The Renaissance of Crypto: Registration as CASP in Cyprus
The remarkable resurgence of the crypto industry marks a strong turnaround from the collapse of crypto-exchange FTX not long ago, with Bitcoin soaring from just $16,000 two years ago to over $100,000, capturing the attention of investors and money managers everywhere. The worldwide cryptocurrency market cap has quadrupled to almost $4 trillion during the same period. Since Donald Trump's election victory, the cryptocurrency industry has entered a renaissance, driven by expectations of reduced regulatory scrutiny and a push toward mainstream adoption. Notably, a few months ago Trump vowed to make the US the "crypto capital" of the world and proposed a US Bitcoin strategic reserve; among his first moves following the election were appointing a pro-crypto Chair of the Securities and Exchange Commission and, following that, launching his very own crypto, a memecoin named $TRUMP.
As crypto-assets appreciate on the back of a supportive US administration and expectations of light touch regulation, they become more legitimate and more mainstream, triggering the interest of large traditional investors, such as pension funds, and emboldened retail investors. It is notable that the pension schemes of Wisconsin and Michigan already have significant investments in Bitcoin ETFs, with more institutional investors likely to follow. Blackrock's Bitcoin ETF (IBIT) registered $37 billion in net inflows since its inception in January 2024. Wider crypto adoption from both retail and professional investors should fuel even more inflows into crypto-assets and crypto-funds and push more tokenisation in the economy.
MICAR, the EU's flagship Markets in Crypto-Assets Regulation, seems to be arriving at the right time to enable crypto operators to tap into the entire EU market on the basis of a single authorisation. This harmonising legislation enables issuers or offerors of crypto-assets (such as stablecoins), as well as crypto-asset service providers, or CASPs (such as crypto exchanges, brokers, platforms), to offer their tokens or services throughout the Union via their Home Member State passport.
Choosing an appropriate EU jurisdiction in which to set up a CASP business and launch EU operations involves carefully considering issues such as operating costs, taxes, talent pool, regulatory/supervisory landscape, financial ecosystem, and jurisdictional reputation. Cyprus has over the years proven its strength in each of these areas, and has grown into a renowned regional platform for financial services.
From National Regimes to the MiCAR Harmonised Framework
Prior to MICA, crypto-assets other than those that would qualify as MiFID financial instruments (i.e., as transferable securities) or as e-money under the E-Money Directive fell outside the scope of EU financial services regulation. As such, they were only subject to anti-money laundering provisions under the AMLD5 Directive (which does not offer a passporting regime). Hence the offering of crypto-assets or the provision of crypto-asset services was subject to divergent national rules at Member State level, causing significant complexity and burden to those wishing to operate cross-border.
While, in the absence of harmonising measures, Member States still have to respect the rules on the free movement of services, such as ensuring that national measures serve a public interest objective, are indistinctly applicable, and are necessary, suitable and proportional, this is often not very helpful in reducing barriers to cross-border business.
In the case of Cyprus, the bespoke national rules consisted of provisions in the AML/CFT Law (the law transposing AMLD5), the CySEC CASP Registration Directive and the CySEC AML Directive. These rules introduced prudential and organisational requirements that entities had to meet in order to be registered as CASPs.
The MiCAR Framework
The MICA Regulation is a pioneering regulatory framework for crypto assets and related services, aiming to strike a fair balance between the risks posed by such assets and the benefits that they can bring in terms of cheaper and faster payments. In particular, it lays down rules regarding –
Out-of-scope crypto includes any crypto-asset that qualifies as a MiFID financial instrument on the basis of criteria set out in recently issued ESMA Guidelines. Also out of scope are (structured) deposits, funds (other than e-money tokens), insurance and pension products, unique and non-fungible cryptos such as digital art (but not their fractional parts), and others. Additionally, exemptions apply for certain cryptos with particular features (i.e., provided for free or below certain value thresholds).
