---
title: Anatomy of a MiCA Class 3 Supervisory Inspection (2026)
slug: mica-class3-inspection-anatomy
publishedAt: 2026-05-14T16:00:00Z
author: Finconduit Editorial Team
tags: MiCA, DORA, AMLR, ESMA
canonicalUrl: https://finconduit.com/resources/mica-class3-inspection-anatomy
---
# Anatomy of a MiCA Class 3 Supervisory Inspection (2026)

The inspection-readiness map — a phase-by-phase anatomy of what supervisors actually ask during a MiCA Class 3 inspection, with evidence-pack expectations at each phase.

The first wave of post\-authorisation **MiCA Class 3** supervisory inspections lands in **Q3 2026** — roughly twelve months after the first cohort of full **CASP authorisations** was granted across the EEA. For **custody and trading\-platform** CASPs operating under MiCA Annex IV's **€150,000 minimum own funds** threshold, the inspection cycle is the moment the authorisation file gets stress\-tested against operational reality. The firms that prepare seriously survive intact; the firms that mistake the inspection for a paperwork exercise discover the difference too late.

What follows is a **private\-practitioner playbook** written down publicly for the first time — the **inspection\-readiness map**. It walks a Class 3 CASP through the six phases of a supervisory inspection, the deep\-dive themes supervisors actually probe at each phase, and the evidence\-pack a competent compliance team has ready before the supervisory letter arrives. The map is built from the supervisory practice of **BaFin**, **ACPR**, **AFM**, **CySEC**, **MFSA**, **Bank of Lithuania** and the **CSSF** — the NCAs that have already granted material numbers of Class 3 authorisations and are now staffing the inspection function.

Class 3 inspections will differ structurally from the **EMI inspection** tradition NCAs have spent fifteen years refining. The book of business is different, the safeguarding architecture is different, the market\-surveillance obligation under **MiCA Article 78** has no clean EMI parallel, and the **DORA** overlay is heavier. The map below treats Class 3 as its own supervisory animal — not an EMI inspection in crypto clothing.

> **Warning:** Live\-supervision sensitive content. The first MiCA Class 3 inspection cycle is in motion; methodology will keep evolving through 2026 and 2027 as ESMA publishes thematic findings and as individual NCAs codify their own supervisory manuals. Treat this article as a structured preparation map, not regulatory advice. Confirm any specific evidence expectation with your home NCA or legal counsel before relying on it.

## Why Class 3 inspections will differ from EMI inspections

The legal frame is the [Markets in Crypto\-Assets Regulation](https://eur-lex.europa.eu/eli/reg/2023/1114/oj)[^1], in force across the EEA from **30 December 2024**. **Class 3 CASPs** — firms providing custody and administration of crypto\-assets, operation of a trading platform, or exchange of crypto\-assets for funds or other crypto — sit at the high\-intensity end of the supervisory population. Annex IV pegs minimum own funds at **€150,000** but the operational supervision is materially heavier than that headline number suggests.

Four structural differences pull Class 3 inspections away from the EMI template. First, the **safeguarding architecture** is custody of crypto\-assets, not segregated client money in a credit institution — the supervisor probes wallet architecture, multi\-party computation or HSM design, key\-ceremony evidence, and the legal characterisation of client crypto\-asset claims in insolvency. None of this maps onto EMI safeguarding inspections. Second, **MiCA Article 78** requires trading platforms to detect and report market abuse on\-chain — a market\-surveillance obligation no EMI has ever carried.

Third, the [Digital Operational Resilience Act](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554)[^2] overlay on Class 3 CASPs is heavier than on most EMIs because the ICT\-third\-party stack is denser — node infrastructure, custody\-platform vendors, blockchain\-analytics vendors, RPC providers — and each one is subject to **DORA** register\-of\-information and incident\-reporting obligations. Fourth, the customer base is structurally different — retail crypto exposure, professional traders, institutional counterparties — and the AML risk\-profile under the **AMLR** is rated higher than for a comparable\-sized EMI.

