Submitting a Crypto-Exchange CASP application to CySEC
The European investment services industry welcomed the latest addition to the regulatory framework of the Cyprus Securities and Exchange Commission (CySEC): the Crypto-Asset Services Providers (CASP) registry. Registration as a CASP allows for several different crypto-business models and paves the way for the innovation of new products and services in the fascinating world of blockchain and crypto-related technology.
Consequently, CySEC's enactment of the CASP registry is being viewed positively, as a sign of a growing regulator and of Cyprus maturing as a financial, investment and crypto-services hub in Europe for investment firms, investment funds, and now Crypto-Asset Services Providers (CASP).
Within this commentary, our Crypto-Assets team will guide you through:
- What is a Crypto-Exchange,
- What the general requirements are for submitting a CASP application to CySEC,
- What Know Your Transaction (KYT) is and how it relates to a crypto-business
In addition, our Crypto-Assets team will provide insight, having submitted the first-ever Crypto-Asset Services Provider application to CySEC. Finally, we also outline how SALVUS can help register your crypto-business to operate and comply with the regulatory framework in Cyprus.
1. What is a Crypto-Exchange?
A crypto-exchange is a platform that enables someone to buy, sell and trade cryptocurrencies and digital assets. A crypto-exchange allows you to convert one cryptocurrency to another (for example, Bitcoin to Ravencoin) and also to convert a cryptocurrency to fiat currency (government-regulated currencies such as the Euro or U.S. dollar) and vice versa, for example Ethereum to U.S. dollars.
Nowadays, there are hundreds of crypto-exchanges operating worldwide, with more coming to market every month. Just as digital and crypto-assets have unique characteristics, crypto-exchange platforms also offer different products and investment services to their user base. Differentiation is what sets crypto-exchanges apart and, depending on the investment objective, different crypto-business models are able to satisfy different needs.
Within the Crypto-Asset Services Providers (CASP) regime by CySEC, we will see crypto-businesses offering crypto-liquidity:
- as CASP Class #2, as institutional crypto-broker business models and
- as CASP Class #3, as crypto-exchange business models.
2. What are the general requirements for submitting a CASP application to CySEC?
CySEC requires any CASP applicant to submit the appropriate registration forms and provide the necessary supporting documentation. In general, a CASP must comply with the following conditions set out by CySEC to register and maintain its status as a legal entity in the jurisdiction:
- Business Plan: set out the business objectives, customers, employees, governance, plans and projections.
  - It should provide enough detail to show that the business proposition has been carefully thought through and that the adequacy of financial and non-financial resources has been considered.
  - It should also include details on the volume and value of transactions, number and type of clients, pricing and the main lines of income and expenses.
- Initial capital adequacy requirements depend on the type of crypto-services a CASP wishes to provide as well as the activities it sets out to perform. These are broken down into three different CASP class types:
  - Class 1 – 50,000 EUR
  - Class 2 – 125,000 EUR
  - Class 3 – 150,000 EUR
- Structural organisation: provide a description of how the CASP business is structured and organised.
  - Board composition and staff
    - Similar to a Cyprus Investment Firm (CIF) board, a CASP board must also be composed of at least 4 directors, of whom 2 perform executive duties and 2 are non-executive directors. The majority of the directors need to permanently reside in Cyprus.
    - Competency of directors and shareholders: individuals holding managerial positions within the firm are required to have the necessary reputation, knowledge, and competence to perform their duties and responsibilities. CySEC will conduct interviews with the directors and shareholders to ensure they are fit and proper for their roles.
    - The CASP will have to appoint a person to be responsible for MLR compliance, to monitor and manage compliance with policies, procedures and controls relating to money laundering and terrorist financing.
    - The applicant must include a description of all outsourcing arrangements.
- Marketing plan: include a description of the type of customers and the distribution channels.
- AML and Risk Management
  - The CASP applicant must be able to demonstrate that it has adequate risk management systems in place as well as procedures to comply with the Anti-Money Laundering (AML) Law.
  - Anti-Money Laundering risk assessment: this should highlight the risks specific to the CASP business model activities and provide details on how the CASP mitigates those risks.
  - Additionally, the CASP shall also provide training to all employees in respect of the Anti-Money Laundering Law.
