Member Article

In an article published earlier this year, we discussed how the Prevention and Suppression of Money Laundering and Terrorist Financing Law, L.188(I)/2007 (the “AML Law”) was amended in order to harmonise domestic legislation with the 4th and 5th AML Directives (Directives (EU) 2015/849 and 2018/843 and how it introduced, for the first time, provision for the registration of Crypto-Asset Service Providers (“CASPS”). The Cyprus Securities and Exchange Commission (“CYSEC”) was designated as the relevant competent supervisory authority and was given powers to regulate through the issue of Directives.

CYSEC has since exercised its powers under section 61E(1) of the AML Law, by issuing on 25 June 2021, a ‘Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (Register of Crypto Asset Service Providers)’ (the “CASP Directive”). In this article we examine and summarise some of the CASP Directive’s provisions and comment upon their implications for potential applicants.

CASP Directive Requirements

The CASP Directive, in line with CYSEC’s statutory powers, lays down the conditions with which CASPs must comply in order to appear on a Register of CASPs (the “Register”). The Register – which will, in due course, be published on CYSEC’s website – shall be accessible to the public and will contain, inter alia, the following information relating to CASPs:

(a) name, trade name, legal form and legal entity identifier;

(b) physical address;

(c) services provided and/or the activities that a CASP may perform (as defined in subsection (1) of section 2 of the AML Law); and

(d) their website.

We note that, as of the time of writing, the Register has not been launched on CYSEC’s website and is not yet operational.

The CASP Directive provides a regulatory framework in relation to the operation and management of CASPs doing business in Cyprus. Article 6 of the CASP Directive sets out the main conditions CASPs will need to comply with in order to feature on the Register, some of which we summarise below:

(a) CASPs must have submitted to CYSEC all information, documents and data required by the registration application including the information set out above which will appear on the Register;

(b) Persons holding an administrative position with the CASP are honest and competent. Such persons must be of good repute, possess the necessary knowledge, skill and experience and devote sufficient time to the performance of their duties with the CASP;

(c) The CASP’s Board of Directors shall be composed of at least four persons who meet the requirements of (b) above, two of whom shall direct the applicant’s business activities and two of whom shall be independent directors;

(d) The CASP’s beneficial owners are honest and competent. This requirement is met if they are of good repute and have the ability to maintain a sound financial structure for the CASP;

(e) Any close links between the CASP and other natural or legal persons do not prevent CYSEC’s effective monitoring, evaluation and supervision of the CASP;

(f) The CASP has established appropriate policies and procedures and have appropriate systems and controls in order to ensure its compliance with the CASP Directive;

(g) The CASP has established appropriate policies and procedures and has appropriate systems and controls to ensure its prudent operation, including minimising the risk of theft or loss of its customers' cryptocurrency;

(h) The CASP maintains own funds/capital requirements in accordance with the provisions of article 14 of the CASP Directive (which we discuss further below); and

(i) the performance of its staff is not remunerated or evaluated in a manner that conflicts with its duty to act in the best interests of its customers and in particular does not make any arrangement in the form of remuneration, sales targets or otherwise, which could provide an incentive for its staff to engage in aggressive marketing practices for products or services.

Article 6 contains a number of other conditions that CASPs must comply with which relate to the operation of a CASP’s websites, outsourcing, complaints handling and others which are not mentioned above. Other articles in the CASP Directive pertain to, amongst other issues, matters such as the conditions subject to which CYSEC will approve or reject applications for registration, CASPs’ organisational and operating requirements, the assessment of the fitness and propriety of CASPs’ management bodies and shareholders. We note that, article 14 requires that CASPs must maintain at all times a minimum equity capital which is the higher of:

(a) €125,000 (€150,000 if custody/underwriting services are offered or if the CASPS operates a multilateral trading facility); or

(b) one quarter of its fixed costs for the previously year (revised annually).

In addition to the above, prospective applicants should note that CYSEC’s fees for reviewing applications for registration as a CASP amount to €10,000. If the application is successful CYSEC’s annual fees are waived for the first year, and amount to €5,000 per annum thereafter. Fees for notifying changes to CYSEC regarding a CASP’s registration details would cost between €1,000 - €5,000 depending on the type of notification required.

Implications for Applicants

In our previous article, which was published prior to the issue of the CASP Directive, a significant question raised was the degree of regulation that CASPs registered with CYSEC would be subjected to compared to the amount of regulation that traditional investment firms and/or electronic money institutions are currently subject to.

It appears that CYSEC has utilised the powers it has been given under section 61E of the AML Law to prescribe requirements beyond those set out in the 4th and 5th AML Directives. For example, part V of the CASP Directive prescribes various organisational and operational requirements such as the provision of information to customers or potential customers (article 14), capital adequacy (article 15) and conflict of interest (article 16) which are more extensive than the requirements set out in the 4th and 5th AML Directives.

It could be argued that the relevant parts of the AML Law combined with the CASP Directive are not distinctive enough to be considered as completely sui generis legislative instruments as many of their provisions mirror, or otherwise clearly derive from the Investment Services Law (L87(I)/2017) implementing the second Markets in Financial Instruments Directive (Directive 2014/65/EU). Several definitions and provisions in the CASP Directive appear to be identical to provisions in the Investment Services Law. For example, articles 13 and 15 of the CASP Directive that deal with the provision of information to customers and conflicts of interest are very similar to sections 24(1), 25(3) – (5) and others in the Investment Services Law.

This similarity in approach was hinted at, by the amendments to the definitions section of the AML Law and was discussed in our previous article. This suggests that, in the eyes of the legislative and regulatory authorities, cryptocurrency has not yet acquired a distinctive enough “legal identity” so as to be legislated for as a distinct category of economic activity, and that consequently, the regulatory approach towards CASPs and cryptocurrencies is likely to closely resemble that taken towards MiFID investment firms and financial instruments, at least in the short term.

It remains to be seen whether the introduction of cryptocurrency regulation through the CASP Directive will encourage more economic activity in the domestic market. Barriers for entry have now been placed in the way of potential applicants. However, the added comfort provided by compliance with regulatory requirements resembling those of MiFID investment firms, may both entice more consumers of such services into the market, and other previously hesitant service providers (such as banks) to either provide services to CASPs or enter the field themselves. In any event, we expect that the proposed Markets in Crypto Assets Directive , if enacted, will provide a common regulatory framework for crypto-assets throughout the European Union and will, with the passage of time, ensure that services in relation to crypto-assets will become more commonplace and widely adopted.