Reverse Solicitation under MiCA How to legally offer crypto asset services to clients from the EU without a license

Nikita Veremeev

04.02.2026 | 6 min read

Updated: 04.02.2026

I founded COREDO in 2016, and since then our team has supported dozens of international projects: from company incorporations in the EU and Asia to obtaining crypto, payment and forex licenses. Over the years one topic consistently returns to the agenda of executives and CFOs: whether it is possible to work with clients from the EU without a license if the contacts originate from the clients themselves. This is MiCA reverse solicitation — a narrow corridor of lawful cross-border servicing where the time to market, compliance risks and profitability are at stake.

MiCA: what falls within the scope

MiCA forms an EU-wide perimeter for CASPs (crypto-asset service providers) and for the assets themselves. Within the perimeter are asset-referenced tokens (ART), e-money tokens (EMT) and most other tokens that are not financial instruments under MiFID II; some utility tokens may fall outside MiCA if they are not traded on trading platforms and only provide access to an existing product.

MiCA rules for CASPs cover custody and administration of crypto-assets for clients, trading platform operations, exchange of crypto-assets for fiat or other assets, order execution, crypto-asset placements, receipt and transmission of orders, and crypto-asset advisory. If you perform these functions for EU clients from the territory of a third country, you must understand the boundaries of MiCA reverse solicitation and the national rules of complementation in individual member states.

The European Securities and Markets Authority coordinates practice together with national competent authorities (NCAs), but enforcement details are often shaped at the country level. Our experience at COREDO has shown: ignoring local guidelines is a short route to enforcement and regulatory inquiries, even if formally you rely on pan-EU rules.

What is reverse solicitation
I use a working definition: MiCA reverse solicitation is a situation where an EU client on their own initiative (client-initiated contact) approaches a provider in a third country, and that provider provides a service without prior individual or mass solicitation of demand in the EU. This is the passive reception doctrine: you accept a passive inbound, rather than creating an economic nexus by active measures in the Union.

The logic of “without prior solicitation” means no cold outreach, targeted advertising, roadshows, partner referrals tied to EU territories, or bypass communications before the moment of request. Pre-contractual communication under MiCA is allowed only as a response to a client-initiated contact, without expansion into marketing and without converting the dialogue into a mass campaign.

Requirements for websites and public information are critical here. If a site has an explicit call-to-action for EU residents, is localized in the domain zone of a specific EU country, uses EU-IP targeting, or offers promotions for the EU: NCAs may treat this as providing crypto services without an EU license, rather than as reverse solicitation. At COREDO we often begin an audit with an inventory of the digital footprint: banners, landing pages, cookie policy, geotargeting, testimonials, coverage maps.

MiCA licensing logic and exceptions
Exceptions to MiCA’s licensing obligation essentially boil down to the correct application of reverse solicitation, but national regulators calibrate the threshold of permissible actions differently. In one COREDO project for a client from Dubai we agreed with local lawyers in two EU jurisdictions the boundaries of permissible web communication: neutral content, no personalized offers, a strict ban on EU-ID retargeting.

MiCA transitional provisions are important for providers already operating under local regimes before full implementation. At the same time transitional provisions do not make reverse solicitation limitless: NCAs continue to apply their own economic presence tests, and ESMA publishes enforcement guidance that influences interpretations.

Servicing EU clients from a third country (onshore vs offshore servicing) is permissible in the absence of presence and substance in the EU, by forming a contractual structure outside the EU and building processes around passive reception. But as the share of EU clients grows and onshore teams, representative offices or agents appear in the Union, the risk of forced jurisdiction and enforcement arises.

Legally offering crypto-asset services
The key question is how to document inbound client requests. The solution developed at COREDO includes multi-level recording of client-initiated contacts in the CRM and web platform logs: recording the original click source, storing the voluntarily submitted contact form, timestamp, IP and geodata, as well as screenshots of user journeys.

Best practices for crypto service providers include an opt-in onboarding process where the client confirms they initiated the contact independently, understands the absence of an EU license and acknowledges that servicing is provided from a specific third country. Consent documentation and record-keeping requirements under MiCA require retaining these confirmations for periods at least equal to the document retention policy adopted in your jurisdiction and aligned with EU expectations.