  - CySEC requires all Crypto-Asset Services Providers applicants to have robust procedures for:
    - Identifying the source of client funds
    - Monitoring transactions of clients
    - Performing client due diligence measures such as background checks to ensure legitimacy
    - Generating client economic profiles
  - A business-wide risk assessment shall be conducted along with the appropriate monitoring and mitigation policy.
  - Crypto-asset public keys/wallet addresses that are controlled by and used in the activity of the crypto-business for each crypto-asset shall be provided to CySEC.
  - Customer on-boarding arrangements and due diligence procedures shall be in place, along with Know Your Transaction (see KYT below) monitoring procedures.
  - Record management, record-keeping and record retention policies will be presented.
- Internal Operations Manual:
  - Organisational and operational arrangements: CySEC requires the CASP applicant to show the business procedures and processes that demonstrate robust governance, record keeping, complaint handling, remuneration structure as well as the proper administrative, accounting, internal control, risk assessment, data protection and data systems.
  - Systems and controls: provide details of the key IT systems the CASP will use to run the business, including details of IT security policies and procedures, and the procedures in place to address the possibility of theft and fraud.
  - Governance arrangements and internal control mechanisms: as part of registration, the CASP will need to provide details of governance arrangements, the internal control mechanisms in place to identify and assess risks, and a description of money laundering and counter-terrorist financing control measures in place.
  - Business continuity plans including systems and human resources.
Overall, CySEC's main concerns and requirements are around investor protection and mitigating the risks of money laundering and terrorist financing.
3. What is Know Your Transaction (KYT) and how does it relate to a crypto-business?
KYT is a relatively new procedure, additional to the well-established KYC (Know Your Client/Customer) due diligence measures. Know Your Transaction (KYT) means performing transaction monitoring, reporting, and analysis to know where the client transaction is coming from. While KYC is undertaken during the onboarding process of a new client, KYT is a perpetual procedure used by crypto-asset services providers to monitor client transactions and report any suspicious or fraudulent paths.
Given the nature of blockchain, the distributed ledger technology (DLT) most commonly used in crypto-assets, KYC alone is not enough to ensure that the risks associated with money laundering and terrorist financing are mitigated. This is where KYT, which looks up and reveals the path of previous transactions, comes into play.
Innovative regtech firms are becoming the main players within the KYT space, and it is easy to see why. Using a data-driven approach, regulation compliance technology is able to perform robust transaction data analysis and raise flags to alert the AML Compliance Officer (AMLCO) when required.
Submitting the first-ever CASP application to CySEC – What we’ve learnt
Our Crypto-Assets team highlighted key points they identified while submitting the CASP application:
- The CASP safeguarding procedures as well as the disclosure of crypto-asset addresses of the custodian wallets are of utmost significance to CySEC and play a key role in the application.
- The product offering and services provided by the CASP must be meticulously selected to accurately demonstrate the operations and business model.
- Money Laundering Risk Assessment systems and procedures are required to be presented in detail.
- Robust KYT monitoring, crypto-wallet screening, and risk analysis procedures using blockchain technology analytical tools are critical facets of the application process.
- It is best to portray the crypto-business’ policies, procedures, and systems via diagrams and flow charts to show the methods the CASP will use to mitigate the risk of theft or loss of client crypto-assets.
The Crypto-Assets team at SALVUS has designed a checklist for the programme of operations contents, covering the operations of the CASP and its compliance with the required policies and procedures. This will help our team with our other current and future CASP applications, and will also help the regulator in reviewing them.
Once a successful CASP application has been reviewed and approved by CySEC, the CASP will be authorised to offer crypto-asset services in or from Cyprus, and will also be added to the CySEC CASP Register.
How SALVUS can help your crypto-business
The Crypto-Assets team at SALVUS has been involved in the licensing and registration of several fintech projects over the years. We have had real first-hand experience in the crypto space and have successfully built on that to hone our skillset and expertise.
Our CASP registration service guides crypto-businesses into becoming supervised entities in Cyprus and in complying with the Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) regulatory framework.
Furthermore, through our project management approach, we assist your crypto-business in a hands-on manner, evaluating and compiling the necessary documentation that CySEC requires for registration, licensing, and operation. Our team is able to submit the application on your behalf and handle the entire communication process to ensure your crypto-business will operate as intended.
We continue to work closely with you post-registration to help you meet the reporting obligation deadlines set out by CySEC.
Please contact us at firstname.lastname@example.org if you would like additional information relating to your unique crypto-business needs; our Crypto-Assets team is ready.
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.