MiFID II and tokenized securities: what are the compliance gaps? (Part II)

In the previous article, we established a clear understanding of MiFID—its scope, objectives, and impact—alongside an in-depth exploration of tokenized securities. For a deeper grasp of these foundational concepts, we encourage you to refer back to that discussion.

With the basics of MiFID II and tokenized securities in mind, we arrive at the crux of the issue: MiFID II and the current regulatory framework did not fully anticipate the advent of tokenized securities, leading to gaps in how these digital assets are regulated. In other words, there’s a compliance gap – a mismatch between the traditional rules and the new technological reality.

First, it’s important to clarify what is covered under MiFID II and what isn’t. MiFID II defines a range of “financial instruments”, and any instrument that falls into these definitions is subject to the MiFID II rules. This includes “transferable securities,” a term that means traditional securities like stocks and bonds (anything negotiable on the.

On paper, a tokenized stock or bond should squarely fit into this definition – after all, it’s representing the same underlying rights as a conventional security. Regulators have reinforced this view: if it walks and quacks like a security, it’s a security – regardless of being on a blockchain.

This principle of “technology neutrality” means that issuing the instrument via distributed ledger technology (DLT) doesn’t exempt it from existing law.

However, acknowledging that tokenized securities are financial instruments (in most cases) is one thing; effectively applying MiFID II’s rules to them is another. ESMA, the EU’s securities regulator, noted this issue as early as 2019: many crypto-assets that qualify as MiFID instruments face interpretation challenges because “the existing rules were not designed with these instruments in mind”, and certain MiFID requirements aren’t adapted to their specific characteristics.

Let’s break down some of the key compliance gaps and challenges below.


1. Classification Uncertainty

While a straightforward tokenized share is a transferable security, not all tokens are that straightforward. Some “security tokens” have hybrid features – for example, a token might have characteristics of equity (profit-sharing rights) but also look like a usage token in a platform. Determining whether a particular token falls under MiFID II can be tricky and not uniform across the EU.

Different national regulators historically took slightly different views on borderline cases (one country might say a certain token is a security, another might not), leading to the lack of a harmonized approach. New guidance is addressing this (ESMA’s 2024 draft guidelines aim to unify this classification process), but during the early rise of tokenization there was genuine confusion. If a firm misclassifies a token that should have been treated as a financial instrument, it might inadvertently operate outside the law (for instance, selling a tokenized investment without doing MiFID suitability checks or without a license). Conversely, if a firm over-complies with MiFID for a token that isn’t a security, it may be imposing unnecessary restrictions on itself.

This grey area in classification is a foundational compliance gap: you need to know what rules apply in the first place.


2. Trading Venue and Market Structure

MiFID II assumes that trading of securities happens on certain types of venues – regulated markets (stock exchanges), MTFs, OTFs, or via systematic internalisers. These are well-defined, heavily regulated environments. But one vision of blockchain-based finance is peer-to-peer trading or new kinds of decentralized exchanges.

Under MiFID II, if a token is a security, you generally cannot just trade it on any random platform or directly peer-to-peer in the wild; doing so could violate the trading venue rules or transparency requirements. In fact, MiFID II and related EU rules (like the Central Securities Depositories Regulation) effectively require that securities trades be settled through recognized central infrastructures. This means the law expects a CSD to register ownership and an exchange/MTF to match trades in most cases.

A purely on-chain transfer between two investors, if done without a recognized intermediary or outside an exchange, doesn’t neatly fit these requirements. The result is a compliance conundrum: Are tokenized securities forced to use traditional venues (losing the benefit of blockchain’s efficiencies), or can they trade on new blockchain-native venues (which current law didn’t contemplate)?

This gap is precisely why the EU had to create the DLT Pilot Regime to experimentally bridge traditional venues with DLT trading. Until that came into play, any firm wanting to allow secondary market trading of tokenized stocks/bonds in the EU had to navigate rules that simply never foresaw blockchain trades.


3. Best Execution and Price Discovery

MiFID’s best execution rule means if you’re a broker executing an order for a client, you have to seek out the best possible result across available venues. In the tokenized world, imagine a scenario where a particular security token could be traded on multiple platforms – say a regulated exchange and also on some alternative blockchain marketplace. The firm must monitor prices on all venues to ensure the client gets the optimal price. This is already complex in traditional finance, but at least in traditional finance, venues are well-known, and data is integrated. With new token platforms, especially if some are overseas or not fully regulated, getting reliable data to compare prices can be challenging. Additionally, many security tokens today suffer from low liquidity – there may be only one active platform or market-maker. Best execution rules still apply (the law doesn’t give a pass for illiquidity), so firms have to document how they will achieve best execution. This might involve, for example, explaining that there is only one venue and thus best execution is assessed over time (executing in a manner that minimizes market impact, etc.). It’s a practical gap in that MiFID II’s text assumes a mature market structure; in a nascent token market, adhering to the spirit of best execution requires creative policies. ESMA and national regulators have indeed been pondering how to calibrate such obligations when traditional metrics (like a reference price from a primary exchange) might not exist.


