Policy Statement of the Registration and Operation of Crypto-Asset Services Providers 


On the 25th of June 2021, the Cyprus Securities and Exchange Commission (“CySEC”) issued the Crypto-Asset Service Providers (“CASP”) Directive 269/2021 in order to provide guidance for the operating and registration conditions of the CASPs pursuant to the 5th AML Directive. 

With an announcement on the 13th of September 2021, CySec published the Policy Statement on the registration and operation of Crypto-Asset Service Providers (“CASP”). The Policy Statement covers the registration process and operations of Crypto Asset Service Providers (“CASPs) as well as their obligations stemming from the AML/CTF Law.

Under the AML/CFT Law, CASPs are obliged entities and  must therefore fully abide to their obligations stemming from the AML/CFT Law, the CySEC Directive for the prevention and suppression of money laundering and terrorist financing - Register of Crypto Asset Service Providers (the “CASP Registration Directive”) and the CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (collectively hereinafter the “Cumulative CASP Rules”), including but not limited to their obligations: to preform Know Your Client and other client due diligence measures, draw the economic profile of the their clients, identify the source of funds of their clients, monitor the clients’ transaction, identify and report suspicious transactions, undertake a comprehensive risk assessment in relation to their clients and activities undertaken and take proportionate measures per client, activity and crypto-asset in question etc.
CASPs operating from Cyprus must be registered with CySEC in order to be able to provide services and/or perform activities in relation to crypto-assets and will be regulated by CySEC under the Cumulative CASP rules. In case where a CASP is established in another EEA (European Economic Area) Member State or in a Third Country but provides services from Cyprus under any form and/or arrangement, will be operating from Cyprus in relation to the service and/or activities originating therefrom and will be subject to registration and supervision under the Cumulative CASP Rules.
EEA domiciled CASPs who are registered with the EEA NCA(National Competent Authority) of the respective Member State for the relevant services and/or activities and who are exempted from the obligation to be registered with CySEC when providing services and/or undertaking activities in relation to crypto-assets in Cyprus, must submit to CySEC a notification form providing sufficient evidence in relation to their valid registration with the said EEA NCA before they commence their operations in Cyprus. Such entities must inform CySEC of any suspension or deregistration from the register of any NCA and of any other measures that may have been taken against them pursuant to the respective national legislation, transporting 5th AML Directive.
CASPs registered in a Third Country, must be registered with CySEC in order to be able to provide services and/or perform activities, in relation to crypto assets in Cyprus and will be regulated by CySEC under the Cumulative CASP Rules. However such registration is contingent to CySEC being satisfied with such entities compliance with the Cumulative CASP Rules, taking into account inter alia, their organisational and operational specificities, their geographical location, whether such entities are subject to an oversight by a competent authority in that third country, whether there are established communication channels between CySEC and the said competent authority and whether a remote registration is likely to undermine CySEC’s ability to efficiently supervise and/or enforce the Cumulative CASP Rules. 
As per the CySEC Directive on CASPs Registration, the prospective CASPs (the “Applicants”) must submit the relevant application form issued by CySEC for the registration in the CySEC CASP Register (the “CASP Application Form”), duly completed, which must inter alia include information in relation to: 
  1. the name, trade name, legal form and legal entity identifier of the CASP; 
  2. the physical address of the CASP;
  3. the services provided and/or the activities that the CASP may carry out as defined in subparagraphs (a) to (e), in the definition of "Crypto Asset Services Provider" in paragraph (1) of section 2 of the Law; 
  4. the website of the CASP; 
  5. all public addresses of crypto-assets and/or of public keys/digital wallets controlled by the CASP that are used or can be used in the operation of the CASP in relation to each crypto-asset (the “Crypto-Assets Addresses”); 
  6. The crypto-assets in relation to which they engage in any activity;
  7. Whether the CASP accepts other CASPs as customers or not; 
  8. Whether or not the CASP offers business payment services in cryptoassets to vendors;
  9. Whether the CASP operates Crypto-Assets-ATMs, the number and the geographical location thereof;
  10. Whether the CASP is registered or supervised in any other jurisdiction;
  11. All documents and/or additional information specified in the CASP Application Form;
Applicants are expected to be in a position to satisfy CySEC in relation to the following:
  1. The persons holding a management position in the CASP must be honest and competent, which is fulfilled if the persons have a good reputation, knowledge, skills and experience and devote sufficient time to the performance of their duties. 
  2. The beneficiaries of CASPs are honest and competent, which is fulfilled if they have a good reputation and the ability to maintain the strong financial position of the CASP.
  3. The close links between the applicant and other natural or legal persons do not preclude the effective monitoring, evaluation and supervision by CySEC. Where the natural or legal person with whom the applicant has a close connection is in a Third Country, the laws, regulations or administrative provisions of the Third Country shall not impede the effective performance of the supervisory functions
  4. When operating online, a website fully owned and exclusively used by the CASP must be maintained, through which the CASP will operate, without the possibility of any other person to operate through it, except for cases where the applicant is in a position to satisfy CySEC that its policies and procedures may sufficiently address the operational risks stemming therefor, including any possible consumers’ detriment and that such risks were identified by means of a risk assessment and are adequately mitigated by the policies and procedures that the CASP has in place.
  5. There have been established appropriate policies and procedures to ensure its compliance, including the compliance of its executives, employees and persons to whom functions are assigned to, in accordance with the AML/CFT Law and the AML/CFT Directive.
  6. CASPs must establish appropriate policies and procedures and must have appropriate systems and controls in place to ensure their prudent operation, including minimizing the risk of theft or loss of their clients' crypto-assets.
  7. CASPs must have sufficient own funds comprised of fixed and variable component, in accordance with paragraph 1435 of the CASP Registration Directive.
