Clarity on crypto assets regulation in Cyprus
Ioannis Sidiropoulos of Elias Neocleous & Co discusses the initiatives Cyprus is introducing to bring clarity to crypto assets regulation
Crypto assets regulation is still considered terra incognita, with many jurisdictions only now making their first steps on this foggy landscape. Against this background, Cyprus is taking some considerable initiatives to bring some clarity to the sector and thus, to become a more attractive investment venue for this kind of business.
In the context of the implementation of pan-EU requirements including crypto-asset service providers (CASPs) under the Fifth Anti-Money Laundering Directive (5AMLD), Cyprus recently updated its definition of obliged entities under the Prevention and Suppression of Money Laundering Law 2007 (AML Law) to bring CASPs into its scope. Moreover, Cyprus authorities have also decided that Cyprus CASPs should become approved and registered with the Cyprus Securities and Exchange Commission (CySEC).
According to the AML law, a ‘provider of services’ related to crypto assets or CASPs means “a person who provides or carries out one or more of the following services or activities to another person or on behalf of another person, which do not fall under the services or activities of the liable entities referred to in paragraphs (a) to (i) of Article 2A (including banking institutions, auditors, tax advisors, legal professionals, real estate agents):
Exchange between cryptocurrencies and documentary currencies;
Exchange between crypto assets;
The management, transfer, transfer, retention, and/or safekeeping, including custody, of cryptocurrencies or cryptographic keys or means enabling the control of cryptocurrencies;
Offering and/or selling cryptocurrencies, including the initial public offering; and
Participation in and/or provision of financial services related to the distribution, offering and/or sale of cryptocurrencies, including the initial public offering.”
CySEC has recently issued a directive including details outlining the process of registration. According to this, CySEC shall publish, on its website, the CASPs’ register. The register must be publicly accessible and must include information such as the commercial name, the legal form and the legal entity identifier of the CASP, its address and its services.
On condition that the applicant pursuing registration provides all requested information and documents and also ensures that persons holding management positions with the applicant are honest and competent, CySEC will approve registration in the CASPs’ register. It is also important to note that in the case of the Board of Directors of the applicant, this must consist of at least four persons, of which two must manage the business activities of the CASP and two must be independent members.
As far as capital is concerned, CASP must at all times comply with capital adequacy requirements; as a minimum, CASPs offering only investment services must comply with the requirements of Common Equity Tier 1 capital as included in Articles 26 to 30 of the 575/2013 Capital Requirements Regulation (CRR).
CySEC also issued an additional Circular on August 3 2021, providing some clarity on the matters of the prudential treatment of crypto assets and, the enhancement of risk management procedures associated with them, focusing on Cyprus Investment Firms (CIFs).
In relation to calculation of own funds and capital adequacy ratio (Pillar I), there still being no reference in the current prudential framework for crypto assets, the following treatment should be used by the CIFs when calculating their capital adequacy requirements:
For direct investment in crypto assets on a non-speculative basis, a CIF should handle these investments according to Article 36(1)(b) of the Regulation (EU) No. 575/2013 (the ‘CRR’), i.e. direct capital deduction from own funds, as referred to at Article 9(2) of Regulation (EU) 2019/2033 (‘IFR’);
For direct investment in crypto assets on a speculative basis, a CIF should treat these as investments in a derivative product taking into consideration both the Counterparty Credit Risk and the Market Commodity Risk; and
For direct investment of a CIFs’ clients in crypto assets and/or in financial instruments relating to crypto assets with the CIF acting as the counterparty to these transactions, the CIF should also assess the counterparty credit risk and market commodity risk, as the CIF is acting as a market maker for its clients.
In relation to Internal Capital Adequacy Assessment Process (ICAAP) (Pillar II), CIFs should assess the risks from trading in crypto assets, and/or in financial instruments relating to crypto assets, for their own account or for their clients within the ICAAP. The assessment and discussion of the risks associated with the activity in crypto assets should be included together with a sensitivity analysis on how the risks identified affect the CIFs’ projections. Moreover reference must be made to any additional capital that should be held in relation to the identified risks.
Furthermore, CIFs should disclose within their Pillar III disclosures any material crypto-asset holdings and include information on:
The exposure amounts of different crypto-asset exposures;
The capital requirement for such exposures; and
The accounting treatment of such exposures.
CIFs, which trade in crypto assets, and/or in financial instruments relating to crypto assets, should reassess their risk management procedures and strategies and ensure that all risks associated with this product are duly taken into consideration.
In general, investors should be reminded that according to the Cyprus Law on Capital Adequacy of Investment (L.97(I)/2021), CIFs “must have in place sound, effective and complete strategies and processes to assess and maintain on an ongoing basis the amounts, types and distribution of internal capital that they consider adequate to cover the nature and level of the risks to which they are or might be exposed”. Moreover, they “must ensure that the board of directors approves and periodically reviews the strategies and policies for taking up, managing, monitoring and mitigating the risks the CIF is or might exposed to”.
Apart from the above, CySEC recommends CIFs should also examine taking mitigating measures against operational, cybersecurity and reputational risks.
Associate, Elias Neocleous & Co