Member Article

A primer on burgeoning crypto-asset regulation in Cyprus

In Cyprus, the Prevention and Suppression of Money Laundering and Terrorist Financing Law, L188(I)/2007 (the “AML Law”) was amended earlier this year through L13(I)/2021 (the “Amending Law”), in order to harmonise domestic legislation with the provisions of the 4th and 5th AML Directives (Directives (EU) 2015/849 and 2018/843).The 5th AML Directive made several amendments to the 4th AML Directive (together the “AML Directives”) effectively extending AML/CTF controls to:

1. Providers of exchange services between virtual currencies and fiat currencies (“Exchange Providers”); and

2. Providers of custody services for virtual currencies (“Custody Providers”).

As a result of amendments introduced by the 5th AML Directive, EU Member States are required to ensure that Exchange Providers and Custody Providers are registered and that persons who hold management functions or are beneficial owners of Providers are fit and proper. The Amending Law was published in the Official Gazette of the Republic of Cyprus on 23 February 2021 and transposed the 5th AML Directive’s provisions into the AML law. The Cyprus Securities and Exchange Commission (“CYSEC”) has been designated as the competent supervisory authority for matters relating to crypto-asset regulation and has been given powers to regulate through the issue of Directives. As at the time of writing CYSEC has not yet published any Directives pursuant to the powers that it has been granted and as such, the regulatory framework for crypto-assets in Cyprus is not yet fully operational. It is not yet clear whether, future all-encompassing and specific primary legislation will be introduced in this area or whether the regulatory framework for crypto-assets will mostly be based on CYSEC’s Directives. In the remainder of this paper, we examine the provisions of the Amending Law and their implication for the regulatory approach towards crypto-assets in this jurisdiction, and note certain points that any new market entrant, or existing provider might wish to consider. We will publish additional updates following the publication of any relevant Directives by CYSEC. Whilst beyond the scope of this paper it is worth noting that the draft EU Markets in Crypto-Assets Regulation (“MiCA”) is expected to come into force by 2024. MiCA will be directly applicable and may cover a lot of the same subject matter as the provisions that are discussed in this paper.

Introduction of a Legal Definition of Crypto-AssetsThe 5th AML Directive adopted the following definition for “Virtual Currencies”:

a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically

In Cyprus, the Amending Law introduced a definition for “Crypto-Assets” that slightly extended the above definition. Crypto-Assets are defined in s2 of the AML Law in the exact same way as Virtual Currencies as in the 5th AML Directive but in addition to the text set out above, the AML Law definition added specific exclusions (as underlined below):

a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically and is not:a) fiat currency; orb) electronic money; orc) a financial instrument as defined in Part III of the First Appendix of [L144(I)/2017]

The exclusion of “fiat currency” from the Amending Law definition appears unnecessary as fiat currencies are usually both issued by central banks and constitute legal tender. This means that they are extremely unlikely to fall within the definition of Virtual Currency as set out in the AML Directives and which was for the most part adopted by the Amending Law. On the other hand, the exclusion of “electronic money” and “financial instruments” from the Crypto-Asset definition appears designed to remove any electronic money and financial instruments, already subject to regulation from falling under Crypto-Asset regulation to avoid potential jurisdictional overlap. This is discussed further in the Jurisdictional Overlap section below.

Defining the business of Crypto-Asset Services Providers (“CASPS”)Although the AML Directives introduced a definition of “Virtual Currencies”, they did not introduce an equivalent definition for Exchange Providers. Instead, the AML Directives merely set out that any “providers engaged in exchange services between virtual currencies and fiat currencies” fall within the Directives’ scope and that Member States must ensure that such providers are registered . The AML Directives did however provide the following definition for Custody Providers (which must also be registered):

‘custodian wallet provider’ means an entity that provides services to safeguard private cryptographic keys on behalf of its customers to hold, store and transfer virtual currencies

The Amending Law introduces a definition for Crypto-Asset Services Providers (“CASPs”) that appears to cast a wider net than the 5th AML Directive and seems intended to encompass both Exchange Providers and Custody Providers. Section 2 of the AML Law defines a CASP as:

any person who provides or carries out one or more of the following services or activities to another person or on behalf of another person to the extent that these do not fall within the services or activities provided by entities referred to in paragraphs (a) to (h) of section 2A of the AML Law : (a) the exchange of crypto-assets for fiat currency;(b) the exchange of crypto-assets for other crypto-assets;(c) the management, transfer, retention, and/or safekeeping, including custody, of crypto-assets, cryptographic keys or any others means which permit the exercise of control over crypto-assets;(d) the offer and/or sale of crypto-assets, including any initial offering; and(e) the participation in and/or provision of financial services related to the distribution, offer and/or sale of crypto-assets , including their initial offer. (referred to below as the “CASP Definition”)

