The Fintech Market in Cyprus Over the Past 12 Months
Cyprus has witnessed an increase in fintech activity over the past 12 months. Following a trend of constant and continuous development over these past years, the fintech market in Cyprus has significantly evolved this year not least due to the rise of the pandemic and the turn to digital and innovative business solutions.
Crypto-activities constitute an area that has expanded, with a considerable number of crypto-exchanges and cryptotrading platforms operating in Cyprus. Foreign companies operating in crypto-activities have also established headquarters in Cyprus. The growth of the crypto industry manifests in the adoption of government- and legislature-backed initiatives towards exploring the regulation and encouraging activity in that area. The Cyprus Securities and Exchange Commission (CySEC) has set up an Innovation Hub, where it has reported the operation of crypto-asset companies and distributed ledger technology-using trading platforms involved in the offer, transfer, and verification of financial instruments and financial instrument ownership. This Innovation Hub activity confirms the increased interest in cryptobusinesses in Cyprus.
Payment innovation is a developing fintech area attracting the interest and constituting a core business activity of both incumbents and new market entrants. Connected with the payment innovation development, banks are currently implementing digital solutions to enhance their services. Banks have focused on their digital transformation like never before: the Cyprus Banks’ Association has agreed on a Memorandum of Understanding with the Government, via the Deputy Ministry of Research, Innovation and Digital Policy, on common initiatives to facilitate and expand digital transactions and banking services, aided by the use of electronic identification and electronic signature solutions, as explored by the Government. In general, the banking sector currently explores the implementation and use of digital tools, such as remote onboarding, to improve their services, especially in the face of rising competition by start-up and emerging banking-related businesses.
Issues Bound to Impact Fintech in the Coming Year
The Cyprus government together with the House of Representatives, the assistance of other stakeholders and competent authorities (including the CySEC and the Central Bank of Cyprus (CBC)), have issued the National Strategy on Distributed Ledger Technologies (Blockchain), which constitutes a long-term plan on the deployment and increasing utilisation of distributed ledger technologies, including blockchain, in both the public and private sector. Suggesting initiatives and actions aimed at encouraging activity with blockchain, the national strategy contemplates the adoption of a distributed ledger technology-based law regulating, among others, crypto-assets and businesses operating in this area. Based on a distinction between utility, security, and payment tokens, the relevant law shall provide legal certainty to businesses engaged in crypto-activities. This, in turn, is expected to significantly increase the operation of cryptobusinesses in Cyprus.
Recently, Cyprus transposed the fifth Anti-Money Laundering Directive (AMLD), whereby crypto-asset service providers are now considered obliged entities. The definition of crypto-asset service providers is more expansive than in the corresponding EU directive; providers of crypto-to-crypto and fiat-to-crypto exchange services, custodian wallet providers, and providers of a list of services related to crypto-assets as determined in the transposed AML law fall within the scope of the updated AML regime. Crypto-assets are defined as in the fifth AMLD with the added clarification that they explicitly exclude fiat currency, electronic money and financial instruments as defined in the applicable Investment Services Law.
The new AML law obliges crypto-asset service providers to register in a central registry before carrying out the provided crypto-asset-related services in or from Cyprus. CySEC is the competent body to oversee, monitor, and supervise the registration system and applications for the purpose of AML compliance. To that end, CySEC is empowered to issue a directive regarding the registration requirements and application conditions.
The expanded scope of the transposed law follows the said National Strategy and a relevant consultation by CySEC that favoured a more comprehensive AML regulation of cryptoproviders. This indicates the will to render Cyprus a safe cryptojurisdiction. This is bound to increase crypto-activity in Cyprus.
CySEC Bespoke Rules
The CySEC has issued bespoke rules on the operation of Cyprus Investment Firms, authorised and operating under the relevant Investment Services Law, as crowdfunding platform operators matching fundraising, project owners with interested crowdfunding investors. These rules impose obligations on Cyprus Investment Firms additionally to the standard requirements for such investment firms, per the applicable investment laws. Again, this is meant to encourage crowdfunding activity, this way acknowledged as a valuable alternative financing model.
While the domestic fintech trend is positive, the stance of the CBC poses some concerns regarding the exponential growth of fintech activity in Cyprus. The CBC maintains a reserved, cautious, and non-approving position against cryptocurrencies. A potentially insistent reserved and non-approving approach by the CBC could hinder fintech progress to a considerable extent. However, the recent implementation of the fifth AMLD in Cyprus and the adoption of a distributed technology law-centred law (that is currently in the works) are bound to positively turn the CBC’s approach to cryptocurrencies.
A significant business model emerging in Cyprus are fintech businesses engaged in the provision of services in relation to cryptocurrencies, mainly in cryptocurrency trading and exchange.
