Cyprus

**The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (as amended):** This is the foundational law.

**CySEC Directive for the Register of Crypto-Asset Service Providers:**

**Application Process:** Submission of a detailed application to CySEC.

**Legal Form:** The entity must be a legal person established in Cyprus.

**Management & Personnel:** Directors and key personnel must be "fit and proper," with adequate knowledge, experience, and integrity. At least four board members (two executive, two non-executive) must be present, with at least two executive directors managing day-to-day operations and physically residing in Cyprus.

**Capital Requirements:** Minimum initial capital requirements apply, typically tiered based on the scope of services. For custody, it generally falls under "Class 3" services, requiring a higher capital base (e.g., €150,000 for specific services, but can vary).

**Organisational Requirements:** Robust internal controls, effective risk management systems, IT systems, security mechanisms, business continuity plans, and compliance with data protection laws.

**AML/CFT Compliance:** Comprehensive AML/CFT policies, procedures, and internal controls, including customer due diligence (CDD), ongoing monitoring, record-keeping, and suspicious transaction reporting.

**Physical Presence:** The CASP must have a physical presence in Cyprus and demonstrate substance.

Robust record-keeping to identify client holdings.

Strong internal controls to prevent misuse or commingling.

Safeguarding client assets through secure systems.

Robust security measures for cryptographic keys.

Strong IT systems and cybersecurity policies.

Operational resilience plans to ensure the safety and integrity of assets.

**Transferable securities:** Shares, bonds, other forms of securitised debt, and other instruments giving a right to acquire or dispose of transferable securities.

**Units in collective investment undertakings.**

**Options, futures, swaps, forward rate agreements, and any other derivative contracts** relating to securities, currencies, interest rates or yields, emission allowances or other indices or financial indicators, which may be settled physically or in cash.

**Derivative instruments for the transfer of credit risk.**

**Derivatives** relating to commodities that can be physically settled or cash settled.

**Security Tokens:** These are tokens explicitly designed to represent traditional financial instruments, such as:

**Equity Tokens:** Tokens that grant ownership rights in a company, similar to shares, often conferring voting rights, dividend entitlements, or a share in profits.

**Debt Tokens:** Tokens representing a loan or debt, similar to bonds, entitling the holder to interest payments and principal repayment.

**Asset-backed Tokens:** Tokens representing a claim on underlying physical assets (e.g., real estate, commodities) or financial assets (e.g., fund units), where the holder expects a return.

**Tokens representing units in collective investment undertakings.**

**Certain Derivatives on Crypto-Assets:** If structured in a way that aligns with the MiFID II definitions of derivative contracts (e.g., options, futures, swaps on cryptocurrencies).

**Utility Tokens:** Tokens designed solely to provide access to a specific product or service within a platform or network, without conveying investment rights or an expectation of profit from the efforts of others. However, if their primary purpose or marketing shifts to investment, they could be reclassified.

**Payment/Exchange Tokens (Cryptocurrencies):** Tokens intended to function as a medium of exchange, unit of account, or store of value (e.g., Bitcoin, Ether). CySEC, in line with the EU approach, generally views these as "crypto-assets" but not "financial instruments" *unless* they display characteristics that qualify them as such (e.g., if Ether's original ICO was assessed under MiFID II principles, it might have been treated differently due to the investment expectation). These are primarily regulated under Anti-Money Laundering (AML) laws.

**E-money Tokens:** Tokens that meet the definition of electronic money under the **Electronic Money Directive 2009/110/EC** (transposed in Cyprus). These represent a claim on the issuer for a fixed monetary value and are regulated as e-money, not financial instruments.

**Prospectus Requirement:** Public offerings of transferable securities in Cyprus generally require the publication of a prospectus approved by CySEC, in accordance with the **Prospectus Regulation (EU) 2017/1129**. This regulation harmonises the requirements for the format, content, and approval of prospectuses published when securities are offered to the public or admitted to trading on a regulated market.

**Exemptions:** The Prospectus Regulation provides for certain exemptions from the prospectus requirement, including:

Offers to qualified investors only.

Offers addressed to fewer than 150 natural or legal persons per Member State, other than qualified investors.

Offers where the total consideration in the EU is less than €1 million over a 12-month period.

Offers where the denomination per unit is at least €100,000.

Offers of non-equity securities issued by a Member State or local authority.

**Issuer Authorisation:** The issuer of the security token itself typically does not need to be authorised by CySEC *unless* it is also engaging in MiFID II regulated activities, such as providing investment advice, operating a trading platform, or managing portfolios of these security tokens. In such cases, the entity would need to be authorised as a Cyprus Investment Firm (CIF).