"Crypto-Assets" - Crypto-assets are broadly defined, and the Regulation distinguishes between 3 distinct crypto-asset classes, applying a different regulatory treatment to each:
Stablecoin type of cryptos would typically be classified as either EMTs (Electronic Money Tokens) or as ARTs (Asset-Referenced Tokens) and their issuers are subject to stringent requirements. Cryptos other than ARTs and EMTs (Other Crypto) are only subject to transparency/disclosure requirements. A common requirement for all crypto is the drafting and publication of a crypto White Paper, a document somewhat similar to a prospectus, the contents of which are prescribed in Annexes I-III.
On decentralised finance (DeFi), the Regulation provides that crypto-assets provided in a fully decentralised manner without any issuer/intermediary (i.e., Bitcoin) are out of scope. That said, CASPs that provide services in relation to such assets (i.e., wallet providers, exchanges) are in scope.
Crypto-assets that comply with MiCAR's requirements enjoy EU passporting rights, meaning that the issuer or offeror is entitled to offer its tokens to the public or have them admitted to trading in Member States throughout the Union via a simple notification to its Home Member State authority.
Requirements: For crypto other than EMTs and ARTs (Other Crypto), the only requirement is that the offeror or person seeking admission to trading is a legal person, that a crypto White Paper is notified to its competent authority and published, and that certain marketing and conduct of business rules are complied with. At the other end, EMTs are deemed to be electronic money under the e-Money Directive and, as such, can only be issued and offered by e-money institutions or credit institutions. With respect to ARTs, these can be issued and offered either by a credit institution following a notification to its competent authority and submission of the required documentation, or by any legal person that fulfils MICAR's prudential and organisational requirements and acquires an authorisation from its competent authority.
EMTs and ARTs may, where certain criteria are fulfilled, be classified as "Significant EMT" or "Significant ART" in which case they become subject to direct supervision by the European Banking Authority (EBA) and to additional obligations.
MICAR Title V: Authorisation of CASPs
According to MiCAR, a CASP is a person that provides any of the crypto-asset services listed below and, as such, falls within the scope of application of the Regulation. CASPs authorised by their home Member State competent authority may offer these services throughout the Union either under the freedom of establishment or the freedom to provide services.
Authorisation as a CASP is reserved to:
- Legal persons authorised by their Home Member State according to Art.63.
- Financial entities: (i) credit institutions, (ii) investment firms, (iii) UCITS and AIF managers, (iv) e-money institutions, (v) central securities depositaries and (vi) market operators, following the notification procedure of Art.61.
Financial Entities as CASPs → Notification Procedure
The above-mentioned financial entities do not require authorisation; they are only subject to a requirement to notify their competent authority and submit documentation concerning the features, organisation and policies of their crypto-services. Moreover, a financial entity may not be allowed to offer all the above services but only specific ones that are equivalent to the services already offered by that entity. While a credit institution may offer any of the above-listed services, an investment firm may only provide those services that are equivalent to the services it is entitled to provide under its MiFID license. An AIF manager may only provide services equivalent to portfolio management and the non-core services for which he is authorised.
- The notification to the competent authority (CySEC in the case of Cyprus) is made using the standard forms and templates contained in Implementing Technical Standards.
Legal Persons as CASPs → Authorisation Procedure
MiCAR requires legal persons authorised as CASPs to have their registered office in a Member State, their place of effective management in the EU and at least one director resident in the Union. The application to the competent authority for authorisation must contain information such as:
Name and contact details of entity; legal form, articles of association, programme of operations, the specific crypto-services to be offered; governance arrangements; proof of management's good repute, skills and competence; proof of good repute of shareholders with qualifying holdings; internal controls; segregation of clients' crypto-assets and funds, ICT security, execution policy (if applicable), etc.
- The legal person submits its application for authorisation to the competent authority (CySEC in the case of Cyprus) using the standard forms and templates contained in the relevant Implementing Technical Standards. Provided the application is complete, the competent authority must determine within 40 working days whether to grant or refuse it.
