Cyprus -- Custody Regulations Regulatory Overview

Cyprus, as an EU member state, primarily regulates cryptocurrency and digital asset custody through its anti-money laundering and counter-terrorist financing (AML/CFT) framework, with the Cyprus Securities and Exchange Commission (CySEC) as the competent authority. This framework will soon be significantly superseded and harmonized by the EU's Markets in Crypto-Assets (MiCA) Regulation.

Here's a breakdown of the current and upcoming custody regulations in Cyprus:

Current Regulatory Framework (Pre-MiCA)

The primary legal basis for regulating crypto custody in Cyprus currently stems from the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (as amended), which transposed the 5th EU Anti-Money Laundering Directive (AMLD5) into national law. Under this framework, entities providing crypto custody services are classified as Crypto-Asset Service Providers (CASPs) and are required to register with CySEC.

Key Regulatory References:

1. The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (as amended): This is the foundational law.
   • Reference: While a direct public link to the latest consolidated version in English can be challenging to find, it's the domestic law transposing EU AML directives. You can find information on its application via CySEC.
2. CySEC Policy Statement PS-01-2021 regarding the registration of Crypto-Asset Service Providers (CASPs): This document outlines the practical requirements for CASP registration and ongoing compliance.
   • URL: https://www.cysec.gov.cy/CMSPages/GetFile.aspx?guid=1f00882e-9edc-4395-8889-08a7371d7c3d
3. CySEC Directive for the Register of Crypto-Asset Service Providers:
   • URL: https://www.cysec.gov.cy/CMSPages/GetFile.aspx?guid=fc41e6e0-aa31-41e7-bc22-38435d88f6c5

1. Custodial License Requirements (CASP Registration)

Any entity providing services of "custodian wallet provider" (i.e., providing services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual assets) must register as a CASP with CySEC.

Requirements include (as per PS-01-2021 and related directives):

• Application Process: Submission of a detailed application to CySEC.
• Legal Form: The entity must be a legal person established in Cyprus.
• Management & Personnel: Directors and key personnel must be "fit and proper," with adequate knowledge, experience, and integrity. At least four board members (two executive, two non-executive) must be present, with at least two executive directors managing day-to-day operations and physically residing in Cyprus.
• Capital Requirements: Minimum initial capital requirements apply, typically tiered based on the scope of services. For custody, it generally falls under "Class 3" services, requiring a higher capital base (e.g., €150,000 for specific services, but can vary).
• Organisational Requirements: Robust internal controls, effective risk management systems, IT systems, security mechanisms, business continuity plans, and compliance with data protection laws.
• AML/CFT Compliance: Comprehensive AML/CFT policies, procedures, and internal controls, including customer due diligence (CDD), ongoing monitoring, record-keeping, and suspicious transaction reporting.
• Physical Presence: The CASP must have a physical presence in Cyprus and demonstrate substance.

2. Segregation of Client Assets Rules

While the current Cypriot AML/CFT framework, through CySEC's directives, emphasizes strong internal controls, risk management, and client protection, it does not explicitly mandate the strict segregation of client assets in the same way traditional financial regulations (like MiFID II for investment firms) do, using dedicated client accounts.

Instead, the requirements focus on:

• Robust record-keeping to identify client holdings.
• Strong internal controls to prevent misuse or commingling.
• Safeguarding client assets through secure systems.
• Mitigation of operational risks.

The absence of explicit segregation rules is a gap that MiCA aims to address.

3. Insurance/Bonding Requirements

The current CySEC framework for CASPs does not explicitly mandate a specific amount or type of insurance or bonding for custody services. However, CASPs are generally required to have robust risk management frameworks and sufficient capital to cover operational risks. Good practice dictates that reputable CASPs would seek appropriate insurance coverage (e.g., crime insurance, cybersecurity insurance) as part of their overall risk mitigation strategy, but it is not a direct regulatory requirement with a specified amount under current Cypriot law.

4. Cold Storage Mandates

Cyprus's current regulatory framework, through CySEC, does not explicitly mandate the use of cold storage for all client crypto assets. However, it requires CASPs to implement:

• Robust security measures for cryptographic keys.
• Strong IT systems and cybersecurity policies.
• Operational resilience plans to ensure the safety and integrity of assets.

