The Markets in Crypto-Assets Regulation (MiCAR) was intended to bring clarity to Europe’s crypto sector. Yet at its core lies a puzzling ambiguity: Can crypto custodians use client assets for their own account with a client’s consent—just as traditional securities custodians have done for decades?
The answer is consequential. The productive use of assets—through staking or lending—can generate returns for clients and revenue for providers. In traditional finance, securities custodians routinely lend client securities with consent, supported by robust collateralisation requirements. By contrast, the wording of article 70(1) of MiCAR—and the European legislator's unusual deletion of a key consent clause during the legislative process—has left the crypto industry uncertain (Zetzsche et al 2024; Annunziata et al 2025).
Contrary to ESMA Q&A No. 2607, we argue that—despite its ambiguous wording—MiCAR permits such use with client consent. The legislator did not intend to prohibit the productive use of assets; rather, it chose not to regulate the form of consent at the EU level, leaving that issue to national civil law. This interpretation matters not just for custodians today, but for the future regulation of crypto lending currently under debate in Brussels.
- The Puzzle: What Happened to ‘Express Consent’?
Traditional financial regulation is clear. Article 16(8) of MiFID II requires investment firms to prevent the use of client financial instruments ‘on own account except with the client’s express consent’. The same language appears in Article 7(5) of the DLT Pilot Regulation for tokenised securities.
The European Commission's original MiCAR draft contained identical wording: Article 63(1) would have permitted the use of client crypto-assets ‘except with the client's express consent’ (COM/2020/593 final). During the informal trilogue negotiations in 2022, however, the Council and Parliament quietly deleted that phrase. The final version of Article 70(1) of MiCAR now requires custodians ‘to prevent the use of clients' crypto-assets for their own account’—full stop.
No explanation was provided. The legislative materials remain silent. On its face, this appears to amount to a blanket prohibition. ESMA has therefore concluded that custodial staking and lending are now impossible under MiCAR (ESMA Q&A No. 2607).
However, that reading creates significant regulatory friction. Security tokens (ie crypto-assets that qualify as securities) remain governed by MiFID II, which expressly permits use with client consent (Lehmann & Schinerl 2024). Under a literal interpretation of Article 70(1) MiCAR, a crypto portfolio would thus be fragmented: security tokens could be used productively, whereas assets regulated by MiCAR, such as stablecoins, could not. This would result in EU law regulating certain crypto assets more strictly than traditional securities—the very opposite of MiCAR's ‘MiFID light’ philosophy (Krönke 2024).
- What the Consent Clause Was Really For
To resolve this puzzle, it is essential to understand the function of ‘express consent’ in securities regulation. It is not a requirement for the validity of consent under private law. Under general private law, a client’s consent—without any particular formalities—is sufficient to authorise the productive use of their assets.
Instead, ‘express consent’ functions as a regulatory documentation requirement for supervisory purposes. Recital 10 of the MiFID II Delegated Directive explains that consent ‘should be given and recorded by investment firms in order to allow the investment firm to demonstrate clearly what the client agreed to and to help clarify the status of client assets’ (Commission Delegated Directive (EU) 2017/593). In other words, it serves an evidentiary function, enabling supervisors to verify what custodians are authorised to do.
Breaching this requirement triggers administrative penalties (Article 70 MiFID II; Article 111 MiCAR) – but does not invalidate the underlying contract. The provision is designed to ensure institutional resilience and prevent unauthorised use of client assets, rather than to constrain private autonomy.
Once the deleted clause is understood as a supervisory evidentiary rule rather than a substantive prohibition, the legislator's deletion becomes more coherent. By removing the EU-level documentation requirement, it effectively left questions of consent formalities to national private law. On this reading, the deletion reflects regulatory minimalism rather than a deliberate restriction on crypto activity.
- Why the Teleological Reading Prevails
MiCAR's purpose supports this interpretation. Article 70(1) imposes organisational requirements designed to safeguard client assets against two key risks: insolvency risk (ie, creditor access to client assets in the event of custodian failure) and administrative risk (ie, unauthorised use or commingling of assets) (cf. Nabilou 2022).
Neither risk materialises where a client voluntarily consents to the productive use of their assets. In such cases, the client accepts the arrangement: their assets are used (for example, transferred to a borrower in a lending transaction), and they receive returns or more favourable terms in exchange. This is economically rational and grounded in private autonomy. The custodian must still segregate the assets and ensure that the client’s consent is valid; otherwise, the arrangement is invalid under private law. However, the underlying objective of Article 70(1) MiCAR is thereby fulfilled.
Systematic comparison reinforces this view. MiFID II permits securities lending with client consent, supported by collateralisation requirements to mitigate insolvency risk (Article 5(4) Commission Delegated Directive (EU) 2017/593). The DLT Pilot Regulation likewise allows the use of blockchain-based securities. Interpreting Article 70(1) MiCAR as a blanket prohibition would therefore invert the ‘same risks, same rules’ principle that MiCAR purports to follow.
- National Private Law Takes Over
If Article 70(1) MiCAR does not prohibit consensual use, the question becomes where the limits lie. These are governed by national private law, in particular rules on general terms and conditions (GTC).
In practice, providers typically rely on two models (Skauradszun et al 2023; Meier et al 2023). Opt-in models set out the possibility of use in general terms but require separate, transaction-specific consent. Because each transaction is individually agreed, this approach generally avoids issues under GTC law.
Opt-out models, by contrast, provide for blanket consent in the standard contractual terms. Here, consumer protection rules—most notably the EU Unfair Terms Directive—may come into play. A clause that shifts insolvency-related risk onto consumers without adequate countervailing benefits could be challenged as unfair. However, carefully drafted opt-out arrangements that provide appropriate consideration (such as revenue sharing or reduced fees) are likely to withstand scrutiny, much like securities lending provisions in traditional finance.
- The Crypto Lending Debate
This interpretation has immediate policy relevance. A recent position paper (Annunziata et al 2025) debated, among other issues, whether Article 70(1) MiCAR should be waived for lending on the assumption that it precludes all forms of productive use.
We believe a waiver would be unjustified. If Article 70(1) is interpreted as we propose, it applies naturally to crypto lending: custodians must segregate assets and obtain client consent. In addition, it seems natural to address the insolvency risk arising from the transfer of full rights in crypto lending in the same way as in securities lending: the provider is then obliged to provide sufficient collateral for the loan so that the customer can never be affected by the insolvency risk of the third party. In this way, the advantages of crypto lending are retained without creating unnecessary risks.
- Conclusion
Article 70(1) MiCAR does not prohibit productive use of client crypto-assets with consent. The omitted ‘express consent’ clause functioned as a regulatory documentation requirement, not a substantive prohibition. Its deletion left questions of consent formalities to national law.
This reading avoids regulatory inconsistencies with MiFID II, respects MiCAR's protective purpose, and enables coherent future regulation of crypto lending. As others have observed, crypto regulation benefits significantly from insights drawn from traditional finance. The path forward is not to exempt crypto from custody rules, but to apply them intelligently—drawing on securities law while adapting to the technical realities of crypto assets.
European regulators should clarify this interpretation through guidance and ensure that future crypto lending rules build on, rather than undermine, Article 70(1)’s asset segregation framework.
The authors’ paper is available here and here.
Johannes Hirtenlehner, LLM (WU), is a former research assistant at the Professorship of Banking and Financial Market Law at the University of Liechtenstein.
Julian Isci, LLM (WU), is a research associate at the Professorship of Banking and Financial Market Law at the University of Liechtenstein.