Cyprus introduces first steps towards Crypto-Asset regulation through AML Law amendments

In Cyprus, the Prevention and Suppression of Money Laundering and Terrorist Financing Law, L188(I)/2007 (the “AML Law”) was amended earlier this year through L13(I)/2021 (the “Amending Law”), in order to harmonise domestic legislation with the provisions of the 4^th and 5^th AML Directives (Directives (EU) 2015/849 and 2018/843).

The 5^th AML Directive made several amendments to the 4^th AML Directive (together the “AML Directives”) effectively extending AML/CTF controls to:

1. Providers of exchange services between virtual currencies and fiat currencies (“Exchange Providers”); and
2. Providers of custody services for virtual currencies (“Custody Providers”).

As a result of amendments introduced by the 5^th AML Directive, EU Member States are required to ensure that Exchange Providers and Custody Providers are registered and that persons who hold management functions or are beneficial owners of Providers are fit and proper.

The Amending Law was published in the Official Gazette of the Republic of Cyprus on 23 February 2021 and transposed the 5^th AML Directive’s provisions into the AML law. The Cyprus Securities and Exchange Commission (“CYSEC”) has been designated as the competent supervisory authority for matters relating to crypto-asset regulation and has been given powers to regulate through the issue of Directives. As at the time of writing CYSEC has not yet published any Directives pursuant to the powers that it has been granted and as such, the regulatory framework for crypto-assets in Cyprus is not yet fully operational. It is not yet clear whether, future all-encompassing and specific primary legislation will be introduced in this area or whether the regulatory framework for crypto-assets will mostly be based on CYSEC’s Directives.

In the remainder of this paper, we examine the provisions of the Amending Law and their implication for the regulatory approach towards crypto-assets in this jurisdiction, and note certain points that any new market entrant, or existing provider might wish to consider. We will publish additional updates following the publication of any relevant Directives by CYSEC. Whilst beyond the scope of this paper it is worth noting that the draft EU Markets in Crypto-Assets Regulation (“MiCA”) is expected to come into force by 2024. MiCA will be directly applicable and may cover a lot of the same subject matter as the provisions that are discussed in this paper.

Introduction of a Legal Definition of Crypto-Assets

The 5^th AML Directive adopted the following definition for “Virtual Currencies”:

a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically[1]

In Cyprus, the Amending Law introduced a definition for “Crypto-Assets” that slightly extended the above definition. Crypto-Assets are defined in s2 of the AML Law in the exact same way as Virtual Currencies as in the 5^th AML Directive but in addition to the text set out above, the AML Law definition added specific exclusions (as underlined below):

a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically and is not:

a)            fiat currency; or

b)            electronic money; or

c)             a financial instrument as defined in Part III of the First Appendix of [L144(I)/2017]^[2]

The exclusion of “fiat currency” from the Amending Law definition appears unnecessary as fiat currencies are usually both issued by central banks and constitute legal tender. This means that they are extremely unlikely to fall within the definition of Virtual Currency as set out in the AML Directives and which was for the most part adopted by the Amending Law. On the other hand, the exclusion of “electronic money” and “financial instruments” from the Crypto-Asset definition appears designed to remove any electronic money and financial instruments, already subject to regulation from falling under Crypto-Asset regulation to avoid potential jurisdictional overlap. This is discussed further in the Jurisdictional Overlap section below.

Defining the business of Crypto-Asset Services Providers (“CASPS”)

Although the AML Directives introduced a definition of “Virtual Currencies”, they did not introduce an equivalent definition for Exchange Providers. Instead, the AML Directives merely set out that any “providers engaged in exchange services between virtual currencies and fiat currencies” fall within the Directives’ scope[3] and that Member States must ensure that such providers are registered[4]. The AML Directives did however provide the following definition for Custody Providers (which must also be registered):

‘custodian wallet provider’ means an entity that provides services to safeguard private cryptographic keys on behalf of its customers to hold, store and transfer virtual currencies[5]

The Amending Law introduces a definition for Crypto-Asset Services Providers (“CASPs”) that appears to cast a wider net than the 5^th AML Directive and seems intended to encompass both Exchange Providers and Custody Providers. Section 2 of the AML Law defines a CASP as:

any person who provides or carries out one or more of the following services or activities to another person or on behalf of another person to the extent that these do not fall within the services or activities provided by entities referred to in paragraphs (a) to (h) of section 2A of the AML Law[6]:

(a)        the exchange of crypto-assets for fiat currency;

(b)        the exchange of crypto-assets for other crypto-assets;

(c)        the management, transfer, retention, and/or safekeeping, including custody, of crypto-assets, cryptographic keys or any others means which permit the exercise of control over crypto-assets;

(d)        the offer and/or sale of crypto-assets, including any initial offering; and

(e)        the participation in and/or provision of financial services related to the distribution, offer and/or sale of crypto-assets[7], including their initial offer.

