AMLD5 was transposed into Cyprus law in February 2021, the transposition brought Crypto-Assets under the ambit of the AML Law and therefore Crypto-Assets and services connected to Crypto-Assets are now regulated for AML purposes.  

Crypto-assets are defined as a digital representation of value that:

  • are not issued or guaranteed by a central bank or a public authority,
  • are not necessarily attached to a legally established currency, and
  • do not possess a legal status of currency or money, but
  • are accepted by persons as a means of exchange or investment and which can be transferred, stored, or traded electronically and that is not, o Fiat currency, or o Electronic money, or
    • Financial Instruments as defined in Part III of the First Appendix of the Law on the Provision of Investment Services and Activities and Regulated Markets.

In other words, Crypto-assets are digital representations of values or rights, which can be transferred and stored electronically, using specific technology (known as distributed ledger technology – DLT). Crypto-assets are inextricably linked to blockchains, as they are the blocks that make up the chains themselves. Crypto-assets come in many forms and with varying rights and functions.

A crypto-asset:

  1. can serve as an access key to a service and these are often referred to as utility tokens,
  2. can be designed to facilitate payments and these are often referred to as payments tokens,
  3. can also be designed as a financial instrument, such as transferable securities under the Markets in Financial Instruments Directive (MiFID II).

A CASP is defined as a person who provides or exercises, one or more, of the following services or activities to another person or on behalf of another person

  • The exchange between crypto-assets and fiat currencies
  • Exchange between crypto-assets
  • Management, transfer, holding, and/or safekeeping, including the custody of crypto-assets or cryptographic keys or means which allow the exercise of control on crypto-assets
  • Offering and/or sale of crypto-assets, including the initial offering; and
  • Participation and/or provision of financial services regarding the distribution, offer, and/or sale of cryptoassets, including the initial offering.

Financial Services relating to the distribution, offer, and/or the sale of crypto-assets are defined as the following investment services

  1. Reception and transmission of orders
  2. Execution of orders on behalf of clients
  3. Dealing on own account
  4. Portfolio management
  5. Provision of investment advice
  6. Underwriting and/or placing of crypto-assets on a firm commitment basis
  7. Placing of crypto-assets without a firm commitment basis
  8. Operation of a multilateral trading facility for buying and selling crypto-assets 

CySEC Directive 25 June 2021

On the 25th of June 2021 the Cyprus Securities and Exchange Commission (the “CySEC”) issued the Directive for the registration of CASPs (the “Directive”) pursuant to the 5th AML Directive which was transposed into Cyprus law in February 2021 through the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 to 2021 (the “Law”).

The Law provided a definition for CASPs and was the first step towards the regulation of crypto-asset related activities and provided that any provider carrying out activities relating to crypto-assets must register in the relevant CySEC registry as a CASP.

CASP Registration

The CySEC will publish the CASP registry online and will be publicly available and it will have the following information for each CASP:

  1. Name, tradename, legal form and legal entity identifier of the CASP.
  2. Physical address of the CASP.
  3. Services offered and/or activities performed, pursuant to the services set out in the CASP definition in the Law.
  4. The CASP’s website.

CASP Registration Requirements 

CySEC approves the applicant’s registration as a CASP provided that the applicant complies with the following:

  1. The applicant has submitted all information, documents and data required in the application form (which will be published by CySEC in due course) and/or which may be requested by CySEC during the review of the application, and especially the applicant must also provide the information set out in the previous section, as well as, the addresses of all crypto-assets.
  2. The applicant must ensure that members of the board and anyone with managerial position is honest and capable, which is satisfied by showing good repute, knowledge and skills and expertise, and by dedicating adequate time to the performance of their duties.
  3. The Board of Directors of the applicant must have at least four (4) members, who satisfy the provisions of paragraph 2 above, out of which at least two (2) must be executive members and the other two (2) must be independent non-executive members.
  4. The applicant must ensure that its beneficial owners are honest and competent, something which may be satisfied by evidencing good repute and skills to maintain the good financial structure of the applicant.
  5. In the event that the applicant will be operating online, it must maintain its exclusive website, through which it will be operating, without giving access to any other person to operate through this website.
  6. The applicant must have established proper policies and procedures which ensure its compliance, including compliance by its members, employees and assignees, with the Law and this Directive.
  7. The applicant must have established proper policies and procedures and to have in place appropriate systems and control mechanisms in order to ensure its prudent operation, including minimization of the risk of appropriation or loss of its clients’ crypto-assets.
  8. Capital requirement compliance – the applicant must maintain, at all times, own funds equal to the higher of the following amounts:
      >