The evidentiary basis in a dispute with a regulator relies on audit trails and IT logging. At COREDO we add to the legal memorandum an evidence preservation layer: captured versions of the site at the time of contact (web archives), cold campaign logs (showing zero EU targeting), internal instructions to managers prohibiting proactive contacts. Such COREDO practice demonstrates that even in the event of a regulatory request you can present a structured defense line.

KYC and EDD under reverse solicitation
AML principles under reverse solicitation are not weakened: a risk-based approach is mandatory just as it is for licensed activity. I recommend building KYC/CDD processes for non-residents from the outset, including PEP screening and EU sanctions lists, confirmation of beneficial ownership (UBO), and source-of-funds and wealth checks when internal thresholds are exceeded.

Transaction monitoring for client-initiated activity cannot be simplified. We implemented behavioral monitoring algorithms for several CASPs, configured thresholds for alerts and SARs, documented escalation procedures in case of suspicions and assigned MLRO duties and responsibilities at the board level. The Travel Rule’s application to crypto transactions is a separate control point, especially when interacting with European VASPs.

Enhanced Due Diligence for clients from the EU is necessary in cases of heightened risk related to jurisdiction, transaction typology or product category (for example, highly volatiletokens, participation in off-chain transactions, working with mixers). In some projects the COREDO team implemented a hybrid model: basic KYC in-house, while EDD and screening are carried out by a certified provider, with transparent outsourcing of compliance to a third party.Marketing: pre-contractual communication
Restrictions on advertising and cold outreach, the basic rule of reverse solicitation under MiCA. Any contact activity directed at EU residents, including partner programs with EU bloggers, referral payments, localized landing pages “for EU clients”, are red flags for NCAs. legal opinion drafting for reverse solicitation at our firm always includes a legal assessment of advertising campaigns and oversight of marketing materials.

Pre-contractual communication rules of MiCA allow responses to specific inquiries, but prohibit expanding the dialogue into mass mailings.

Requirements for websites and public information include neutral presentation, absence of promises of service availability in the EU, a clear disclaimer about the provider’s non-resident status and the contract’s jurisdiction. In one case COREDO’s transfer of a site from an EU domain to an international one with geotargeting disabled eliminated the provider’s risk of a formal “EU public offer”.

The test for client passivity must be clear to the sales team. We prepare cheat-sheets for managers “do/don’t”: what can be said, how to answer questions about availability for EU residents, what information is relevant and how to avoid the fine line between advising and solicitation. This reduces the likelihood of unintentionally breaching the “without prior solicitation” logic.

Structuring relationships with an EU client

Contract structuring for reverse solicitation is built around transparency and choice of law. Contract models with a client from the EU include clear terms of service and dispute jurisdiction outside the EU, disclosures about the provider’s status, the absence of an EU license and the legal position of the third country. Protective clauses in the contract should cover risks of compelled jurisdiction, product limitations and service termination in the event of regulatory requirements.

Transparency and disclosure in reverse solicitation are an ally, not an obstacle. Proper product governance, client segmentation and territorial risk assessments, as well as a documented evaluation of the applicability of the MiCA scope to specific assets (for example, ART or EMT), will help demonstrate the model’s good faith to NCAs. At COREDO we formalize governance and board-level oversight in the form of a report to the board on the share of EU clients and triggers for migration to licensing.

Data protection and GDPR implications are also critical. Even if you are outside the EU, processing personal data of EU residents requires GDPR compliance: appointing a DPO where necessary, legal bases for processing, cross-border data transfers and contracts with processors. Confidentiality and information exchange with counterparties must take into account banking secrecy, local AML rules and NCAs’ requirements.

Risks: compliance, reputation, taxes

Compliance risks in reverse solicitation include the risk of reclassification as crypto-asset service providers without a license if the regulator deems your communications to be solicitation. Regulatory fines and enforcement actions are often accompanied by a requirement to close access to EU clients and block local payment channels. COREDO works through pre-emptive remediation steps: freezing marketing, reviewing contracts, additional staff training.

Limiting reputation risks requires a conservative information policy and readiness for regulatory inquiry. Evidence preservation and a document retention policy are not formalities: the absence of log records and screenshots often undermines the provider’s legal position. Our clients who had an established audit trail went through checks with minimal losses.

Tax consequences of cross-border services depend on economic presence. The economic nexus test and the risk of a permanent establishment (PE) in the EU depend on where key managerial decisions are made, where employees are located and where marketing is conducted from. We recommend assessing cross-border tax reporting implications together with tax advisors and taking into account CRS/FATCA when structuring.