While not explicitly named, the principles strongly imply that secure, offline storage (cold storage) would be a critical component of a robust security framework for substantial holdings, especially for a custodian. The emphasis is on the overall security architecture rather than a specific technology.

5. Qualified Custodian Definitions

Under the current Cypriot framework, the term "qualified custodian" is not explicitly defined as a separate category or status. Instead, any entity that successfully registers as a CASP with CySEC and complies with all the requirements for providing custody services is considered a legally operating custodian in Cyprus. The "qualification" is derived from the CySEC registration and ongoing compliance.

Pending Custody Legislation: Markets in Crypto-Assets (MiCA) Regulation

The most significant upcoming change is the full application of the Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA) across the European Union, including Cyprus. MiCA will introduce a harmonized and comprehensive regulatory framework for crypto-assets and crypto-asset service providers (CASPs) within the EU.

Key Regulatory Reference:

1. Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):
   • URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

Timeline:

• June 29, 2023: MiCA entered into force.
• June 30, 2024: Rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) will apply.
• December 30, 2024: Rules for all other crypto-assets and CASPs (including custody providers) will apply.

MiCA's Impact on Custody Services:

MiCA will significantly enhance and standardize custody regulations, introducing much more specific and stringent requirements:

1. Authorization/Licensing

• CASPs offering "custody and administration of crypto-assets on behalf of clients" will require authorization as a CASP under MiCA. CySEC will be the competent authority for authorizing and supervising CASPs in Cyprus.
• Existing CASPs in Cyprus will need to adapt their operations and potentially re-apply or notify for authorization under MiCA.

2. Segregation of Client Assets Rules (Explicit)

MiCA explicitly mandates robust rules for the segregation of client assets:

• Article 67: CASPs providing custody services must hold crypto-assets on behalf of clients separately from their own assets. They must ensure that client crypto-assets are not used for their own account and are identifiable from the CASP's own crypto-assets.
• This means dedicated accounts or mechanisms to ensure client ownership is protected, particularly in case of the CASP's insolvency.

3. Insurance/Bonding Requirements (Explicit)

MiCA introduces clear professional indemnity insurance requirements:

• Article 67(4): CASPs providing custody services must either have a professional indemnity insurance policy or own funds equivalent to the potential liability risks arising from their activities. The amount of such insurance or own funds must be sufficient to cover losses that may arise from negligence, errors, omissions, fraud, or operational failures. ESMA will develop regulatory technical standards (RTS) to specify the minimum monetary amount of the professional indemnity insurance or own funds.

4. Cold Storage and Security Mandates (Enhanced)

MiCA reinforces and makes more explicit the requirements for robust security:

• Article 67: CASPs must establish, implement, and maintain an internal policy on safeguarding client crypto-assets, which shall include appropriate technological and organisational measures to ensure the security of the crypto-assets.
• This includes robust IT systems, secure storage of cryptographic keys, access controls, cybersecurity protocols, and business continuity plans. While not explicitly naming "cold storage," the emphasis on "appropriate technological and organisational measures" for safeguarding keys and assets strongly implies that cold storage (or equivalent highly secure offline methods) will be a standard requirement for significant holdings to meet MiCA's security obligations.

5. Qualified Custodian Definitions (Implied by Authorization)

Under MiCA, the term "qualified custodian" will effectively refer to a CASP that has been authorized to provide "custody and administration of crypto-assets on behalf of clients" by a national competent authority (like CySEC) and is fully compliant with all the detailed requirements set out in MiCA. The rigorous authorization process and ongoing compliance obligations under MiCA serve as the "qualification" standard.

In summary: Cyprus currently regulates crypto custody primarily through its AML/CFT framework, requiring CASP registration with CySEC, which entails robust governance, risk management, and security protocols, but lacks explicit mandates for asset segregation, specific insurance, or cold storage. MiCA will fundamentally transform this landscape by introducing a harmonized, comprehensive, and far more prescriptive regulatory regime, making explicit requirements for client asset segregation, professional indemnity insurance, and enhanced security for all authorized crypto-asset custodians across the EU.