(referred to below as the “CASP Definition”)

It is worth noting the following points in relation to the above definition:

1. The AML Directive definition for Custody Providers (“custodian wallet provider”) appears to only capture entities that provide services in relation to the safeguarding of “cryptographic keys”. The CASP Definition in the AML Law appears to be wider in that it also captures entities which provide custody of Crypto-Assets (rather than just the custody and/or safeguarding of crypto-graphic keys) as well as “any other means” which permit the exercise of control of crypto-assets.
2. It appears difficult to distinguish between the “exchange of crypto-assets for fiat currency” and the “exchange of crypto-assets for other crypto-assets” in sub-paragraphs (a) and (b) and the “offer and/or sale of crypto-assets” in sub-paragraph (d) as, in practical terms, the sale of a Crypto-Asset effectively consists of the exchange of fiat currency for the Crypto-Asset in question, or the exchange of one Crypto-Asset for another. Given the similarity in meaning and the inclusion of the term “initial offering” (as well as the word “offer”) in sub-paragraph (d) of the CASP Definition, the sub-paragraph may be aimed towards ensuring that any entities that issue their own Crypto-Assets, or are otherwise involved in Initial Coin Offerings[8], fall within the definition of a CASP and become subject to the provisions of the AML Law.
3. Sub-paragraph (e) in the CASP Definition refers to the participation in and/or provision of “financial services related to the distribution, offer and sale of crypto-assets”.  This term is given a specific meaning in section 2 of AML Law as follows:

‘financial services related to the distribution, offer and sale of crypto-assets’ means the following services and activities in relation to crypto-assets:

(a)        Reception and transmission of orders;

(b)        Execution of orders on behalf of clients;

(c)        Dealing on own account;

(d)        Portfolio management;

(e)        Investment advice;

(f)         Underwriting and/or placing of crypto-assets on a firm commitment basis;

(g)        Placing of crypto-assets without a firm commitment basis; and

(h)        Operation of a multilateral system in which multiple third-party buying and selling trading interests in crypto-assets are able to interact in the system.

The above list closely replicates the list of Investment Services and Activities set out in Section 1 of Annex I of MiFID II and Part 1 of the First Appendix of the Investment Services Law. It is therefore apparent that any form of service, which constitutes a MiFID II investment service when offered in relation to financial instruments, will fall within the scope of the AML Law, and would require the provider to register in accordance with the provisions of the AML Law when it is offered in relation to Crypto-Assets. The adoption of near-identical terms to those in Section 1 of Annex I of MiFID II suggests that the regulatory approach towards Crypto-Assets might, in the short-term at least, closely resemble the regulatory approach currently taken towards MiFID II financial instruments. This appears to be confirmed by the designation of CYSEC as the supervisory authority for CASPs.

4. The CASP definition specifically excludes services or activities that fall “within the services or activities provided by entities referred to in paragraphs (a) to (i) of section 2A of the AML Law”. Paragraphs (a) to (i) of section 2A of the AML Law refer to, inter alia, Credit Institutions[9] and  Financial Institutions[10] which are subject to separate and extensive financial services regulation. This appears aimed at ensuring that entities that fall under the scope of existing financial services legislation, and which offer services in relation to Crypto-Assets, are excluded from any requirements that may apply to CASPs to avoid jurisdictional overlap, although this may lead to some interesting outcomes which are discussed in further detail in the Jurisdictional Overlap section below.

CASP Regulatory Framework Outline

Section 59(b)(vii) of the AML Law provides that CYSEC is the relevant supervisory authority in relation to the services and activities that are provided by CASPS. Section 61E(1) of the AML Law provides that:

1. CYSEC will prepare and maintain a register of CASPs (the “Register”);
2. CYSEC will publish the Register on its website or in any other way that it may decide; and
3. CYSEC may determine by Directive how the Register will operate, be maintained and be updated.

Section 61E(2)(a) requires that any CASPs that provide services or activities “on a professional basis” from Cyprus, must be registered irrespectively of whether they have been registered in another Member State in relation to the same services and activities. Section 61E(2)(b) provides that any CASPs that provide services or activities “on a professional basis” in Cyprus must also be registered unless they have already been registered in another Member State in respect of the same services and activities.

