With an announcement dated 13/09/2021, CySEC presented the Policy Statement on the Registration and Operation of Crypto Asset Services Providers (the “CASPs”) PS-01-2021 (the “Policy”), to outline the finalised rules for CASPs under the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (the “AML Law”), the CySEC Directive for the prevention and suppression of money laundering and terrorist financing regarding the Register of Crypto Asset Service Providers (the “CASP Directive”) and the CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (the “AML Directive”). The Policy, along with the AML Law, CASP Directive and AML Directive, will be referred to collectively as the “Cumulative CASP Rules”. An unofficial translated consolidated version of the CASP Directive is attached as Appendix 1 to the Policy.
In addition to the above, CySEC sets out in the Policy its expectations for the compliance of CASPs with the regulatory framework, including certain specific expectations in relation to the compliance of CASPs with their obligations under the AML Directive. The Policy concerns CASPs, as defined in the AML Law, providing services in or from the Republic, as well as customers purchasing, holding or transferring crypto assets to the extent they resort to the services of a CASP.
In this Memo we summarise the key obligations of a CASP; the expectations of CySEC are presented in full detail in the Policy.
As per the CySEC Directive on CASPs Registration, the prospective CASPs (the “Applicants”) must submit the relevant application form issued by CySEC for the registration in the CySEC CASP Register (the “CASP Application Form”), duly completed, which must inter alia include information in relation to:
(a) the name, trade name, legal form and legal entity identifier of the CASP;
(b) the physical address of the CASP;
(c) the services provided and/or the activities that the CASP may carry out as defined in subparagraphs (a) to (e), in the definition of "Crypto Asset Services Provider" in paragraph (1) of section 2 of the Law;
(d) the website of the CASP;
(e) all public addresses of crypto-assets and/or of public keys/digital wallets controlled by the CASP that are used or can be used in the operation of the CASP in relation to each crypto-asset (the “Crypto-Assets Addresses”);
(f) the crypto-assets in relation to which they engage in any activity;
(g) whether the CASP accepts other CASPs as customers or not;
(h) whether or not the CASP offers business payment services in crypto-assets to vendors;
(i) whether the CASP operates Crypto-Assets-ATMs, the number and the geographical location thereof;
(j) whether the CASP is registered or supervised in any other jurisdiction;
(k) all documents and/or additional information specified in the CASP Application Form.
Applicants are expected to be in a position to satisfy CySEC in relation to the following, with which CASPs must, upon registration, comply on an ongoing basis at all times (section 61E(6)(a) of the AML/CFT Law):
(a) Restrict the amount of crypto assets held in hot wallets in line with a relevant risk assessment taking into account all relevant risks, including the concentration risk and in any case ensure that the necessity of keeping a certain amount of crypto-assets in hot wallets is justified on reasonable and demonstrable grounds;
(b) Introduce and apply different layers of approval for a transaction to be undertaken, by designating specific persons authorised to initiate a transaction and specific persons authorised to approve such transactions. A transaction may be initiated only by persons authorised to initiate such transactions and may proceed only if it is approved by a person authorised to approve the undertaking of a transaction. The criteria for the recruitment of such persons must be included in the recruitment policy of the CASP;
(c) Segregate through “Chinese walls” the persons responsible for initiating the transactions and the persons responsible for approving the transactions;
(d) Where third-party hot wallets are being used, due diligence must be undertaken per hot wallet provider, taking into account, inter alia, the geographic location of the said provider, whether it is subject to supervision and whether it is of good repute;
(e) Where crypto-assets are being stored off-chain (i.e. in cold wallets), CASPs shall undertake a risk assessment in relation to the risks involved, including the concentration risk stemming from the geographic location of the storing facilities. In any case they must use secured facilities to which only specifically designated persons may have access;
(f) Perform daily reconciliations at record-keeping level and, at regular intervals, actual stocktaking in relation to the crypto-assets held in cold wallets, to confirm that the corresponding amount is indeed still in the relevant facilities.
10. All reasonable steps must be taken to ensure the continuous and regular performance of its functions and an appropriate and up-to-date policy must be maintained to ensure its continued operation, as well as an appropriate and up-to-date data recovery policy and procedures for the timely resumption of activities, where despite the reasonable measures taken the activity of the CASP is interrupted.
