---
title: "The Reverse Solicitation Evidence Pack: How Offshore Crypto Firms Defend the MiCA Defence"
slug: reverse-solicitation-evidence-pack-crypto
publishedAt: 2026-05-25T10:00:00Z
author: Finconduit Editorial Team
tags: MiCA, MiFID II, AMLR
canonicalUrl: https://finconduit.com/resources/reverse-solicitation-evidence-pack-crypto
---
# The Reverse Solicitation Evidence Pack: How Offshore Crypto Firms Defend the MiCA Defence

Most offshore firms invoke reverse solicitation but cannot prove it. Here is the seven-document evidence pack that actually holds up under MiCA supervisory review.

Almost every offshore crypto firm still serving EU clients tells the same story: "It's fine — they came to us. Reverse solicitation." Almost none of them can prove it. The defence written into **MiCA** Article 61 is real, narrow, and unforgiving — and **ESMA** tightened it further in its October 2024 statement.

The exemption works only when an **evidence pack exists at the moment a supervisor asks for it**. Not after the request. Not reconstructed from memory. Pre\-built, per client, indexed, dated, and signed. If you cannot produce it in 48 hours, you do not have the defence — you have a marketing slogan.

This guide lays out **The Reverse Solicitation Evidence Pack** — the **seven documents** every offshore CASP, VASP, or unregulated crypto firm should hold for every EU\-resident client whose business they accept. It is the pack we build for clients, refresh quarterly, and would put in front of a national competent authority tomorrow.

## Why the Defence Fails Without the File

The defence comes from [MiCA Article 61](https://eur-lex.europa.eu/eli/reg/2023/1114/oj)[^1]. It allows a third-country firm to provide crypto-asset services to an EU client **only where the client initiated the service at their own exclusive initiative**. The text is short. The supervisory consequence is enormous.

Three things go wrong in practice. First, the firm has **no audit trail of who initiated the contact** — only a Telegram chat, a deleted Calendly link, or a sales rep's memory. Second, the firm has continued to **cross\-sell services the client never asked for**. Third, the firm has been quietly **running EU\-targeted SEO, paid social, or events** that destroy the "exclusive initiative" claim retroactively.

Each of those failures is fixable — but only with documents that exist **before the supervisor knocks**. Reverse solicitation is not an argument you make later. It is a file you maintain now.

## What ESMA Said in Its 2024 Statement \(and Why It Tightens Everything\)

In October 2024, **ESMA** issued its [Statement on the practical application of reverse solicitation under MiCA](https://www.esma.europa.eu/sites/default/files/2024-10/ESMA75-453128700-1323_Statement_on_the_practical_application_of_reverse_solicitation_under_MiCA.pdf)[^2]. It is the most important supervisory text most offshore firms have not read.

The statement does three things. It confirms the exemption is to be construed **very narrowly**, echoing the language used under **MiFID II**. It clarifies that **any solicitation by any means** — including promotion via influencers, sponsorships, and online targeting of EU users — defeats the exemption. And it makes clear that the exemption **does not extend to crypto\-assets or services of a different type** from the one the client originally requested.

> "The reverse solicitation exemption should be understood as very narrowly framed and must be regarded as the exception. A firm cannot rely on it to bypass MiCA." — ESMA, ESMA75\-453128700\-1323, 31 October 2024.

That single paragraph reframes how **every national competent authority** — **BaFin**, **AMF**, **CySEC**, **MFSA**, **Bank of Lithuania**, **Central Bank of Ireland** — will assess complaints, whistleblower reports, and on\-site inspections. The default posture is now **presumed solicitation unless rebutted with documentation**.

## The Seven\-Document Evidence Pack — Overview

The pack has **seven documents**, each addressing one specific failure mode supervisors look for. Five of them are per\-client. Two are firm\-wide. All seven should be ready to surface within 48 hours of a supervisory request.

1. **Initiator Trace** — audit log proving the client started the contact.

2. **Channel Provenance** — the inbound channel with timestamps and source attribution.

3. **Pre-Contract Acknowledgement** — signed client declaration with regulator-required language.

4. **Same-Type Limitation Log** — running list of services provided, flagging anything outside the original ask.

5. **30-Day Solicitation Quarantine** — proof that no marketing or follow-up touched the client in the 30 days before initiation.

6. **Marketing-Absence Attestation** — firm-wide declaration of no EU-targeted marketing, SEO, social, or events.

7. **Annual Refresh** — per-client annual confirmation that all of the above still holds.

