Almost every offshore crypto firm still serving EU clients tells the same story: "It's fine — they came to us. Reverse solicitation." Almost none of them can prove it. The defence written into MiCA Article 61 is real, narrow, and unforgiving — and ESMA tightened it further in its October 2024 statement.
The exemption works only when an evidence pack exists at the moment a supervisor asks for it. Not after the request. Not reconstructed from memory. Pre-built, per client, indexed, dated, and signed. If you cannot produce it in 48 hours, you do not have the defence — you have a marketing slogan.
This guide lays out The Reverse Solicitation Evidence Pack — the seven documents every offshore CASP, VASP, or unregulated crypto firm should hold for every EU-resident client whose business they accept. It is the pack we build for clients, refresh quarterly, and would put in front of a national competent authority tomorrow.
Why the Defence Fails Without the File
The defence comes from MiCA Article 61 [1]. It allows a third-country firm to provide crypto-asset services to an EU client only where the client initiated the service at their own exclusive initiative. The text is short. The supervisory consequence is enormous.
Three things go wrong in practice. First, the firm has no audit trail of who initiated the contact — only a Telegram chat, a deleted Calendly link, or a sales rep's memory. Second, the firm has continued to cross-sell services the client never asked for. Third, the firm has been quietly running EU-targeted SEO, paid social, or events that destroy the "exclusive initiative" claim retroactively.
Each of those failures is fixable — but only with documents that exist before the supervisor knocks. Reverse solicitation is not an argument you make later. It is a file you maintain now.
What ESMA Said in Its 2024 Statement (and Why It Tightens Everything)
In October 2024, ESMA issued its Statement on the practical application of reverse solicitation under MiCA [2]. It is the most important supervisory text most offshore firms have not read.
The statement does three things. It confirms the exemption is to be construed very narrowly, echoing the language used under MiFID II. It clarifies that any solicitation by any means — including promotion via influencers, sponsorships, and online targeting of EU users — defeats the exemption. And it makes clear that the exemption does not extend to crypto-assets or services of a different type from the one the client originally requested.
"The reverse solicitation exemption should be understood as very narrowly framed and must be regarded as the exception. A firm cannot rely on it to bypass MiCA." — ESMA, ESMA75-453128700-1323, 31 October 2024.
That single paragraph reframes how every national competent authority — BaFin, AMF, CySEC, MFSA, Bank of Lithuania, Central Bank of Ireland — will assess complaints, whistleblower reports, and on-site inspections. The default posture is now presumed solicitation unless rebutted with documentation.
The Seven-Document Evidence Pack — Overview
The pack has seven documents, each addressing one specific failure mode supervisors look for. Five of them are per-client. Two are firm-wide. All seven should be ready to surface within 48 hours of a supervisory request.
1. Initiator Trace — audit log proving the client started the contact.
2. Channel Provenance — the inbound channel with timestamps and source attribution.
3. Pre-Contract Acknowledgement — signed client declaration with regulator-required language.
4. Same-Type Limitation Log — running list of services provided, flagging anything outside the original ask.
5. 30-Day Solicitation Quarantine — proof that no marketing or follow-up touched the client in the 30 days before initiation.
6. Marketing-Absence Attestation — firm-wide declaration of no EU-targeted marketing, SEO, social, or events.
7. Annual Refresh — per-client annual confirmation that all of the above still holds.
Document 1 — Initiator Trace
The Initiator Trace is the foundational document. It is a per-client audit log answering one question: who reached out to whom, when, and through what channel. The supervisor's test is whether the client demonstrably moved first, with no prompt from the firm.
It must capture, at minimum: the exact timestamp of first contact, the identity of the natural person who made it, the verbatim text of the inbound message (or recording, transcript, or screenshot), and the specific service or asset class requested. Memory does not count. Sales-CRM tagging "inbound" does not count.
The verbatim text matters because the supervisor will reconstruct intent from it. A message reading "Saw your ad on X, can you onboard me" is not reverse solicitation — it is a paid acquisition. A message reading "I was referred to your firm by my lawyer for ETH custody" is a candidate.
Document 2 — Channel Provenance
The Channel Provenance document classifies the inbound route and explains why that route is consistent with the exemption. There are typically four categories.
- Direct enquiry email — sent to a non-public contact address, ideally without the firm appearing in any EU search result the client can plausibly have used.
- On-chain initiation — the client sent assets to a publicly-known firm address before any contact, with subsequent contact to formalise the relationship.
- Documented professional referral — from a lawyer, accountant, or family office officer, with a paper trail showing the referrer initiated without the firm's instigation.
- Search-then-direct-visit — client navigated to the firm's website on their own and used a contact form. This is the weakest provenance and must be paired with a strong Marketing-Absence Attestation.

