On the 25th of June 2021, the Cyprus Securities and Exchange Commission (the "CySEC") issued the long-awaited Directive regarding the Registry of Providers of services relating to crypto assets 269/2021 (the "Directive"). The said Directive was issued following the amendments of the 5th AML Directive, which was implemented by the Republic of Cyprus into the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 to 2021 (the "Law"). The 5th AML Directive brought major amendments to the virtual currency industry as for the first time providers of services related to crypto assets (the "PSCA") were defined. In the present article the registration and authorization procedure of the Directive will be summarized.
CySEC will issue on its website the Registry of PSCA which will be accessible by the public, maintaining the following information for the registered PSCA:
(a) Name, trade name, legal form and the legal entity identifier of the PSCA;
(b) The physical address of the PSCA;
(c) The services and/or the activities offered by the PCSA as provided in the definition of PSCA in paragraphs (a) to (e) of Article 2 of the AML Law, namely:
(i) Exchange between cryptocurrencies and fiat currencies;
(ii) exchange of cryptocurrencies with cryptocurrencies;
(iii) the management, transfer, holding, and/or safekeeping, including custody, of cryptocurrencies or cryptographic keys or means enabling control over cryptocurrencies;
(iv) offering and/or selling cryptocurrencies, including the initial public offering; and
(v) participation and/or provision of financial services related to the distribution, offering and/or sale of cryptocurrencies, including the initial public offering;
(d) the website of the PSCA.
Application for the registration to PSCA Registry
Subject to the provisions of paragraphs (2) and (3) of article 61E of the Law, for the registration of PSCA in the PSCA Register, the applicant submits duly completed the registration application (the "Application") issued by CySEC, which will be available on CySEC's website. The Application must include the information referred in the previous paragraph above as well as the addresses of crypto assets of the PSCA, accompanied by all the documents and data specified in it. The original documents and data are submitted in the official language of the Republic or in English.
The applicant must notify CySEC regarding any changes relating to the information submitted with their Application, from the date of submission of the Application until the notification of the decision of CySEC for the approval or rejection of the Application. During the examination of the information and/or documentation submitted with the Application, CySEC may request clarifications and/or additional data, documents or information, which in its discretion are necessary for reaching its conclusion.
CySEC informs the applicant within six (6) months from the submission of a fully completed Application whether or not the registration in the Register of PSCA has been successful.
CySEC requirements for registration to PSCA Registry
CySEC may approve an Application provided that the applicant meets the following conditions:
(a) The applicant has submitted all the information, documents and/or data that are required and/or has provided any clarifications requested by CySEC as mentioned above;
(b) The applicant reassures that the persons holding a managerial position in the PSCA must be competent and honest, which is fulfilled if they have a good reputation, knowledge and skills as well as experience and are capable of devoting enough time to the execution of their duties towards the PSCA. This point is crucial for CySEC, since it gives extra emphasize in the Directive by defining good repute, integrity and morality as well as knowledge, skills and expertise;
(c) The Board Members of the PSCA must be consisted at least of four persons, which meet the criteria mentioned in point (b) above, where the two of the four persons must manage the business activities of the PSCA and the other two to be independent members;
(d) The beneficiaries of the PSCA are honest and competent, which is fulfilled if they have a good reputation and the ability to maintain the strong financial structure of PSCA. To maintain the strong financial structure of the PSCA, the beneficiaries must have sufficient financial strength to ensure the sound and prudent management of PSCA in the foreseeable future (usually three years), for which they should satisfy CySEC;
(e) The close links between the applicant and other natural or legal persons do not prevent the effective monitoring, evaluation and supervision of CySEC. Where the natural or legal person with whom the applicant has a close connection is in a third country, the laws, regulations or administrative provisions of the third country shall not impede the effective performance of the supervisory functions of CySEC;
(f) When operating online, the PSCA must maintain its own website which will have the exclusive ownership and use where it will operate its activities without the possibility of any other person operating through it;
(g) It has established appropriate policies and procedures to ensure its compliance, including with its members, employees and persons to whom functions are assigned, in accordance with the Law and the Directive;
(h) It has established appropriate policies and procedures and has appropriate control systems and mechanisms in place to ensure the prudent operation of the PSCA, including to minimize the risk of theft or loss of its customers' cryptocurrencies;
(i) The PSCA has own funds in accordance with the provisions of the Directive;