## Document 1 — Initiator Trace

The **Initiator Trace** is the foundational document. It is a per\-client audit log answering one question: **who reached out to whom, when, and through what channel**. The supervisor's test is whether the client demonstrably moved first, with no prompt from the firm.

It must capture, at minimum: the **exact timestamp of first contact**, the **identity of the natural person who made it**, the **verbatim text of the inbound message** \(or recording, transcript, or screenshot\), and the **specific service or asset class requested**. Memory does not count. Sales\-CRM tagging "inbound" does not count.

The verbatim text matters because the supervisor will reconstruct intent from it. A message reading "Saw your ad on X, can you onboard me" is not reverse solicitation — it is a paid acquisition. A message reading "I was referred to your firm by my lawyer for ETH custody" is a candidate.

## Document 2 — Channel Provenance

The **Channel Provenance** document classifies the inbound route and explains why that route is consistent with the exemption. There are typically four categories.

- **Direct enquiry email** — sent to a non\-public contact address, ideally without the firm appearing in any EU search result the client can plausibly have used.

- **On\-chain initiation** — the client sent assets to a publicly\-known firm address before any contact, with subsequent contact to formalise the relationship.

- **Documented professional referral** — from a lawyer, accountant, or family office officer, with a paper trail showing the referrer initiated without the firm's instigation.

- **Search\-then\-direct\-visit** — client navigated to the firm's website on their own and used a contact form. This is the weakest provenance and must be paired with a strong Marketing\-Absence Attestation.

ESMA's 2023 [Supervisory briefing on reverse solicitation under MiFID II](https://www.esma.europa.eu/sites/default/files/2023-01/ESMA35-43-3242_Supervisory_Briefing_on_Reverse_Solicitation.pdf)[^3] — relied upon by national competent authorities and explicitly referenced as guidance for MiCA — treats **online targeting, banner ads, social media, sponsorships, paid search, and influencer marketing** as solicitation. Channel Provenance must be defensible against that test.

## Document 3 — Pre\-Contract Acknowledgement

The **Pre\-Contract Acknowledgement** is a short signed declaration from the client, executed **before** any service is provided. It records three facts in language the client cannot later disclaim.

- The client confirms they initiated the contact **at their own exclusive initiative**.

- The client acknowledges the firm is **not authorised under MiCA** and that the protections available to EU clients of an authorised CASP do not apply.

- The client identifies the **specific service and asset class** requested, with the firm noting that anything beyond that scope will be treated as a new request requiring its own evidence trail.

The acknowledgement is not magic. **It will not save a firm that has been actively marketing in the EU**. But its absence is fatal — supervisors treat the missing signature as evidence the firm never tested the exemption.

## Document 4 — Same\-Type Limitation Log

The **Same\-Type Limitation Log** is the document supervisors test hardest because it catches the most common failure: **silent scope creep**. A client asked for custody of BTC; the firm now provides staking on SOL, OTC trading in EUR pairs, and a stablecoin lending product. None of that is covered by the original initiation.

ESMA's 2024 statement is explicit: the exemption applies only to [crypto\-assets or services of the same type](https://www.esma.europa.eu/sites/default/files/2024-10/ESMA75-453128700-1323_Statement_on_the_practical_application_of_reverse_solicitation_under_MiCA.pdf) as the one the client requested. "Same type" is read narrowly — different asset classes, different services, different products each trigger a new requirement for a fresh initiation event.

The log must therefore be **updated every time a service or asset class changes**, and each addition must be tied to either \(a\) a fresh client\-initiated request with its own Initiator Trace, or \(b\) a written internal note explaining why the new service is genuinely the "same type" as the original. The default presumption is that it is not.

## Document 5 — 30\-Day Solicitation Quarantine

The **30\-Day Solicitation Quarantine** is the firm's evidence that **no marketing, no follow\-up email, no sales call, no cross\-sell pitch** touched the client in the 30 days immediately before initiation.

Why 30 days? Because the **causal chain** between firm\-initiated contact and client\-initiated request is what supervisors are testing. A client who received a marketing email last week and "initiated" contact today is not initiating — they are responding. Thirty days is a conservative buffer and matches the practitioner consensus on how supervisors look at "recent prior contact" under MiFID II as well.

The quarantine document is generated by querying **the firm's CRM, marketing automation tool, email server, and call records** for the client's email and phone — and producing a dated nil\-result attestation signed by the head of compliance.

## Document 6 — Marketing\-Absence Attestation

The **Marketing\-Absence Attestation** is the firm\-wide declaration covering all EU clients. It is signed by the CEO and head of marketing and lists what the firm does *not* do in the EU.