Checklist for responding to a request from an EU client

Confirm client-initiated contact: record the channel, time, IP, consent.
Check geotargeting: exclude retargeting and personalized offers for the EU.
Perform KYC/CDD, conduct PEP/sanctions screening, determine the risk profile.
Assess tokens: MiCA scope and classification (ART/EMT/utility), product limitations.
Provide disclosures: non-resident provider status, lack of an EU license, contract jurisdiction.
Appoint the MLRO responsible for monitoring and the travel rule, record thresholds and alerts.
Preserve all evidence: website screenshots, CRM logs and marketing platform logs.
Assess the share of EU clients and thresholds for migration to EU licensing.
Prepare a legal opinion on MiCA reverse solicitation and internal instructions for the team.

Licensing or reverse solicitation
Licensing vs servicing via reverse solicitation: a matter of cost-benefit analysis. The economic feasibility of operating without a license is high at early stages when you need to quickly test a product and reach initial transactions. But compliance cost modeling shows: as the share of EU revenue grows, the cost of marketing controls, legal opinions and enforcement risks begins to exceed the CAPEX for obtaining a license in the chosen EU jurisdiction.

The ROI assessment when foregoing licensing should take into account the probability of fines and restrictions, the cost of regulatory protection and the opportunity cost due to restrained marketing. Scaling the business through reverse solicitation is limited: the model is poorly compatible with active growth and product marketing. In one project COREDO prepared a roadmap: 6 months of a reverse scenario with a cap on the EU share and a parallel launch of licensing in Cyprus taking into account capital and guarantee requirements.

Exit strategies include migrating the business to the EU or servicing remotely while obtaining a license in a country oriented towards CASP. A regulator sandbox program option sometimes accelerates testing of innovative products. Registration formalities in the EU and interaction with a local lawyer, preparation of governance documents, AML policies and procedures for CASP, this is an area where the COREDO team has implemented full cycles, including product governance and board supervision.

Practice and interaction with ESMA/NCAs

ESMA’s enforcement practice shows a high interest in pre-contractual communication and cross-border onboarding. NCAs – national competent authorities of the EU: send regulatory requests and expect transparent answers: website architecture, marketing campaigns, share of EU clients, AML control and escalation procedures. Legal support for reverse solicitation is useful not only in a dispute, but also in preparation for an inspection.

The COREDO team prepares legal opinions on MiCA reverse solicitation taking into account national nuances, including the legal position of third countries and MiCA, product mapping and assessment of the marketing footprint. We agree with the client in advance on a response playbook: who responds, what data is disclosed, how the internal compliance manual for CASP is demonstrated, and how evidence preservation is presented.

Practical tip: conduct a pre-emptive gap review of marketing, onboarding and IT logging before going live with EU traffic. It is faster and cheaper than urgently fixing traces after a regulatory letter.

Internal policies and controls
Drafting an internal control policy for CASP in the context of reverse solicitation is not a simplified version of the “full” license. Documents should cover the risk-based approach to AML/CFT, KYC/EDD, transaction monitoring algorithms, thresholds for SAR, travel rule, outsourcing governance and data quality controls. The internal compliance manual for CASP structures the roles of the MLRO, the second line of defense and escalations to the board.

Control over marketing materials: a mandatory control. We recommend a pre-clearance procedure for any communication that may reach EU residents: landing pages, mailings, social media posts, partner creatives. The document retention policy sets retention periods, and the IT landscape maintains an audit trail across key systems.

Governance and board-level oversight address strategic issues: limits on the share of EU revenue, triggers for moving to licensing, a compliance and legal risk reserve budgeting model. It is at this level that it is decided whether reverse solicitation will remain an experiment or become a bridge to a full EU presence.

COREDO practice examples that work
Case 1: a Singaporean provider serving EU holdings on a request basis. The COREDO team built opt-in onboarding, centralized KYC with EDD for high-risk profiles and a strict “no EU marketing” policy. We prepared a legal opinion on MiCA reverse solicitation with a risk map and a migration plan to a Cypriot license upon reaching a 25% EU-share threshold. A regulatory inquiry from one of the NCAs was closed with an evidentiary base: logs, screenshots, instructions.

