News and developments

Cyprus-Regulations over Cryptocurrency and Blockchain.

1. Introduction

In recent years, Cyprus has shown that it wants to have an active role in the development of blockchain technology and especially that it wants to become a pioneering and secure financial center for the exchange of crypto assets and services.

This intention was first evident in 2018, when the Republic of Cyprus signed the ‘Declaration of the Southern Mediterranean Countries on Distributed Ledger Technologies’ and the ‘European Blockchain Partnership’, aiming to increase cooperation between the European Countries in the innovative distributed ledger technologies (DLT).[1] Whilst the same year, the Cyprus Securities and Exchange Commission (CySEC) established an Innovation Hub, which aims to act as a communication platform between CySEC and both supervised and non-supervised entities in the fields of Fintech[2] and Regtech[3]. Through communication, the Innovation Hub identifies the regulatory framework that needs to be established to meet evolving needs while also explaining to entities the existing regulations which are supervised by CySEC. These and other, actions of the Innovation Hub aim to improve the markets efficacy and enhance the investors protection.

Furthermore, the next year the Cyprus government published its National Strategy on Distributed Ledger Technologies, setting as goals the promotion of blockchain technology and other DLT, both in the public and the private sector and the creation of a proportionate regulatory framework that promotes innovation, legal certainty and protection for consumers and investors.[4]

Some of the above maxims seem to be included in the provisions of the 5th European Union Anti-Money Laundering Directive (“AMLD5”)[5], which was transposed into Cyprus Law through an amendment[6] of the Prevention and Suppression of Money Laundering and Terrorist Financing Law[7] (the “AML Law”). The AML Law, at the moment of writing, constitutes the main legislation that distinguishes and regulates cryptocurrencies in Cyprus. Through its amendment, key definitions relating to crypto-assets and crypto-asset service providers were introduced for the first time into Cyprus’ legal system. However, in line with the prementioned National Strategy, the Ministry of Finance is expected to soon bring the Bill on the Distributed Ledger Technology Law of 2021 (the “Bill”) to Parliament for voting. The Bill due to its various definitions, relating to blockchain, electronic signatures and smart contracts it’s expected to increase legal certainty in the sector.[8]

In light of the above and to better understand the relationship of Cyprus with the cryptocurrency sector we will provide, in the following sections, an overview of the current legal and regulatory framework, as well as a summary of how crypto assets and services are taxed in the country.

2. Legal and Regulatory Framework

As mentioned, the AML Law is currently the main legislation regarding crypto-assets in Cyprus.

First of all, the said legislation provides a definition for the term “crypto-asset”, which is defined as a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money but is accepted by persons as a means of exchange or investment and can be transferred, stored or traded electronically and is not:

fiat currency;

electronic money; or

“Financial instruments” as defined in Part III of the First Appendix of the Law on the Provision of Investment Services and Activities and Regulated Markets 87(I)/2017.[9]

In addition, the said legislation recognizes and defines the Crypto-Asset Service Providers (“CASPs”). As defined, a CASP is a person who provides or exercises one or more of the following services or activities to another person or on behalf of another person:[10]

exchange between crypto-assets and fiat currencies;

exchange between crypto-assets;

the management, transfer, holding and/or safekeeping, including custody, of crypto-assets or cryptographic keys or means that allow the exercise of control on crypto-assets;

the offering and sale of crypto-assets, including the initial offering; and

the participation or provision of financial services regarding the distribution, offer and sale of crypto-assets, including the initial offering

The abovementioned financial services regarding the distribution, offer, and/or sale of crypto-assets are also defined as the following investment services:[11]

reception and transmission of orders;

execution of orders on behalf of clients;

dealing on own account;

portfolio management;

provision of investment advice;

underwriting and/or placing of crypto-assets on a firm commitment basis;

placing of crypto-assets without a firm commitment basis;

operation of a multilateral trading facility for buying and selling crypto-assets.