It is evident from the above that passporting into the jurisdiction will be allowed as any CASP that has been registered in a different Member State will not need to apply for entry onto the Register. In addition, it should also be noted that the term “on a professional basis” is also used in the definition of “Investment Firm” in section 2(1) of the Investment Services Law and in articles 4(1)(1) and 5 of MiFID II. Its use here suggests that issuers of Crypto-Assets might be exempt from registration requirements when issuing their own crypto-assets, given that such issuances are not done as a regular occupation or business, or on a professional basis. However, caution is advised before adopting such an interpretation given that, as set out above, the CASP Definition specifically refers to “initial offerings” of Crypto-Assets as a service that falls to be regulated. We anticipate that the matter may be clarified in due course through the publication of Directives pursuant to the powers CYSEC has been given under section 61E of the AML Law.

Section 61E also sets out that a number of other matters fall within CYSEC’s jurisdiction and that CYSEC may publish Directives prescribing additional information and details regarding, inter alia:

1. The conditions subject to which CYSEC will approve or reject applications for registration;
2. CASPs’ organisational and operating requirements;
3. Registration fees; and
4. The assessment of the fitness and propriety of CASPs’ management bodies and shareholders.

As set out above CYSEC has not yet published any Directives pursuant to the powers that it has been given by section 61E of the AML Law, but it is anticipated that the publication of such Directives will add further clarity to how the regulatory framework for CASPs will operate in practice.

Jurisdictional Overlap

As discussed briefly above, the provisions of the Amending Law appear to have been designed so as to avoid different and distinct legal provisions applying to the same subject matter or otherwise overlapping. In practice this issue might arise in the following two ways which have different implications and are both discussed briefly and separately below:

1. An entity that is properly authorised and regulated under existing financial services legislation (a “Regulated Entity”) might offer services in relation to Crypto-Assets; or
2. A Crypto-Asset might be deemed to be a “financial instrument”, or “electronic money” under existing financial services legislation;

Regulated Entities

As set out above, the CASP Definition sets out that a CASP is “any person who provides or carries out one or more of [a number of services] to another person or on behalf of another person to the extent that these do not fall within the services or activities provided by entities referred to in paragraphs (a) to (h) of section 2A of the AML Law”. Therefore, where an entity referred to in paragraphs (a) to (h) of section 2A of the AML provides any of the services referred to in the CASP Definition in relation to Crypto-Assets it does not constitute a CASP. Paragraphs (a) to (i) of section 2A of the AML Law refer to:

(a)        Credit institutions;

(b)        Financial institution;

(c)        Any of the following natural or legal persons in the exercise of their professional activities:

(i)         Auditor, external accountant and tax advisor;

(ii)        Independent legal professional…[when providing certain services];

(d)        Natural or legal person not already covered under paragraph (c) [when providing certain services]

(e)        estate agents, including when acting as intermediaries in relation to the rental of property in relation to transactions for which the monthly rental amounts to, or exceeds, ten thousand euro (€10,000);

(f)         providers of gambling services, [as provided in the relevant laws of Cyprus];

(g)        casino [which falls under the scope of the laws relevant to the operation and supervision of casinos];

(h)        a person trading in goods, if the payment is made or collected in cash and it concerns an amount equal to or greater than ten thousand euro (€10.000), regardless of whether the transaction is carried out in a single operation or in several operations which appear to be linked.

It therefore appears that where a Regulated Entity offers any of the services set out in the CASP Definition in relation to Crypto-Assets it would be exempt from the requirements set out in section 61E of the AML Law described above. In practice, we would expect that the vast majority of persons offering services in relation to Crypto-Assets that would be exempt from registration requirements under section 61E of the AML, would consist of credit institutions and/or investment firms that may in time begin to offer services in relation to Crypto-Assets. However, rather interestingly, as currently drafted the AML Law also provides that, for example, estate agents or providers of gambling services, may offer services in relation to Crypto-Assets without having to seek entry onto the Register, without having to comply with any of the additional requirements provided for by section 61E, and without having to comply with any future requirements that might be set out in future CYSEC Directives. It remains to be seen whether this position will be amended in future, whether through CYSEC Directive or a different legislative instrument.

Crypto-Assets as Financial Instruments or Electronic Money

A detailed discussion regarding the extent to which Crypto-Assets might constitute financial instruments for the purposes of MiFID II or electronic money for the purposes of the Electronic Money Directive (Directive 2009/110/EC) is beyond the scope of this paper but we note that there have been a number of publications released in the past few years that discuss the relevant issues at length.

