Basel Institute on Governance ¦ Shaping Virtual Assets Regulations Fit For The Future

Shaping Virtual Asset Regulation Fit for the Future – Lessons from CoSP11 Tech Day

Opening the conversation on virtual assets at the first-ever tech day of the Conference of the States Parties (CoSP) highlighted a global consensus: digital finance promises efficiency, inclusion, and transparency, but it also introduces new, fast-moving risks that demand coordinated, adaptive regulation. Speakers from international organizations, regional regulators, national authorities and the private sector converged to stress three enduring priorities: harmonized standards, cross-border cooperation and pragmatic, risk-based rules that preserve innovation while protecting financial integrity. The session underscored how different jurisdictions are responding with distinct but complementary approaches: the EU’s comprehensive Markets in Crypto-Assets framework (MiCA), Qatar’s two-track model prioritizing tokenization and permissioned distributed ledgers, Georgia’s rapid sandbox-driven regulatory learning, Romania’s intelligence-led supervision and industry perspectives on operational resilience and investigative cooperation.

MiCA and the European approach – structure, scope and supervisory evolution

The EU’s MiCA regulation represents one of the most ambitious regional efforts to create a unified legal framework for crypto-asset markets. Rather than regulating tokens themselves as a single class, MiCA differentiates among asset-reference tokens, e‑money tokens and other crypto-assets, imposing proportionate obligations on issuers and service providers. Issuers of asset-reference and e‑money tokens face authorization and reserve requirements, redemption rights and recovery planning. Crypto-asset service providers (CASPs) must be licensed, comply with consumer protection and market integrity rules, and operate under national supervision, though a proposed update would centralize supervision in ESMA to reduce fragmentation. The EU has also embedded FATF-style AML travel-rule obligations, created crypto-asset account registries to enable identification of custodial account owners, and outlawed anonymous custodial accounts. MiCA’s phased implementation and subsequent amendments reflect an evolving regulatory landscape where policy adapts to market and enforcement experience.

Qatar’s two-track strategy – focus on tokenization and fit-for-purpose regulation

Qatar’s regulatory design deliberately separates tokenized real-world assets and permissioned ledgers from broad, retail-focused stablecoins and cryptocurrencies. The Qatar Financial Centre’s framework treats blockchain infrastructure and token services in light of the underlying activity: if a provider offers tokenization of financial instruments, activities such as issuance, custody and exchange become regulated financial services subject to existing prudential, conduct and AML/CFT rules. This “substance over form” stance enables rapid, targeted rules for tokenization use cases – such as real estate, securities, and money market fund tokenization – while keeping higher-risk, broadly circulating crypto-assets under review. Qatar’s approach emphasizes domestic coordination among central banks, securities regulators and law enforcement as a precondition to effective supervision and is oriented toward live simulations and progressively raising standards.

Georgia’s sandbox-first learning model – speed with safeguards

Georgia illustrated a “learn-by-doing” regulatory posture designed to reconcile the trilemma of enabling innovation, managing AML/CFT and protecting consumers. The National Bank of Georgia has rapidly introduced VASP oversight, integrated VASPs into AML frameworks, and used regulatory sandboxes to test tokenization use cases – tokenized deposits being a prime example. Georgia’s experience highlights the importance of embedding compliance and control mechanisms into product design, ensuring traceability, and designing onchain features (for example, freezing or recovery mechanisms) with law enforcement needs in mind. Georgia’s recent extension of regulator mandates to include investor protection, prudential and cybersecurity requirements shows how iterative regulatory steps can scale as markets mature.

Bastian Schwind-Wagner _Follow

"Effective virtual asset regulation hinges on clear, risk-based rules and strong domestic coordination among central banks, securities supervisors and law enforcement. Standardized blockchain analytics and interoperable data systems are essential to turn on-chain and off-chain information into actionable intelligence for supervision and investigations.

Regulators must engage the private sector and use sandboxes and live simulations to test rules and embed compliance by design into token architectures. Sustained international cooperation and rapid incident-response mechanisms will ensure digital finance evolves with integrity, resilience and public trust."

Data, intelligence and standardization – building an interoperable supervisory backbone

Speakers emphasized that regulators cannot fight onchain financial crime without quality data and standardized blockchain analytics. Romania and other discussants argued that moving from raw data to actionable intelligence is essential: standardized methodologies for blockchain analysis, clear provenance of onchain-to-offchain linkages and a reduction of false positives from analytics vendors are all prerequisites for reliable supervisory and investigatory decision-making. Practical interoperability – interconnected account registers, cross-border FIU access, and shared analytic standards – will close data gaps and reduce regulatory arbitrage. The EU’s account registry plan and interconnected FIU access by 2029 are examples of infrastructural steps toward trusted information sharing.

Private sector resilience, incident response and law enforcement cooperation

An industry perspective offered concrete lessons on operational security and post-incident reforms. Exchanges described layered defenses – multi-vendor analytic stacks, rigorous KYC, continuous screening and internal investigations – but also acknowledged persistent threats like increasingly sophisticated hacks, deepfakes and social-engineering scams. A major exchange attack highlighted the value of preparedness: transparent, timely communication to users and regulators, rapid coordination with law enforcement, and significant upgrades to custody architecture and internal controls. Industry-regulator-law enforcement cooperation has grown into a daily operational reality, with exchanges committing to fast SLAs for information requests and sharing onchain investigative leads to support asset recovery and prosecutions.

Decentralized finance – the enduring legal and operational puzzle

DeFi remains the most challenging frontier. Panelists agreed that a functional approach – looking past labels of “decentralized” toward the presence of identifiable control – should guide regulation and AML obligations. Where an identifiable actor or control mechanism exists, jurisdictions will expect licensing and compliance obligations. But truly permissionless protocols present practical enforcement limits: absent a legal person or entity to hold accountable, traditional regulatory tools are hard to apply. This unresolved tension makes DeFi a central topic for international standard setters and domestic authorities going forward.

Policy takeaways – a pragmatic menu for future-proofing regulation

First, regulators should harmonize standards and analytic methodologies to reduce fragmentation while preserving regulatory experimentation.

Second, national domestic coordination across central banks, securities regulators and law enforcement must precede international cooperation to ensure coherent domestic outcomes.

Third, regulation should emphasize “same activity, same risk, same outcome” and require embedding of compliance and recovery capabilities into token design where risk warrants.

Fourth, data interoperability and validated blockchain intelligence are foundational – regulators should invest in shared registries, common APIs and standards for attribution.

Finally, multi-stakeholder cooperation with the private sector is not optional; it is operationally essential for incident response, tracing, and implementing pragmatic supervision.

Conclusion – regulation as an adaptive, cooperative project

The CoSP11 tech day discussion made clear that there is no single blueprint for virtual asset regulation. Jurisdictions are pursuing different mixes of licensing, authorization, sandboxing and infrastructure building, tailored to national market structures and policy priorities.

What unites them is a recognition that

• adaptive, risk-based rules;
• interoperable data and analytics; and
• strong public-private and cross-border cooperation

are the pillars of a resilient regulatory ecosystem.

As markets evolve and technologies shift, ongoing dialogue among regulators, international organizations and industry will be the core mechanism for keeping financial integrity at the heart of innovation.

Acknowledgement

This summary draws on the Basel Institute on Governance presentation, which features the presenters.