1.  Issuers of asset-referenced tokens shall have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks to which they are or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.

2.  Members of the management body of issuers of asset-referenced tokens shall be of sufficiently good repute and possess the appropriate knowledge, skills and experience, both individually and collectively, to perform their duties. In particular, they shall not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute. They shall also demonstrate that they are capable of committing sufficient time to effectively perform their duties.

3.  The management body of issuers of asset-referenced tokens shall assess and periodically review the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2, 3, 5 and 6 of this Title and take appropriate measures to address any deficiencies in that respect.

4.  Shareholders or members, whether direct or indirect, that have qualifying holdings in issuers of asset-referenced tokens shall be of sufficiently good repute and, in particular, shall not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute.

5.  Issuers of asset-referenced tokens shall adopt policies and procedures that are sufficiently effective to ensure compliance with this Regulation. Issuers of asset-referenced tokens shall establish, maintain and implement, in particular, policies and procedures on:

6.  Unless they have initiated a redemption plan referred to in Article 47, issuers of asset-referenced tokens shall employ appropriate and proportionate systems, resources and procedures to ensure the continued and regular performance of their services and activities. To that end, issuers of asset-referenced tokens shall maintain all of their systems and security access protocols in conformity with the appropriate Union standards.

7.  If the issuer of an asset-referenced token decides to discontinue the provision of its services and activities, including by discontinuing the issue of that asset-referenced token, it shall submit a plan to the competent authority for approval of such discontinuation.

8.  Issuers of asset-referenced tokens shall identify sources of operational risk and minimise those risks through the development of appropriate systems, controls and procedures.

9.  Issuers of asset-referenced tokens shall establish a business continuity policy and plans to ensure, in the case of an interruption of their ICT systems and procedures, the preservation of essential data and functions and the maintenance of their activities or, where that is not possible, the timely recovery of such data and functions and the timely resumption of their activities.

10.  Issuers of asset-referenced tokens shall have in place internal control mechanisms and effective procedures for risk management, including effective control and safeguard arrangements for managing ICT systems as required by Regulation (EU) 2022/2554 of the European Parliament and of the Council ( ¹¹ ). The procedures shall provide for a comprehensive assessment relating to the reliance on third-party entities as referred to in paragraph 5, first subparagraph, point (h), of this Article. Issuers of asset-referenced tokens shall monitor and evaluate on a regular basis the adequacy and effectiveness of the internal control mechanisms and procedures for risk assessment and take appropriate measures to address any deficiencies in that respect.

11.  Issuers of asset-referenced tokens shall have systems and procedures in place that are adequate to safeguard the availability, authenticity, integrity and confidentiality of data as required by Regulation (EU) 2022/2554 and in line with Regulation (EU) 2016/679. Those systems shall record and safeguard relevant data and information collected and produced in the course of the issuers’ activities.

12.  Issuers of asset-referenced tokens shall ensure that they are regularly audited by independent auditors. The results of those audits shall be communicated to the management body of the issuer concerned and made available to the competent authority.

13.  By 30 June 2024, EBA, in close cooperation with ESMA and the ECB, shall issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 specifying the minimum content of the governance arrangements on: