The CySEC’s policy statement set out detailed requirements for crypto firms seeking registration in the regulator’s CASP register. This register is publicly accessible and include information such as the crypto firm’s name, the legal form, its address and services. The new policy also introduces a definition for crypto assets that slightly extends beyond its traditional legal status.
Some of the key obligations of a CASP are the following:
As per the CySEC Directive on CASPs Registration, the prospective CASPs must submit the relevant application form issued by CySEC for the registration in the CySEC CASP Register (the “CASP Application Form”), duly completed which must inter alia include information in relation to:
- The name, trade name, legal form and legal entity identifier on the CASP;
- The physical address of the CASP;
- The services provided and/or the activities that the CASP may carry out as defined in subparagraphs (a) to (e), in the definition of “Crypto Asset Services Provider” in paragraph (1) of section 2 of the Law;
- The website of the CASP;
- All public addresses of crypto-assets and/or of public keys/digital wallets controlled by the CASP that are used or can be used in the operation of the CASP in relation to each crypto-asset (the “Crypto-Assets Addresses”);
- The crypto-assets in relation to which they engage in any activity;
- Whether the CASP accepts other CASPs as customers or not;
- Whether or not the CASP offers business payment services in crypto-assets to vendors;
- Whether the CASP operates Crypto-Assets-ATMs, the number and the geographical location thereof;
- Whether the CASP is registered or supervised in any other jurisdiction;
- All documents and/or additional information specified in the CASP Application Form
Applicants are expected to be in a position to satisfy CySEC in relation to the following, with which upon registration, CASPs must comply on an ongoing basis, at all times (section 61E(6)(a) of the AML/CFT Law):
- The persons holding a management position in the CASP must be honest and competent, which is fulfilled if the persons have a good reputation, knowledge, skills and experience and devote sufficient time to the performance of their duties. In the case of the Board of Directors, the Board of Directors shall be comprised of at least four (4) members, two (2) of which must direct the business activities of the CASP and two (2) must be independent members, within the meaning of the CASP Registration Directive.
- The beneficiaries of CASPs are honest and competent, which is fulfilled if they have a good reputation and the ability to maintain the strong financial position of the CASP.
- The close links between the applicant and other natural or legal persons do not preclude the effective monitoring, evaluation and supervision by CySEC. Where the natural or legal person with whom the applicant has a close connection is in a Third Country, the laws, regulations or administrative provisions of the Third Country shall not impede the effective performance of the supervisory functions.
- When operating online, a website fully owned and exclusively used by the CASP must be maintained, through which the CASP will operate, without the possibility of any other person to operate through it, except for cases where the applicant is in a position to satisfy CySEC that its policies and procedures may sufficiently address the operational risks stemming therefor, including any possible consumers’ detriment and that such risks were identified by means of a risk assessment and are adequately mitigated by the policies and procedures that the CASP has in place.
- There have been established appropriate policies and procedures to ensure its compliance, including the compliance of its executives, employees and persons to whom functions are assigned to, in accordance with the AML/CFT Law and the AML/CFT Directive.
- CASPs must establish appropriate policies and procedures and must have appropriate systems and controls in place to ensure their prudent operation, including minimizing the risk of theft or loss of their clients’ crypto-assets.
- CASPs must have sufficient own funds comprised of fixed and variable component, in accordance with paragraph 1435 of the CASP Registration Directive.
- The performance of its staff shall not remunerated or evaluated in a way that conflicts with the CASP duty to act in the best interest of its clients and in particular, the CASP shall not proceed with any arrangements in the form of remuneration, sales targets or otherwise, which could motivate its staff to implement aggressive promotion practices of products or services.
- There must be sound governance arrangements in place, with clearly defined, transparent and clearly identifiable reporting lines.