Issuers of non-security crypto-assets and firms providing services related to them (e.g., exchange, custody, transfer, portfolio management, advice) must register with CySEC as **Crypto Asset Service Providers (CASPs)** under the **Law for the Prevention and Suppression of Money Laundering and Terrorist Financing (L.188(I)/2007)**, as amended by **L.13(I)/2021**. This registration focuses primarily on AML/CFT compliance.

**Trading Venues:** Secondary trading of such tokens must take place on regulated markets (RMs), multilateral trading facilities (MTFs), or organised trading facilities (OTFs) which are regulated under MiFID II and overseen by CySEC.

**Post-Trade Transparency & Transaction Reporting:** Transactions are subject to the reporting and transparency requirements of MiFID II and the **Markets in Financial Instruments Regulation (MiFIR) (Regulation (EU) No 600/2014)**.

**Market Abuse Rules:** The **Market Abuse Regulation (EU) No 596/2014 (MAR)** applies, prohibiting insider trading, market manipulation, and requiring disclosure of inside information for security tokens admitted to trading on regulated venues.

Currently, there are no specific EU-wide secondary trading rules for non-security crypto-assets. However, entities facilitating the secondary trading of such tokens in Cyprus are typically considered CASPs and must be registered with CySEC under the AML Law. The upcoming **Markets in Crypto-Assets (MiCA) Regulation** will introduce comprehensive rules for crypto-asset service providers (CASPs) and issuers of non-security crypto-assets, including specific requirements for operating trading platforms, which will significantly alter this landscape.

**Unauthorised CASPs:** Issuing warnings or imposing administrative fines on entities offering crypto-asset services in Cyprus without proper CySEC registration under the AML Law.

**AML/CFT Deficiencies:** Penalising CASPs for failing to comply with their anti-money laundering and counter-terrorist financing obligations (e.g., insufficient customer due diligence, inadequate risk assessments, poor transaction monitoring).

**Misleading Marketing:** Addressing misleading advertisements or promotions related to crypto-asset services.

**Cyprus Securities and Exchange Commission (CySEC) Official Website:**

**CySEC Policy Statement on the Registration of Crypto Asset Service Providers (CASPs) and its Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing:**

(Often updated, search on CySEC website for "AML Directive" or "CASP Policy Statement")

A relevant link to the Legal Framework section on CASPs: https://www.cysec.gov.cy/en-GB/entities/crypto-asset-service-providers-casps/legal-framework/

**Investment Services and Activities and Regulated Markets Law of 2017 (Law 87(I)/2017):**

This is the national transposition of MiFID II. Finding a direct public URL for the latest consolidated version might require searching legal databases (e.g., Cyprus Bar Association, legislation portals).

An older but relevant link detailing the law: https://www.cysec.gov.cy/en-GB/legislative-framework/investment-services-law/

**Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114 (Future Framework):**

**Regulator Name:** Cyprus Securities and Exchange Commission (CySEC)

**Entity Targeted:** eToro (Europe) Ltd (a major global trading platform also offering crypto services)

**Violation Type:** Non-compliance with regulatory requirements related to organizational requirements, safeguarding clients' funds, and prevention of money laundering and terrorist financing (AML/CFT). This included deficiencies in operational risk management, internal controls, and measures taken to prevent money laundering and terrorist financing.

**Date:** January 29, 2024 (The decision covered violations from January 2020 to December 2022).

**Outcome:** Imposition of an administrative fine. eToro (Europe) Ltd stated it has taken corrective measures.

**Source URL:** CySEC Official Announcement - eToro (Europe) Ltd

**Entity Targeted:** Bitpanda GmbH (a well-known European digital investment platform operating as a registered VASP in Cyprus)

**Violation Type:** Non-compliance with the AML/CFT Law, specifically regarding internal controls and measures for the prevention of money laundering and terrorist financing, and deficiencies in customer due diligence procedures.

**Date:** July 10, 2023 (The decision covered violations from December 2020 to September 2022).

**Source URL:** CySEC Official Announcement - Bitpanda GmbH

**Cyprus Securities and Exchange Commission (CySEC)**

Role: The primary regulator responsible for supervising and registering Virtual Asset Service Providers (VASPs) under the AML/CTF framework. It ensures compliance with AML directives, assesses the fitness and propriety of VASP management, and oversees operational requirements.

**Unit for Combating Money Laundering (MOKAS)**

**Role:** Cyprus's Financial Intelligence Unit (FIU), responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and other information regarding potential money laundering and terrorist financing activities. While not a direct regulator of VASPs, it is central to the AML/CTF ecosystem.