The supervisory direction is converging on **bank\-equivalent governance standards** for the regulated\-fintech population. **CSSF Circular 26/906** of 20 January 2026 aligned EMI and PI governance expectations to credit\-institution norms; the same direction\-of\-travel will land on Class 3 CASPs through **ESMA thematic guidance** in the second half of 2026. A Class 3 inspection in 2026 should be prepared for as a **quasi\-bank inspection** with crypto\-specific deep\-dives, not as a registration\-style desk review.

## The inspection\-readiness map — six phases

A full\-scope MiCA Class 3 inspection runs across **six identifiable phases** over a 12–20 week window from supervisory pre\-notice to remediation\-plan agreement. Some NCAs compress the middle phases; some extend the remediation phase across multiple supervisory cycles. The phases below are the structural skeleton — every Class 3 inspection across the EEA will move through them in roughly this order.

### Phase 1 — Pre\-notice \(6–8 weeks lead\)

The inspection begins with a **pre\-notice letter** from the home NCA, typically issued **6–8 weeks** before the on\-site phase. The letter identifies the supervisory team, the proposed on\-site dates, the high\-level scope \(full\-scope or thematic\), and an initial document request running typically to **40–80 line\-items**. The pre\-notice phase is where the firm builds the version\-controlled evidence pack — anything not in the pack on day one of on\-site is found and flagged.

Pre\-notice evidence\-pack expectations: current **business\-wide risk assessment**, current **AML policies and procedures** with version history, **organisational chart** with the three lines of defence mapped, **board minutes** for the past 24 months with the AML and risk items annotated, **MLRO annual report** and management response, **internal audit** reports for the past 24 months, and the current **safeguarding policy** with custody\-architecture diagrams.

### Phase 2 — Pre\-meeting agenda

Two to three weeks before on\-site, the supervisor convenes a **pre\-meeting** — typically a single half\-day, mixed in\-person and remote. The agenda is procedural on the surface: scope confirmation, on\-site logistics, interviewees confirmed, document waves scheduled. It is substantive underneath: the supervisor uses the pre\-meeting to probe the firm's **self\-awareness** — does the firm know where its own weaknesses sit, can it articulate the residual risks the board has accepted, does it have a credible internal narrative of what has changed since authorisation.

The single most consequential thing a CEO can do in the pre\-meeting is volunteer the firm's three biggest known control weaknesses — with the remediation plan and timeline already attached. A supervisor who hears self\-aware honesty calibrates the inspection one way; a supervisor who hears defensive minimisation calibrates it another way entirely. The pre\-meeting is the firm's last cheap opportunity to set the tone.

### Phase 3 — On\-site \(3–5 days at scale\)

The on\-site phase runs **3–5 days** for a typical Class 3 inspection, longer for cross\-border or post\-incident inspections. The supervisory team is usually **4–8 staff**: a lead inspector, an AML specialist, an ICT/DORA specialist, a market\-surveillance specialist, and \(for Class 3\) a custody / wallet\-architecture specialist seconded from the NCA's prudential or fintech unit. Each specialist runs their own thread of interviews and walk\-throughs in parallel.

The on\-site agenda is built around **control walk\-throughs**, not document review. The supervisor wants to see a transaction monitoring alert opened, triaged, escalated, and closed — in the live system, with the actual analyst doing the work. It wants to see a key\-ceremony rehearsal, a sanctions screening hit, a market\-surveillance alert, a DORA incident\-classification call. The firms that fail Phase 3 are the firms where the policy says one thing and the operator does something different — and the supervisor sees the gap in real time.

### Phase 4 — Document\-request waves

During and after on\-site, the supervisor runs **two to four follow\-up document\-request waves**. Each wave is narrower and more pointed than the pre\-notice request — chasing a specific control gap, a specific customer file, a specific incident report, a specific board decision. Response windows tighten: pre\-notice was 4 weeks, wave\-one is typically 5–10 working days, later waves are 48–72 hours. The firm's ability to respond at that tempo is itself supervisory evidence.

Document\-wave evidence\-pack expectations: **individual customer files** with the full KYC / EDD / source\-of\-funds / source\-of\-wealth trail, **transaction\-monitoring alert files** end\-to\-end \(alert → triage → SAR or close\), specific **market\-surveillance alerts** with the analyst notes, the **DORA register of information** with all ICT third\-party contracts indexed, and signed minutes of any board or risk\-committee meeting that touched the issue under investigation.