In particular we note the European Securities and Markets Authority’s (“ESMA”) Advice on Initial Coin Offerings and the European Banking Authority’s (“EBA”) Report on Crypto-Assets that were both published on 9 January 2019 and discussed the legal qualification of Crypto-Assets under EU financial services laws. Both papers summarise consultations with EU National Competent Authorities (“NCAs”) regarding the legal qualification of Crypto-Assets in different EU jurisdictions. Several NCAs (the papers did not specify which) deemed that in certain circumstances Crypto-Assets can qualify as both financial instruments and/or electronic money.

At the national level, neither CYSEC nor the Central Bank of Cyprus have published any guidance setting out their views as to when a Crypto-Asset might constitute a financial instrument or electronic money for the purposes of the Investment Services Law or the domestic law implementing the Electronic Money Directive. In the absence of any specific guidance from either regulator it is difficult to draw conclusions about the approach that either regulator might take. It is evident that the features and nature of any given Crypto-Asset will be crucial as regards its legal qualification.

The implication of any given Crypto-Asset qualifying as a MiFID II financial instrument or electronic money would be wide-ranging. For example, if a Crypto-Asset qualified as MiFID II financial instrument a full set of EU and domestic rules and legislation, including, inter alia, MiFID II, the Investment Services Law, the Central Securities Depositary Regulation and the Settlement Finality Directive might come to apply to the provision of any services in relation to that Crypto-Asset. As such, any entities that might be considering registering as a CASP with CYSEC, might need to consider the extent to which any of the Crypto-Assets might qualify as MiFID II financial instruments or electronic money meaning that any services offered in relation to might fall under existing financial services legislation. If so, then any such firms would likely be required to apply for authorisation as an investment firm, electronic money institution or for another type of license. Further, they would need to remain vigilant in ensuring that any Crypto-Assets in relation to which they might offer services in the future is not deemed to fall under financial services legislation.

Finally, in advance of any Directives regarding the matter being published by CYSEC it is difficult to anticipate the degree of regulation that CASPs registered with CYSEC will be subjected to as compared to the amount of regulation that investment firms and/or electronic money institutions are currently subject to. It is however worth noting the following:

1. Article 47(1) of the AML Directive provides that “Member States shall ensure that providers of exchange services between virtual currencies and fiat currencies and custodian wallet providers, are registered, that currency exchange and cheque cashing offices, and trust or company service providers are licensed or registered, and that providers of gambling services are regulated”. The use of different terms (as underlined above) for different types of entity in article 47(1) of the AML Directive suggests that, at the EU level at least, the expectation is that providers of gambling services will be subject to more control than Exchange Providers. It should however be noted that there is nothing to prevent any EU Member State from mandating more onerous requirements for Exchange Providers.
2. This appears to be the case in Cyprus where section 61E of the AML Law gives CYSEC the power to issue Directives in relation to matters that go beyond the requirements set out in the AML Directive. For example section 61E(7) of the AML Law provides that CSYEC will adopt and apply organisational and operational requirements for CASPs, where there is no such equivalent requirement in the Directive.

Given the above, it is difficult to draw any firm conclusions about the weight of any future regulations or provisions that will apply to CASPs, and at this stage we can only anticipate the publication of any relevant Directives by CYSEC. On the one hand, the absence of extensive EU law and regulation regarding Crypto-Assets suggests that future regulation for CASPs will be less burdensome by comparison to current regulation for financial services firms (for which extensive EU law and regulation does exist and on which a great deal of domestic financial services regulation is predicated). On the other hand, the provisions of the Amending Law do suggest that CASP regulation will be more extensive than what is currently required by the AML Directives. It does however remain to be seen whether any Directives published by CYSEC will be more onerous than the provisions of MiCA, and whether once MiCA has been enacted, there will be any degree of overlap between the two regimes.

[1] Article 3(18) of the 4^th AML Directive;

[2] L144(I)/2017 (the “Investment Services Law”) transposes the Second Markets in Financial Instruments Directive, Directive 2014/65/EU, (“MiFID II”) into domestic law. Note that the definition of “financial instruments” in the Investment Services Law effectively adopts the definition of “financial instruments” in MiFID II.

[3] Article 2(1)(3)(g) 4th AML Directive;

[4] Article 47(1) 4^th AML Directive;

[5] Article 3(19) of the 4^th AML directive;

[6] This list includes credit institutions, investment firms and other bodies and is discussed further below;

[7] This term is also defined in s2 of the AML Law;

[8] Initial Coin Offerings can be described as the crypto-currency industry’s equivalent to Initial Public Offerings;

[9] As defined in article 4(1)(1) of the Capital Requirements Regulation, (Regulation (EU) 575/2013);

[10] The term as defined in the AML Law includes Investment Firms as defined in section 2(1) of the Investment Services Law (and MiFID II), insurance and reinsurance undertakings, collective investment undertakings and other financial services firms;