Policy Statement on the Registration and Operations of Crypto-Asset Services Providers


CySEC with an announcement dated on the 13/09/2021 presented the Policy Statement on the Registration and Operation of Crypto Asset Services Providers (the “CASPs”) PS-01-2021 (the “Policy”), to outline the finalised rules for CASPs under the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (the “AML Law”), the CySEC Directive for the prevention and suppression of money laundering and terrorist financing regarding the Register of Crypto Asset Service Providers (the “CASP Directive”) and the CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (the “AML Directive”). The Policy along with the AML Law, CASP Directive and AML Directive will be referred collectively as the “Cumulative CASP Rules”. An unofficial translated consolidated version of the CASP Directive is attached as Appendix 1 in the Policy.

In addition to the above, CySEC sets out in the said Policy its expectations for the compliance of CASPs with the regulatory framework, including certain specific expectations in relation to the compliance of CASPs with their obligations under the AML Directive. The Policy concerns CASPs as defined in the AML Law providing services in or from the Republic as well as customers purchasing, holding or transferring crypto assets to the extent they resort the services of a CASP.

In the present Memo we will present in summary the key obligations of a CASP, as the expectations of CySEC are presented in full detail in the said Policy.

  •  Registration requirements

As per the CySEC Directive on CASPs Registration, the prospective CASPs (the “Applicants”) must submit the relevant application form issued by CySEC for the registration in the CySEC CASP Register (the “CASP Application Form”), duly completed, which must inter alia include information in relation to:

(a)    the name, trade name, legal form and legal entity identifier of the CASP;

(b)    the physical address of the CASP;

(c)   the services provided and/or the activities that the CASP may carry out as defined in subparagraphs (a) to (e), in the definition of "Crypto Asset Services Provider" in paragraph (1) of section 2 of the Law;

(d)    the website of the CASP;

(e)    all public addresses of crypto-assets and/or of public keys/digital wallets controlled by the CASP that are used or can be used in the operation of the CASP in relation to each crypto-asset (the “Crypto-Assets Addresses”);

(f)     The crypto-assets in relation to which they engage in any activity;

(g)    Whether the CASP accepts other CASPs as customers or not;

(h)    Whether or not the CASP offers business payment services in crypto-assets to vendors;

(i)     Whether the CASP operates Crypto-Assets-ATMs, the number and the geographical location thereof;

(j)     Whether the CASP is registered or supervised in any other jurisdiction;

(k)    All documents and/or additional information specified in the CASP Application Form.

Applicants are expected to be in a position to satisfy CySEC in relation to the following, with which upon registration, CASPs must comply on an ongoing basis, at all times (section 61E(6)(a) of the AML/CFT Law):

  1. Τhe persons holding a management position in the CASP must be honest and competent, which is fulfilled if the persons have a good reputation, knowledge, skills and experience and devote sufficient time to the performance of their duties. In the case of the Board of Directors, the Board of Directors shall be comprised of at least four (4) members, two (2) of which must direct the business activities of the CASP and two (2) must be independent members, within the meaning of the CASP Registration Directive.
  1. The beneficiaries of CASPs are honest and competent, which is fulfilled if they have a good reputation and the ability to maintain the strong financial position of the CASP.
  1. The close links between the applicant and other natural or legal persons do not preclude the effective monitoring, evaluation and supervision by CySEC. Where the natural or legal person with whom the applicant has a close connection is in a Third Country, the laws, regulations or administrative provisions of the Third Country shall not impede the effective performance of the supervisory functions.
  1. When operating online, a website fully owned and exclusively used by the CASP must be maintained, through which the CASP will operate, without the possibility of any other person to operate through it, except for cases where the applicant is in a position to satisfy CySEC that its policies and procedures may sufficiently address the operational risks stemming therefor, including any possible consumers’ detriment and that such risks were identified by means of a risk assessment and are adequately mitigated by the policies and procedures that the CASP has in place.
  1. There have been established appropriate policies and procedures to ensure its compliance, including the compliance of its executives, employees and persons to whom functions are assigned to, in accordance with the AML/CFT Law and the AML/CFT Directive.
  1. CASPs must establish appropriate policies and procedures and must have appropriate systems and controls in place to ensure their prudent operation, including minimizing the risk of theft or loss of their clients' crypto-assets. In relation to minimizing the risk of theft or loss of crypto-assets, CySEC herewith provide a non-exhaustive list of best practices:

