A very significant and ground-breaking step has been taken by the Cyprus Securities and Exchange Commission (“CySEC”) to regulate certain activities concerning crypto assets as a result of the transposition of the 5th Anti – Money Laundering Directive (the ‘’AML Directive’’) into the national legislation.
As with other jurisdictions who have implemented regulatory regimes for crypto assets, such as France Estonia and the Philippines, the approach of the CySEC has been a cautious one requiring crypto asset service providers to register and comply with rules for money service businesses such as compliance, liquidity risk management, IT risk management place sound risk management mechanisms and governance procedures.
The applicable regulatory framework comprises of the following:
- The Prevention and Suppression of Money Laundering and Terrorist Financing Law (N. 188(I)/2017), as amended (the “AML Law’’);
- The CySEC Directive for the register of crypto asset services providers (“CASPs”);
- The CySEC directive for the prevention and suppression of money laundering and terrorist financing (the “CySec AML Directive”); and
- A policy statement on the registration and operation of Crypto-Assets Service Providers (“Policy Statement” ).
Through the creation of a register and a strict application process with multiple requirements vis a vis anti-money laundering regulation, risk management mechanisms and governance procedures, Cyprus can now offer a light regulatory framework for crypto-assets activities as further described below. Cyprus is already a notable hub for many investment firms and with the Crypto-Assets market being an emerging field with barely any precedent available for its procedures and its regulation, the ultimate challenge for the regulator is to set the right foundations for the Crypto-Asset Service Providers to operate on whilst, ensuring compliance through sound protection mechanisms and risk minimisation methods.
Crypto-Assets & Provision of Services by Crypto-Assets Service Providers
The AML Law defines a crypto-asset as “a digital representation of value that is neither issued nor guaranteed by a central bank or a public authority, it is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored, and traded electronically and is not a) fiat currency; or b) electronic money; or c) financial instruments as defined in the Investment Services Law.”
Pursuant to the AML Law, Crypto-assets service providers are defined as persons providing to another person or on behalf of another person the below services or exercising one or more of the below activities:
- exchange between crypto-assets and fiat currencies;
- exchange between crypto-assets;
- management, transferring and/or safekeeping, including custodianship of crypto assets or cryptographic keys or means enabling control over crypto-assets; offering and/or selling crypto-assets, including initial public offering;
- participation and/or provision of financial services related to the distribution, offering and/or sale of crypto-assets, including the initial public offering.
The Policy Statement defines that ‘’Financial Services relating to the distribution, the offer and/or the sale of crypto assets’’ comprise of the following services associated to crypto assets:
- Reception and transmission of orders;
- Advice on investment and executing orders on behalf of the clients;
- Dealing on own account;
- Portfolio management;
- Provision of investment advice;
- Underwriting and/or placing crypto assets with or without a firm commitment basis;
- Operation of a multilateral trading facility for buying and selling crypto assets.
CASPs Requirements
To be formally recognised as a CASP, a Cyprus legal entity must register with the CySEC before commencing operations. This is effected through the submission of a duly completed application form indicating the name, business name, legal form and legal entity identifier of the CASP, its physical address, the services to be provided by the CASP, the website of the CASP as well as completing detailed questionnaires relating to the ultimate shareholders and proposed management of the CASP.
The CySEC AML Directive provides for the registration procedure of CASPs, the requirements of which oblige a CASP to adopt sound risk management mechanisms ensuring risk minimisation and provide, inter alia, evidence of effective governance procedures. As such, a CASP will need to prepare and submit its internal operations manual, business plan and AML manual which must adhere to the strict and detailed requirements set out in the applicable laws outlined above.
A notable requirement for businesses looking to register as a CASP is that the initial capital requirement of a CASP ranges between EUR 50.000 to EUR 150.000, depending on the type of the crypto-asset activity and on how the CASP will be classified in accordance with the three classes that exist as per TABLE A below.
TABLE A – Crypto-asset activities and initial capital
| CASP | Type of crypto-asset activity | Initial Capital |
| Class 1 | CASPs that provide investment advice | €50.000 |
| Class 2 | CASPs providing the service referred to in Class 1 and/or any of the following services:
|
€125.000 |
| Class 3 | CASPs that provide any of the services referred to in Class 1 or 2 and/or:
|
€150.000 |
Further conditions that have to be fulfilled are the disclosure of all the legal and beneficial holdings in the CASP structure, the moral integrity of the board and shareholders, experience of the management, effectiveness of the compliance and risk management tools and requirements for local offices and personnel. It is worth noting that the members of the Board of the CASP need to be at least two persons who are at all times of sufficiently good reputation and possess sufficient knowledge. There are limits on the number of directorships the directors can hold and other conditions which the directors of the CASP will need to satisfy (i.e., adequate training, adequate skills). In relation to the staff employed in Cyprus, this will be determined by the activities, structure, projected turnover of the company as well as the head offices of a CASP have to be in Cyprus.
Upon the successful registration of the CASP, the register which will be available to the public via CySEC’s website will state the following information for each registered CASP:
- The name, business name, legal form and legal entity identifier of the CASP;
- Registered address;
- The services provided or intended to be provided by the CASP; and
- The CASPs website.
Conclusion
The implementation of the register has already incited a flurry of economic activity and interest. As at the date of the posting of this article, no CASPs have been registered but a number of applications have been submitted to the Regulator and there is significant interest from the market. Although the Cyprus regulator has not gone as far as to impose supervisory regulatory requirements, the adoption of compliance requirements in the form of the register has already been seen to provide reassurance to existing crypto asset providers and/ or new applicants looking to enter the market.