Furthermore, the AML Law imposes the obligation on a person who is recognized as a CASP, to be formally registered with the CySEC, unless it is a CASP established and registered in a member state of the European Union (“EU”). In such a case, the CASP must follow a notification procedure, providing evidence in relation to its valid registration for each service or activity.[12] Where these services or activities are not covered by the above framework, the CASP must submit an application to be registered as a CASP with CySEC.[13]

Another important provision of the AML Law is the recognition of CySEC as the responsible authority for the supervision of CASPs and of the dealings with crypto-assets that fall under the existing regulatory framework.[14]

Due to its supervisory role, CySEC, on 25 June 2021, issued the Directive (the “Directive”) for the registration of CASPs pursuant to the AML Law. The Directive, being a secondary legislation, constitutes another component of the Cyprus legal framework, which regulates the formation, operation and modification of the CASPs Register and sets the requirements for their inclusion in the Register.[15]

Specifically, Article 4 of the Directive provides that CySEC publishes the CASPs Register on its website[16], which is accessible to the public, providing the following information for the CASPs that are registered:

(a) The name, trade name, legal form and legal entity identifier of the CASP;

(b) the physical address of the CASP;

defined in subparagraphs (a) to (e), in the definition of "Crypto Asset Services

Provider" in paragraph (1) of section 2 of the Law;

(d) the website of the CASP

To achieve registration in the Register, Article 5 of the Directive provides that firstly the applicant shall submit the Application for Registration[17] issued by the Cyprus Securities and Exchange Commission and which is available on its website, dully completed and shall be accompanied by all documents and information specified in it, including:

(a) the information referred to in Article 4 (see above);

(b) the crypto-assets’ addresses of the CASP;

(d) the types of clients the CASP services;

(e) information as to whether the CASP offers payment services in crypto-assets;

(f) information as to whether the CASP operates crypto-assets ATMs, the number and the exact location thereof;

(g) the geographic jurisdictions in which the CASP operates;

(h) information as to whether the CASP is registered or supervised in any other jurisdiction

To be precise along with application form the applicant will need to attach the following documents:

All documents related to the foundation, composition and operation of the crypto company (LLC). Such as the certificate of incorporation, the certificate of shareholders and directors, an internal operation manual.

A program of initial plan/Business plan for the following three years, which will include the marketing and promotional strategy of the company along with its financial and accounting planning.

An AML manual, which will define an AML/CFT internal policy of the CASP.

Documentation regarding the abovementioned crypto-assets’ addresses and public keys of the CASP.

Documentation proving the existence of an internal system in the CASP that regulates the exchange of information and ensures the non-leakage of information.

Certifications from the external auditors and legal advisers of the applicant.

Furthermore, Article 6 of the Directive lists the conditions, beyond the provision of the aforementioned information and documents, that the applicant must meet to achieve registration as a CASP.

It specifically provides that:

The applicant must ensure that members of the Board and anyone holding a managerial position are honest and competent, which is fulfilled if the person has:

good reputation

knowledge skills and experience and

devotes sufficient time to the performance of its duties to the applicant

The Board of Directors of the applicant must compromise of at least four (4) persons, who satisfy the above condition, out of which at least two must direct the business activities and the other two must be independent, non-executive members.

The applicant must ensure that its beneficial owners are honest and competent, which is fulfilled if they have good reputation and the ability to maintain the strong financial position of the applicant.

When operating online, the applicant must maintain a website that its fully owned and exclusively operated by the CASP.

The applicant must have established appropriate policies and procedures to ensure its compliance, including the compliance of its executives, employees and assignees, with the AML Law and the Directive of CySEC for the Prevention and Suppression of Money Laundering and Terrorist Financing.[18]

The applicant must have established appropriate policies and procedures and have appropriate systems and controls in place to ensure the prudent operation of the CASP, including minimizing the risk of theft or loss of its clients’’ crypto-assets.

The applicant must ensure that the remuneration terms of the staff and any other arrangements with its staff, do not conflict with its staff duty to act in the best interest of its clients nor motivates its staff to implement aggressive promotion practices.

