses; alignment with the exchange's risk appetite.

- **Delisting policy**. Documented criteria triggering delisting — sanctions designation, substantial security breach, persistent low liquidity, regulator request.

> **Note:** Most NCA\-cited concerns in Class 3 supervisory letters relate to inconsistent listing decisions — assets admitted without documented diligence, or assets retained after a delisting trigger. Build a Listing Committee with documented decision papers, version\-controlled diligence checklists, and a quarterly review cadence on the existing listed asset base.

## **DORA** — **ICT** Risk Management for **Class 3**

The **Digital Operational Resilience Act** applies in full to every **Class 3** operator from 17 January 2025 — bringing crypto exchanges into the same **ICT** regulatory framework as banks, asset managers, and insurers. Compliance with **DORA** is not optional and is examined in detail at every **Class 3** supervisory inspection.

- **ICT risk management** framework. Documented framework covering identification, protection, detection, response, recovery; signed off by the management body; reviewed annually.

- **ICT** third\-party register. Comprehensive register of every **ICT** provider \(cloud, custody, analytics, **KYC**, **Travel Rule**\), with criticality classification and exit strategies.

- Major **incident reporting**. Major **ICT** incidents reportable within hours; classification framework prescribed; FIU and NCA channels.

- Threat\-led penetration testing \(TLPT\). 3\-year cycle for significant operators; coordinated by the home NCA; €100,000–€400,000 per TLPT exercise.

- Critical **ICT** third party oversight. Critical third parties \(large cloud providers, dominant custody platforms\) face direct ESA oversight — joint with the home NCA.

## **AML** Programme Design at Exchange Scale

**Class 3** **AML** programmes operate at scale and complexity that small **CASP**s do not face. Millions of customers, billions in monthly transaction volume, hundreds of listed assets, and material flow from self\-hosted wallets all combine to make exchange\-grade **AML** a continuous engineering and operations challenge.

- Tiered **KYC** with risk\-based **EDD** triggers. Standard CDD for retail; institutional **KYC** layer; PEP and high\-risk\-third\-country **EDD**; dynamic re\-tiering based on activity.

- Real\-time transaction monitoring. Rules engine running thousands of rules across customer cohorts; alerts triaged through a case\-management system; SAR pipeline to FIU.

- **Travel Rule** at scale. Multi\-vendor **Travel Rule** architecture \(typically Notabene \+ Sumsub or Sygna\) covering all counterparty **CASP**s and self\-hosted wallet flows.

- Blockchain analytics layered. Two analytics providers \(Chainalysis \+ TRM Labs is common\) feeding inbound deposit screening, withdrawal screening, and investigations.

- Sanctions screening at every layer. Onboarding identity, ongoing identity refresh, real\-time wallet screening, transaction\-level screening — 4\-list coverage \(OFAC \+ EU \+ UN \+ OFSI\).

- Annual independent **AML** audit. Required under **EBA Guidelines**; comprehensive review of programme effectiveness, false\-positive rates, SAR quality, and remediation tracking.

## The Cost of Running a **Class 3** Exchange

Annual operating cost for a regulated **Class 3** exchange \(excluding pure technology and customer\-acquisition costs\) typically falls in three brackets by scale.


*Table: Annual regulatory and operations cost for a Class 3 exchange by scale tier \(2026\).*

| Cost line | Small \(€10–50M revenue\) | Mid \(€50–500M revenue\) | Large \(€500M\+ revenue\) |
| --- | --- | --- | --- |
| Capital tied up \(regulatory \+ buffer\) | €500,000–€1M | €1.5–€5M | €5M–€20M |
| Compliance \+ AML headcount \(FTE\) | 8–12 FTEs | 20–40 FTEs | 60–150\+ FTEs |
| Travel Rule \+ blockchain analytics \+ KYC stack | €200,000–€400,000 | €400,000–€800,000 | €800,000–€2M |
| DORA / ICT compliance \+ TLPT | €100,000–€300,000 | €300,000–€700,000 | €700,000–€2M |
| External legal counsel | €150,000–€350,000 | €350,000–€800,000 | €800,000–€2M |
| Audit \(financial \+ AML \+ ICT\) | €100,000–€250,000 | €250,000–€600,000 | €600,000–€1.5M |
| NCA supervisory fees | €10,000–€50,000 | €50,000–€200,000 | €200,000–€500,000 |
| Total annual regulatory operations cost | €2M–€4M | €5M–€12M | €15M–€40M\+ |

## The Pitfalls That Sink **Class 3** Operators

- Capital co\-mingled with operating cash. The single most\-cited supervisory finding; trivially preventable; deceptively common.

- Listing decisions without documented diligence. NCAs probe specific assets; absence of decision papers triggers programme\-level findings.

- Hot\-wallet share too large. NCA expectation is 5% or less of AUC in the hot tier; exceeding it routinely creates operational\-risk findings.

- **Travel Rule** architecture not at scale. Single\-provider architecture fails when counterparty network gaps cause Sunrise rejections that exceed customer tolerance.

- **DORA** register incomplete. Missing critical third parties, no exit strategy documentation, no testing schedule.

- Inadequate **market surveillance**. Wash trading, spoofing, and layering signals not detected or not investigated; supervisory letters follow.

- Outsourcing without **DORA**\-aligned contracts. Critical\-function outsourcing requires audit rights, exit plans, and sub\-outsourcing controls; pre\-existing contracts often fail these tests.