### Phase 5 — Fit\-and\-proper re\-interviews

Every Class 3 inspection includes **fit\-and\-proper re\-interviews** of the senior management body and key function\-holders. The CEO, MLRO, Head of Compliance, CTO, and Head of Risk are interviewed individually — sometimes panel\-style, sometimes one\-on\-one — with the supervisor probing whether the person interviewed at authorisation is still the person in the seat, still doing the job described in the regulatory business plan, and still credible against the firm's current risk profile. [BaFin](https://www.bafin.de/EN/Aufsicht/FinTech/Kryptoverwahrung/kryptoverwahrung_node_en.html)[^3]'s Q1 2026 thematic review on crypto\-custody firms ran fit\-and\-proper re\-interviews as a standalone supervisory exercise, decoupled from full\-scope inspection.

The interview is not a quiz. The supervisor wants to confirm the function\-holder understands the firm's risks at their level of accountability — the MLRO can articulate the top three AML residual risks and why; the CTO can articulate the ICT third\-party concentration risk and the DORA\-mapped contingencies; the CEO can articulate the board's risk appetite and how it cascades into operational thresholds. A function\-holder who cannot answer at that level is a supervisory finding in their own right.

### Phase 6 — Findings letter \+ remediation plan negotiation

Six to ten weeks after on\-site, the supervisor issues a **draft findings letter**. Findings are graded — typically **high / medium / low** priority, with high findings demanding a remediation\-plan response within 30 days. The firm has a defined right\-of\-reply window to comment on factual accuracy before the letter is finalised; that window is the firm's last clean opportunity to push back on a mischaracterised finding.

The remediation plan that follows is itself a negotiation. The firm proposes; the supervisor accepts, modifies, or rejects. A well\-built remediation plan is **specific, dated, owned, and measurable** — a clear action, a named accountable officer, a hard delivery date, and an evidential test of completion. Generic remediation language \("we will strengthen our controls in this area"\) gets sent back with a request for specificity, and the firm has lost a supervisory cycle.


*Table: The MiCA Class 3 inspection\-readiness map — six phases with timeline and evidence\-pack expectations.*

| Phase | Timeline | Evidence\-pack expectations |
| --- | --- | --- |
| 1. Pre\-notice | 6–8 weeks before on\-site | Business\-wide risk assessment, AML P&Ps with version history, org chart with 3LoD, 24m board minutes, MLRO annual report, internal audit reports, safeguarding policy \+ custody architecture |
| 2. Pre\-meeting | 2–3 weeks before on\-site | Scope confirmation, interviewee list, on\-site logistics, CEO/MLRO pre\-meeting prep with known weaknesses pre\-volunteered |
| 3. On\-site | 3–5 days | Live control walk\-throughs: TM alert lifecycle, key ceremony, sanctions screening hit, market\-surveillance alert, DORA incident classification — all in the live system |
| 4. Document waves | During \+ 4–6 weeks post | Individual customer files end\-to\-end, TM alert files, MS alert files, DORA register of information, board / risk\-cmte minutes for specific issues |
| 5. Fit\-and\-proper re\-interviews | Concurrent with Phase 4 | CEO, MLRO, Head of Compliance, CTO, Head of Risk — articulate top residual risks at level of accountability; demonstrate ongoing fitness |
| 6. Findings \+ remediation | 6–10 weeks post on\-site, then ongoing | Right\-of\-reply on draft findings; remediation plan that is specific, dated, owned, measurable; supervisory tracking of delivery |

## Deep\-dive themes — what supervisors actually ask

Beneath the phase structure, the inspection runs through **six recurring deep\-dive themes**. Each NCA emphasises different themes — **BaFin** weights AML programme depth heavily; **AFM** tends to push hard on governance and board composition; the **CSSF** front\-loads ICT/DORA — but all six themes feature in every full\-scope inspection.