ESMA's 2023 Supervisory briefing on reverse solicitation under MiFID II [3] — relied upon by national competent authorities and explicitly referenced as guidance for MiCA — treats online targeting, banner ads, social media, sponsorships, paid search, and influencer marketing as solicitation. Channel Provenance must be defensible against that test.
Document 3 — Pre-Contract Acknowledgement
The Pre-Contract Acknowledgement is a short signed declaration from the client, executed before any service is provided. It records three facts in language the client cannot later disclaim.
- The client confirms they initiated the contact at their own exclusive initiative.
- The client acknowledges the firm is not authorised under MiCA and that the protections available to EU clients of an authorised CASP do not apply.
- The client identifies the specific service and asset class requested, with the firm noting that anything beyond that scope will be treated as a new request requiring its own evidence trail.
The acknowledgement is not magic. It will not save a firm that has been actively marketing in the EU. But its absence is fatal — supervisors treat the missing signature as evidence the firm never tested the exemption.
Document 4 — Same-Type Limitation Log
The Same-Type Limitation Log is the document supervisors test hardest because it catches the most common failure: silent scope creep. A client asked for custody of BTC; the firm now provides staking on SOL, OTC trading in EUR pairs, and a stablecoin lending product. None of that is covered by the original initiation.
ESMA's 2024 statement is explicit: the exemption applies only to crypto-assets or services of the same type as the one the client requested. "Same type" is read narrowly — different asset classes, different services, different products each trigger a new requirement for a fresh initiation event.
The log must therefore be updated every time a service or asset class changes, and each addition must be tied to either (a) a fresh client-initiated request with its own Initiator Trace, or (b) a written internal note explaining why the new service is genuinely the "same type" as the original. The default presumption is that it is not.
Document 5 — 30-Day Solicitation Quarantine
The 30-Day Solicitation Quarantine is the firm's evidence that no marketing, no follow-up email, no sales call, no cross-sell pitch touched the client in the 30 days immediately before initiation.
Why 30 days? Because the causal chain between firm-initiated contact and client-initiated request is what supervisors are testing. A client who received a marketing email last week and "initiated" contact today is not initiating — they are responding. Thirty days is a conservative buffer and matches the practitioner consensus on how supervisors look at "recent prior contact" under MiFID II as well.
The quarantine document is generated by querying the firm's CRM, marketing automation tool, email server, and call records for the client's email and phone — and producing a dated nil-result attestation signed by the head of compliance.
Document 6 — Marketing-Absence Attestation
The Marketing-Absence Attestation is the firm-wide declaration covering all EU clients. It is signed by the CEO and head of marketing and lists what the firm does not do in the EU.
- No paid advertising targeted to EU IP addresses, EU geographies, or EU languages.
- No SEO content optimised for EU-jurisdiction keywords (e.g. "crypto custody Germany", "ETH staking Cyprus").
- No EU-targeted social media campaigns, influencer partnerships, or sponsored content.
- No EU events, conferences, sponsorships, or trade-show booths.
- No partnerships with EU-based introducers paid on EU-client referral.

The attestation is renewed quarterly and underpinned by an internal governance check consistent with the EBA Guidelines on internal governance [4]. Without governance evidence behind the signature, the attestation is a piece of paper.
Document 7 — Annual Refresh
The Annual Refresh is per-client and per-year. It re-establishes that all of the above remains true: no scope creep, no new marketing contact, no change in the client's residency status that would alter the analysis, and a fresh acknowledgement from the client.
This is the document most firms skip. They build the pack on onboarding and never touch it again. Two years later, the client has moved jurisdictions, three services have been added, and the firm has run a paid social campaign in Germany. The defence quietly died eighteen months ago — nobody noticed because nobody refreshed.
Comparison: Strong vs Weak vs Failing Evidence
Tiered evidence quality across the seven Reverse Solicitation Evidence Pack documents.
| Document | Strong | Weak | Failing |
|---|---|---|---|
| Initiator Trace | Timestamped inbound email with full text, retained in immutable audit log | CRM tag "inbound" with no source text | Sales-rep memory only |
| Channel Provenance | Documented professional referral or on-chain initiation | Search-then-website-visit with weak attestation | Telegram chat with deleted history |
| Pre-Contract Acknowledgement | Signed before any service, ESMA-aligned language, specific asset/service scope | Generic terms-of-service tick-box | Verbal confirmation only |
| Same-Type Limitation Log | Updated per service change with fresh initiation events | Annual review of services provided | No log; everything billed under original onboarding |
| 30-Day Quarantine | Automated CRM + email + call query producing dated nil-result | Manual check at onboarding | No check performed |
| Marketing-Absence Attestation | Quarterly sign-off backed by ad-spend audit and SEO audit | Annual generic statement | No attestation |
| Annual Refresh | Per-client diary entry with fresh client signature | One-time onboarding only | Pack never updated |
Comparison: ESMA, MiFID II, MiCA Expectations Side by Side
The reverse solicitation defence has been narrowing across EU financial regimes for a decade. The original is MiFID II Recital 85 [5]; the doctrine has tightened under ESMA's 2023 briefing and again under MiCA Article 61 plus the 2024 statement.
