On the 25th June 2021 the Cyprus Securities and Exchange Commission (the “CySEC“) issued the directive R.A.A. 269/2021 regarding the register of service providers concerning crypto assets, in accordance with articles 59 and 61E of the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, Law 188(I)/2007, as amended (the “Law”). The Law was amended earlier in 2021 to implement and harmonize into Cyprus law, the 4th and 5th AML Directives (Directives (ΕU) 2015/849 and 2018/843), which focus on achieving higher transparency by preventing the financial market from being misused for illegal purposes like money laundering and financing of terrorism. Although EU has not fully regulated crypto assets and cryptocurrencies these directives provide some form of regulation.
CySEC was regulated to be the supervisory authority responsible for providers who provide services related to crypto asset services. Despite the fact that crypto assets are not yet fully regulated in Cyprus, CySEC has issued a directive on the “Register of Providers of Services regarding Crypto Assets” (the “CySEC Directive”). CySEC Directive regulates the creation, maintenance, operation and update of the register of crypto assets services providers (“CASP”) and sets the requirements for their registration in the register.
According to the relevant definitions provided under the Law:
“Crypto asset” means a digital representation of a value which is not issued by a central bank or public authority or guaranteed, is not necessarily linked to a legally circulating currency and does not have the legal status of currency or money, but is accepted by individuals as a means of trading or investment and can be transferred, stored or circulated electronically and is not
(a) fiat currency; or
(b) electronic money, or
(c) financial instruments as defined in Part III of the First Annex to the Investment Services and Activities and Regulated Markets Law;
“Crypto asset Service Provider” means a person who provides or exercises one or more of the following services or activities to another person or on behalf of another person, which do not fall under the services or activities of the obliged entities mentioned in paragraphs (a) to (h) of article 2A:
(a) Exchange between crypto assets and fiat currencies;
(b) Exchange between crypto assets;
(c) Management, transfer, holding and/or safekeeping, including custody, of crypto assets or cryptographic keys or means which allow the exercise of control on crypto assets;
(d) Offering and/or sale of crypto assets, including the initial offering; and
(e) Participation and/or provision of financial services regarding the distribution, offer and/or sale of crypto assets, including the initial offering”.
Any interested company shall apply for registration to the registry in order to be able to provide the above services within the regulatory framework for AML purposes. New businesses must register with CySEC before commencing their operations. According to the relevant regulations the following entities are mandatory to be registered with CySEC, in order to provide services regarding crypto assets:
- Crypto asset service providers which provide services on a professional basis from Cyprus, regardless of their registration in another Member State of the European Union;
- Crypto asset service providers which provide services on a professional basis in Cyprus, except for businesses who provide services regarding crypto assets that have been registered in another Member State of the European Union.
Therefore it is imperative for any third country CASP to be registered in CySEC so that it is qualified and permitted to provide such services in Cyprus or in the European Union (from a Cyprus base) and for any CASP operating from Cyprus .
CySEC publishes the following information in the CASP register:
- name, trading name, legal form and registration number of the CASP;
- the registered address of the CASP;
- the official website of the CASP;
- the respective services provided by the CASP.
Registration and Requirements
It is worth mentioning that no law or any other regulation includes any provisions regarding the granting of a license of a CASP. However, a CASP should meet certain criteria in order to get registered with CySEC as they are obliged entities under the AML law and must comply with all AML obligations such as KYC, source of funds etc.
The process of the registration of the CASP in the CySEC register is separated into the below two steps.
- Incorporate a Cyprus limited liability company as per the Cyprus Companies Law, Cap 113
This is a very simple procedure which takes about 7 business days to be finalised by the Cyprus Registrar, provided that there is an approved name for the company by the Registrar. Emphasis should be given to the company's organizational documents to include the relevant services to be provided as well as appointing two executive and two non-executive directors where the majority of them must be tax residents of Cyprus.
- Registration in CySEC
Upon the incorporation of the Cyprus legal entity applicants shall prepare a package for CySEC to examine including the following:
- CySEC Application forms for CASP registration;
- Organisation documents and certificates of the company;
- Due diligence information and completed questionnaires on shareholders, directors and other managerial stuff;
- AML Manual, in compliance with the relevant law;
- Internal Operations Manual describing the procedures, control systems and security mechanisms in place ensuring the prudent operation of the CASP, including minimizing the risk of data corruption, information leakage and unauthorized access which in turn may lead to theft or loss of its customers' cryptocurrencies or funds. This should also cover issues of remuneration, safeguarding, recruitment, business continuity, conflicts of interest and outsourcing;
- Group structure and governance arrangements;
- Business plan including operating model and the forecast accounting plans for the first three years;
- Link to a fully-developed website exclusively owned by the CASP;
- Other internal policies and procedures addressing matters such as outsourcing, accounting, risk management, internal audit, financial information, record keeping, customer complaints, electronic data processing systems, authenticity of the means of transmitting information.
Also a potential CASP should be in position to fulfill the below:
- The directors must be approved by CySEC upon assessment of their knowledge, skills and experience in the field and must be evaluated whether they satisfy the “fit and proper” test based on their good repute and financial soundness;
- Satisfy the legal substance requirement with a fully operational office within Cyprus and employment of local stuff;
- Capital adequacy;
- Satisfy the requested board composition as stated above.
Types of service and capital requirements
There are three types of activities regulated by CySEC for which there is a different minimum capital requirement:
|CASP||Type of Services in Crypto assets||Initial Capital|
|Class 1||CASPs that provide investment advice||EUR 50,000|
|Class 2||CASPs providing the service referred to in Class 1 and/or any
of the following services:
i. reception and transmission of client orders and/or
ii. execution of orders on behalf of clients and/or
iii. exchange between crypto assets and fiat currency and/or
iv. exchange between crypto assets and/or
v. participation and/or provision of financial services related to the distribution, offering and/or sale of crypto assets, including the initial offering and/or
vii. placement of crypto assets without firm commitment and/or
viii. portfolio management.
|Class 3||CASPs that provide any of the services referred to in Class 1
or 2 and/or:
i. administration, transfer of ownership, transfer of site, holding, and/or safekeeping, including custody, of crypto-assets or cryptographic keys or means enabling control over crypto-assets and/or
ii. underwriting and/or placement of crypto-assets with firm commitment and/or
iii. operation of a multilateral system, which brings together multiple third-party buying and selling interests in crypto-assets in a way that results in a transaction.
CySEC shall reply to any application within six months from the submission date. For the review of the application by CySEC, the fee is EUR 10,000, irrespective of the fact that the application is approved or not. The annual contribution for the renewal of the license is EUR 5,000 and this fee is not payable on the first year of registration. The fee, for the submission of a material change regarding the CASP, shall be between EUR 1,000 – EUR 5,000. Possible amendments include any changes of the following:
- in the services or related activity of the provider;
- of the address of the crypto assets;
- of a board member or any person holding an administrative position;
- in beneficiaries;
- in the website of the provider.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.