On the 25th of June, 2021 Cyprus Securities and Exchange Commission (“CySEC”) introduced the Directive (269/2021) in regard to the registry of service providers whose business activities are related to cryptocurrencies “Crypto Asset Services Provider” (“CASP”) (see our previous published article on cryptocurrency exchange license in Cyprus).
CySEC is the anti-money laundering and counter-terrorist financing (AML/CFT) supervisor for crypto asset operations undertaken in or from Cyprus.
The following services and activities, provided to another person or on behalf of another person, are covered under the license requirement for CASPs, insofar these do not fall under the services or activities of the obliged entities mentioned in paragraphs (a) to (h) of article 2A of the AML/CFT Law:
- Exchange between crypto assets and fiat currencies;
- Exchange between crypto assets;
- Management, transfer, holding and/or safekeeping, including custody, of crypto assets or cryptographic keys or means which allow the exercise of control over crypto assets;
- Offering and/or sale of crypto assets, including the initial offering; and
- Participation and/or provision of financial services regarding the distribution, offer and/or sale of crypto assets, including the initial offering;
Anti-Money Laundering and Counter-Terrorist Financing requirements
The applicable general regulatory framework for CASPs is comprised of:
- The AML/CFT Law;
- The CySEC Directive for the register of crypto asset services providers;
- The CySEC directive for the prevention and suppression of money laundering and terrorist financing.
As a consequence, CASPs are required to have policies and procedures which detail the various anti-money laundering and counter-terrorist financing control measures and the implementation of these measures into the operational processes of the CASPs. It is expected, that the policies and procedures, processes and control measures are not only established at the registration stage of the business but also, based on the nature and size of the CASPs business, are ongoing monitored and evaluated and consequently, insofar necessary, result in the update of the risk assessment of the CASP. The AML/CFT policies and procedures, inter alia, must include:
- Preforming Know Your Client and other client due diligence measures;
- Drawing the economic profile of clients;
- Identifying the source of client funds;
- Monitoring the clients’ transactions;
- Identifying and reporting suspicious transactions;
- Employee’s obligations and training;
- Record keeping requirements;
- Undertaking a comprehensive risk assessment in relation to clients’ activities and take proportionate measures per client, activity and crypto asset in question.
Challenges
Whilst the above is not new to banks and other long time existent financial institutions, it is certainly for digital currency or crypto companies in Cyprus. The inclusion of crypto asset service providers as an obliged party of the AML/CFT Law exposes the businesses, who fall under the CASP definition, to never or only to some extend existent obligations. The new obligations will have an immense impact on the operation and governance structures of the business. Regulators and law makers have high expectations as for the effectiveness of the inclusion of crypto asset service providers under existing AML/CFT Laws and hence it is expected, that CASPs will be under tight supervision.
Who is affected by this?
CASPs operating in or from Cyprus:
New businesses must register with CySEC before commencing their operations in or from Cyprus.
Existing businesses that demonstrate a material existing crypto asset activity and which have not yet submitted an application.
CASPs established in the EEA operating in/from Cyprus or indirectly related with Cyprus:
Businesses established in the EEA and registered with one or more EEA National Competent Authorities for AML/CFT purposes in relation to all services or activities undertaken or intended to be undertaken in Cyprus (i.e. involving Cypriot residents, including incorporated or unincorporated entities based in Cyprus), where these services or activities are not covered by the framework that governs the registration for AML/CFT purposes.
An application to CySEC for the granting of the license and the registration of the CASP thereof is compulsory.
Conclusion
If your business is involved in any of the services and activities as stated above which includes for example trading of cryptocurrencies, investing into cryptocurrencies, exchanging of cryptocurrencies, operating cryptocurrency or crypto trading platforms etc. you are most likely subject to the new introduced Directive and the requirements specified therein. Our office is in the strong position to discuss the AML/CFT requirements and to provide advice as to:
- which requirements are necessary and relevant,
- drafting relevant policies and procedures,
- the implementation into operational structures of the requirements and
- the ongoing monitoring of their effective functioning.
In addition, we are able to provide full support with the completion of the license application, the submission thereof and relevant related questions which may occur during the application process.