The applicant must have established appropriate corporate governance arrangements, with clearly defined and transparent reference lines.

The applicant must take all reasonable actions to ensure the continuous and regular performance of its activities and must have established an appropriate and up to date policy to ensure its continued operation, the recovery of data and the timely resumption of its activities, in the case where despite the reasonable measures in place the activity of the CASP have ceased.

When outsourcing the performance of critical functions, the applicant must ensure that reasonable measures are taken to avoid any undue additional operational risk and that the quality of the internal controls of the CASP or the CySEC’s ability to monitor compliance, are not materially impaired.

The applicant must have established proper administrative and accounting procedures, internal control mechanisms, effective risk assessment procedures and effective control and effective security and control mechanisms in place for its electronic data processing systems.

Where the scope, nature, scale and complexity of its activity so require, the applicant must establish an internal control function that its independent of its other functions and operations, for the design and execution of the abovementioned internal control mechanisms.

The applicant must have established appropriate security mechanisms in order to guarantee the security and authentication of the means of transfer of information, minimize the risk of data corruption and unauthorized access and to prevent information leakage, in order to maintain the confidentiality of the data at all times.

The applicant must arrange for records to be kept of all of its activities, including the relevant correspondence, which shall be sufficient to enable the CySEC to exercise its supervisory functions and to take steps to ensure the CASP’s compliance with its obligations.

The applicant must ensure that its employees are not involved in multiple duties, unless the exercise of multiple duties does not prevent or its is not likely to prevent such persons from carrying out any work or function with diligence, honesty and professionalism.

The applicant must establish appropriate policies and procedures in order to ensure that its clients’ complaints are properly resolved.

The applicant must ensure that its employees are honest and professionals and possess the appropriate knowledge for the tasks assigned to them.

Capital Requirements

Finally, Article 6 of the Directive sets as a condition that the applicant, depending on the nature of its functions and activities, must maintain at all times own funds equal to the greater of the following amounts[19]:

a) Class1-€50,000 initial capital for the provision of investment advice

Class2-€125,000 initial capital for the provision of the service referred to in Class 1 and/or any of the following services:

i) reception and transmission of client order and/or

ii) execution of orders on behalf of clients and/or

iii) exchange between crypto-assets and fiat currency and/or

iv) exchange between crypto-assets and/or

v) participation and/or provision of financial services related to the distribution, offering and/or sale of crypto-assets, including the initial offering and/or

vi) placement of crypto-assets without firm commitment and/or

vii) portfolio management.

Class3- €150,000 initial capital for the provision of the services referred in Class 1 or 2 and/or any of the following services:

i) management, transfer, holding, and/or safekeeping, including custody of crypto-assets or cryptographic keys or means enabling control over crypto-assets and/or

ii) underwriting and/or placement of crypto-assets with firm commitment and/or

iii) operation of a multilateral trading facility for buying and selling crypto-assets

b) 60% of the applicants’ fixed expenses during the previous year, to be revised annually. This amount will be calculated in accordance with Articles 14 (3) and (4) of the Directive and the percentage of the relevant amount will increase to 100% from the 1st of January 2024.[20]

Charges and Fees

Article 16 of the Directive provides the charges and fees that a CASP pays to CySEC for the registration and renewal of its registration in the Register, as well as for the submission and review of notifications.

To be exact, the applicant pays the fee of €10,000 along with the submission of its application for registration as a CASP. If the applicant is rejected this amount is not refundable, if on the other hand the applicant is successfully registered the CASP does not pay any fees or charges to CySEC for the first year of its registration. After this period, the CASP must pay each year a fee of €5,000, for the renewal of its registration.

As mentioned, for the submission of a notice to CySEC regarding a substantial alteration, a fee shall be paid as follows:

€1,000 per service or activity

€2,000 per notice of change relating to the members of the Board of Directors of the CASP

€5,000 per notice of change relating to the beneficiaries of the CASP.