**The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (L. 188(I)/2007), as amended.**

**Date:** Originally enacted in 2007, but significantly amended over time, particularly in **2021**, to transpose the **5th Anti-Money Laundering Directive (AMLD5)** and bring VASPs under its scope. These amendments defined "Virtual Assets" and "Virtual Asset Service Providers" (VASPs) and designated CySEC as the supervisory authority.

**Key Provisions:** Requires VASPs to register with CySEC, implement robust AML/CTF measures (KYC, transaction monitoring, risk assessments), report suspicious activities, and adhere to internal control procedures.

**CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (Regulatory Administrative Act No. 466/2021)**

**Date:** Issued by CySEC in **June 2021**.

**Key Provisions:** This directive provides the detailed operational requirements and guidelines for VASPs registered with CySEC. It covers:

Categorization of VASP services (e.g., exchange between virtual assets and fiat, transfer of virtual assets, safekeeping, initial coin offerings).

Specific AML/CTF obligations (customer due diligence, record-keeping, risk management, internal controls, reporting obligations).

Organizational requirements (management, capital adequacy, professional indemnity insurance).

**EU Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114**

**Date:** Adopted by the EU in **May 2023**.

**Impact:** MiCA will be the overarching, harmonized regulatory framework for crypto-assets across the EU, including Cyprus. It will replace the existing national AML-driven frameworks for certain aspects and introduce comprehensive rules for crypto-asset issuance, operation, and services.

Rules concerning asset-referenced tokens (ARTs) and e-money tokens (EMTs) will apply from **30 June 2024**.

Rules concerning other crypto-assets and crypto-asset service providers (CASPs) will apply from **30 December 2024**.

**Cyprus's Stance:** CySEC is actively preparing for the implementation of MiCA, which will streamline the regulatory landscape and shift certain aspects from an AML-only focus to a broader prudential and market integrity framework.

**Permitted and Regulated:** Crypto trading and the operation of crypto exchanges (classified as VASPs) are **permitted** in Cyprus, provided they are properly **registered and supervised by CySEC**.

**Registration Requirement:** Any entity wishing to offer services related to virtual assets in or from Cyprus must apply for registration with CySEC as a VASP.

**Compliance Obligations:** Registered VASPs are subject to stringent AML/CTF requirements, including:

**Customer Due Diligence (KYC):** Verifying the identity of their customers.

**Transaction Monitoring:** Monitoring transactions for suspicious patterns.

**Risk Assessments:** Conducting regular risk assessments related to money laundering and terrorist financing.

**Reporting:** Reporting suspicious transactions to MOKAS.

**Operational Requirements:** Adhering to organizational, governance, and capital adequacy requirements set by CySEC.

**Consumer Protection:** While the current framework is heavily AML-focused, CySEC's oversight aims to instill a degree of market integrity and consumer protection through the fitness and propriety assessment of management and operational controls. MiCA will significantly enhance consumer and investor protection.

**Adopted:** Yes, the Travel Rule is considered adopted in Cyprus through its direct application of EU law and the integration of FATF standards into its national AML/CFT framework.

**EU Level:** The primary legal basis for the Travel Rule for crypto-assets across the EU, including Cyprus, is **Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (recast Transfer of Funds Regulation - TFR 2023)**. This regulation repeals the previous TFR (EU) 2015/847 and is part of the EU's AML/CFT legislative package alongside the Markets in Crypto-Assets Regulation (MiCA). As an EU Regulation, it is **directly applicable** in all member states, including Cyprus, without requiring national transposition, though national authorities issue guidance.

**URL:** Regulation (EU) 2023/1113 on EUR-Lex

**National Level:** The overarching national AML/CFT framework in Cyprus is the **Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2000 (Law 188(I)/2007, as amended)**. This law incorporates various EU AML Directives (AMLDs) and grants regulatory powers to authorities like CySEC. CySEC issues directives and guidance under this national law to ensure compliance.

**URL (CySEC's page referencing AML/CFT law):** CySEC - Prevention and Suppression of Money Laundering and Terrorist Financing Law

For the EU as a whole, **Regulation (EU) 2023/1113 applies from 30 December 2024.**

Therefore, this is the de jure effective date for the full application of the Travel Rule for crypto-asset transfers in Cyprus as per the EU regulation. Cypriot Crypto Asset Service Providers (CASPs) must be fully compliant by this date.

**No lower threshold:** TFR 2023/1113 significantly amends the Travel Rule for crypto-asset transfers by eliminating the de minimis threshold. This means that for **all crypto-asset transfers, regardless of amount**, CASPs must obtain and verify originator and beneficiary information if they are involved in the transfer.

This removes the previous €1,000 threshold that existed for traditional wire transfers in earlier iterations of the TFR for the specific case of crypto-assets.