    1. (i) EURO 125,000 initial capital for the provision of the following services: Reception and transmission of orders; Execution of orders on behalf of clients; The exchange between cryptoassets and fiat currencies; Exchange between crypto-assets; Participation and/or provision of financial services regarding the distribution, offer, and/or sale of crypto-assets, including the initial offering, Placing of crypto-assets with a firm commitment basis; Portfolio management.
      (ii) Euro 150,000 initial capital for the provision of the following services: Management, transfer, holding, and/or safekeeping, including the custody of crypto-assets or cryptographic keys or means which allow the exercise of control on crypto-assets; Placing of crypto-assets without a firm commitment basis; Operation of a multilateral trading facility for buying and selling crypto- assets
    2. One quarter (1/4) of the applicant’s fixed expenses on the basis of the previous year, to be revised annually. This will be calculated pursuant to the provisions of the Directive.
  9. The applicant must ensure that remuneration terms of the staff are such that do not conflict with the staffs’ duty to act in the best interests of the clients, and that the applicant does not make any adjustments in remuneration, targets of sales or otherwise that could act as a motivation for the staff to implement aggressive marketing techniques.
  10. The applicant has established proper arrangements of corporate governance with transparent and clear reference lines.
  11. The applicant takes all reasonable measures to ensure the contiinuing operation of its activities and has in place proper and up-to-date policies for ensuring its continuing operations and proper and upto-date policies and procedures for the retrieval of data and timely continuance of operations where, despite the reasonable measures in place, its operations have ceased.
  12. The applicant arranges for the outsourcing of essential functions, in order for reasonable measures to be taken to avoid any undue deterioration of the operational risk.
  13. The applicant has established proper administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment and effective security and control mechanisms in place for its electronic data processing systems.
  14. Where the scope, nature, scale and complexity of the activities require, the applicant must establish an internal control function which is independent from the other functions and operations of the applicant.
  15. The applicant has established proper security mechanisms, for the purpose of ensuring and verifying the authenticity of the means used for transmission of information, for the minimization of the risk of destruction of data and of the risk of non-authorized access, as well as, preventing any information leakages, in order to ensure that confidentiality is maintained at all times.
  16. The applicant ensures that records are kept with respect to all its activities, which also include relevant communications, and such records are kept in such manner as to enable the CySEC to perform its duties and to take such steps as to ensure the applicant’s compliance with its obligations.
  17. The applicant ensures that its staff are not involved in multiple duties and if they are the applicant must ensure that this does not affect or may affect such staff from performing any of their duties diligently, professionally and with honesty.
  18. The applicant establishes proper policies and procedures in order to ensure that any complaints from clients are duly addressed.
  19. The applicant ensures that its staff are honest and professional and have the required knowledge on the basis of their duties. 

Removal from CASP Registry

The CySEC may remove a CASP from the registry if any of the following applies:

  1. The CASP has ceased offering services relating to crypto-assets for a period of six (6) months.
  2. The CASP has been registered pursuant to false representations or in any other irregular manner.
  3. The CASP has ceased all services and activities that fall under the definition of CASP pursuant to the Law.
  4. It no longer falls under the provisions of the Law.

Applicable Fees

  1. The applicant pays the fee of EURO 10,000 together with its application for registration as a CASP. This amount is not refundable in the event that the applicant is rejected. In the event that the applicant is registered as a CASP then there is no other fee or contribution payable to CySEC for the first year of its registration.
  2. Each year after the registration there is a renewal fee of EURO 5,000 payable to CySEC.
  3. In order to notify the CySEC for a substantial alteration the following fees are applicable:
    1. EURO 1,000 per activity or service.
    2. EURO 2,000 per notice of change relating to the members of the Board of Directors of the CASP.
    3. EURO 5,000 per notice of change relating to the beneficiaries of the CASP.
    4. EURO 1,000 per notice of change relating to the website of the CASP.