## Frequently Asked Questions

### Can I run a **Class 3** exchange without a **qualified custodian** relationship?

Possible but operationally heavy. Self\-custody at **Class 3** scale requires a documented key\-ceremony architecture, geographically distributed signers, regular cryptographic audits, and a SOC 2 Type II report on the custody operations. Most exchanges below €5B AUC find that outsourcing cold custody to **Fireblocks**, **BitGo**, **Anchorage Digital**, or **Komainu** is operationally cheaper and supervisorily simpler than building equivalent in\-house. Larger exchanges \(**Coinbase** Europe, **Kraken**\) operate hybrid architectures.

### How does **AMLR** affect my **Class 3** **AML** programme?

**AMLR** overlays the existing **EBA Guidelines** **AML** framework with a directly\-applicable single rulebook from 10 July 2027. Practical effects for **Class 3**: harmonised CDD/**EDD** across all 27 member states \(relevant for passporting exchanges\), **AMLA** direct supervision likely for the largest exchanges, **AMLR**\-aligned **Travel Rule** overlay onto the existing Transfer of Funds Regulation. Plan **AML** programme upgrades during 2026 for **AMLR** application.

### What does insurance cost for a **Class 3** exchange?

Crime insurance and cyber insurance for **Class 3** operators typically runs €500,000–€2M annually for €25–100M of cover. Custody\-specific 'crypto crime' policies \(Lloyd's syndicates, specialist underwriters\) cost €50,000–€500,000 per €10M of cover depending on cold\-storage maturity, key\-ceremony evidence, and audit history. Insurance coverage is increasingly required by institutional counterparties.

### Can I list any token on a **Class 3** exchange?

Subject to your **listing policy**, broadly yes — except where the token is itself a regulated **MiCA** crypto\-asset that requires its own authorisation \(asset\-referenced tokens or e\-money tokens — the issuer must be authorised\). Also excluded: tokens that are securities under MiFID II \(require a separate authorisation\), tokens with sanctions exposure, tokens that have failed your listing diligence. The breadth varies by exchange — **Kraken**'s listing list differs from **Bitstamp**'s because their respective listing policies differ.

### Is **best execution** under **MiCA** the same as under MiFID II?

Conceptually similar but adapted. **MiCA** conduct rules require 'all sufficient steps' to obtain the best result for clients across price, costs, speed, likelihood of execution and settlement, size, and nature of the order. **Class 3** operators publish best\-execution policies, monitor execution quality, and provide clients with execution reports. The framework is lighter than MiFID II's RTS 27/28 but moving in the same direction; **AMLA** and **ESMA** technical standards will continue to refine it.

### What is the **most demanding** NCA for a **Class 3 authorisation**?

**BaFin** **Germany** — by a meaningful margin. The most rigorous combined assessment of capital, governance, **ICT**, **AML**, custody architecture, and conflict\-of\-interest management. Central Bank of **Ireland** is close behind on rigour but slightly slower. Bank of **Lithuania** is the **fastest** with serious\-but\-pragmatic substance expectations. Most **Class 3** operators choose **Lithuania**, **Cyprus**, or **Malta** for the speed\-substance balance; the few that choose **Germany** do so for institutional credibility.


## Related Guides

- [MiCA Compliance Guide for CASPs](/resources/mica-compliance-guide-casps): Authorisation walkthrough — capital, governance, supplier stack

- [The Significant CASP Threshold: When ESMA Takes Over](/resources/significant-casp-esma-threshold): **MiCA** Article 84 thresholds and **ESMA** direct supervision

- [Chainalysis vs Elliptic vs TRM Labs](/resources/blockchain-analytics-providers-compared): Choosing **blockchain analytics** in 2026

- [MiCA Travel Rule Providers Compared](/resources/mica-travel-rule-providers-compared): Notabene vs Sumsub vs Sygna vs Veriscope

A **Class 3** crypto exchange is a serious operational machine: capital, custody, **matching engine**, surveillance, **AML**, **ICT**, **listing policy**, and a board\-level governance discipline that pulls them all together. Done well, it is the most powerful authorisation in European crypto — passportable across 30 EEA member states, defensible to the **most demanding** institutional counterparties, and the foundation on which the next decade of European crypto market structure will be built. Done badly, it is the most expensive way to discover regulatory gravity. Build to the standard the most\-demanding NCA expects. Document everything. Audit every layer. Treat supervisors as informed counterparties, not adversaries. The exchanges that survive the next five years will be the ones that built it like an institution from day one.

- [The MiCA Market Abuse Regime](/resources/mica-market-abuse-regime) — the market\-abuse obligations a Class 3 exchange operating a trading platform must implement.

- [Staking\-as\-a\-Service: Regulatory Classification and Banking](/resources/staking-as-a-service-regulatory-banking) — how a Class 3 exchange should treat staking services under MiCA and the banking arrangements they require.

## Footnotes

[^1]: MiCA Article 67 — Prudential requirements for crypto\-asset service providers \(Annex IV\) — sets initial capital floors of €50,000 / €125,000 / €150,000 by class. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^2]: MiCA Article 75 — Custody and administration of crypto\-assets on behalf of clients; segregation, liability for loss, and client\-asset protection requirements. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^3]: MiCA Article 76 — Operation of a trading platform for crypto\-assets; market integrity, listing rules, and conflicts of interest. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^4]: Regulation \(EU\) 2022/2554 \(Digital Operational Resilience Act — DORA\), applicable from 17 January 2025. <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554>
[^5]: EBA Guidelines on the management of money laundering and terrorist financing risks \(EBA/GL/2021/02\). <https://www.eba.europa.eu/>
[^6]: Regulation \(EU\) 2024/1624 \(AMLR\) — applicable from 10 July 2027. <https://eur-lex.europa.eu/eli/reg/2024/1624/oj>
[^7]: Regulation \(EU\) 2023/1113 \(Transfer of Funds Regulation — Travel Rule\), applicable from 30 December 2024. <https://eur-lex.europa.eu/eli/reg/2023/1113/oj>