11. When outsourcing the performance of critical functions to third parties, reasonable steps must be taken to avoid any undue additional operational risk and in any case, it must be ensured that the quality of the internal controls or CySEC’s ability to supervise, are not materially impaired.
12. CASPs must have in place sound administrative and accounting procedures, internal control mechanisms, effective risk assessment procedures and effective control and safeguard arrangements for information processing systems.
13. Where the scope, nature, scale and complexity of its activity so require, the CASP must establish an internal control function that is independent of its other functions and activities, for the design and execution of its internal control mechanisms.
14. CASPs must have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage, in order to maintain the confidentiality of the data at all times.
15. CASPs must arrange for records to be kept of all of their activities, including the relevant correspondence, which shall be sufficient to enable CySEC to exercise its supervisory functions and to take steps to ensure the CASPs’ compliance with their obligations.
16. The persons employed by CASPs shall not perform multiple functions unless the exercise of multiple functions does not prevent, or is not likely to prevent, such persons from carrying out any work or function with diligence, honesty and professionalism.
17. CASPs must have appropriate policies and procedures in place to ensure that their clients’ complaints are properly resolved.
18. The persons employed by the CASP must be honest and professional and possess the appropriate knowledge for the tasks assigned to them.
(a) The payee’s name and surname;
(b) The payee’s crypto-asset account number;
(c) The payer’s name and surname;
(d) The payer’s crypto-asset account number;
(e) Where the payee or the payer does not have a crypto-asset account number, a unique transaction identifier; and
(f) One of the following:
(i) The payer’s physical address;
(ii) The payer’s national identity number;
(iii) The payer’s customer identification number;
(iv) The payer’s date and place of birth.
An obliged entity must follow the above irrespective of whether the obliged entity in question and the payer are the same person.
(1) it has received the information specified above; and
(2) the information is consistent with its own records in respect of the payee’s name and, where applicable, the payee’s account number.
(1) the information specified in point (c) above;
(2) the information specified in point (d) above.
(1) determining whether any of the information referred to in paragraphs 2 or 3 as the case may be, is missing, is incomplete or, where applicable, is inconsistent with the obliged entity’s own records; and
(2) where a default is identified pursuant to point (1) directly above: a) determining whether to execute, reject or suspend the material crypto-asset transfer; and b) determining the appropriate follow-up action.
CASPs must comply with all of their responsibilities stemming from the Cumulative CASP Rules at all times.
CASPs must ensure that all information, including marketing communications, addressed to clients or potential clients is accurate, clear and not misleading, that marketing communications are clearly identified as such, and that clients or potential clients are provided, in a timely manner, with appropriate information on the CASP, its services and the costs and associated charges.
CASPs must maintain at all times own funds in accordance with the CASP Registration Directive.
CASPs must maintain and operate effective organisational and administrative arrangements with a view to taking all reasonable steps designed to prevent conflicts of interest from adversely affecting the interests of their clients. They must take all appropriate steps to identify and to prevent or manage conflicts of interest between themselves, including their managers, employees and any person directly or indirectly linked to them by control, and their clients, or between one client and another, and to disclose to the client, clearly and in a timely manner, the general nature and/or sources of conflicts of interest and the steps taken to mitigate those risks, before undertaking business on the client’s behalf.
In the Policy, CySEC expressed its opinion in relation to Investment Firms registering as CASPs. CySEC believes that it is prudent to ring-fence the investment services from crypto-asset activities, at least until a certain level of maturity is reached, in order to avoid spill-over risks. Without prejudice to its view on ring-fencing, CySEC will review any application by an Investment Firm to engage in crypto-asset activities on its own merit, taking into account the specificities entailed. It is worth noting that crypto-asset activities undertaken by Investment Firms will be subject to the prudential requirements of the IFD/IFR, which are more stringent than the capital requirements provided for in the CASP Directive.
CySEC will publish relevant forms and documents in a dedicated section on its website for the commencement of the registration process of the CASPs operating in or from Cyprus. In the announcement dated 13/09/2021, CySEC concluded that it will analyse the market practices and will assess the effectiveness of existing rules and, where necessary, may issue guidance for the compliance of supervised entities with the regulatory framework and/or amend the existing rules accordingly.