Building on Existing Frameworks
The banking sector is an area that has seen and is expected to experience even further significant developments through technology. The EU Payment Services Directive (PSD II 2015/2366/EC) set the ground for the implementation of open banking channels directed at facilitating financial information exchange. Building on the relevant framework and supported by the exponential technological growth, incumbent banks develop technology-enabled strategies to increase their competitiveness against emerging businesses and new market participants.
The key areas of focus for banks’ are the establishment of their own application programming interface and the consideration of available technologies, such as biometric data and AI, to facilitate customer identification and authentication. The established framework has given rise to electronic money institutions and payment or account information service providers.
The Cypriot economy heavily relies on the banking sector, something that renders the domestic banks’ fintech orientation crucial to concurrent progress of fintech, in general, and the economy as a whole.
Connected with the fintech progress in banking services and activities, fintech businesses, especially start-ups, develop innovative and mobile payment solutions. Incumbent financial and credit institutions also integrate technology to enhance payments, thereby offering fintech-enabled payment solutions, products, and services. International money transfer businesses also operate in the fintech space using new technologies for their services.
Cyprus is a renowned and internationally recognised foreign exchange hub not least due to the early designation of foreign exchange as a regulated product under MiFID. The large and advanced foreign exchange market is a crucial component of the domestic financial services framework. Forex companies actively explore the use of technology, especially emerging technology, and the potential investment in technology-enabled products to transform their business, diversify their portfolio and venture into novel investment areas.
The regulatory regime applicable to fintech industry participants in Cyprus essentially follows the regulatory regime applicable to “traditional” financial services. Fintech activities, products, or services, are regulated under the existing financial services regime, depending on their nature, function, and model, and to the extent that they fall within the scope of such financial services regime, regardless of the technology they use.
The financial services framework in Cyprus consists of a complex nexus of laws, rules, and regulations, derived from EU and domestic laws. Fintech businesses could thus be subject to the existing financial services legal and regulatory framework that includes the following main laws:
Fintech providers can follow compensation models that are permitted based on their status determined by their licence/authorisation, the nature of their services, activities, customers. Fintech businesses would not be subject to bespoke disclosure requirements or type of compensation models but would follow the existing requirements for financial services.
CySEC has issued specific rules for investment-based crowdfunding, whereby crowdfunding platform providers (which can only be Cyprus Investment Firms) must provide clear and comprehensible information on the costs and charges related to the relevant crowdfunding services or investments.
The legal and regulatory framework does not distinguish between fintech industry participants and legacy players. In this sense, there are no differences between the two in terms of regulation.
Cyprus does not have a regulatory sandbox, but CySEC has introduced the Innovation Hub inviting regulated and non-regulated, innovative businesses to participate in a dedicated regulation-advancing, compliance-advancing and compliance-navigating space. The Hub seeks to act as the connecting block between the competent regulatory authority and innovative businesses operating in the fintech and regtech realm, encouraging the exchange of views and facilitating compliance and regulatory matters for both parties.
The requirements of participation indicate that CySEC focuses on genuine innovation connected with fintech and regtech.
Fintech industry participants are subject to the supervision of different, competent regulators depending on the scope of their financial services, activities, and products. Broadly, these regulators have competence over distinct financial services sectors, banking, securities and investments, and insurance. Provided that Cyprus has not introduced a bespoke fintech regulation, thereby subjecting fintech businesses to the generally applicable financial services regime, the competence of these regulators carries on to fintech, too.
CySEC is the independent supervisory authority of the investment services market, transactions in securities, the Cyprus stock exchange and the other organised markets in Cyprus, and the collective investment and asset management sector.
The Central Bank of Cyprus, as part of the European System of Central Banks, contributes to the regulation of the European monetary policy. The CBC is entrusted with the general oversight of the financial system in Cyprus. Its supervisory and regulatory powers include regulating, licensing/authorising, and monitoring the operation of credit institutions, and supervising payment institutions and electronic money institutions.
The insurance sector is supervised by the Superintendent of Insurance. The Superintended of Insurance heads the Insurance Companies Control Services, which acts on the behalf and orders of the Superintended.
Service providers seeking to outsource regulated activities are subject to specific requirements emanating from applicable regulatory frameworks depending on the scope of their activity. Such service providers are usually required to obtain authorisation or pre-notify the outsourcing arrangements and report any material developments in terms of any outsourcing. Service providers must comply with the outsourcing requirements in MiFID II, PSD II, the EBA Guidelines issued on the matter, and the domestic directives, laws, and regulations issued by CBC and CySEC.
