1. What to expect following the NRA findings?

It is natural for any newly developed technology to face obstacles during its incorporation within existing ecosystems. In this case, the introduction of crypto-assets through the technology of blockchain and the offering of crypto-asset services in and from Cyprus. The difficulty can be attributed to the perception that such services bear inherent high risks, the lack of experience in dealing with such services and assets, and the lack of expertise on the unique characteristics and operations of crypto-assets.

The NRA report shows that relevant authorities have limited procedures developed and experience in mitigating the Money Laundering/Terrorism Financing (ML/TF) risks relating to crypto-assets. Yet, the anticipated rise in VA/VASP activities has led most authorities to commence implementation of legal and supervisory measures in addressing these risks on a national level.

In our opinion, based on the findings of the NRA, the following are to be anticipated in the near future;

• Supervisory authorities such as the CySEC, the Central Bank of Cyprus (CBC) and the Cyprus Bar Association (CBA) are to publish updated versions of their AML/CFT Directives.
• CySEC’s Authorisation Department to adapt its existing procedures into the CASP authorisation framework including inter alia:
  • Incorporation of procedures defined and described within the Markets of Financial Instruments Directive (MiFID).
  • Shareholders due diligence as indicated by the European Securities and Markets Authority (ESMA).
  • New technological tools for tracing VA source of funds on the blockchain.
• Authorities, such as CySEC and the Cyprus Police, to adapt to the continuous, around the clock, non-stop operating nature of blockchain and by extension crypto-assets:
  • Design and implement automated notification and monitoring systems to ensure adequate supervision of the crypto-asset services and activities, during non-working hours.
  • Request from CASP subscription to databases providing information on sanctioned entities and persons.
• Implementation of the CASP Register by CySEC, where all the necessary information about a CASP’s legal structure, arrangement, beneficial owners, and management will be collected and verified.
  • The information will be to some degree available to the public, enhancing in this way the investor’s protection and the transparency of the sector.
• The Cyprus Police departments specialising in economic and cyber-crimes, are to be trained to conduct relevant investigations.
  • Build on their existing experience and utilise the given access to databases and tools for tracing crypto-assets.
  • Gain the ability to effectively freeze, confiscate, safeguard and liquidate crypto-assets in a timely manner, avoiding significant delays.
• Within the banking sector, Electronic Money Institutions (EMI) and Payment Service Providers (PSP) to cater CASP and persons involved with crypto-asset activities, instead of Cyprus credit institutions.
  • The CBC is required to provide adequate guidance on the policies and practices which its supervised entities will need to adopt.
• Utilise the communication and collaboration channels created between Cyprus authorities and respective international authorities regarding training, best practices and investigations relating to VA/VASP activities.
• The NRA recommendations are to be used for creating a complete AML/CFT Strategy which addresses the ML/TF risks specific to the sector on a national level.

The National Betting Authority (NBA) to include a crypto-regulatory sandbox that allows data collection, reporting templates and supervisory procedures specific to crypto-asset activities.

2. Important recommendations and how they can be implemented.

Conducting an NRA on soon-to-be introduced services, offers the opportunity of implementing preventive measures and enhancing the supervisors’ activities. Beyond the findings, the NRA also provided a set of recommendations that can be used to address several findings and further instil best practices.

In this respect, our team focused its attention on the following key recommendations which are believed to lay the groundwork for the effective management of the ML/TF risks posed by the crypto-asset services:

• The adoption of the Travel Rule as a legal obligation of supervised entities through the upcoming AML/CFT Directives.
  • This will force the transactional parties of any crypto-asset transfer to collect, store, and provide information about the sender, the receiver, and the source of funds.
  • Although the CASP industry has not developed a single solution for achieving compliance with the Travel Rule, several approaches have been implemented as presented in an earlier authored article.
• In cooperation with the AML/CFT Advisory Authority, the financial industry supervisory authorities, other than CySEC, should establish registration, licensing, and supervision practices for crypto-asset activities. Moreover, they should consider adopting a common procedure of exchanging information on best practices that concern the CASP sector.
  • The most anticipated developments are expected from the CBC, for introducing the provisions based on which its supervised entities could potentially provide their services to the CASP industry.
• CySEC should be assigned responsible for detecting any unregistered VASP activities.
  • CySEC shall regularly review the CASP registration scheme and its requirements as introduced in September 2021. In this context, CySEC should assess to which extent the scheme can mitigate the ML/TF risks, considering at the same time the adoption of a licensing scheme.
• CySEC uses its experience to lead the efforts towards combatting ML/TF arising from VA/VASP activities, and support obliged entities in the identification and reporting of suspicious activities and transactions related to VA.
  • MOKAS, the designated financial intelligence unit in Cyprus, should employ the typologies and the red flags described in the FATF Virtual Assets Red Flag Indicators report of 2020, to provide to obliged entities the necessary feedback and assistance.
• The Customs Department should reconsider whether crypto-assets fall under its investigation obligations for cases where crypto-asset hardware wallets and storage devices are involved.
  • Customs Department staff should undergo specialised training for detecting and managing such devices in coordination with the Police.
  • Data collection forms should be updated for crypto-assets to be declared as a separate item of property.

Conclusion

In conclusion, SALVUS is of the view that the upcoming developments and the implementation of the discussed recommendations stemming from the 2021 NRA will further enhance the CASP registration framework. Furthermore, they will aid the integrity and transparency of CASP and crypto-asset activities in general, when it comes to AML/CFT laws and public perception. Within this context, we are confident the Cyprus financial system will be prepared to effectively respond and handle the risks arising from the rapid growth of the crypto-asset services sector.

SALVUS’ dedicated team on Crypto-Assets regulatory compliance, possesses extensive experience in several fintech projects, in addition to successfully submitting the first-ever CASP application to CySEC. Our team is ready to assist you in becoming a registered Crypto-Asset Services Provider and support all your regulatory obligations.

If you are interested to learn more about Crypto-Asset Services Providers or you would like additional information relating to the 2021 NRA or your crypto-business, please contact us at info@salvusfunds.com or call us at +357 7000 7898.