  8. The performance of its staff shall not remunerated or evaluated in a way that conflicts with the CASP duty to act in the best interest of its clients and in particular, the CASP shall not proceed with any arrangements in the form of remuneration, sales targets or otherwise, which could motivate its staff to implement aggressive promotion practices of products or services.
  9. There must be sound governance arrangements in place, with clearly defined, transparent and clearly identifiable reporting lines.
  10. All reasonable steps must be taken to ensure the continuous and regular performance of its functions and an appropriate and up-to-date policy must be maintained to ensure its continued operation, as well as an appropriate and up-to-date data recovery policy and procedures for the timely resumption of activities, where despite the reasonable measures taken the activity of the CASP is interrupted.
  11. When outsourcing the performance of critical functions to third parties, reasonable steps must be taken to avoid any undue additional operational risk and in any case, it must be ensured that the quality of the internal controls or CySEC’s ability to supervise, are not materially impaired.
  12. CASPs must have in place sound administrative and accounting procedures, internal control mechanisms, effective risk assessment procedures and effective control and safeguard arrangements for information processing systems.
  13. Where the scope, nature, scale and complexity of its activity so require, the CASP must establish an internal control function that is independent of its other functions and activities, for the design and execution of its internal control mechanisms.
  14. CASPs must have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage, in order to maintain the confidentiality of the data at all times.
  15. CASPs must arrange for records to be kept of all of their activities, including the relevant correspondence, which shall be sufficient to enable CySEC to exercise its supervisory functions and to take steps to ensure the CASPs’ compliance with their obligations.
  16. The persons employed by CASPs shall not perform multiple functions unless the exercise of multiple functions does not prevent or it is not likely to prevent such persons from carrying out any work or function with diligence, honesty and professionalism.
  17.  It has appropriate policies and procedures in place to ensure that its clients’ complaints are properly resolved.
  18. The persons employed by the CASP must be honest and professionals and possess the appropriate knowledge for the tasks assigned to them.
      1. CASPs must ensure that certain customer data is disclosed and transferred between counterparties for the purposes of consistency and clarity, known as the Travel Rule. As per CySEC, any transaction with a value equal to or in excess of one thousand Euros, must be deemed as material for purposes of the travel rule (the “material transaction”).  Where an obliged entity (as this is defined under Article 2A of the AML Law) sends a material crypto-asset transfer to a CASP, the relevant obliged entity must immediately and by secure means obtain the following information and submit it to the CASP:
        • The payee’s name and surname;
        • The payee’s crypto-asset account number;
        • The payer’s name and surname;
        • The payer’s crypto-asset account number;
        • Where the payee or the payer do not have a crypto-asset account number, a unique transaction identifier; and
        • One of the following:
          • The payer’s physical address;
          • The payer’s national identity number;
          • The payer’s customer identification number;
          • The payer’s date and place of birth.
        An obliged entity must follow the above irrespective of whether the obliged entity in question and the payer are the same person.
      2. Where an obliged entity received a crypto-asset transfer from a CASP, the obliged entity must ensure that:
        • it has received the information specified above; and
        • the information is consistent with its own records in respect of the payee’s name and, where applicable, the payee’s account number.
      3. Where an obliged entity receives a crypto-asset transfer from a person other than a CASP, the obliged entity must ensure that it obtains, from the payee:
        • the information specified in point c above;
        • the information specified in point d above.
      4. Before an obliged entity executes a material crypto-asset transfer received from any person, it must ensure that it has effective risk-based policies and procedures in place for the purposes of:
        • determining whether any of the information referred to in paragraphs 2 or 3 as the case may be, is missing, is incomplete or, where applicable, is inconsistent with the obliged entity’s own records; and
        • where a default is identified pursuant to point (1) directly above:
        • determining whether to execute, reject or suspend the material crypto-asset transfer; and b. determining the appropriate follow-up action.
      5. Paragraphs 2 and 3 shall apply to an obliged entity irrespective of whether the said obliged entity and the payee are the same person.
      6. The information obtained by obliged entities as per this section shall be deemed as part of their customer due diligence process and relevant record must be kept in accordance with the AML/CFT Law and the AML/CFT Directive.

The information obtained by obliged entities shall be deemed as part of their customer due diligence process and relevant records must be kept in accordance with the AML/CFT Law and the AML/CFT Directive.

CASPs must comply with all of their responsibilities stemming from the Cumulative CASP Rules at all times.
CASPs must ensure that all information, including marketing communications, addressed to clients or potential clients, are accurate, clear and not misleading and that marketing communications are clearly identified as such and that they provide clients or potential clients with appropriate information on the CASP, its services and the costs and associated charges, in a timely manner.
CASPs must maintain at all times own funds in accordance with the CASP Registration Directive.
CASPs must maintain and operate effective organisational and administrative arrangements with a view to taking all reasonable steps designed to prevent conflicts of interest from adversely affecting the interests of its clients. They must take all appropriate steps to identify and to prevent or manage conflicts of interest between itself, including its managers, employees and any person directly or indirectly linked to it by control, and its clients or between one client and another and to timely and clearly disclose to the client the general nature or/and sources of conflicts of interest and the steps taken to mitigate those risks, before undertaking business on its behalf.

CySEC will publish relevant forms and documents in a bespoke section on its website for the commencement of the registration process for CASPs operating in or from Cyprus.

Contact Us