Generally, service providers must, at all times, ensure to comply with their legal obligations regardless of any existing outsourcing arrangements, including their duties against their clients. Outsourcing arrangements cannot undermine their internal control or the supervisory role of the competent regulators. In outsourcing activities, providers must consider and manage the outsourcing risks. Any outsourcing arrangements do not absolve the service providers from their obligations.
Distinguishing between Critical, Important and Non-critical Functions
The applicable frameworks distinguish between critical and important functions and non-critical functions imposing stricter requirements for the former functions. Services providers must ensure to retain access, audit, and monitoring rights to the outsourced functions, and that the entities receiving the outsourced functions are, among others, properly qualified, adhering to appropriate security and operational requirements. The EBA Guidelines on outsourcing are also relevant in this regard. They apply to credit institutions, some investment firms, payment, and electronic money institutions. These Guidelines provide specific terms and conditions that need to be in place when outsourcing critical or important functions.
Third country (meaning outside Cyprus and the EU) outsourcing might be subject to specific requirements. Outsourcing regulated activities of critical operation function to third-country entities might require the authorisation of these entities by their competent home authorities.
The extent of fintech providers’ responsibility as gatekeepers for any activities on their platform depends on the type of platform and activity they enable thereof. In the absence of a fintech regulation, the existing financial rules and regulations apply to fintech providers depending on the type of services they offer and enable.
Despite the lack of a comprehensive fintech regulation resulting in the application of the existing laws and regulations, CySEC has issued a directive on investment-based crowdfunding (see 2.3 Compensation Models) containing specific rules of operation for crowdfunding platform providers and indicating its approach to the supervision and regulation of fintech business models. The issued bespoke directive regulates investment-based crowdfunding and substantiates the applicable investment law. Based on this directive, only Cyprus Investment Firms (CIF) can act as investment-based crowdfunding providers offering platforms that enable project owners to match with interested investors. CIF must comply with the general investment law requirements and these new bespoke rules.
These rules require the CIF acting as crowdfunding platform providers to abide by transparency obligations and monitor the transparent behaviour of project owners, prevent any conflict of interest, protect investors’ funds, and safeguard the involved financial instruments, monitor the fair pricing of the crowdfunding offers, and conduct due diligence on the project owners. These rules indicate that CIF as crowdfunding fintech providers are deemed to be gatekeepers of these crowdfunding platforms.
Current knowledge suggests that no significant enforcement actions have been taken by regulators for any fintech providers or the provision of fintech products. CySEC enforcement actions have largely targeted non-compliant CIF, therefore, the involvement of CIF with fintech activities is an area where enforcement actions might focus on.
Fintech providers may be subject to other non-financial services regulations. These frameworks do not differentiate between new fintech providers and legacy players.
Fintech providers are likely to be subject to privacy obligations having to comply with the relevant framework regulating the protection of personal data. The main legislation that subjects a wide range of businesses, including, thus, fintech providers, to data processing obligations is the EU General Data Protection Regulation (2016/679) (known as GDPR) and the respective Cyprus Law 125(I)/2018 that mainly reiterates and substantiates certain aspects of the GDPR. This privacy framework encompasses a very wide scope of processing activities and introduces heightened compliance obligations for transfer to third-country jurisdictions or the processing of sensitive data (such as biometric data that are currently extensively used and explored for fintech and regtech purposes).
Anti-money Laundering Regime
The AML regime might also apply to fintech providers. The AMLD and the relevant domestic, transposing laws apply in Cyprus and require businesses (obliged entities) to carry out checks and assessments of their clients in terms of AML risks. As explained in 1.1 Evolution of the Fintech Market, Cyprus has implemented the fifth AMLD in an encompassing way intended to encourage the safe and confident deployment of various cryptoservices and cryptobusinesses in Cyprus. A CySEC-supervised registry is setup for AML-compliance purposes. Crypto-service providers must apply for registration and, upon CySEC approval, register in the registry before conducting their cryptobusiness. The scope of cryptoservice providers brought within the AML regime is quite wide, including providers of exchange services between crypto-assets and fiat to crypto-assets, custodian wallet providers, and providers of other defined services regarding crypto-assets. The new, updated AML regime opens the door for the rise of cryptoservices.
The more comprehensive and wide approach in Cyprus is consistent with the FATF recommendations and the European Commission’s proposal for a regulation in Markets in Crypto-Assets (MiCA). Cyprus, thus, seeks to impose heightened AML obligations in anticipation of a crypto-encompassing EU-wide and international standard of regulation.
Cybersecurity requirements are relevant for fintech providers. These security requirements derive from regimes such as the PSD II for payment and open banking services and activities, and other, wider regulations. Cybersecurity requirements in Cyprus are found in various regulations, including the Electronic Commerce Law, the Law Regulating Electronic Communications and Postal Service, the Regulation and respective domestic law on electronic identification and trust services for electronic transactions in the internal market (eIDAS regime) and the privacy framework, including the GDPR. Other cybersecurity-related EU regulations are also applicable to fintech providers.
