Automated Crypto Trading Bots Face Regulatory Oversight Under MiCAR

The Austrian Federal Administrative Court (Bundesverwaltungsgericht) ruled on January 21, 2026, that the use of automated trading bots on customer crypto-asset accounts can constitute portfolio management under Article 3(1)(16)(i) of the Markets in Crypto-Assets Regulation (MiCAR). This decision clarifies that software-driven trading strategies, when controlled by a provider, require regulatory authorization regardless of how the service is marketed.

What Constitutes Portfolio Management Under MiCAR?

According to the court’s decision (case number W204 2324124-29E), four specific criteria must be met for a service to be classified as portfolio management. First, the service must be provided on an individual basis. In this case, customers granted the provider API access to their personal exchange accounts, and the provider’s system was marketed as a tailored solution. Second, the provider must exercise discretionary power. The court determined that because the provider’s algorithms autonomously executed trades based on proprietary strategies and data sources without requiring individual user approval for each transaction, the provider maintained control over investment decisions.

Third, the service must involve a customer portfolio containing crypto-assets, which was undisputed in this instance. Finally, the activity must be commercial. The court applied the VAT-law definition of commercial activity, noting the provider’s pursuit of sustainable income through a 10% share of net profits and its continuous, public offering of the service.

Why Client-Controlled Bots Still Require Authorization

A primary defense offered by the provider was that clients maintained ultimate control, as they could manually activate or deactivate the bot at any time. The court rejected this argument, stating that the regulatory nature of the service does not change based on a user’s ability to start or stop the software. Once the automation was active, the bots executed transactions independently. Furthermore, the court referenced the Financial Action Task Force (FATF) definition of control, which includes the ability to dispose of, trade, or transfer assets. By connecting via API and allowing the bot to execute trades, the provider effectively exercised this control.

The End of the “SaaS” Defense for Trading Bots

The provider characterized its offering as mere “Software as a Service” (SaaS), arguing that the systems only generated non-binding signals. The court disagreed, highlighting that the provider developed, managed, and adjusted the underlying trading algorithms and data sources. Because customers did not determine the specific parameters for individual trades, the service moved beyond a simple technical tool and into the realm of professional portfolio management.

This ruling serves as a significant precedent for the crypto industry. It signals that regulators will look past marketing labels like “analytical tool,” “signal provider,” or “SaaS” to evaluate the actual functionality of a service. Any business model where an provider dictates trade logic, manages execution, and ties compensation to performance risks being classified as a regulated crypto-asset service, necessitating formal authorization under Article 59 of MiCAR.

Key Regulatory Takeaways

• Substance over Form: Regulators prioritize the actual operation of the bot over the marketing terminology used by the provider.
• Discretionary Control: If a bot executes trades based on provider-defined strategies without constant, manual client confirmation, it likely qualifies as portfolio management.
• Authorization Requirements: Providers operating such models must comply with MiCAR licensing requirements to avoid enforcement actions, including potential cease-and-desist orders and administrative fines.
• Precedent: The Federal Administrative Court’s decision emphasizes that even temporary or user-activated automation can fall under the scope of MiCAR if the provider retains the power to execute trades.