It is worth noting the following points in relation to the above definition:

1. The AML Directive definition for Custody Providers (“custodian wallet provider”) appears to only capture entities that provide services in relation to the safeguarding of “cryptographic keys”. The CASP Definition in the AML Law appears to be wider in that it also captures entities which provide custody of Crypto-Assets (rather than just the custody and/or safeguarding of crypto-graphic keys) as well as “any other means” which permit the exercise of control of crypto-assets.

2. It appears difficult to distinguish between the “exchange of crypto-assets for fiat currency” and the “exchange of crypto-assets for other crypto-assets” in sub-paragraphs (a) and (b) and the “offer and/or sale of crypto-assets” in sub-paragraph (d) as, in practical terms, the sale of a Crypto-Asset effectively consists of the exchange of fiat currency for the Crypto-Asset in question, or the exchange of one Crypto-Asset for another. Given the similarity in meaning and the inclusion of the term “initial offering” (as well as the word “offer”) in sub-paragraph (d) of the CASP Definition, the sub-paragraph may be aimed towards ensuring that any entities that issue their own Crypto-Assets, or are otherwise involved in Initial Coin Offerings , fall within the definition of a CASP and become subject to the provisions of the AML Law.

3. Sub-paragraph (e) in the CASP Definition refers to the participation in and/or provision of “financial services related to the distribution, offer and sale of crypto-assets”. This term is given a specific meaning in section 2 of AML Law as follows:‘financial services related to the distribution, offer and sale of crypto-assets’ means the following services and activities in relation to crypto-assets:(a) Reception and transmission of orders;(b) Execution of orders on behalf of clients;(c) Dealing on own account;(d) Portfolio management;(e) Investment advice;(f) Underwriting and/or placing of crypto-assets on a firm commitment basis;(g) Placing of crypto-assets without a firm commitment basis; and (h) Operation of a multilateral system in which multiple third-party buying and selling trading interests in crypto-assets are able to interact in the system.

The above list closely replicates the list of Investment Services and Activities set out in Section 1 of Annex I of MiFID II and Part 1 of the First Appendix of the Investment Services Law. It is therefore apparent that any form of service, which constitutes a MiFID II investment service when offered in relation to financial instruments, will fall within the scope of the AML Law, and would require the provider to register in accordance with the provisions of the AML Law when it is offered in relation to Crypto-Assets. The adoption of near-identical terms to those in Section 1 of Annex I of MiFID II suggests that the regulatory approach towards Crypto-Assets might, in the short-term at least, closely resemble the regulatory approach currently taken towards MiFID II financial instruments. This appears to be confirmed by the designation of CYSEC as the supervisory authority for CASPs.

4. The CASP definition specifically excludes services or activities that fall “within the services or activities provided by entities referred to in paragraphs (a) to (i) of section 2A of the AML Law”. Paragraphs (a) to (i) of section 2A of the AML Law refer to, inter alia, Credit Institutions and Financial Institutions which are subject to separate and extensive financial services regulation. This appears aimed at ensuring that entities that fall under the scope of existing financial services legislation, and which offer services in relation to Crypto-Assets, are excluded from any requirements that may apply to CASPs to avoid jurisdictional overlap, although this may lead to some interesting outcomes which are discussed in further detail in the Jurisdictional Overlap section below.