Marketing and Advertising Rules
Any social media content by fintech providers could be subject to the marketing and advertising rules applicable to existing financial and investment firms. In general, social media content containing marketing and advertising material must be clear, fair, and not misleading, and clearly identifiable as such. Other consumer protection laws could also apply to social media content, depending on the recipient of the content (consumer laws protect natural persons in Cyprus). The GDPR applies as well imposing specific requirements for marketing material disseminated through the use of clients’ personal data.
For any software developed for use in the provision of fintech services and products, no specific regulations apply in Cyprus. Software developers should consider the implication of any cybersecurity laws and requirements, and privacy laws as described herein.
Fintech businesses usually need to appoint auditors to review their financial statements. No other entities review the activities of industry participants.
Industry participants may in principle offer unregulated products/services alongside regulated products/services.
Regardless of the specific business models using or deployed for robo-advice systems, robo-advisers could fall within the scope of MiFID II as investment services for financial instruments. This will trigger the application of MiFID II meaning that robo-advisers would need to be MiFID authorised. Robo-advisers have not been otherwise or further regulated in Cyprus and there has, generally, been limited guidance on the matter by domestic competent authorities.
Robo-advisers and robo-advice have been the subject of the European Securities and Markets Authority’s (ESMA) Guidelines on certain aspects of the MiFID II suitability requirements. The relevant Guidelines define the “robo-advice”, as the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system used as a client-facing tool, anticipating that investment advice and portfolio management services are mostly connected with robo-advice.
The Guidelines require entities relying on such advice to properly inform their clients of the extent and implications of so relying on robo-advice. ESMA Guidelines seek to include robo-advice to suitability assessment, and address and guard against the risks engendered by the lack of human interaction associated with advice provided using automated or semi-automated robo-advice systems.
Thus far, there has been no implementation of robo-advice solutions by legacy players.
In case robo-advisers fall within the scope of MiFID II, then the rules on customer trading will apply. These rules entail the “best execution” obligations requiring entities to hold an order execution policy, to make orders on the most favourable terms for their investment clients, complying with the handling of client order rules.
The regulation of loans presents differences between individuals on the one hand, and business on the other hand (including small businesses).
Business to business lending is not prohibited or subject to specific restrictions of authorisation in Cyprus, whereas loans to individuals are subject to several consumer regulations, including the Consumer Credit Law 106(I)/2010 that transposes the Directive 2008/48/EC. This law protects consumers that include natural persons and imposes requirements on the provision of credit for up to EUR75,000. Additionally, natural persons also benefit from the protection of Unfair Contract Terms Law 93(I)/1996 that prohibits the imposition of unfair terms by credit providers.
Online lending is not common in Cyprus and has not been the subject of specific regulation.
Industry participants conduct the credit assessment of their clients pursuant to relevant directives issued by CBC. The directives provide details on specific limitations and factors that credit institutions must consider in assessing the suitability and creditworthiness of their clients.
Credit institutions must conduct proper due diligence processes and comply with the anti-money laundering regime before lending funds to any client. These obligations arise from the applicable AML regime as transposed into the domestic framework, including the recent transposition for the fifth AMLD. CBC has issued a directive on the proper risk and impact assessment that banks must conduct before accepting to onboard and grant any loans to potential clients.
The main sources of funds for loans are deposits or other forms of repayable funds, securitisation, and own funds. Peer-to-peer lending is not particularly developed in Cyprus.
Only credit institutions licensed by the CBC can fund their lending activities by taking deposits. Cyprus banks’ primary source of their lending activities remains the deposit-taking. Online lending has yet to be deployed by any incumbent commercial bank in Cyprus.
Consistent with the limited activity in online lending, syndication of online lending does not really take place in Cyprus.
Credit institutions, payment institutions, and e-money institutions can process payment activities in accordance with the respective frameworks regulating their operation. The relevant regulations enable these institutions to operate and implement payment systems, subject to applicable requirements. In practice, the payment processors use the systemic payment infrastructure for payment processing.
Cyprus regulates payments by reference to PSD II and the domestic, transposing law. The Cyprus payment services law does not make specific provisions for cross-border payments and remittances. This law does, however, require compliance with the EC Regulation 924/2009 which obliges banks to levy the same charges on electronic payment transactions for both national and EU cross-border payments.