Case 2: a Dubai VASP with active content marketing. COREDO’s audit revealed hidden geotargeting to several EU countries and a referral network with EU bloggers. We froze the campaigns, rewrote public disclosures, implemented pre-clearance, trained the sales team and put in place a document retention policy. At the same time we started the licensing process in Estonia; after 8 months the company moved to an onshore model.

Case 3: a British fintech platform with utility tokens. The legal assessment showed exceptions for some tokens, but ancillary services fell within the MiCA scope. COREDO’s practice confirmed: mixed models more often err in classification. We separated product flows, for some — reverse solicitation with neutral web architecture, for others — an application for a license in Slovakia.

Contract models and data protection
Contract models with an EU client should include: choice of law and dispute jurisdiction outside the EU, clear product restrictions, terms for termination of service on regulatory grounds and notifications, disclosure of economic and legal risks. Contracts should set out mechanisms for KYC/EDD, consents for processing and transfer of data, as well as the provider’s rights to transaction monitoring and freezing operations upon red flags.

Terms of service and dispute jurisdiction should work together with data protection policies. Deep integration of GDPR processes (legal bases, DSR procedures, DPIA where necessary) reduces the risk of secondary claims. In one project COREDO synchronized the ToS, privacy notice and AML policy to eliminate contradictions and demonstrate the integrity of governance.

When reverse solicitation is not advantageous
Business model alignment with MiCA requires an honest assessment. If your growth depends on marketing, partnerships and public promotion, reverse solicitation will limit scaling and increase the cost of compliance. If the business case envisages a significant flow of clients from the EU, it is advisable to plan for EU licensing in advance, choosing jurisdictions with a clear NCA practice and accessible infrastructure (for example, Cyprus, Estonia, some Central European countries).

Compliance cost modeling helps management see where the breaking point lies between the costs of legal protection for the reverse model and the CAPEX/OPEX of a licensed presence. The COREDO team often calculates scenarios: a basic reverse for 6–9 months, a hybrid model with limited marketing and a full transition to a license with an onshore team and presence and substance requirements.

What the regulator will ask during an inspection
Preparation for a regulator’s inspection on client-initiated contacts: it is not only documents. Regulators check product governance, the continuity of the customer information trail, monitoring stability, response to alerts and the competence of the MLRO. We conduct simulated requests where the client team answers questions about site structure, onboarding logic, token classification and the use of EU sanctions lists.

The regulatory perimeter under MiCA changes as ESMA publications are released, and COREDO regularly updates templates of the internal compliance manual for CASP. This allows rapid implementation of changes: for example, strengthening requirements for pre-contractual disclosures or revising the passive client test procedure.

Nuances of ART, EMT and utility tokens
Asset-referenced tokens are regulated more strictly, especially regarding issuance, reserves and disclosures. E-money tokens under MiCA trend towards requirements similar to electronic money, including capital and safeguarding of funds. Utility tokens may be outside MiCA with a narrow functional purpose, but as soon as trading availability or an investment motive appears: we return to the MiCA scope.

COREDO helps clients with product mapping: a matrix of token functions, use scenarios, impact on AML/KYC and product restrictions in reverse solicitation. This reduces the risk of incorrect classification and NCA claims.

From hypothesis to a sustainable model

Carry out a MiCA scope and applicability assessment to the product, taking into account national transpositions.
Decide whether the model allows passive inbound without marketing in the EU.
Build web and CRM architecture with inbound logging, disable EU targeting.
Develop an internal compliance manual, AML policies, travel rule procedures and the MLRO role.
Set up KYC/CDD/EDD, sanctions and PEP checks, transaction monitoring.
Prepare a legal opinion on MiCA reverse solicitation and a response plan for inquiries.
Agree on ToS, agreements, disclosures, a privacy notice and GDPR processes.
Identify triggers for moving to licensing, calculate ROI and choose a jurisdiction.
Maintain record-keeping, evidence preservation and regular board oversight.

Conclusions

Reverse solicitation under MiCA is a tool, not a goal. It helps legally test a product, carefully work with inbound requests from the EU and gather market feedback. But this model requires discipline: no marketing in the EU, impeccable documentation, strong AML/KYC and transparent contractual relations.

The COREDO team has walked this path with clients many times: from the legal opinion and process setup to transitioning to a licensed model in the EU. I am convinced that resilience in the crypto-economy is built on two pillars – strategic clarity and operational excellence. Reverse solicitation can become your bridge to Europe if you define the boundaries in advance, stay within the regulatory perimeter and make a timely decision about licensing.