11 Jan Memo in relation to the regulations over Cryptocurrency and Blockchain in the Republic of Cyprus

Posted at 17:48h in Publications by

General Information

In recent years, Cyprus has actively embraced the evolution of blockchain technology, signaling its ambition to establish itself as a secure financial hub for the exchange of crypto assets and services.

In June 2021, the Cyprus Securities and Exchange Commission (“CySEC”) introduced a significant initiative – the Crypto Asset Service Providers (“CASP”) Registry. This groundbreaking development establishes the operational framework, registration procedures, and supervision conditions for entities engaged in providing crypto exchange services. Prospective applicants are required to submit applications to CySEC for registration, thereby allowing them to offer crypto exchange services within a well-defined and regulated framework. This move underscores CySEC’s commitment to fostering a secure and compliant environment for crypto asset service providers in Cyprus.

Legal and Regulatory Framework

The AML Law currently stands as the primary legislation governing crypto-assets in Cyprus.

Primarily, this legislation furnishes a definition for the term “crypto-asset,” describing it as a digital representation of value not issued or guaranteed by a central bank or public authority. It is not inherently tied to a legally established currency, lacks legal status as currency or money, but is accepted by individuals as a means of exchange or investment. It can be electronically transferred, stored, or traded and excludes the following:

      • Fiat currency;
      • Electronic money; or
      • Financial instruments as defined in Part III of the First Appendix of the Law on the Provision of Investment Services and Activities and Regulated Markets 87(I)/2017.

 

Furthermore, the legislation acknowledges and outlines the definition of Crypto-Asset Service Providers. According to this definition, a CASP is an entity that provides or engages in one or more of the following services or activities for or on behalf of another person:

      • Exchange between crypto-assets and fiat currencies;
      • Exchange between crypto-assets;
      • Management, transfer, holding, and/or safekeeping (including custody) of crypto-assets or cryptographic keys or means allowing control over crypto-assets;
      • Offering and sale of crypto-assets, encompassing initial offerings; and
      • Participation or provision of financial services related to the distribution, offer, and sale of crypto-assets, including initial offerings.

 

The previously mentioned financial services related to the distribution, offer, and/or sale of crypto-assets are also categorized as the following investment services:

      • Reception and transmission of orders;
      • Execution of orders on behalf of clients;
      • Dealing on own account;
      • Portfolio management;
      • Provision of investment advice;
      • Underwriting and/or placing of crypto-assets on a firm commitment basis;
      • Placing of crypto-assets without a firm commitment basis;
      • Operation of a multilateral trading facility for buying and selling crypto-assets.

 

Additionally, the AML Law mandates that a person recognized as a CASP must be formally registered with CySEC, unless it is a CASP established and registered in an EU member state. In such a case, the CASP must undergo a notification procedure, presenting evidence of its valid registration for each service or activity. If these services or activities are not covered by the existing framework, the CASP must submit an application for registration with CySEC.

To initiate the registration process outlined in Article 5 of the Directive, the applicant must first submit the Application for Registration issued by the Cyprus Securities and Exchange Commission.

The submission should include all the documents and information specified in the application form, including:

        • The information outlined in Article 4;
        • The crypto-assets’ addresses of the CASP;
        • The crypto-assets related to the services or activities provided by the CASP;
        • The types of clients served by the CASP;
        • Details on whether the CASP offers payment services in crypto-assets;
        • Information on whether the CASP operates crypto-assets ATMs, including the number and exact locations;
        • Geographic jurisdictions in which the CASP operates;
        • Details regarding the CASP’s registration or supervision in any other jurisdiction.

 

For precision, the applicant, in conjunction with the application form, is required to attach the following documents:

        • All documents pertaining to the establishment, composition, and operation of the crypto company (LLC). This includes the certificate of incorporation, certificates of shareholders and directors, and an internal operation manual.
        • A program outlining the initial plan/business plan for the next three years. This program should encompass the company’s marketing and promotional strategy, along with financial and accounting planning.
        • An AML manual that defines an AML/CFT internal policy for the CASP.
        • Documentation related to the aforementioned crypto-assets’ addresses and public keys of the CASP.
        • Documentation validating the existence of an internal system within the CASP that regulates the exchange of information and ensures data integrity.
        • Certifications from external auditors and legal advisers of the applicant.

 

Furthermore, Article 6 of the Directive outlines additional conditions that extend beyond the provision of the previously mentioned information and documents, which the applicant must fulfill to attain registration as a CASP. Specifically, it stipulates that:

Honest and Competent Leadership:

The applicant must ensure that members of the Board and anyone holding a managerial position possess honesty and competence. This is satisfied if the individual has:

      • a good reputation,
      • knowledge, skills, and experience, and
      • devotes sufficient time to the performance of their duties for the applicant.

 

Board Composition:

The Board of Directors of the applicant must consist of at least four (4) persons who meet the above conditions. Among them, at least two must direct the business activities, and the other two must be independent, non-executive members.

