New Directive for the Registration of Crypto-Asset Service Providers

Following the recent implementation of the 5th AML Directive, the Cyprus Securities and Exchange Commission (the “CySEC”) has issued the Directive (R.A.D 269/2021) for the registration and operating conditions of Crypto-Asset Service Providers (the “Directive”).

Article Author: Theocharis Georgiadis

According to the published directive, an application for registration to the Register of Crypto-Asset Service Providers held by CySEC, must be submitted to CySEC. The application must contain the name, trade name, legal form and physical address of the applicant (potential Crypto-Asset Service Provider). The Commission must inform the applicants within six months from the date of submission of their applications. Once the application for registration is approved, CySEC shall immediately register the applicant in the Register.

Requirements for Registration: CySEC approves an application for registration in the Register, provided that the applicant meets all of the following conditions:

1. Submitted to CySEC all the information and documents required;

2. Ensures that the persons holding an administrative position are honest and competent, have a good reputation, knowledge, skills, and experience and devote sufficient time to the performance of tasks to the applicant;

3. The board of directors consists of at least 4 persons, two of whom manage the business activities and the other two are independent members;

4. Maintains a website owned and used exclusively, without the possibility for any other person to operate through the said website;

5. Established appropriate policies and procedures to ensure its compliance with the Law and the Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing;

6. Implemented and maintains internal control mechanisms to ensure its prudent operation;

7. Hold adequate own funds;

8. Ensures that the remuneration policy for persons involved in the provision of services to clients aiming to encourage responsible conduct, fair treatment of clients, as well as avoiding conflict of interest in the relationship with clients and does not make any arrangements in the form of remuneration, sales targets or any other form that could motivate its staff to pursue aggressive promotion practices of products or services;

9. Maintains perfect governance arrangements, with clearly defined, transparent and clearly identifiable reference lines;

10. Takes all reasonable steps to ensure the continuous and regular execution of its functions and maintains an appropriate and up-to-date policy to ensure its continuous operation and procedures for data retrieval and the timely resumption of its activities in case of cessation of activities;

11. Maintains sound administrative and accounting procedures, internal control mechanisms, effective risk assessment procedures and effective control and security mechanisms of electronic processing systems data;

12. Where appropriate and proportionate in view of the nature, scale and complexity of its business, the provider needs to establish and maintain an internal audit function which is separate and independent from the other functions;

13. Implemented sound security mechanisms designed to guarantee the security of the means of transfer of information, minimize the risk of data corruption and unauthorized access, and to prevent information leakage before publication, so that data confidentiality is always maintained;

14. Ensures that records are kept in relation to all the functions it performs, which include the relevant communication, in a way that allows the Commission to exercise its supervisory duties;

15. Ensures that the employees do not perform multiple duties unless the exercise of multiple duties does not prevent or is likely to prevent them from carrying out any work or function with diligence, honesty and professionalism;

16. Has appropriate policies and procedures in place to ensure that its customers' complaints are properly resolved;

17. Ensures that the persons employed, are honest with sufficient knowledge depending on the tasks assigned to them.

Capital Requirements: The Crypto-Asset Service Providers must always maintain own funds at least equal to the greater of the following amounts:

1. the amount of the initial capital referred to in the Annex to the Directive, which is proportionate to their nature and functions;

2. one quarter (1/4) of the fixed expenses of the Crypto-Asset Service Providers during the previous year. The provisions of this paragraph shall enter into force as follows:

a. 30% of the relevant amount from 1 January 2022;

b. 60% of the relevant amount from 1 January 2023;

c. 100% of the relevant amount from 1 January 2024;

Fees and Subscriptions: The applicants upon submission of the application will have to pay the amount of 10,000 euros which is not refundable in case of rejection of the application. The annual renewal of registration in the register amounts to €5,000.