Case: Custodial service + SaaS platform for business

What was the client's request?

We were approached by a client with a Polish company that already had a VASP license.
The company was developing a B2B platform that provided businesses with cryptocurrency storage services (custody) and API access to exchange operations.
After MiCA came into force, the client needed to obtain a CASP license to continue its custody activities and expand its product line.

Why couldn't the client do it on their own?

1. The requirements for custody activities turned out to be way higher than for regular VASP companies.
2. They needed specialised documents on information security (IS) and risk management that met Polish standards.
3. They didn't have enough certified IT and compliance specialists.
4. Without adapting the infrastructure and confirming the level of data protection, the application could have been rejected.

What solution did we propose and why?

We proposed a comprehensive approach to preparing the company for the CASP application, focusing on infrastructure and compliance.

The solution included:

1. Engaging certified IT consultants to audit the infrastructure and assess the level of security.
2. Signing a contract with a data centre in Poland that complies with MiCA regulatory requirements.
3. Holding a strategic session with the company's management to transform the product and processes to meet the regulator's requirements.
4. Preparing an information security policy, incident response plans, and protocols for access management and data storage.
5. Providing full support for the CASP application dossier.
6. This approach allowed the client to not just ‘fill out the paperwork,’ but to build real protection and control mechanisms into the business operating model.

Were there any difficulties in resolving the request?

The project was complex due to its deep technological component:

1. The platform had its own software and API, which required a detailed description of IT processes.
2. The documentation on security and data storage had to be practical, not just declarative.
3. The regulator pays special attention to the custodial model, so all documents were developed in close collaboration with the client's technical team.

Duration of the case

The project took about five months, including auditing, document approval, and preparation for submission.

What specialists were involved?

• Compliance consultant;
• IT auditor certified to international security standards;
• EU licensing lawyer;
• Financial analyst;
• Technical consultant on data integration and storage.

Result

1. A full audit of the security infrastructure and processes was conducted.
2. Documents on information security and risk management compliant with MiCA were developed and implemented.
3. A complete dossier was prepared for the CASP application.
4. The regulator accepted the materials without comment.
5. The client uses the fact of the application as a reputational advantage, demonstrating a high level of trust and process maturity to corporate clients.