- All reasonable steps must be taken to ensure the continuous and regular performance of its functions and an appropriate and up-to-date policy must be maintained to ensure its continued operation, as well as an appropriate and up-to-date data recovery policy and procedures for the timely resumption of activities, where despite the reasonable measures taken the activity of the CASP is interrupted.
- When outsourcing the performance of critical functions to third parties, reasonable steps must be taken to avoid any undue additional operational risk and in any case, it must be ensured that the quality of the internal controls or CySEC’s ability to supervise, are not materially impaired.
- CASPs must have in place sound administrative and accounting procedures, internal control mechanisms, effective risk assessment procedures and effective control and safeguard arrangements for information processing systems.
- Where the scope, nature, scale and complexity of its activity so require, the CASP must establish an internal control function that is independent of its other functions and activities, for the design and execution of its internal control mechanisms.
- CASPs must have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimize the risk of data corruption and unauthorized access and to prevent information leakage, in order to maintain the confidentiality of the data at all times.
- CASPs must arrange for records to be kept of all of their activities, including the relevant correspondence, which shall be sufficient to enable CySEC to exercise its supervisory functions and to take steps to ensure the CASPs’ compliance with their obligations.
- The persons employed by CASPs shall not perform multiple functions unless the exercise of multiple functions does not prevent or it is not likely to prevent such persons from carrying out any work or function with diligence, honesty and professionalism.
- It has appropriate policies and procedures in place to ensure that its clients’ complaints are properly resolved.
- The persons employed by the CASP must be honest and professionals and posses the appropriate knowledge for the tasks assigned to them.
The Travel Rule:
1 ) Where an obliged entity sends a material crypto-asset transfer to a CASP, the relevant obliged entity must immediately and by secure means obtain the following information and submit it to the CASP:
- The payee’s name and surname;
- The payee’s crypto-asset account number;
- The payer’s name and surname;
- The payer’s crypto-asset account number;
- Where the payee or the payer does not have a crypto-asset account number, a unique transaction identifier; and
- One of the following:
- The payer’s physical address;
- The payer’s national identity number;
- The payer’s customer identification number; or
- The payer’s date and place of birth.
2) An obliged entity must follow the above irrespective of whether the obliged entity in question and the payer are the same person.
3) Where an obliged entity receives a crypto-asset transfer from a CASP, the obliged entity must ensure that:
- It has received the information specified above, and
- The information is consistent with its own records in respect of the payee’s name and, where applicable, the payee’s account number.
4) Where an obliged entity receives a crypto-asset transfer from a person other than a CASP, the obliged entity must ensure that it obtains, from the payee:
- The information specified in point iii of paragraph 1
- The information specified in point vi of paragraph 1
5) Before an obliged entity executes a material crypto-asset transfer received from any person, it must ensure that it has effective risk-based policies and procedures in place for the purposes of:
- Determining whether any of the information referred to in paragraphs 3 and 4 as the case may be, is missing, is incomplete or, where applicable, is inconsistent with the obliged entity’s own records; and
- Where a default is identified pursuant to point (i) directly above:
(a)Determining whether to execute, reject or suspend the material crypto-asset transfer; and
(b)Determining the appropriate follow-up action.
- CASP s must comply with all of their responsibilities stemming from the Cumulative
- CASP Rules at all times.
- CASPs must ensure that all information, including marketing communications, addressed to clients or potential clients, are accurate, clear and not misleading and that marketing communications are clearly identified as such and that they provide clients or potential clients with appropriate information on the
- CASP, its services and the costs and associated charges in a timely manner.
- CASPs must maintain and operate effective organizational and administrative arrangements with a view to taking all reasonable steps designed to prevent conflicts of interest from adversely affecting the interests of their clients. They must take all appropriate steps to identify and to prevent or manage conflicts of interest between itself, including its managers, employees and any person directly or indirectly linked to it by control, and their clients or between one client and another and to timely and clearly disclose to the client the general nature or/and sources of conflicts of interest and the steps taken to mitigate those risks, before undertaking business on their behalf.