(j) Ensures that the performance of its staff is not remunerated or evaluated in a manner that conflicts with its duty to act in the best interests of its customers and in particular does not make any adjustments in the form of remuneration, sales targets or otherwise form, which could motivate its staff to implement aggressive promotion practices of products or services;
(k) It has sound governance arrangements, with clearly defined, transparent and clearly identifiable reference lines;
(l) Takes all reasonable steps to ensure the continuous and regular performance of its functions and maintains an appropriate and up-to-date policy to ensure its continued operation as well as procedures for data retrieval and the timely resumption of its activities in case the activities of the PSCA are interrupted;
(m) Ensures that it entrusts the performance of essential functions to third parties, so that reasonable steps can be taken to avoid any undue deterioration of operational risk and in no way substantially impairs the quality of the internal control of the PSCA or CySEC's ability to monitor PSCA;
(n) Has sound administrative and accounting procedures, internal control mechanisms, effective risk assessment procedures and effective control and security mechanisms for electronic data processing systems;
(o) Where the scope, nature, scale and complexity of its activity so require, the PSCA has established an internal control function that is independent of its other functions and activities, for the design and execution of its internal control mechanisms of the procedures mentioned above;
(p) It has sound security mechanisms to ensure and verify the authenticity of the means of transmitting information, minimizing the risk of data destruction and unauthorized access and preventing information leakage, so that data confidentiality is always maintained;
(q) Ensures that records are kept in relation to all the functions it performs, which also include the relevant communication, in such a way as to enable CySEC to exercise its supervisory duties and to take actions to ensure compliance with the obligations of the PSCA;
(r) Ensures that the persons employed by it do not perform multiple duties unless the exercise of multiple duties does not prevent or is likely to prevent such persons from carrying out any work or function with diligence, honesty and professionalism;
(s) It has appropriate policies and procedures in place to ensure that its customers' grievances are properly resolved;
(t) Ensures that the persons employed in the PSCA possess the appropriate guarantees of honesty and professionalism and the appropriate knowledge according to the tasks assigned to them.
Once the registration application is approved, CySEC shall immediately register the applicant in the PSCA Register.
PSCA capital requirements
As per the Directive, the PSCA must always maintain capital at least equal to the greater of the following amounts:
(a) the amount of the initial capital of the below Annex, depending on the nature of its functions and activities;
(b) one quarter (1/4) of the fixed expenses of the PSCA during the previous year, revised annually.
If less than one year has elapsed from the date on which the PSCA became active, it shall use, for the calculation referred to in point (b) above, the estimated fixed costs included in its forecasts for its transactions of the first twelve months, as submitted with the PSCA Application.
The provisions of point (b), shall enter into force on 1 January 2022, as follows:
(a) 30% of the amount concerned from 1 January 2022;
(b) 60% of the relevant amount from 1 January 2023;
(c) 100% of the relevant amount from 1 January 2024.
PSCA providing investment advice
PSCA providing the services of Category 1 and/or any of the following services:
(a) Receiving and transmitting orders; and/or
(b) Execution of orders on behalf of clients; and/or
(c) Exchange between cryptocurrencies and fiat currencies; and/or
(d) Exchange between cryptocurrencies; and/or
(e) Participation and/or provision of financial services related to the distribution, offering and/or sale of cryptocurrencies, including the initial offer; and/or
(f) disposal of cryptocurrencies without commitment withdrawal; and/or
(g) portfolio management
PSCA providing any of the services of Category 1 or 2 and/or:
(a) management, transfer, transition, holding, and/or safekeeping, including custody, of cryptocurrencies or cryptographic keys or means enabling control over cryptocurrencies; and/or
(b) acceptance and/or disposal of crypto assets with a commitment to withdraw; and/or
(c) operation of a multilateral system in which several persons interested in buying and selling cryptocurrencies can interact in a way that results in a transaction.
For the purposes of examining the application for registration in the PSCA Register, the PSCA pays to CySEC a fee of 10,000 Euros. If the application for registration in the PSCA Register is approved by CySEC, the PSCA does not pay any fee or subscription to CySEC for the first year of its registration in the PSCA Register. In case the application for registration in the Register of PSCA is not approved by CySEC, the fee paid by the PSCA is not refundable.
In case of renewal in the PSCA Register for a period of one (1) year, the PSCA pays a subscription of 5,000 euros.
For the submission of a notice of substantial change, a fee shall be paid as follows:
(a) EUR 1,000 per service or activity;
(b) EUR 2,000 per change in the persons consisting the Board Members of the PSCA;
(c) EUR 5,000 per change in the beneficiaries of the PSCA;
(d) EUR 1,000 per change regarding the website of the PSCA.
At the time of publication of the present article, CySEC has not issued the relevant Application. It is expected to be issued within the next month.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.