€1,000 per notice of change relating to the website of the CASP.

The above confirms that there is a fairly demanding legal system for registering a company as a CASP, which therefore effectively prevents the risks that exist for abusing the operation of such an organization, by attempting to launder money or causing instability in the economy. This preventive goal is also served by the obligation that exists for CASPs under the AML Law to perform due diligence when carrying out an individual transaction amounting or exceeding €1,000, regardless of whether the transaction is carried out with a single transaction or with several connected transactions.[21] The prementioned Directive of CySEC for the Prevention and Suppression of Money Laundering and Terrorist Financing is also a part of the implementation of this goal and constitutes the last piece of legislation that regulates crypto-assets in Cyprus.[22]

To complete this chapter, we should also mention that related to the above is also the Policy Statement of CySEC on the registration and operations of CASPs.[23] It is important to note that this text is not a legislative text, but it is considered important and useful because through it CySEC describes its approach regarding the registration and operation of CASPS. In essence CySEC helps CASPs understand its expectations for their compliance with the regulatory framework, by providing important and useful definitions. The most important information that CySEC gives in its Policy Statement is about how it categorizes crypto-assets. Categorization is important, because it determines to which legislations the crypto-asset will be subject to. It seems that CySEC applies a classification depending on their structure and based on European Legislation, considering as «Financial Instrument Tokens» crypto-assets that qualify as financial instruments under the L.87(I)/2017, transposing MiFID II[24]. It also considers as «E-Money Tokens» crypto-assets that qualify as electronic money under the Electronic Money Law,[25] transposing EMD2[26] and finally considers as «crypto-assets» crypto-assets that fall within the abovementioned definition in the AML Law.

3. Taxation of crypto-assets and services

At the moment Cyprus has no specific legal framework in place for crypto-assets nor has the Cyprus Tax Department provided guidance on how such assets should be recognized, treated and taxed.

There are two views on how crypto-assets should be taxed. One of the positions is that it should be taxed as trading income and therefore be taxed at 12,5%, which constitutes one of the lowest and most attractive corporate tax rates in Europe.

The other approach is to consider crypto-assets as a financial instrument, in which case the proceeds from such sale will not trigger any taxation in Cyprus.

In regards to the value added tax (VAT), the only guidance that exists today is from the European Court of Justice[27], which states that the exchange of fiat currencies for cryptocurrencies and vice versa are exempt from VAT.

To conclude, without specific provisions in the legislation it is difficult to determine when and what type of taxation is to be applied on crypto trading in Cyprus but the above gives some guidance.

4. Conclusion

Τhe above shows the important actions that Cyprus took and is taking until today in the field of crypto-assets. While at the same time showing, the challenges it has to face and resolve in the future.

Nevertheless, it is considered that the opportunities created through them, for action and development in the field of crypto-assets, are countless.

If you are interested in establishing your crypto company in Cyprus, we can provide the assistance and guidance you need in each step of the procedure.

Disclaimer

The content of this publication is intended to provide a general guide on the subject matter and it is not to be considered as a legal advice. Legal advice should be sought based on the particular facts of your case.

Footnotes

[1] https://www.mise.gov.it/images/stories/documenti/Dichiarazione%20MED7%20versione%20in%20inglese.pdf and https://digital-strategy.ec.europa.eu/en/news/european-countries-join-blockchain-partnership

[2] term used to describe any technology that delivers financial services through software, such

as online banking, mobile payment apps or even cryptocurrency.

[3] term used cloud computing technology through software-as-a service to help businesses comply with regulations efficiently and less expensively

[4] https://www.parliament.cy/images/media/assetfile/Blockchain%20Strategy%20English_FINAL.pdf

[5] Directive (EU) 843/2018

[6] L.13(I)/2021

[7] L.188(I)/2007

[8] https://mof.gov.cy/assets/modules/wnp/articles/202109/949/docs/dlt_bill_en_for_public_consultation.docx

[9] Article 2 of L.188(I)/2007

[10] Ibid