(a)   Restrict the amount of crypto assets held in hot wallets in line with a relevant risk assessment taking into account all relevant risks, including the concentration risk and in any case ensure that the necessity of keeping a certain amount of crypto-assets in hot wallets is justified on reasonable and demonstrable grounds;

(b)    Introduce and apply different layers of approval for a transaction to be undertaken; by designating specific persons authorised to initiate a transaction and specific persons authorised to approve such transactions. The transaction may be initiated by persons authorized to initiate such transactions and proceed only if they are approved by a person authorized to approve the undertaking of a transaction. The criteria for the recruitment of such persons must be included in the recruitment policy of the CASP;

(c)     Segregate through “Chinese walls” the persons responsible for initiating the transactions and the persons responsible for approving the transactions;

(d)   Where third party hot wallets are being used, a due diligence must be undertaken per hot wallet provider taking into account, inter alia, the geographic location of the said provider, whether it is subject to supervision and whether it is of good repute;

(e)    Where crypto-assets are being stored off-chain (i.e. in cold wallets), CASPs shall undertake a risk assessment, in relation to the risks involved, including in relation to the concentration risk stemming from the geographic location of the storing facilities. In any case they must use secured facilities, where only specific designated persons may have access to;

(f)     Daily reconciliations at record keeping level and during regular intervals actual stocktaking in relation to the crypto-assets held in cold wallets, to confirm that the corresponding amount is indeed still in the relevant facilities.

  1. CASPs must have sufficient own funds comprised of fixed and variable component, in accordance with paragraph 14 of the CASP Directive. Where a CASP is a Cyprus Investment Firm is subject to the prudential requirements for Cyprus Investment Firms.
  1. The performance of its staff shall not be remunerated or evaluated in a way that conflicts with the CASP duty to act in the best interest of its clients and in particular, the CASP shall not proceed with any arrangements in the form of remuneration, sales targets or otherwise, which could motivate its staff to implement aggressive promotion practices of products or services.
  1. There must be sound governance arrangements in place, with clearly defined, transparent and clearly identifiable reporting lines.

    10. All reasonable steps must be taken to ensure the continuous and regular performance of its functions and an appropriate and up-to-date policy must be maintained to ensure its continued operation, as well as an appropriate and up-to-date data recovery policy and procedures for the timely resumption of activities, where despite the reasonable measures taken the activity of the CASP is interrupted.

    11. When outsourcing the performance of critical functions to third parties, reasonable steps must be taken to avoid any undue additional operational risk and in any case, it must be ensured that the quality of the internal controls or CySEC’s ability to supervise, are not materially impaired.

   12. CASPs must have in place sound administrative and accounting procedures, internal control mechanisms, effective risk assessment procedures and effective control and safeguard arrangements for information processing systems.

  13. Where the scope, nature, scale and complexity of its activity so require, the CASP must establish an internal control function that is independent of its other functions and activities, for the design and execution of its internal control mechanisms.

 14. CASPs must have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage, in order to maintain the confidentiality of the data at all times.

 15. CASPs must arrange for records to be kept of all of their activities, including the relevant correspondence, which shall be sufficient to enable CySEC to exercise its supervisory functions and to take steps to ensure the CASPs’ compliance with their obligations.

 16. The persons employed by CASPs shall not perform multiple functions unless the exercise of multiple functions does not prevent or it is not likely to prevent such persons from carrying out any work or function with diligence, honesty and professionalism.

 17. It has appropriate policies and procedures in place to ensure that its clients’ complaints are properly resolved.

 18. The persons employed by the CASP must be honest and professionals and possess the appropriate knowledge for the tasks assigned to them.