The TFR 2023/1113 applies to **Crypto-Asset Service Providers (CASPs)** as defined under the upcoming MiCA Regulation.

In Cyprus, these entities are currently registered with the Cyprus Securities and Exchange Commission (CySEC) as **Crypto Asset Service Providers (CASPs)** under the Prevention and Suppression of Money Laundering and Terrorist Financing Law.

This includes, but is not limited to, entities that:

Are involved in the transfer of crypto-assets on behalf of a customer.

Provide other services related to crypto-assets that facilitate transfers.

**URL (CySEC CASP Register):** CySEC - Register for Crypto Asset Services Providers

Crypto-asset account number of the originator (or unique transaction identifier).

Address of the originator (or national identification number, or customer identification number, or date and place of birth).

Crypto-asset account number of the beneficiary (or unique transaction identifier).

**Information Verification:** CASPs must verify the accuracy of the originator information on the basis of documents or data obtained from a reliable and independent source.

**Information Transmission:** The required information must be transmitted with the crypto-asset transfer (or immediately after) to the beneficiary CASP, using secure and reliable communication channels. Interoperability solutions (e.g., TRP, OpenVASP, Travel Rule Universal Protocol - TRUP) are expected for efficient information exchange between CASPs.

**Record Keeping:** CASPs must retain the collected information for a period of five years, in line with general AML/CFT record-keeping requirements.

**Sanctions Screening:** CASPs are required to screen originator and beneficiary information against relevant sanctions lists.

**Missing or Incomplete Information:** CASPs must have policies and procedures for handling transfers with missing or incomplete information. This may include:

Restricting the availability of the crypto-assets.

Reporting suspicious activity to the Unit for Combating Money Laundering (MOKAS), Cyprus's Financial Intelligence Unit (FIU).

CySEC's existing directives on AML/CFT compliance for CASPs (e.g., Circular C367 and Circular C446) set the broader expectation for robust internal controls, risk assessment frameworks, and the use of appropriate technology to manage AML/CFT risks.

**URL (CySEC Circulars - search for AML/CFT and CASP):** CySEC Circulars

**Monetary Fines:** Substantial fines can be imposed. For legal persons (CASPs), fines can reach up to **€5 million or 10% of their total annual turnover**, whichever is higher, or even up to twice the amount of the benefit derived from the breach, if that can be determined. For individuals, fines can reach up to **€1 million**.

**Withdrawal or Suspension of Authorization/Registration:** CySEC has the power to suspend or completely withdraw a CASP's registration if serious breaches occur, effectively preventing them from operating in Cyprus.

**Public Reprimands:** Disciplinary measures can include public statements identifying the non-compliant entity and the nature of the breach.

**Cease and Desist Orders:** Orders requiring the CASP to stop specific non-compliant activities.

**Referral for Criminal Prosecution:** In cases involving severe breaches, particularly those linked to actual money laundering or terrorist financing, the matter can be referred to the Attorney General's Office for criminal investigation and prosecution, which may lead to imprisonment for individuals.

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):**

**June 29, 2023:** MiCA entered into force.

**June 30, 2024:** Rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) will apply.

**December 30, 2024:** Rules for all other crypto-assets and CASPs (including custody providers) will apply.

CASPs offering "custody and administration of crypto-assets on behalf of clients" will require authorization as a CASP under MiCA. CySEC will be the competent authority for authorizing and supervising CASPs in Cyprus.

Existing CASPs in Cyprus will need to adapt their operations and potentially re-apply or notify for authorization under MiCA.

**Article 67:** CASPs providing custody services must hold crypto-assets on behalf of clients separately from their own assets. They must ensure that client crypto-assets are not used for their own account and are identifiable from the CASP's own crypto-assets.

This means dedicated accounts or mechanisms to ensure client ownership is protected, particularly in case of the CASP's insolvency.

**Article 67(4):** CASPs providing custody services must either have a professional indemnity insurance policy or own funds equivalent to the potential liability risks arising from their activities. The amount of such insurance or own funds must be sufficient to cover losses that may arise from negligence, errors, omissions, fraud, or operational failures. ESMA will develop regulatory technical standards (RTS) to specify the minimum monetary amount of the professional indemnity insurance or own funds.

**Article 67:** CASPs must establish, implement, and maintain an internal policy on safeguarding client crypto-assets, which shall include appropriate technological and organisational measures to ensure the security of the crypto-assets.

This includes robust IT systems, secure storage of cryptographic keys, access controls, cybersecurity protocols, and business continuity plans. While not explicitly naming "cold storage," the emphasis on "appropriate technological and organisational measures" for safeguarding keys and assets strongly implies that cold storage (or equivalent highly secure offline methods) will be a standard requirement for significant holdings to meet MiCA's security obligations.