Fund administration services may be provided internally by the regulated entities under the AIFM and the UCITS laws but may be delegated or outsourced to third parties, to fund administrators. Fund administrators need not be authorised by CySEC but the outsourcing arrangement must be notified with CySEC. Fund administration services usually include the provision of administrative accounting and bookkeeping services, the fund’s record keeping, maintenance of shareholder register, calculation of net asset value. While fund administration services are not regulated or licensable, fund administrators will be under the obligation to comply with certain conditions and contractual duties as determined in the applicable laws.
For portfolio management services, any outsourcing may only be carried out by a duly CySEC-authorised entity for both UCITS and AIF.
Before any outsourcing arrangement is allowed, the outsourcing regulated entity needs to comply with certain conditions, which must and are enforced through a written agreement with the third-party. The precise conditions and requirements depend on the type of fund involved.
The outsourcing entity should ensure that the third-party is qualified or hosts employees with sufficiently good repute and experience to carry out the outsourced activities. The outsourcing entity should make sure that the outsourcing arrangements do not undermine the effective supervision of the fund or its management or activities especially towards the interests of investors. The regulated entity must be able to monitor, instruct and withdraw the outsourcing arrangements at any time, and review the provision of the outsourced services, at all times.
Essentially, the regulated entity cannot outsource such services to a such degree or nature so that it is rendered a letter-box entity. In this sense, the regulated entity’s contract must make relevant provisions to allow it to comply with its obligations and retain control over the outsourced activities. The stipulated legal conditions have a direct effect on the content of the contract.
Additionally, other contractual issues might arise, such as adhering to cybersecurity standards, the provision of services with due care and skill, following best practices, compliance with data protection laws.
The permissible trading platforms in Cyprus are determined by reference to MiFID II, the applicable EU regime in financial instruments. Cyprus, in accordance with this regime, operates a regulated market, the Cyprus Stock Exchange), and enables trading in authorised multilateral trading facilities (MTF) and organised trading facilities (OTF). The Cyprus Stock Exchange is governed by the Securities and Cyprus Stock Exchange Laws and is supervised, as a regulated market, by CySEC.
MTF and OTF are governed by the investment services law (87(I)/2017). Market operators seeking to operate an MTF or an OTF should obtain the prior authorisation of CySEC after complying with a list of strict requirements, relating to organisational measures, transparency and non-discrimination requirements, management of technical operations, etc.
Crowdfunding platforms also concern the regulatory framework in Cyprus. Investment-based crowdfunding on financial instruments may be only carried out by licensed Cyprus investment firms and is now subject to bespoke rules that supplement and substantiate the existing, general investment services provisions.
Cryptocurrency trading or exchange in secondary venues and exchanges might also trigger the application of existing or prospective regulatory regimes. For more details please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.
Different asset classes falling under the scope of financial instruments are largely subject to the same regulatory regime. Crypto-assets currently seem to follow this approach to the extent that they qualify as financial instruments. For now, the existing financial services laws will apply to such crypto-assets.
Currently, cryptocurrency exchanges are not regulated under a single, comprehensive, and tailored crypto-exchanges regime. Relevant guidance by CySEC seems to suggest that cryptocurrencies falling within the scope of features and functionalities of “traditional” financial instruments would be subject to the applicable financial services regime. Further to this approach, operating a trading platform with cryptocurrencies could trigger the application of existing financial laws, depending on the type of cryptocurrency. Trading in such cryptocurrencies could thus constitute a regulated activity requiring authorisation or imposing specific requirements.
The Emergence of Cryptocurrency
The emergence and rise of cryptocurrency exchanges have been the subject of lengthy and collaborative deliberation between the government, the legislature, and competent authorities. The domestic authorities intend to update the existing framework on cryptocurrency exchanges. In a National Strategy issued on Distributed Ledger Technology (Blockchain) the authorities anticipate the adoption of a DLT-specific law that will also regulate cryptocurrencies and crypto-exchanges.
Contemplating a distinction between payment, security, and utility cryptocurrencies, this bespoke regulation will clarify and provide requirements for entities using these cryptocurrencies, including exchanges and trading platform providers. It is worth noting that the European Commission is currently proposing a Markets in Crypto-assets regulation (MiCA) that intends to cover the operation of cryptocurrency exchanges in the EU crypto-assets market.
The AML Directive
The fifth AMLD has also regulated aspects of cryptocurrency exchanges since it has brought entities engaging in the exchange of virtual currencies to fiat currencies within the relevant regulatory scope. As explained in 1.1 Evolution of the Fintech Market and 2.10 Implications of Additional, Non-financial Services Regulations, Cyprus has transposed the fifth AMLD, expanding the scope of the EU Directive to include further services offered by cryptoproviders (exchanges between crypto-assets and between fiat currencies to crypto-assets, custodian wallet providers, and providers of a set list of services determined by the AML law).
