Cyprus National Risk Assessment on VA and VASP

Cyprus National Risk Assessment 2021; Virtual Assets and Virtual Asset Service Providers

On the 21st of December 2021, the Cyprus Securities and Exchange Commission (CySEC) released Circular C478 publishing the National Risk Assessment (NRA) report by Bandman Advisors. This is the first-ever NRA with respect to Virtual Assets (VA) and Virtual Asset Service Providers (VASP). VASP are the equivalent of CASP (Crypto-Asset Services Providers), the regulatory framework for which was introduced by CySEC early in September 2021. Both acronyms, VASP and CASP, will be used interchangeably within this article.

The NRA was conducted based on international standards and in particular the Financial Action Task Force (FATF) Recommendation 15 for prior assessment of the introduction of new technologies. The main objective of the NRA was to identify and assess the Money Laundering and Terrorist Financing (ML/TF) risks posed by crypto-assets, also referred to as digital assets, and VASP.

This commentary summarises the AML/CFT legal framework, its expected updates, and the recommendations of the assessment team by Bandman Advisors, as follows:

1. Legal framework
2. Policies and procedures recommended to supervisory authorities
3. Preventative measures for obliged entities
4. Registration process of a CASP

1. Legal framework

Following the Policy Statement on the registration and operations of Crypto-Asset Services Providers (PS-01-2021), the updated AML/CFT Law is anticipated to include risk management measures on VA activities, which will be consistent with the 5th EU AML Directive (AMLD5). In this context, the forthcoming AML/CFT Directives of CySEC and Central Bank of Cyprus (CBC) are expected to provide explicit standards for VASP.

More specifically, CySEC’s and CBC’s Directives shall:

  • Adopt the Travel Rule* as a legal obligation
  • Address all the AML/CFT obligations for Obliged Entities engaged in crypto-asset activities
  • Provide Enhanced Due Diligence (EDD) requirements addressing ML/TF risks related to crypto-assets.

CASP now fall within the obliged entities definition. Thus, the entity and the entity’s directors, senior management and persons with significant control are subject to a range of sanctions, including civil and criminal penalties related to ML offences.

As mentioned in another article, all obliged entities shall have procedures in place to identify suspicious transactions and practices and a process to follow for reporting to the Cyprus Financial Intelligence Unit (MOKAS).

*The Travel Rule is an obligation for the parties (payee and payer) involved in a material ( => 1,000 Euros) crypto-asset transfer, to obtain specific information of the payee and the payer. The provided information must include as a minimum: the name, the surname, the crypto-asset account number and the payer’s physical address or national identity number or customer identification number or date and place of birth.

2. Policies and procedures recommended to the supervisory authorities

CySEC is the responsible authority for the supervision of crypto-asset activities regarding ML/TF risks. At the same time, no authority was assigned responsible for detecting and identifying unregistered crypto-asset activities. In the following years and as the crypto-asset activity increases, it is anticipated that more regulatory bodies will be engaged with the supervision of the crypto-asset and CASP activities. In this respect, we expect that the CBC will have a critical role in the supervision of virtual assets and Virtual Asset Service Providers.

In general, the NRA has shown that key national competent authorities such as CySEC and CBC have currently no or limited experience and expertise with crypto-asset activities. In this regard, very few policies and procedures have been established to mitigate the ML/TF risks arising through VA activities. Nonetheless, a set of recommendations are proposed by Bandman Advisors to the key authorities and include among others:

  • The creation of a baseline of stored data related to the crypto-asset activities.
  • CySEC to create a register with verified information of the CASP Beneficial Owners (BO), management and fitness standards. In this way the CySEC Register will be a source of robust and reliable information available to the public, ensuring high transparency within the CASP sector.
  • Access, use, and train on specialised cryptocurrency AML Compliance blockchain forensics and transaction monitoring databases which will allow effective off-site supervision.
  • MOKAS to incorporate specific identifier fields in its reporting system for Suspicious Activity Reports (“SARs”) and Suspicious Transactions Reports (“STRs”), to categorise crypto-asset related reports. Read more here on the reporting process to MOKAS.
  • The development of procedures for VA freezing, safeguarding, and liquidating in case of confiscation, using several technological approaches. In this context, CySEC shall request that such procedures are established by potential CASP during the authorisation process.
  • CySEC to include authorised CASP in its automated notification lists related to ML/TF. In addition, to require from CASP a subscription to databases that provide information on sanctioned entities and persons.
  • International cooperation for incoming and outgoing ML/TF requests related to crypto-asset activities.