### AML programme \(CDD / EDD / TM / sanctions\)

The AML deep\-dive is the longest single thread. The supervisor probes the full lifecycle: **CDD** sufficiency at onboarding, **EDD** triggers and quality where applied, **transaction monitoring** rules tuned to the actual book of business \(not the vendor defaults\), **sanctions screening** coverage including wallet\-address screening against on\-chain analytics, and the **SAR / STR pipeline** with file\-level evidence of timely reporting. Our practitioner experience is that supervisors pull individual customer files in randomised samples and trace each one end\-to\-end — onboarding, EDD, ongoing review, alert history, exit.

Our companion piece on the [AML audit for crypto firms](/resources/aml-audit-crypto-firm) sets out the file\-level evidence trail supervisors look for at this depth — including the typical request format for individual customer\-file pulls during Phase 4 document waves.

### Market surveillance under Article 78

Class 3 CASPs operating trading platforms must detect and report market abuse — insider dealing, market manipulation — under **MiCA Article 78**. [ESMA](https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica)[^4] is expected to publish thematic guidance on Article 78 supervision in H2 2026. The supervisor asks: which market\-abuse scenarios is the firm screening for, how were the scenario thresholds calibrated, who tunes them and on what cadence, how does the firm reconcile on\-chain wash\-trade patterns with off\-exchange flow, and what is the STOR \(suspicious transaction and order report\) pipeline.

We treat the Article 78 implementation question in depth in our [market surveillance for MiCA Class 3 trading platforms](/resources/market-surveillance-mica-class3) guide — including scenario library, threshold\-calibration approach, and STOR pipeline architecture.

### Safeguarding architecture

Custody safeguarding is the deepest crypto\-specific dive. The supervisor probes the wallet topology: hot / warm / cold split, **MPC versus HSM** key architecture, signer geographies, threshold parameters, key\-ceremony evidence with video and dual\-control attestation, withdrawal\-approval workflows, address\-allow\-listing where used, and the legal characterisation of client crypto\-asset claims under the firm's home insolvency regime. The supervisor will ask to see a **recent key\-ceremony rehearsal** and the attestation pack — not in policy form, in operational form.

### Governance \+ board composition

The governance deep\-dive looks at board composition \(executive / non\-executive balance, diversity of skills, crypto\-asset literacy\), committee structure \(board risk committee, board audit committee, AML committee\), the cadence and quality of board minutes, the substance of management\-information packs, and the demonstrable evidence that the board is exercising oversight rather than rubber\-stamping. **Bank of Lithuania** inspection methodology pushes particularly hard on whether non\-executive directors are independent in substance, not just on the org chart.

### ICT / DORA

The DORA thread runs through the inspection alongside the AML thread. The supervisor wants to see the **DORA register of information** populated and current, the ICT\-third\-party concentration analysis, the documented **threat\-led penetration testing** programme where applicable, the ICT incident classification and reporting pipeline, and the contractual exit\-rights position with critical ICT third parties. Our [DORA implementation playbook for CASPs](/resources/dora-implementation-playbook-casps) maps the supervisor's expected evidence pack across the full DORA pillar set.

### MLRO function

The MLRO function gets a dedicated supervisory thread. Reporting line \(the MLRO must report directly to a board\-level forum with unimpeded access to the chair\), resourcing \(FTE count against transaction volume and risk profile\), independence \(no operational conflict, no commercial KPI\), training cadence, and **MLRO annual report** quality. A weak MLRO annual report — particularly one without explicit recommendations the board has accepted, deferred, or rejected on the record — is one of the most reliable predictors of a high\-priority finding.


*Table: MiCA Class 3 inspection deep\-dive themes with the supervisory requests practitioners should expect at each.*

| Theme | Sample supervisory requests |
| --- | --- |
| AML programme | Pull 20 randomly\-sampled customer files end\-to\-end; show TM alert volumes by scenario, false\-positive rates, SAR conversion; demonstrate sanctions screening including wallet\-address screening |
| Market surveillance \(Art 78\) | List of MS scenarios implemented; threshold\-tuning log; sample STORs filed; reconciliation of on\-chain wash\-trade detection with off\-exchange flow |
| Safeguarding | Wallet topology diagram; MPC/HSM design doc; key\-ceremony video \+ attestation; withdrawal\-approval workflow walk\-through; insolvency legal opinion on client claims |
| Governance \+ board | Board minutes 24m with AML/risk items annotated; NED independence assessment; board MI pack samples; board AML committee terms of reference |
| ICT / DORA | Register of information; ICT 3P concentration analysis; incident classification log; threat\-led pen\-test programme; exit\-rights position with critical 3Ps |
| MLRO function | MLRO reporting line \+ board access protocol; MLRO annual report w/ recommendations \+ board response; FTE plan vs transaction volume; training cadence |