CASP Regulatory Framework OutlineSection 59(b)(vii) of the AML Law provides that CYSEC is the relevant supervisory authority in relation to the services and activities that are provided by CASPS. Section 61E(1) of the AML Law provides that:1. CYSEC will prepare and maintain a register of CASPs (the “Register”);

2. CYSEC will publish the Register on its website or in any other way that it may decide; and

3. CYSEC may determine by Directive how the Register will operate, be maintained and be updated. Section 61E(2)(a) requires that any CASPs that provide services or activities “on a professional basis” from Cyprus, must be registered irrespectively of whether they have been registered in another Member State in relation to the same services and activities. Section 61E(2)(b) provides that any CASPs that provide services or activities “on a professional basis” in Cyprus must also be registered unless they have already been registered in another Member State in respect of the same services and activities. It is evident from the above that passporting into the jurisdiction will be allowed as any CASP that has been registered in a different Member State will not need to apply for entry onto the Register. In addition, it should also be noted that the term “on a professional basis” is also used in the definition of “Investment Firm” in section 2(1) of the Investment Services Law and in articles 4(1)(1) and 5 of MiFID II. Its use here suggests that issuers of Crypto-Assets might be exempt from registration requirements when issuing their own crypto-assets, given that such issuances are not done as a regular occupation or business, or on a professional basis. However, caution is advised before adopting such an interpretation given that, as set out above, the CASP Definition specifically refers to “initial offerings” of Crypto-Assets as a service that falls to be regulated. We anticipate that the matter may be clarified in due course through the publication of Directives pursuant to the powers CYSEC has been given under section 61E of the AML Law. Section 61E also sets out that a number of other matters fall within CYSEC’s jurisdiction and that CYSEC may publish Directives prescribing additional information and details regarding, inter alia:1. The conditions subject to which CYSEC will approve or reject applications for registration;2. CASPs’ organisational and operating requirements;3. Registration fees; and 4. The assessment of the fitness and propriety of CASPs’ management bodies and shareholders. As set out above CYSEC has not yet published any Directives pursuant to the powers that it has been given by section 61E of the AML Law, but it is anticipated that the publication of such Directives will add further clarity to how the regulatory framework for CASPs will operate in practice.

Jurisdictional OverlapAs discussed briefly above, the provisions of the Amending Law appear to have been designed so as to avoid different and distinct legal provisions applying to the same subject matter or otherwise overlapping. In practice this issue might arise in the following two ways which have different implications and are both discussed briefly and separately below:1. An entity that is properly authorised and regulated under existing financial services legislation (a “Regulated Entity”) might offer services in relation to Crypto-Assets; or2. A Crypto-Asset might be deemed to be a “financial instrument”, or “electronic money” under existing financial services legislation;

Regulated EntitiesAs set out above, the CASP Definition sets out that a CASP is “any person who provides or carries out one or more of [a number of services] to another person or on behalf of another person to the extent that these do not fall within the services or activities provided by entities referred to in paragraphs (a) to (h) of section 2A of the AML Law”. Therefore, where an entity referred to in paragraphs (a) to (h) of section 2A of the AML provides any of the services referred to in the CASP Definition in relation to Crypto-Assets it does not constitute a CASP. Paragraphs (a) to (i) of section 2A of the AML Law refer to:(a) Credit institutions;(b) Financial institution;(c) Any of the following natural or legal persons in the exercise of their professional activities:(i) Auditor, external accountant and tax advisor;(ii) Independent legal professional…[when providing certain services];(d) Natural or legal person not already covered under paragraph (c) [when providing certain services] (e) estate agents, including when acting as intermediaries in relation to the rental of property in relation to transactions for which the monthly rental amounts to, or exceeds, ten thousand euro (€10,000);(f) providers of gambling services, [as provided in the relevant laws of Cyprus];(g) casino [which falls under the scope of the laws relevant to the operation and supervision of casinos]; (h) a person trading in goods, if the payment is made or collected in cash and it concerns an amount equal to or greater than ten thousand euro (€10.000), regardless of whether the transaction is carried out in a single operation or in several operations which appear to be linked.

It therefore appears that where a Regulated Entity offers any of the services set out in the CASP Definition in relation to Crypto-Assets it would be exempt from the requirements set out in section 61E of the AML Law described above. In practice, we would expect that the vast majority of persons offering services in relation to Crypto-Assets that would be exempt from registration requirements under section 61E of the AML, would consist of credit institutions and/or investment firms that may in time begin to offer services in relation to Crypto-Assets. However, rather interestingly, as currently drafted the AML Law also provides that, for example, estate agents or providers of gambling services, may offer services in relation to Crypto-Assets without having to seek entry onto the Register, without having to comply with any of the additional requirements provided for by section 61E, and without having to comply with any future requirements that might be set out in future CYSEC Directives. It remains to be seen whether this position will be amended in future, whether through CYSEC Directive or a different legislative instrument.