4. Suitability and Complexity

Tokenized securities often qualify as complex products (especially if they involve derivatives or novel structures). Under MiFID II, selling complex products to retail investors triggers an appropriateness test (to check if the investor understands the product if no advice is given), and any investment advice or portfolio management involving them requires a rigorous suitability assessment. The compliance gap here is mostly about investor understanding and risk – many investors find the concept of blockchain-based assets confusing. How do you explain to a client used to a traditional stock certificate that now their ownership is represented by a token in a digital wallet? What about the technical risks (cybersecurity, losing private keys, etc.)? These aren’t traditional risk factors in a prospectus, yet they are very real for tokenized assets. MiFID II’s existing framework doesn’t spell out how to account for “tech risk” in suitability, but a diligent advisor should consider it. For example, a 70-year-old conservative investor might be okay owning blue-chip stocks in a regular account, but if those stocks were only available in tokenized form, is the additional technical step a risk that makes it unsuitable for them? Possibly yes, if they are not comfortable with digital wallets or if the custody solution is too experimental. Firms have to extend traditional investor protection concepts to cover these new wrinkles, essentially filling the gap with internal policies (since the law doesn’t explicitly enumerate them).


5. Custody and Asset Safekeeping

MiFID II and related regulations impose strict rules on how client assets are safeguarded. Typically, if an investment firm holds securities for clients, those securities must be segregated, kept in qualified custodian accounts, and there are periodic reconciliations to ensure nothing is amiss. With tokenized securities, what is the “custody” approach? If the client holds their own tokens in a personal wallet, the firm technically isn’t holding custody – but then the client is bearing new responsibilities (and if they mess up, does the firm have any duty to help?). If the firm or a third-party custodian holds the private keys on behalf of the client, they must treat those tokens just like any other client asset – which means new operational procedures: using digital wallets, secure key storage (perhaps hardware security modules, multi-signature schemes), and dealing with blockchain governance issues (e.g., what if there’s a fork in the blockchain or a smart contract upgrade – things traditional custody never worried about). Current regulations don’t detail any of this, because, again, it wasn’t in contemplation. We have a gap where traditional custodians are adapting tech solutions and regulators are having to consider whether, for example, a crypto-custodian needs to be separately licensed or if existing custodian rules suffice. (Notably, the EU is also working on a Regulation on digital operational resilience, which touches on some tech risk issues, but that’s another piece of the puzzle.)


6. Reporting and Transparency Oddities

As mentioned, MiFID II requires extensive trade and transaction reporting. One quirk is that every financial instrument that is reported needs an identifier (an ISIN – International Securities Identification Number – or other code). Many security tokens were initially issued without ISINs (since they weren’t on traditional exchanges that assign them). Firms dealing in such tokens have had to obtain ISINs or use surrogate identifiers to report trades to regulators. Moreover, if trades occur on a blockchain, regulators might not have direct visibility into that (unlike an exchange where regulators often get data feeds). Therefore, the onus is on the firm to extract the necessary data from the blockchain and include it in their MiFID-mandated reports. This is doable but requires integration between blockchain data and the firm’s reporting systems – something not trivial and not foreseen when MiFID’s reporting rules were drafted. Additionally, MiFID II’s transparency regime (publishing trade details to the public if above certain thresholds, etc.) wasn’t designed for an environment where trades might automatically be visible on a public ledger. There’s an argument that if all trades are on a public blockchain, the market is de facto transparent. However, MiFID II has specific formats and approved channels for transparency (like Approved Publication Arrangements for trade reports). Until regulators say “yes, a public blockchain node output can count as a trade tape,” firms likely still need to use the approved channels – effectively double-reporting what’s already visible on-chain to ensure compliance.


In summary, the compliance gap is not that tokenized securities are unregulated – if they fit the definition, MiFID II applies – but rather that the rules were designed for a traditional market paradigm. This leaves practitioners and regulators struggling to interpret how to fulfill the spirit of the law when the letter of the law doesn’t neatly map onto the new technology. ESMA captured it well: Regulators face challenges, and certain requirements “are not adapted” to crypto-assets. Until adaptations are made (through new rules or guidance), there’s a risk of inconsistency and uncertainty. And where there’s uncertainty in regulation, there’s potential risk – for firms and investors alike.

Fadila Alillouch

Third-year (L3) PGE student at SKEMA Business School, Grand Paris campus

1 week

Thank you Sarah, it's very enlightening


More articles by Sarah Zouaki