## The tabletop exercise — pre\-inspection drill

The single most cost\-effective preparation step a Class 3 CASP can take is a **pre\-inspection tabletop** — a structured, full\-day rehearsal of the inspection using external counsel or an independent compliance adviser playing the supervisor. The tabletop runs the pre\-meeting agenda, simulates Phase 3 walk\-throughs in the live system, runs three fit\-and\-proper interviews under supervisory conditions, and stress\-tests two or three of the deep\-dive themes most likely to surface findings.

The output is not a report — it is a **pre\-inspection gap register** with 60–90 day fixes assigned to named owners. Items that cannot be fixed before the supervisor arrives are converted into pre\-volunteered weaknesses in the Phase 2 pre\-meeting. The tabletop turns surprises into supervisor\-credit; the alternative is letting the supervisor find the gaps for the first time, on the record, with a finding attached.

> **Tip:** Run the tabletop 90–120 days before the realistic inspection window — long enough that the gap register can be remediated, close enough that the live state of controls matches what the supervisor will see. A tabletop run six months ahead becomes stale; a tabletop run three weeks ahead is too late to fix anything.

## Common findings — and how to pre\-empt them

Across the early Class 3 inspection cycle, a small number of findings recur with high frequency. Pre\-empting them is the highest\-leverage preparation a firm can do.

- **TM rule library left at vendor defaults** — supervisors expect rules tuned to the firm's actual customer segments, product mix, and on\-chain typologies. The fix is a documented threshold\-calibration cycle with the analyst who runs it sitting in the inspection room.

- **MLRO reporting line below the board** — a recurring finding even for firms that scored well at authorisation. Move the line, document the move, evidence direct chair access.

- **Business\-wide risk assessment stale at 18\+ months** — refresh annually with an explicit log of what changed and why; do not let the BWRA become a static authorisation artefact.

- **DORA register of information incomplete** — every ICT third\-party contract, including the long\-tail of SaaS tools, must be on the register with the function\-criticality classification documented.

- **Customer\-base composition reporting weak** — the firm cannot quickly produce the percentage of its book that is retail vs professional, EEA vs non\-EEA, high\-risk segment vs standard. This was the lead finding in BaFin's Q1 2026 thematic review.

- **Key\-ceremony evidence inadequate** — policies describe ceremonies but no recent ceremony has been videoed, dual\-control\-attested and filed. Run one and file the evidence pack before the supervisor asks.

Firms that have run a serious [bank\-diligence file](/resources/bank-diligence-file-crypto-firm) exercise as part of opening institutional banking will find the inspection evidence pack overlaps materially with what their bank already required. The two exercises have different audiences but share roughly 60% of underlying artefacts.

## Frequently asked questions

### How much warning does a Class 3 CASP get before a supervisory inspection?

Typically **6–8 weeks** for a full\-scope planned inspection, evidenced by a formal pre\-notice letter. Thematic deep\-dives and post\-incident inspections can run on shorter notice — sometimes 2–4 weeks. Unannounced supervisory visits are rare in the Class 3 population in 2026 but are not legally precluded; firms with open enforcement history should assume reduced lead times.

### Who from the firm sits in the inspection room?

The CEO and MLRO are present throughout. The Head of Compliance, CTO, Head of Risk, and Head of Operations rotate through the relevant sessions. Board members are not normally in the on\-site room, but the chair and the chair of the board risk committee are typically interviewed separately during Phase 5. External counsel is allowed but not expected to drive the engagement — the supervisor wants to hear from the function\-holders themselves.

