Crypto assets regulation is still considered “terra incognita”, with many jurisdictions only now making their first steps on this foggy landscape. Against this background, Cyprus is taking some considerable initiatives to bring some clarity to the sector and thus, to become a more attractive investment venue for this kind of business.
In the context of the implementation of pan-EU requirements including crypto-asset service providers (CASPs) under the Fifth Anti-Money Laundering Directive (5AMLD), Cyprus recently updated its definition of obliged entities under the Prevention and Suppression of Money Laundering Law 2007 (AML Law) to bring CASPs into its scope. Moreover, Cyprus authorities have also decided that Cyprus CASPs should become approved and registered with the Cyprus Securities and Exchange Commission (CySEC).
According to the AML law, a ‘Provider of Services’ related to crypto assets or CASPs “means a person who provides or carries out one or more of the following services or activities to another person or on behalf of another person, which do not fall under the services or activities of the liable entities referred to in paragraphs (a) to (i) of Article 2A (including banking institutions, auditors, tax advisors, legal professionals, real estate agents):
CySEC has recently issued a directive including details outlining the process of registration. According to this, CySEC shall publish, on its website, the CASPs’ register. The register must be publicly accessible and must include information such as the commercial name, the legal form and the legal entity identifier of the CASP, its address and its services.
On condition that, the applicant pursuing registration provides all requested information and documents and also ensures that persons holding management positions with the applicant are honest and competent, CySEC will approve registration in the CASPs’ register. It is also important to note that in the case of the Board of Directors of the applicant, this must consist of at least 4 persons, of which 2 must manage the business activities of the CASP and 2 must be independent members.
As far as capital is concerned, CASP must at all times comply with capital adequacy requirements; as a minimum, CASPs offering only investment services must comply with the requirements of Common Equity Tier 1 capital as included in arts. 26 to 30 of the 575/2013 Capital Requirements Regulation (CRR).
CySEC also issued an additional Circular on 3 August 2021, providing some clarity on the matters of the prudential treatment of crypto assets and, the enhancement of risk management procedures associated with them, focusing on Cyprus Investment Firms ( CIFs).
In relation to calculation of own funds and capital adequacy ratio (Pillar I), there still being no reference in the current prudential framework for crypto assets, the following treatment should be used by the CIFs when calculating their capital adequacy requirements:
In relation to Internal Capital Adequacy Assessment Process (‘ICAAP’) (Pillar II), CIFs should assess the risks from trading in crypto assets, and/or in financial instruments relating to crypto assets, for their own account or for their clients within the ICAAP. The assessment and discussion of the risks associated with the activity in crypto assets should be included together with a sensitivity analysis on how the risks identified affect the CIFs’ projections. Moreover reference must be made to any additional capital that should be held in relation to the identified risks.
Furthermore, CIFs should disclose within their Pillar III disclosures any material crypto-asset holdings and include information on:
CIFs, which trade in crypto assets, and/or in financial instruments relating to crypto assets, should reassess their risk management procedures and strategies and ensure that all risks associated with this product are duly taken into consideration.
In general, investors should be reminded that according to the Cyprus Law on Capital Adequacy of Investment (L.97(I)/2021), CIFs “must have in place sound, effective and complete strategies and processes to assess and maintain on an ongoing basis the amounts, types and distribution of internal capital that they consider adequate to cover the nature and level of the risks to which they are or might be exposed”. Moreover, they “must ensure that the board of directors approves and periodically reviews the strategies and policies for taking up, managing, monitoring and mitigating the risks the CIF is or might exposed to”.
Apart from the above, CySEC recommends CIFs should also examine taking mitigating measures against operational, cybersecurity and reputational risks.