3. Preventative measures for obliged entities

The NRA identified specific vulnerabilities in the crypto-asset services provision sector, that lie in the characteristics of the virtual assets, such as:

  • the anonymity and pseudo-anonymous nature
  • the online and global accessibility
  • the immediate convertibility to fiat currencies through exchanges and their reintroduction to the economy
  • the difficulty to freeze or reverse a transaction once it has been completed
  • the non-face-to- face client relationship
  • the custody risk of hot and cold wallets in which crypto-assets can be kept in a software (hot) wallet installed on a device or cloud, or a hardware (cold) wallet like a physical storage device
  • the commingled wallets where exchanges operate through a common wallet and account structure, resulting in VASP transactions not being registered on the blockchain.

The assessment team provided a set of preventive and risk-mitigating measures that address the above vulnerabilities, such as:

  • The development of a risk-based approach for customer due diligence throughout the entire relationship cycle, including:
    • Passport check
    • Video selfie
    • Address check
    • IP address check
    • And whether the client’s country of residence allows VA activity.
  • Transaction monitoring, also known as Know Your Transaction procedure, wallet and crypto-asset source monitoring measures, applying:
  • For fiat money deposits:
    • Source of wealth confirmation
    • Wire transfers
  • For crypto-asset deposits:
    • Source of wealth confirmation
    • Source of funds tracking through blockchain analytics
    • Deposit limits.
  • Adoption of the Travel Rule by developing procedures that make use of specialised crypto AML intelligence monitoring tools,
  • Being aware of any regulatory differences that may cause regulatory arbitrage,
  • Incorporating, within the entity’s AML compliance program, procedures for reporting to MOKAS,
  • Efficient cooperation with the competent authorities.

4. Registration process of a VASP/CASP

The registration process of a potential VASP (known as CASP under CySEC), is divided into two steps:

  1. In the first step, CySEC conducts due diligence on the proposed entity’s shareholders, and
  2. In the second step, CySEC assesses its business model and plan.

During the shareholders’ due diligence, CySEC examines the source of funds to ensure that the entity’s initial capital has derived from legitimate activities and is adequate to support at least three years of operations. The supporting documentation required:

  • tax returns
  • bank confirmation letters and
  • audited financial statements for existing entities.

It is worth noting that the same assessment process is followed for any changes in the shareholding structure, the management structure, and for any license extensions.

The second step of authorization is the business model and plan assessment, and the entity’s organizational structure.

Lastly, if the entity fulfils all requirements, then it is granted authorisation to provide VA services.

Although any crypto-asset related activity is considered by the industry as totally prohibited by the CBC, the NRA has indicated that this is not the case. It has been highlighted that CBC supervised entities regularly seek approval from the regulator to engage in such innovative activities.

To this end, CySEC and CBC have stipulated that supervised entities wishing to offer crypto-asset activities, should proceed with the establishment of a separate legal entity dedicated for that purpose. Those entities are then free to pursue an application of registration in CySEC’s CASP Register.

More details on the general requirements for submitting a CASP application to CySEC can be found in an earlier article authored by our Crypto-Assets Licensing team at SALVUS.


The NRA indicates that the crypto-asset services provision sector will experience fast growth in the coming years, as more entities and individuals wish to engage in crypto-asset related activities globally. Therefore, by adopting specific regulatory provisions, implementing appropriate policies and procedures, and acquiring specialised knowledge and expertise, CySEC will ensure robustness, high transparency, and adequate management of many ML/TF risks based on a well-designed legal framework in and out of Cyprus.

SALVUS has accumulated first-hand experience in the licensing, registration, and compliance of several fintech projects. Our Crypto-Assets team has successfully submitted the first-ever CASP application to CySEC and is ready to guide your company into becoming a registered Crypto-Asset Services Provider and assist in all AML/CFT regulatory obligations.

If you would like additional information relating to your crypto-business needs or crypto-compliance obligations, please contact us at info@salvusfunds.com or call us at +357 7000 7898.


Should you be interested to read more about crypto-assets, blockchain, or Anti-Money Laundering, please visit the selected articles below:

The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.

Share this post