Beneficial Owners’ Competence:

The applicant must ensure that its beneficial owners are honest and competent, fulfilled by having a good reputation and the ability to maintain the strong financial position of the applicant.

Online Operations:

When operating online, the applicant must maintain a website that is fully owned and exclusively operated by the CASP.

Compliance Policies:

The applicant must establish appropriate policies and procedures to ensure compliance, including the compliance of its executives, employees, and assignees, with the AML Law and the Directive of CySEC for the Prevention and Suppression of Money Laundering and Terrorist Financing.

Risk Management and Controls:

The applicant must have established appropriate policies, procedures, and systems and controls to ensure the prudent operation of the CASP, including minimizing the risk of theft or loss of its clients’ crypto-assets.

Remuneration Terms:

The applicant must ensure that the remuneration terms of the staff and any other arrangements with its staff do not conflict with its staff’s duty to act in the best interest of its clients nor motivate its staff to implement aggressive promotion practices.

Corporate Governance:

The applicant must have established appropriate corporate governance arrangements, with clearly defined and transparent reference lines.

Continuous Performance:

The applicant must take all reasonable actions to ensure the continuous and regular performance of its activities and must have established an appropriate and up-to-date policy to ensure its continued operation, data recovery, and the timely resumption of its activities, in case the activity of the CASP ceases.

Outsourcing Measures:

When outsourcing the performance of critical functions, the applicant must ensure that reasonable measures are taken to avoid any undue additional operational risk. It should also ensure that the quality of the internal controls of the CASP or the CySEC’s ability to monitor compliance is not materially impaired.

Administrative and Accounting Procedures:

The applicant must have established proper administrative and accounting procedures, internal control mechanisms, effective risk assessment procedures, and effective security and control mechanisms for its electronic data processing systems.

Internal Control Function:

Where the scope, nature, scale, and complexity of its activity require, the applicant must establish an internal control function independent of its other functions and operations, for the design and execution of the abovementioned internal control mechanisms.

Security Mechanisms:

The applicant must have established appropriate security mechanisms to guarantee the security and authentication of the means of transfer of information, minimize the risk of data corruption and unauthorized access, and prevent information leakage to maintain the confidentiality of the data at all times.

Record Keeping:

The applicant must arrange for records to be kept of all its activities, including relevant correspondence. These records should be sufficient to enable CySEC to exercise its supervisory functions and take steps to ensure the CASP’s compliance with its obligations.

Employee Duties:

The applicant must ensure that its employees are not involved in multiple duties unless the exercise of multiple duties does not prevent or is not likely to prevent such persons from carrying out any work or function with diligence, honesty, and professionalism.

Complaint Resolution Policies:

The applicant must establish appropriate policies and procedures to ensure that its clients’ complaints are properly resolved.

Employee Professionalism:

The applicant must ensure that its employees are honest, professionals, and possess the appropriate knowledge for the tasks assigned to them.

Capital Requirements

Finally, Article 6 of the Directive establishes a condition that the applicant, based on the nature of its functions and activities, must maintain at all times own funds equal to the greater of the following amounts:

Class 1: €50,000 initial capital for the provision of investment advice.

Class 2: €125,000 initial capital for the provision of the service referred to in Class 1 and/or any of the following services:

        • Reception and transmission of client orders,
        • Execution of orders on behalf of clients,
        • Exchange between crypto-assets and fiat currency,
        • Exchange between crypto-assets,
        • Participation and/or provision of financial services related to the distribution, offering, and/or sale of crypto-assets, including the initial offering,
        • Placement of crypto-assets without firm commitment,
        • Portfolio management.

 

Class 3: €150,000 initial capital for the provision of the services referred to in Class 1 or 2 and/or any of the following services:

        • Management, transfer, holding, and/or safekeeping, including custody of crypto-assets or cryptographic keys or means enabling control over crypto-assets,
        • Underwriting and/or placement of crypto-assets with firm commitment,
        • Operation of a multilateral trading facility for buying and selling crypto-assets.

 

Anticipated adjustments to the applicants’ fixed expenses are expected to take effect from the commencement of the current fiscal year. Upon completion of the fee revision, we will duly inform you of any pertinent changes.

Charges, Fees and Timeframe

Application Fee:

The applicant pays a fee of €10,000 upon the submission of its application for registration as a CASP. If the application is rejected, this amount is non-refundable. However, if the applicant is successfully registered, no fees or charges are payable to CySEC for the first year of registration. Subsequently, the CASP is required to pay an annual fee of €5,000 for the renewal of its registration.

Fees for Notice of Change:

For the submission of a notice to CySEC regarding a substantial alteration, the following fees apply:

      • €1,000 per service or activity.
      • €2,000 per notice of change related to the members of the Board of Directors of the CASP.
      • €5,000 per notice of change related to the beneficiaries of the CASP.
      • €1,000 per notice of change related to the website of the CASP.