Listing to the Cyprus Stock Exchange presupposes the publication of a prospectus per the Prospectus Regulation. The listing requirements and standards are provided by the applicable securities laws. Interested companies must abide by general listing requirements and specific-market requirements depending on the kind of regulated market and the securities to be listed (Main market, Alternative market, Corporate bonds Market, Collective Investment Schemes markets (tradable and non-tradable)). Trading in MTF or OTF also requires meeting certain legal requirements, which are, however, less strict than the regulated market requirements.
Listing to unregulated exchanges is not subject to specific laws and regulations. It depends on the contractual terms imposed by the unregulated cryptocurrency exchange.
The rules on order handling in Cyprus stem from MiFID II requiring the adoption of such measures that allow the prompt, fair, and expeditious execution of client orders, considering other clients’ orders.
Investment-based crowdfunding is subject to a specific CySEC-issued directive. For details, please see 1.1 Evolution of the Fintech Market. For other types of peer-to-peer platforms (including loan-based crowdfunding or any other crowdfunding), no specific regulation or guidance has been issued. The type of crowdfunding instruments, the involvement, and the extent of involvement of participants and crowdfunding platform providers are most likely to impact the potential regulation of crowdfunding.
For now, peer-to-peer trading platforms have not been widely used in Cyprus. Based on the general fintech market trend in Cyprus, peer-to-peer is expected to first impact and encourage adoption by new fintech players.
Similar to order handling rules, the best execution of customer trade rules derive from MiFID II. These rules are reiterated in the national investment services law. Investment firms shall take measures to ensure that when executing orders for their clients they obtain the best possible result for their clients considering certain factors stipulated in the applicable law. The best execution principle does not apply where the client determines how to carry out the trade order.
Regulated investment firms in Cyprus are subject to the inducement regime entailed in MiFID II. Specifically, investment firms should not receive any remuneration, discount, or non-monetary benefit for routing client orders to a particular trading venue.
The basic principles of market integrity against market abuse are based on the Market Abuse Regulation, (EU) 596/2014 and the Directive 2014/57/EU on criminal sanctions for market abuse, the Market Abuse Directive. The principles apply to the regulated market, and the entities operating an MTF or OTF.
The applicable regime seeks to protect the markets against insider dealings and the unlawful disclosure of inside information, and market manipulation. At the same time, this regime seeks to protect legitimate market practices to prevent the undue restriction of market practices.
High-frequency and algorithmic trading are regulated by MiFID II and the investment services law in Cyprus. Consequently, algorithmic trading is regulated in relation to financial instruments, and not asset classes that are outside the scope of these instruments.
Any investment firm engaging in algorithmic trading is under specific requirements connected with this trading technique. These requirements relate to the algorithmic system’s resilience and capacity, appropriate trading thresholds and limits, and the prevention of any order sending or operation of the system that could contribute to a disorderly market. The algorithmic trading-engaging investment firm must also have effective plans to deal with any potential failure of the system, monitor and test the system, and ensure that effective systems and risk controls are in place to prevent the use of algorithmic trading against the market integrity.
These firms must notify CySEC of their participation in any trading venue and, in turn, CySEC may require the regular or ad-hoc provision of details on their use of algorithmic trading. Investment firms engaging in high-frequency algorithmic trading must also keep a full record of the placed, cancelled, and executed orders and trading quotations which they should be able to make available to CySEC upon request.
Regulated markets may impose higher fees to higher-frequency algorithmic trading-using firms and must be able to flag with the market participants any orders made by algorithmic trading.
The investment services law framework regulates the players seeking to implement a market making strategy using algorithmic trading. According to MiFID II and the Cyprus investment services law, after considering a number of factors relating to the liquidity, scale, and nature of the relevant market and the features of the traded instrument, must act as a market maker during a provided portion of the trading venue’s trading hours and enter into a binding written agreement with the trading venue to regulate these trading hours and ensure that effective systems and controls are and remain in place.
The applicable law on algorithmic trading does not distinguish between funds and dealers.
Current knowledge suggests that no specific rules apply to algorithmic trading developers as software programmers/developers. In case the programmers develop software of algorithmic trading that grants them control over the trading practice or extends beyond the scope of mere software development, they could be subject to the provision of investment services as a regulated practice.
Investment research and financial analysis are ancillary services per MiFID II. Further to this, no specific authorisation is granted by CySEC for the sole provision of ancillary services. Investment firms may be authorised for the provision of core investment services and extend the scope of authorisation to ancillary services, such as the investment research and financial analysis services.
Spreading rumours and other unverified information relating to financial instruments regulated under MiFID II can trigger the application of the market abuse framework (see 7.9 Market Integrity Principles). False, unverified, or rumour-based information circulating could amount to market manipulation or disrupt the market integrity.