- **No paid advertising targeted to EU IP addresses, EU geographies, or EU languages**.

- **No SEO content optimised for EU\-jurisdiction keywords** \(e.g. "crypto custody Germany", "ETH staking Cyprus"\).

- **No EU\-targeted social media campaigns, influencer partnerships, or sponsored content**.

- **No EU events, conferences, sponsorships, or trade\-show booths**.

- **No partnerships with EU\-based introducers paid on EU\-client referral**.

The attestation is renewed quarterly and underpinned by an internal governance check consistent with the [EBA Guidelines on internal governance](https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-internal-governance-revised)[^4]. Without governance evidence behind the signature, the attestation is a piece of paper.

## Document 7 — Annual Refresh

The **Annual Refresh** is per\-client and per\-year. It re\-establishes that all of the above remains true: no scope creep, no new marketing contact, no change in the client's residency status that would alter the analysis, and a fresh acknowledgement from the client.

This is the document most firms skip. They build the pack on onboarding and never touch it again. Two years later, the client has moved jurisdictions, three services have been added, and the firm has run a paid social campaign in Germany. **The defence quietly died eighteen months ago** — nobody noticed because nobody refreshed.

## Comparison: Strong vs Weak vs Failing Evidence


*Table: Tiered evidence quality across the seven Reverse Solicitation Evidence Pack documents.*

| Document | Strong | Weak | Failing |
| --- | --- | --- | --- |
| Initiator Trace | Timestamped inbound email with full text, retained in immutable audit log | CRM tag "inbound" with no source text | Sales\-rep memory only |
| Channel Provenance | Documented professional referral or on\-chain initiation | Search\-then\-website\-visit with weak attestation | Telegram chat with deleted history |
| Pre\-Contract Acknowledgement | Signed before any service, ESMA\-aligned language, specific asset/service scope | Generic terms\-of\-service tick\-box | Verbal confirmation only |
| Same\-Type Limitation Log | Updated per service change with fresh initiation events | Annual review of services provided | No log; everything billed under original onboarding |
| 30\-Day Quarantine | Automated CRM \+ email \+ call query producing dated nil\-result | Manual check at onboarding | No check performed |
| Marketing\-Absence Attestation | Quarterly sign\-off backed by ad\-spend audit and SEO audit | Annual generic statement | No attestation |
| Annual Refresh | Per\-client diary entry with fresh client signature | One\-time onboarding only | Pack never updated |

## Comparison: ESMA, MiFID II, MiCA Expectations Side by Side

The reverse solicitation defence has been narrowing across EU financial regimes for a decade. The original is [MiFID II Recital 85](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014L0065)[^5]; the doctrine has tightened under ESMA's 2023 briefing and again under MiCA Article 61 plus the 2024 statement.


*Table: Reverse solicitation: how the bar has tightened from MiFID II to MiCA.*

| Test | MiFID II Recital 85 \(2014\) | ESMA MiFID II briefing \(2023\) | MiCA Art. 61 \+ ESMA 2024 |
| --- | --- | --- | --- |
| Construction | Exception, narrow | Very narrow, exception only | Very narrow, presumption against firm |
| What counts as solicitation | Direct marketing in own name | Online targeting, paid search, influencers, sponsorships | Same plus EU\-targeted SEO, social, events |
| Same\-type rule | Same type of service implied | Same type expressly required | Same type of crypto\-asset AND service required |
| Evidence burden | Implicit on firm | On firm | On firm; default presumption of solicitation |
| Cross\-sell | Permitted if same type | Restricted | Restricted; each new type needs fresh initiation |

## The Three Failure Patterns Supervisors Catch

### Pattern 1 — Cross\-selling outside the original ask

The client requested **custody of BTC**. Two years later they are using OTC, staking, and a borrow product. Each of those is **a different service or a different asset class** and each must be tied to a fresh initiation event. The Same\-Type Limitation Log is the document that prevents this.

### Pattern 2 — Passive marketing that looks active

The firm runs a blog "for educational purposes only" that ranks page\-one in Germany for "crypto custody Germany". Or it sponsors a podcast distributed in the EU. Or it lists itself in an EU\-facing aggregator. ESMA's 2024 statement treats all of this as **solicitation**. The Marketing\-Absence Attestation is the only document that surfaces this internally before a supervisor does.

### Pattern 3 — "Same type" creep on asset classes

A client was onboarded for **ETH staking** and is now custodying a basket of ten altcoins, an asset-referenced token, and a stablecoin lending position. Supervisors will read "same type" narrowly enough that **ART** and **EMT** almost certainly do not qualify as the same type as ordinary crypto-assets — they are categorised separately in MiCA itself.

