Crypto assets constitute private assets utilising cryptography and distributed ledger technology to derive their perceived or inherent value. Various types exist such as payment/exchange type tokens (for instance virtual currencies), investment type tokens, and utility type tokens (designed to access goods or services).
During 2021 several initial steps were taken for the regulation of crypto assets in Cyprus. These included the publication of Circular no. C417 by the Cyprus Securities and Exchange Commission (CySEC) addressed to Cyprus Investment Firms, the enactment of the 5th Anti Money Laundering Directive (EU)2018/843 (‘AMLD5’) into Cyprus law, via Amended Law 188(I)/2007 on ‘Prevention and Suppression of Money Laundering and Terrorist Financing’ (‘the AML Law’), and the publication of CySEC’s Directive Κ.Δ.Π. 269/2021 on ‘the Register of Providers of Services Regarding Crypto Assets’ (‘the CySEC Register Directive’).
As things currently stand, the AML Law constitutes the main Cyprus legislation on crypto asset regulation, which is complemented by the CySEC Register Directive. The CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (‘the CySEC AML Directive’) is also relevant, however it predates the AML Law and therefore is not analysed here.
The AML Law
The AML Law defines crypto assets under article 2(1) as:
“a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by persons as a means of exchange or investment and which can be transferred, stored or traded electronically and that is not,
(a) Fiat currency, or
(b) Electronic money, or
(c) Financial instruments as defined in Part III of the First Appendix of the Law on the Provision of Investment Services and Activities and Regulated Markets”.
The definition of a crypto assets service provider in article 2(1) builds on ‘the exchange between crypto assets and fiat currencies’ used in article 2(1)(3)(g) AMLD5, to include:
- Exchange between crypto assets;
- Management, transmission, transfer, holding and/or safekeeping of crypto assets or cryptographic keys;
- Offer and/or sale of crypto assets, including the initial offering; and
- Participation and/or provision of financial services regarding the distribution, offer and/or sale of crypto assets, including the initial offering.
The CySEC Register Directive
Under Article 61E (1) of the AML Law CySEC must compile and maintain a Register of crypto asset service providers, irrespective of their potential registration in another Member State. To that end, CySEC went ahead and published in June 2021 the CySEC Register Directive. Its key provisions are the following:
- Register Entries
The Register is published on CySEC’s website, and records the name, trade name, legal medium and legal entity identifier of the provider, its registered address, its website, as well as the services offered and activities in which it may participate.
- Conditions for Registration
These appear in Para 6 of the CySEC Directive. They are numerous, and include:
- Ensuring persons serving administrative functions in the provider as well as beneficiaries are honest and capable individuals. The criteria feature good reputation, knowledge, capabilities and experience, and time spent in operation of the provider.
- Adopting policies, procedures, and internal control mechanisms to ensure prudent operation, and achieve compliance of members, staff and agents with the AML Law. Records should be maintained and provided to CySEC upon request.
- Deletion from the Register or Suspension of Registration
Deletion is contemplated under Article 61E (5) of the AML Law in the following:
- where the provider does not deal in crypto assets for a continuous period of 6 months or over;
- upon registration on false pretences or following other irregularity;
- upon termination of all services and related activity under Article 2 (1) of the AML Law; and
- where the provided no longer falls under Article 61E (2).
Suspension of registration is also possible, where CySEC considers the information on the Register as incorrect or incomplete, and where the Para 6 conditions are not met. In the latter case the provider is banned from providing crypto-asset related services during suspension.
- Notification of Substantial Changes and CySEC Approval
Under Para 12, changes which are considered ‘substantial’ and require notification to CySEC as well as prior approval feature:
- a change in services or related activity of the provider;
- any change of crypto-asset addresses, defined as public addresses and/or keys/digital wallets controlled by the Provider;
- any change in the Board or in individuals with administrative positions;
- any change in beneficiaries; and
- any change in relation to the website of the provider.
- Capital Adequacy, Fees, and Conflicts of Interest
The provider should maintain:
- A sum defined under the Appendix of the CySEC Register Directive, depending on the nature of the provider’s activity (category 1-3); or
- ¼ of the fixed costs during the previous year, reviewed annually.
Fees include €10,000 for registration, €5,000 for annual renewal, and fees for notification of substantial changes.
Finally, the client must be notified of potential conflicts of interest and informed of measures taken by the provider to mitigate these risks.