On the 13th of September 2021, the Cyprus Securities and Exchange Commission (CySEC) issued a policy statement on the registration of crypto-asset service providers in Cyprus. The document explains the policy of the regulator in Cyprus for companies that wish to act as platforms for transactions, including purchases and sales, in cryptocurrencies and other assets.
The policy statement followed the Directive issued by CySEC and published on the 25th of June 2021 which was issued in line with the amended AML Law of Cyprus (s.61(E)) for the creation of the registry of Crypto Assets Service Providers in Cyprus.
Benefits to registering a Crypto Assets Services Provider in Cyprus
The ability to register a Crypto Asset Service Provider in Cyprus provides significant taxation benefits on the profits made from such transactions. Cyprus has the lowest corporate tax in Europe, 0% tax on the dividends and capital gains of non-tax residents (excluding the sale of land in Cyprus)
Cyprus also provides the ability to hire well-educated individuals who can support the fast growth of a business and has low set-up and maintenance cost, while the common law legal system and regulatory framework provide for legal and regulatory security to investors.
Regulated activities and minimum capital
There are three types of activities that are being regulated, as defined in s.2 of the AML Law and referred to in the website of CySEC in Cyprus and for each type of activities there is a different minimum capital required:
Class 1 Investment advice in relation to Crypto Assets – Minimum Capital €50.000
Class 2 The service referred to in Class 1 and any of the following:
- “reception and transmission of client orders
- execution of orders on behalf of clients
- trading/ exchange between crypto-assets and fiat currency
- trading/ exchange between crypto assets
- participation and/or provision of financial services related to the distribution, offering and/or sale of crypto-assets, including the initial offering
- placement of crypto-assets without a firm commitment
- portfolio management.”
The minimum capital required for Class 2 is €125.000
Class 3 Any of the services referred to in Class 1 or 2 and any of the following:
- “administration, transfer of ownership, transfer of site, holding, and/or safekeeping, including custody, of crypto-assets or cryptographic keys or means enabling control over crypto-assets
- underwriting and/or placement of crypto-assets with a firm commitment
- operation of a multilateral system, which brings together multiple third-party buying and selling interests in crypto-assets in a way that results in a transaction.”
The minimum capital required for Class 3 is €150.000
Under section 14 of the Directive, the minimum capital is one of the above-mentioned amounts, however, it must be increased to 25% of its expenses in the previous year if such an amount is higher than the minimum capital requirement. The 25% will come into effect gradually as follows:
- From the 1st of January 2022, 30% (i.e. 7.5% of its expenses of the previous year);
- From the 1st of January 2023, 60% of this amount (i.e.15% of its expenses of the previous year); and
- From the 1st of January 2024, 100% of this amount (i.e. 25% of its expenses of the previous year).
As per s.4 of CySEC’s Directive, to register as a Crypto Asset Service Provider in Cyprus an applicant must complete an application to register which contains amongst other the following information:
- The name, tradename, legal form and legal entity identifier (for example the company registration number);
- The physical address of the CASP;
- The services provided and activities of the CASP (referred to above);
- The website of the provider;
- All public addresses of crypto-assets and/or public keys/ digital wallets controlled by the provider that are used or can be used in the operation of the provider,
- The crypto assets in relation to which they engage in any activity;
- Whether the provider accepts other providers as clients;
- Whether the provider offers business payments services in crypto assets to vendors;
- Whether the provider operates crypto assets ATMs (and details thereof) etc.
The board of directors of the provider must be comprised of at least 4 directors, two of which must be executives (directing the business activities of the provider) and two must be independent, non-executive, members of the board.
In addition, the applicants must satisfy CySEC both on the application stage and on an ongoing basis that:
- the persons holding a management position in the provider are honest and competent, which is proved by having a “good reputation, knowledge, skills and experience and devote enough time for the performance of their duties. The requirements are proven with CVs, clean criminal records and questionnaires. CySEC expects a bespoke provision in the recruitment part of the Internal Operations Manual of the provider in relation to the aforesaid containing the procedures and evidence gathered when hiring and re-evaluating the honesty and competence of managers;
- The beneficiaries of the provider must be honest and competent, which is fulfilled if they have a good reputation and the ability to maintain the strong financial position of the provider;
- There have been established appropriate anti-money laundering policies;
- The providers must establish procedures and policies to ensure their prudent operation including minimizing the risk of theft or loss of their clients’ crypto-assets (to be included in the Internal Operations Manual. There is encouragement but it’s not obligatory to seek an ISO/IEC 27000 certification);
- Staff remuneration policies must not conflict with the provider’s duty to act in the best interests of its clients nor motivate the staff to implement “aggressive promotion;
- There must be sound governance arrangements in place, with clearly defined transparent and identifiable reporting lines;
- A business continuity and recovery plan including a risk assessment must be included in the Internal Operations Manual;
- The business plan must include reference to whether the provider will outsource functions and what steps will be taken to avoid risk and ensure the quality of the internal controls of the provider;
- The business plan must include, and must be monitored/ revisited on an ongoing basis, sound administrative and accounting procedures, internal control mechanisms and safeguards for information processing systems;
- The provider must have sound security mechanisms in place to guarantee the security of the means of transfer of information, minimize the risk of data corruption and unauthorized access to the data;
- The provider must have the mechanisms and maintain records of their activities including relevant correspondence to permit CySEC to exercise its supervisory functions;
- The provider must have appropriate policies and procedures in place to ensure its clients’ complaints are resolved properly; and
- The employees of the provider must be honest and have the appropriate knowledge to do the tasks assigned to them.
CySEC applies the ‘travel rule’ (which is to be expanded and further elaborated) under which any transaction in excess of €1.000 is deemed “material” and where an “obliged entity” sends a crypto asset to a Crypto Asset Service Provider, the following information must be collected and submitted to the said provider:
- The payee’s name and surname;
- The payee’s crypto-asset account number (or if it doesn’t exist a unique transaction identifier);
- The payer’s name and surname;
- The payer’s crypto-asset account number (or if it doesn’t exist a unique transaction identifier); and
- One of the following:
- The payer’s physical address, or
- The payer’s national ID number, or
- The payer’s customer identification number, or
- The payer’s date and place of birth.
Submission costs payable to CySEC
The cost of the application is €10.000 and the cost of the annual renewal of the license is €5.000
You can find CySEC’s information on Crypto Assets Service Providers here
You can find CySEC’s policy on the regulation of Crypto Asset Service Providers here