Cyprus does not specifically regulate financial research platforms and the posting of any information by third parties. The operators of financial research platforms, to the extent applicable to financial instruments, must abide by the principles of the market abuse regulation preventing the spreading of inside information or the operation of any market manipulative actions in the platform. Any such activity must be reported.
The Law on Insurance and Reinsurance Businesses regulates the activities of insurance companies, and insurance brokers, agents, mediators. In terms of underwriting, the law offers general conditions on underwriting risks for life or non-life insurance products. In this sense, industry participants use various underwriting processes ensuring to comply with the general and wide principles of underwriting provided in the law.
The law on insurance and reinsurance businesses in Cyprus differentiates between life and non-life (general) insurance. Under each of these categories, specific types of insurance apply. Both types of insurance are regulated and require the authorisation of the Superintendent of Insurance. While for the most part, the authorisation remains distinct for the pursuit of either life or non-life insurance activities, entities authorised for life insurance may obtain authorisation for a part of non-life insurance activities and vice versa.
Regtech providers are not likely to be regulated in Cyprus. Regtech providers usually rely on technology to offer technical support and services that facilitate compliance with applicable regulatory obligations. This means that for the most part, regtech providers will not engage in financial regulated activities.
This is not absolute since where regtech providers offer services that could be covered under any applicable financial regulatory framework, this would render them, regulated providers. In this sense, the precise type of activities carried out by regtech providers might result in the application of specific regulations.
Regtech providers could also be subject to non-financial regulations such as the applicable privacy and GDPR obligations.
Financial services firms seeking to engage technology providers for part of their services need to comply with the applicable outsourcing arrangements. As explained, the type of function outsourced to the regtech/technology provider, meaning if it is critical or important, or not, creates distinct obligations on the financial services firm. As per the EBA Guidelines, the financial services firm may be a credit institution, a payment or e-money institution, and some kinds of investment firms. For more details on outsourcing arrangements see 2.7 Outsourcing of Regulated Functions.
Blockchain has yet to be implemented by traditional players in the financial industry, but traditional industry participants have demonstrated interest in exploring the potential use of blockchain. The incumbents’ interest has increased in anticipation of the DLT-focused legislation that the government and the house of representatives have proposed to implement in their collaborative National Strategy. The relevant legislation is currently in the drafting process and is expected in the near future.
The academic sector in Cyprus has been particularly active in implementing or promoting the use of blockchain. The University of Nicosia became the first university in the world to offer a Master’s degree in digital currency and has established the Institute of Future, aimed at exploring the use of blockchain together with other emerging technologies, such as artificial intelligence and the internet of things.
Local regulators hold diverse views and take varying actions in response to blockchain. For the time being, blockchain used in financial services is not subject to comprehensive or bespoke regulations. Instead, our understanding of local regulators’ views on blockchain is informed by reference to various warnings, circulars, piecemeal rules, and strategy plans.
As a starting point, blockchain-enabled activities, services, and products, including cryptocurrencies, are not prohibited, or restricted by any specific law. The most obvious, positive reception of blockchain by regulators is the Strategy issued for Distributed Ledger Technologies including Blockchain. There, the national executive and legislative branches lay down a national plan on promoting the use of blockchain across the public and private sector, describing specific use cases and delineating their future actions. The Strategy prioritises the improvement of the provision of financial services using blockchain as demonstrated by the set-up of an ad-hoc committee that is explicitly empowered to assess the use of blockchain in the financial industry, and since the Strategy contemplates the adoption of legislation that will govern the use of cryptocurrencies. The said legislation will also regulate wider DLT and blockchain relevant matters, thereby facilitating the use of blockchain.
Local financial regulators have focused their regulatory interest in blockchain uses that involve cryptocurrencies. Both CySEC and CBC have issued warnings, recommendations, and clarifications for blockchain-enabled cryptocurrencies.
CBC holds a cautious approach against cryptocurrencies and does not authorise any activities involving cryptocurrencies even if they apparently fall within CBC’s competence. CBC has repeatedly issued warnings to the public for the risks involved in using cryptocurrencies. Their volatility, the lack of relevant protections to their users, and money-laundering risks constitute the main cryptocurrency risks highlighted by CBC. As explained, the recent transposition of the fifth AMLD to the domestic framework is expected to change CBC’s cautious approach to a more receptive stance. The reserved stance was possibly because the lack of regulation, especially in terms of AML protection, posed considerable risks; these risks are now mitigated by the operation of the CySEC-supervised crypto-asset service providers’ registry and the AML obligations imposed on these providers.
CySEC has issued similar warnings to potential investors stressing the uncertain framework around cryptocurrencies. Still, CySEC has acknowledged the beneficial prospect of blockchain-using products and services by establishing the Innovation Hub to help with the regulatory and compliance matter arising by the use of innovative business models, including blockchain models. Again, the fifth AMLD is bound to influence the approach of CySEC towards crypto-activities in a positive way.