## Retention and Audit Trail

Reverse solicitation evidence has no fixed retention period in MiCA itself, but two adjacent regimes set the practical floor. **AML retention** requires CDD records for at least **five years** after the end of the business relationship; MiFID II record\-keeping similarly imposes a five\-year minimum.

The [AMLR](https://eur-lex.europa.eu/eli/reg/2024/1624/oj)[^6] extends this approach across the EU for obliged entities. The practitioner default for the Reverse Solicitation Evidence Pack is therefore **retain for the duration of the relationship plus a minimum of five years**, indexed by client ID, with **write-once immutability** so the audit trail itself cannot be retro-edited.

Storage should sit somewhere a supervisor can be granted access on request without the firm needing to compile from raw systems — a dedicated compliance vault, ideally with a single\-page client cover sheet listing the seven documents and their last\-refresh date.

> **Warning:** Supervisors increasingly request evidence within 48 hours. If the pack must be reconstructed from CRM exports, email archives, and signed PDFs across multiple jurisdictions, you will miss the window — and the missed window itself becomes evidence of weak governance.

## Frequently Asked Questions

### How do you prove reverse solicitation under MiCA?

You prove it with a pre\-built evidence file, per client, that captures who initiated the contact, when, through what channel, with what request — plus a signed acknowledgement from the client, a firm\-wide attestation that no EU marketing took place, a log restricting services to the original ask, and an annual refresh. The pack must exist before a supervisor asks. Reconstructing it after a request rarely succeeds.

### What documents do you need to defend reverse solicitation?

Seven: Initiator Trace, Channel Provenance, Pre\-Contract Acknowledgement, Same\-Type Limitation Log, 30\-Day Solicitation Quarantine, Marketing\-Absence Attestation, and an Annual Refresh. Five are per\-client and two are firm\-wide. Missing any one weakens the defence; missing the Pre\-Contract Acknowledgement or the Marketing\-Absence Attestation tends to be fatal.

### How long must reverse solicitation evidence be retained?

MiCA does not set a fixed period, but the practitioner standard is the relationship duration plus a minimum of five years — aligned with AMLR and MiFID II record-keeping floors. Records should be held in write-once storage so the audit trail itself cannot be retro-edited, with indexed cover sheets per client to enable a 48-hour supervisory response.

### Can you do reverse solicitation marketing in the EU?

No. The phrase is a contradiction. The moment a firm markets — through advertising, SEO targeting EU keywords, paid social, influencer partnerships, sponsorships, or EU events — the reverse solicitation defence is defeated for every EU client the firm subsequently accepts. ESMA's 2024 statement on MiCA is explicit. Firms wanting to reach EU clients must obtain a CASP authorisation; the exemption is for genuinely unsolicited inbound business only.

The firms that survive the next MiCA supervisory cycle will not be the ones with the cleverest legal arguments. They will be the ones with the **file already on the shelf**. Build the pack now, refresh it on a calendar, and treat the seven documents as part of onboarding — not as something a lawyer drafts the week the regulator calls.

## Footnotes

[^1]: Regulation \(EU\) 2023/1114 of the European Parliament and of the Council on markets in crypto\-assets \(MiCA\), Art. 61, OJ L 150, 9.6.2023. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^2]: ESMA, Statement on the practical application of reverse solicitation under MiCA, ESMA75\-453128700\-1323, 31 October 2024. <https://www.esma.europa.eu/sites/default/files/2024-10/ESMA75-453128700-1323_Statement_on_the_practical_application_of_reverse_solicitation_under_MiCA.pdf>
[^3]: ESMA, Supervisory briefing on reverse solicitation under MiFID II, ESMA35\-43\-3242, 13 January 2023. <https://www.esma.europa.eu/sites/default/files/2023-01/ESMA35-43-3242_Supervisory_Briefing_on_Reverse_Solicitation.pdf>
[^4]: EBA Guidelines on internal governance under Directive 2013/36/EU, EBA/GL/2021/05, 2 July 2021. <https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-internal-governance-revised>
[^5]: Directive 2014/65/EU of the European Parliament and of the Council on markets in financial instruments \(MiFID II\), Recital 85, OJ L 173, 12.6.2014. <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014L0065>
[^6]: Regulation \(EU\) 2024/1624 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing \(AMLR\), OJ L, 19.6.2024. <https://eur-lex.europa.eu/eli/reg/2024/1624/oj>