Reverse solicitation: how the bar has tightened from MiFID II to MiCA.
| Test | MiFID II Recital 85 (2014) | ESMA MiFID II briefing (2023) | MiCA Art. 61 + ESMA 2024 |
|---|---|---|---|
| Construction | Exception, narrow | Very narrow, exception only | Very narrow, presumption against firm |
| What counts as solicitation | Direct marketing in own name | Online targeting, paid search, influencers, sponsorships | Same plus EU-targeted SEO, social, events |
| Same-type rule | Same type of service implied | Same type expressly required | Same type of crypto-asset AND service required |
| Evidence burden | Implicit on firm | On firm | On firm; default presumption of solicitation |
| Cross-sell | Permitted if same type | Restricted | Restricted; each new type needs fresh initiation |
The Three Failure Patterns Supervisors Catch
Pattern 1 — Cross-selling outside the original ask
The client requested custody of BTC. Two years later they are using OTC, staking, and a borrow product. Each of those is a different service or a different asset class and each must be tied to a fresh initiation event. The Same-Type Limitation Log is the document that prevents this.
Pattern 2 — Passive marketing that looks active
The firm runs a blog "for educational purposes only" that ranks page-one in Germany for "crypto custody Germany". Or it sponsors a podcast distributed in the EU. Or it lists itself in an EU-facing aggregator. ESMA's 2024 statement treats all of this as solicitation. The Marketing-Absence Attestation is the only document that surfaces this internally before a supervisor does.
Pattern 3 — "Same type" creep on asset classes
A client was onboarded for ETH staking and is now custodying a basket of ten altcoins, an asset-referenced token, and a stablecoin lending position. Supervisors will read "same type" narrowly enough that ART and EMT almost certainly do not qualify as the same type as ordinary crypto-assets — they are categorised separately in MiCA itself.
Retention and Audit Trail
Reverse solicitation evidence has no fixed retention period in MiCA itself, but two adjacent regimes set the practical floor. AML retention requires CDD records for at least five years after the end of the business relationship; MiFID II record-keeping similarly imposes a five-year minimum.
The AMLR [6] extends this approach across the EU for obliged entities. The practitioner default for the Reverse Solicitation Evidence Pack is therefore to retain it for the duration of the relationship plus a minimum of five years, indexed by client ID, with write-once immutability so the audit trail itself cannot be retro-edited.
Storage should sit somewhere a supervisor can be granted access on request without the firm needing to compile from raw systems — a dedicated compliance vault, ideally with a single-page client cover sheet listing the seven documents and their last-refresh date.
Frequently Asked Questions
How do you prove reverse solicitation under MiCA?
You prove it with a pre-built evidence file, per client, that captures who initiated the contact, when, through what channel, with what request — plus a signed acknowledgement from the client, a firm-wide attestation that no EU marketing took place, a log restricting services to the original ask, and an annual refresh. The pack must exist before a supervisor asks. Reconstructing it after a request rarely succeeds.
What documents do you need to defend reverse solicitation?
Seven: Initiator Trace, Channel Provenance, Pre-Contract Acknowledgement, Same-Type Limitation Log, 30-Day Solicitation Quarantine, Marketing-Absence Attestation, and an Annual Refresh. Five are per-client and two are firm-wide. Missing any one weakens the defence; missing the Pre-Contract Acknowledgement or the Marketing-Absence Attestation tends to be fatal.
How long must reverse solicitation evidence be retained?
MiCA does not set a fixed period, but the practitioner standard is the relationship duration plus a minimum of five years — aligned with AMLR and MiFID II record-keeping floors. Records should be held in write-once storage so the audit trail itself cannot be retro-edited, with indexed cover sheets per client to enable a 48-hour supervisory response.
Can you do reverse solicitation marketing in the EU?
No. The phrase is a contradiction. The moment a firm markets — through advertising, SEO targeting EU keywords, paid social, influencer partnerships, sponsorships, or EU events — the reverse solicitation defence is defeated for every EU client the firm subsequently accepts. ESMA's 2024 statement on MiCA is explicit. Firms wanting to reach EU clients must obtain a CASP authorisation; the exemption is for genuinely unsolicited inbound business only.
Finconduit assembles the seven-document Reverse Solicitation Evidence Pack per client onboarded, with quarterly refresh and supervisor-ready audit trail.
The firms that survive the next MiCA supervisory cycle will not be the ones with the cleverest legal arguments. They will be the ones with the file already on the shelf. Build the pack now, refresh it on a calendar, and treat the seven documents as part of onboarding — not as something a lawyer drafts the week the regulator calls.