Obligations Applicable to CASPs
CASPs are subject to prudential, organisational and conduct of business requirements.
Prudential Requirements
Annex IV provides for a minimum capital requirement of €50,000 or €125,000 or €150,000, depending on the crypto-asset services provided. The capital requirement for a CASP is the higher of (a) the minimum capital requirement, and (b) ¼ of the previous year's fixed overheads.
Safekeeping of clients' crypto-assets and funds
CASPs that hold client crypto-assets must have arrangements in place to protect the ownership rights of clients, especially in the event of the CASP's insolvency. As for client funds, these must be placed with a credit institution or central bank and be separately identifiable.
The Regulation includes several other requirements relating to governance arrangements, outsourcing, conflicts of interest, and complaints handling. It also lays down additional obligations that apply to the provision of specific crypto-asset services, such as -
- For the service of exchanging crypto-assets for funds or for other crypto-assets (the equivalent of MiFID's dealing on own account), the CASP is subject to pre and post trade transparency.
- For the service of order execution, CASPs are subject to a best execution obligation and required to have an order execution policy and their clients' consent to that policy.
On Reverse Solicitation: As with MiFID II, MICAR also permits reverse solicitation, whereby third-country providers of crypto-services are entitled to provide services to EU-based clients only at the client's own exclusive initiative (no active/passive promotion or marketing in the EU). ESMA's recent Guidelines provide useful guidance and examples of conduct that may or may not qualify as MICAR-compliant.
Non-compliant crypto-assets and obligations for CASPs: CASPs are expected to stop providing services in relation to non-MiCAR compliant ARTs and EMTs. This is particularly the case with respect to services that likely constitute an offer of tokens to the public or admission to trading, such as operating a trading platform and admitting to trading non-compliant ARTs or EMTs. According to ESMA, even services such as reception and transmission, execution, and exchange in relation to non-compliant ARTs or EMTs could in some cases constitute an offer to the public and hence result in the CASP breaching the authorisation requirements of Titles III & IV (consisting of the conditions for offering EMTs & ARTs).
MiCAR also introduces a crypto-specific market abuse regime. It defines inside information and lays down prohibitions with respect to insider dealing, unlawful disclosure, and market manipulation.
MICAR Application and Transitional Provisions
Transitional Provisions: The Regulation contains grandfathering provisions for crypto-asset service providers that provided services prior to 30/12/2024. It provides that these entities may continue providing their services until 1/07/2026 or until they are granted or refused an authorisation under MICAR (whichever is sooner). Member States are granted discretion not to apply this 18-month transitional regime, or reduce it. Many member states have used this option to reduce the period to 12 or even 6 months. As for Cyprus, the transitional period has been set to 18 months.
The Way Forward
MICAR's application represents a pivotal moment, offering businesses a stable foundation, legitimacy, and the opportunity to innovate and offer crypto-assets and services across the EU market at a time when crypto-assets are gaining momentum and moving into the mainstream.
Obtaining a CASP authorisation in Cyprus is a straightforward process and, for entities previously registered as CASPs under the national regimes, the process is even simpler. The competent authority, the Cyprus Securities and Exchange Commission (CySEC), has built substantial experience and knowledge on crypto services in recent years and has demonstrated a willingness to engage with stakeholders on authorisation and regulatory compliance issues.
As for financial entities, such as investment firms or fund managers, the fact that they are already licensed and supervised under the MiFID/UCITS/AIFM frameworks means no additional authorisation is required; the entity is only required to submit a notification and accompanying documentation to CySEC.
Aspiring CASPs should assess the specific requirements applicable to them under MICAR and its implementing laws, considering their status (i.e., financial entities or not) and the crypto-services they plan to offer. Based on this analysis, they should develop an appropriate business model and implementation plan to facilitate a seamless notification or authorisation process and ensure a smooth start to their operations.