Crypto regulation under CRR III: what transitional provisions and current developments are in place?

What significance do crypto assets have for banks and how is the regulatory framework structured?

A new feature of the global regulatory framework for capital requirements for bank investments in crypto assets is the explicit link between CRR III and the EU  Markets in Crypto-Assets Regulation (MiCAR). The MiCAR provides clear demarcations and definitions for crypto assets. These include e-money tokens (EMTs), asset-referenced tokens (ARTs) and non-asset-referenced tokens. At the same time, both CRR III and MiCAR explicitly exclude central bank digital currencies (CBDCs^[2]) from their scope. A future digital euro will remain subject to monetary policy rules, not prudential banking regulation.

The core of the new regulations is Sec. 501d CRR III: It assigns all of a bank’s crypto exposures to one of three groups and sets conservative capital requirements for them. This transitional regime will remain in effect until a final Regulatory Technical Standard (RTS) comes into force: The EBA consultation EBA/CP/2025/01 on the calculation and aggregation of crypto exposures concluded in April 2025. A final version of EBA/RTS/2025/04 was published in August 2025. Publication in the Official Journal of the European Union will follow shortly.

Figure 1: Classification of crypto assets into Groups A, B and C under CRR III

Group A consists of tokenized representations of traditional assets, such as a bond that is digitally securitized on a blockchain. Since the credit and market risks mirror those of the underlying instrument, the same risk weight applies. An infrastructure add-on originally proposed under Basel has been dropped.

Group B includes ARTs, i.e. stablecoins pegged to a pool of traditional assets. Due to heightened risks related to value stabilization and governance, these tokens are assigned a flat risk weight of 250%.

Group C serves as the catch-all category for all other crypto assets, such as Bitcoin. These are subject to a 1,250% risk weight, effectively requiring full capital backing. In addition, all exposures in this group together must not exceed 1% of Common Equity Tier 1 capital.

What are the operational implications of the transitional regime?

With CRR III now in force, banks must promptly classify their crypto positions into the designated groups and apply the corresponding risk weights. Netting effects are largely disregarded; long and short positions must generally be reported on a gross basis. The same applies to collateral treatment: Group B and C crypto assets are excluded from collateral recognition under Pillar 1 and therefore cannot be categorized as credit risk mitigants. This can significantly impact capital requirements. Even a moderate Bitcoin trading book may tie up a substantial portion of capital, so that the group-wide limit of 1% of Tier 1 capital is quickly reached.

In practical terms, banks must ensure that their gross exposures to assets in Groups B and C do not exceed 1% of their loss-absorbing Tier 1 capital. Institutions are therefore well-advised to define internal exposure limits at an early stage or to focus exclusively on providing custody services to their customers.

Regulatory implementation also requires new process and data structures. First of all, institutions must be able to clearly identify crypto assets as such, automatically derive their group classification and maintain historical records for supervisory audits. This affects not only trading systems but also data management and regulatory reporting. At the same time, risk controlling must be expanded to include crypto-specific stress scenarios: What would a sudden price crash or the failure of a major exchange mean for liquidity and capital?

The CRD VI^[3]  reinforces these qualitative expectations. Before launching a new crypto business model, banks must conduct an ex-ante risk assessment covering market, operational, legal and anti-money laundering risks. As part of regulatory audits, in particular SREP, regulators will increasingly scrutinize crypto risk governance and impose additional capital requirements (Pillar 2 add-ons) in the event of deficiencies. For banks, this means that lacking a robust framework for key management, cybersecurity and third-party oversight may result in additional capital requirements.

At the same time, Pillar 3 increases the pressure regarding transparency in crypto transactions. Since December 31, 2024, large institutions must disclose qualitative descriptions of their crypto transactions as well as quantitative information on gross, net and risk-weighted exposures. The EBA^[4] has finalized the relevant templates. Banks with significant crypto exposures should already be adapting their financial and business reporting structures to be able to provide reliable figures in the short term. Especially institutions that issue stablecoins on a significant scale or offer extensive custody services will increasingly attract scrutiny from investors and rating agencies.

What are the future strategic priorities for crypto regulation?

The next milestone is the finalization of the RTS under EBA/CP/2025/01. The forthcoming standard is expected to introduce certain operational reliefs – such as clearly defined netting rules for liquid tokens or recognized hedging mechanisms, provided that reliable price data is available. However, the core parameters, namely the 250% and 1,250% risk weights and the 1% Tier 1 capital limit for aggregated gross exposures in Groups B and C, are unlikely to be changed.

Article 501d (1) CRR III places the European Commission under pressure to present a legislative proposal for a final, more risk-sensitive framework. The experience gained during the transition period, the EBA consultation and any international developments, for example in the USA or the UK, will be taken into account. It remains uncertain whether established liquidity ratios such as LCR and NSFR will eventually incorporate certain stablecoins, or whether new large exposure limits for crypto issuers will be introduced. What is clear, however, is that regulatory pressure will persist.

A two-phase approach is recommended for banks. In the short term, institutions must ensure full and timely compliance with regulatory requirements: classify positions, calculate capital requirements, monitor exposure limits and establish disclosure and reporting processes. At the same time, governance structures, risk control frameworks and IT security must be aligned with the qualitative expectations set out in CRD VI. Institutions that successfully meet these requirements will be well-positioned to pursue targeted business opportunities in the second phase, such as trading and issuing tokenized bonds or offering crypto custody services to customers. The regulated environment is fostering greater trust and institutional demand, enabling well-prepared banks to expand their market share.

CRR III now brings crypto assets within the scope of banking supervision. The transitional regime is strict and provides institutions with clear regulatory boundaries. Institutions that proactively adapt their data management and operational processes are laying the groundwork for stable, compliant and reliable participation in the crypto market.