  • The Travel Rule
  1. CASPs must ensure that certain customer data is disclosed and transferred between counterparties for the purposes of consistency and clarity, known as the Travel Rule. As per CySEC, any transaction with a value equal to or in excess of one thousand Euros, must be deemed as material for purposes of the travel rule (the “material transaction”). Where an obliged entity (as this is defined under Article 2A of the AML Law) sends a material crypto-asset transfer to a CASP, the relevant obliged entity must immediately and by secure means obtain the following information and submit it to the CASP:

(a)    The payee’s name and surname;

(b)    The payee’s crypto-asset account number;

(c)     The payer’s name and surname;

(d)    The payer’s crypto-asset account number;

(e)    Where the payee or the payer do not have a crypto-asset account number, a unique transaction identifier; and

(f)      One of the following:

(i)      The payer’s physical address;

(ii)     The payer’s national identity number;

(iii)    The payer’s customer identification number;

(iv)    The payer’s date and place of birth.

An obliged entity must follow the above irrespective of whether the obliged entity in question and the payer are the same person.

  1. Where an obliged entity received a crypto-asset transfer from a CASP, the obliged entity must ensure that:

(1)    it has received the information specified above; and

(2)    the information is consistent with its own records in respect of the payee’s name and, where applicable, the payee’s account number.

  1. Where an obliged entity receives a crypto-asset transfer from a person other than a CASP, the obliged entity must ensure that it obtains, from the payee:

(1)    the information specified in point (c) above;

(2)    the information specified in point (d) above.

  1. Before an obliged entity executes a material crypto-asset transfer received from any person, it must ensure that it has effective risk-based policies and procedures in place for the purposes of:

(1)   determining whether any of the information referred to in paragraphs 2 or 3 as the case may be, is missing, is incomplete or, where applicable, is inconsistent with the obliged entity’s own records; and

(2)    where a default is identified pursuant to point (1) directly above: a) determining whether to execute, reject or suspend the material crypto-asset transfer; and b) determining the appropriate follow-up action.

  1. Paragraphs 2 and 3 shall apply to an obliged entity irrespective of whether the said obliged entity and the payee are the same person.
  1. The information obtained by obliged entities as per this section shall be deemed as part of their customer due diligence process and relevant record must be kept in accordance with the AML/CFT Law and the AML/CFT Directive.
  • Ongoing Responsibilities

CASPs must comply with all of their responsibilities stemming from the Cumulative CASP Rules at all times.

CASPs must ensure that all information, including marketing communications, addressed to clients or potential clients, are accurate, clear and not misleading and that marketing communications are clearly identified as such and that they provide clients or potential clients with appropriate information on the CASP, its services and the costs and associated charges, in a timely manner.

CASPs must maintain at all times own funds in accordance with the CASP Registration Directive.

CASPs must maintain and operate effective organisational and administrative arrangements with a view to taking all reasonable steps designed to prevent conflicts of interest from adversely affecting the interests of its clients. They must take all appropriate steps to identify and to prevent or manage conflicts of interest between itself, including its managers, employees and any person directly or indirectly linked to it by control, and its clients or between one client and another and to timely and clearly disclose to the client the general nature or/and sources of conflicts of interest and the steps taken to mitigate those risks, before undertaking business on its behalf.

  • Investment Firms to operate as CASPs

In the Policy, CySEC expressed its opinion in relation to Investment Firms registering as CASPs. CySEC believes that it is prudent to ring-fence the investment services from crypto-asset activities, at least until a certain level of maturity is reached, in order to avoid spill-over risks. Without prejudice to their view on ring-fencing, CySEC will review any application by an Investment Firm to engage in crypto-assets’ activities on their own merit, taking into account the specificities entailed. It is worth noting that crypto-assets’ activities undertaken by Investment Firms, will be subject to the prudential requirements of the IFD/IFR, which are more stringent than the capital requirements provided for in the CASP Directive.

  • Next Steps

CySEC will publish relevant forms and documents in a dedicated section on its website for the commencement of the registration process of the CASPs operating in or from Cyprus. On the announcement dated 13/09/2021, CySEC concluded that it will analyse the market practises and will assess the effectiveness of existing rules and, where necessary, may issue guidance for the compliance of supervised entities with the regulatory framework and/or amend the existing rules accordingly.