### What happens if findings include a serious failing?

A serious failing triggers an enforcement track parallel to the remediation plan. The supervisor can require business\-restriction measures \(new\-customer freeze, product withdrawal\), impose monetary penalties, require management changes, and — in the most severe cases — withdraw the CASP authorisation. The firm's right of appeal sits with the home Member State's administrative\-law framework. Most firms in the 2026 cohort that get high\-priority findings will not face enforcement — they will face an intensive remediation cycle under supervisory oversight, with a follow\-up inspection 12–18 months later.

### How does the supervisor coordinate with host\-state NCAs for passported activity?

Home\-state primacy applies. The home NCA leads the inspection; host\-state NCAs may second a participant where the firm has material activity in the host state, or may run a parallel host\-state thematic on a different cadence. **ESMA** coordinates the supervisory\-college structure for the largest cross\-border CASPs. The [**CSSF**](https://www.cssf.lu/)[^5] model — alignment to bank\-equivalent governance norms under Circular 26/906 — is increasingly the reference architecture for cross\-border Class 3 supervision.

### How long is the remediation cycle?

Typical Class 3 remediation cycles run **6–18 months** from findings letter to closed\-out remediation. High\-priority findings are typically closed within 6 months; medium findings within 12; low findings rolled into the firm's next business\-planning cycle. Supervisory tracking is continuous — quarterly check\-ins with the lead inspector are the norm for the early Class 3 cohort.

## Related guides

- [AML Audit for a Crypto Firm](/resources/aml-audit-crypto-firm): file\-level evidence walk\-through for the AML deep\-dive supervisors run at Phase 4.

- [Market Surveillance for MiCA Class 3 Trading Platforms](/resources/market-surveillance-mica-class3): Article 78 scenario library, threshold\-tuning approach, and STOR pipeline design.

- [DORA Implementation Playbook for CASPs](/resources/dora-implementation-playbook-casps): the ICT/DORA evidence pack supervisors expect at Phase 3 and Phase 4.

- [AMLR Readiness — 12\-Month Roadmap](/resources/amlr-readiness-12-month-roadmap): how the AMLR transposition reshapes the AML programme the inspector will probe.

- [Bank\-Diligence File for a Crypto Firm](/resources/bank-diligence-file-crypto-firm): 60% of the inspection evidence pack overlaps with the institutional\-banking file most CASPs already carry.

The first Class 3 inspection cycle will set the supervisory tone for the rest of the MiCA era. Firms that arrive with a tested evidence pack, a self\-aware narrative, and a credible remediation muscle will exit the cycle with their authorisation strengthened. Firms that arrive treating the inspection as a paperwork exercise will exit with findings, restrictions, and a supervisory file that follows them for years. The map above is built to put readers in the first group.

## Footnotes

[^1]: Regulation \(EU\) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto\-assets \(MiCA\), OJ L 150, 9.6.2023. Annex IV sets minimum own funds requirements by CASP class; Class 3 \(custody and operation of a trading platform\) requires €150,000. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^2]: Regulation \(EU\) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector \(DORA\), OJ L 333, 27.12.2022. DORA applied from 17 January 2025 and treats CASPs as in\-scope financial entities. <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554>
[^3]: BaFin — Crypto custody supervision pages. BaFin's Q1 2026 thematic review of crypto\-custody and CASP supervision focused on AML programme depth and customer\-base composition reporting. <https://www.bafin.de/EN/Aufsicht/FinTech/Kryptoverwahrung/kryptoverwahrung_node_en.html>
[^4]: European Securities and Markets Authority \(ESMA\) — Markets in Crypto\-Assets Regulation \(MiCA\) implementation hub. ESMA's thematic work on Class 3 supervision is expected to land in H2 2026, codifying Article 78 market\-surveillance expectations. <https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica>
[^5]: Commission de Surveillance du Secteur Financier \(CSSF\), Luxembourg. CSSF Circular 26/906 of 20 January 2026 aligned EMI and PI governance expectations to bank\-equivalent standards — a direction\-of\-travel relevant for forthcoming MiCA Class 3 supervisory expectations. <https://www.cssf.lu/>