In terms of regulation, CySEC has clarified that initial coin offerings could be regulated per the EU and national capital markets laws in case their structure falls within the scope of the existing regulations. For derivatives on cryptocurrencies, CySEC, consistent with the relevant European Securities and Markets Authority (ESMA) decision, has issued a circular clarifying that they may constitute financial instruments under the applicable investment services law.
Consequently, investment firms interested to offer services relating to derivatives on cryptocurrencies must be properly authorised by CySEC, obliging to the general investment law requirements and the bespoke restrictions and rules issued on cryptoderivatives by ESMA, as assumed and extended by CySEC. Lately, in November 2020, and following a relevant EBA report on crypto-assets, CySEC has issued a circular dealing with the prudential treatment of crypto-assets and financial instruments relating to crypto-assets and the applicable, enhanced risk management procedures imposed on Cyprus investment firms.
As explained in 12.2 Local Regulators' Approach to Blockchain, blockchain assets are not specifically regulated in Cyprus. No formal classification of blockchain assets applies, even though the piecemeal guidance offered by the local regulators seems to suggest a potential approach to certain cryptocurrencies. As stated in 12.2 Local Regulators' Approach to Blockchain, derivatives on cryptocurrencies may qualify as financial instruments and trigger the applicable investment services legal framework.
Offerings of cryptocurrencies could be subject to the existing financial services laws and regulations where their structure meets the conditions of such laws and regulations. In this sense, not all blockchain assets are a form of regulated financial instruments. Only to the extent that they present financial instrument features and functionalities would the Cyprus authorities regard them as financial instruments.
The DLT-focused law described in the Strategy anticipates a formal distinction between crypto-assets. These will be separated into security and non-security tokens (which consist of utility and payment tokens). Security tokens will present security features and qualify as transferable securities per the applicable investment services law. Utility tokens will constitute a promise for the provision of a service/product that is paid in advance with the said token, while the payment token will constitute a means of payment for acquiring services/products.
This formal distinction maintained in the Strategy seems to offer the grounds for certainty and predictability in the crypto-area, even though the precise scope and details on these tokens would need to be clarified. At the same time, the increasing use of stable coins gives rise to further questions on the formal distinction between various types of tokens, and whether the anticipated distinction would be adequate. These matters will be addressed in the adopted, blockchain-centred law pursued by the government.
Issuers of blockchain assets and initial sales of blockchain assets are not specifically regulated in Cyprus. Initial coin offerings in Cyprus could trigger the application of existing financial services laws where the coins are structured in such a way that falls within the scope of the said laws. Consequently, firms involved in initial coin offerings could be subject to, among others, the Prospectus Directive, MiFID II, the Alternative Investment Fund Managers Directive, and the AMLD.
CySEC has raised the risks of initial coin offerings stressing the potential risk of investors losing their whole investment capital and lacking any regulatory protection. The Strategy also raises the significant risks associated with initial coin offerings, as indicated in ESMA’s guidance on Initial Offerings and Crypto-assets, which include the risk of fraud, cyber-attacks, money laundering, and market manipulation. The Strategy recognises that once these risks are addressed, possibly through regulation, initial coin offerings could be useful and more extensively used as alternative fundraising means.
Cyprus does not explicitly regulate blockchain asset trading platforms, at least for now. Should the blockchain assets fall within the scope of the existing financial and investment services regime, it could be possible for regulators to impose the existing framework’s regulatory requirements on the trading platforms. This has not happened to the best of our knowledge. The provisions of the law transposing the fifth AMLD apply to entities engaging in the exchange of crypto to fiat and crypto to crypto currency services and custodian wallet providers, as well as providers of crypto-related services defined in the transposing law. These providers must apply for registration and register with a CySEC-supervised registry before offering crypto-asset services.
The Strategy and the proposed legislation therein suggest the regulation of crypto-asset trading and exchange platforms. In this sense, crypto-asset trading platforms could be subject to explicit provisions soon.
The lack of regulatory certainty as to the status of blockchain assets means that there are no certain rules and regulations on funds investing in such assets. Cyprus does not regulate this matter. The status of blockchain assets matters to determine whether funds can invest therein. It is not clear whether and which kind of crypto-assets may fall within the scope of UCITS or AIFMD.
CySEC has issued a circular whereby Cyprus Investment Firms that invest in crypto-assets need to follow the applicable prudential framework, including the obligations under the CRR Regulation (EU) 575/2013.
Any regulatory treatment of virtual currencies or blockchain assets is determined by their function, features, and structure. The Cyprus regulation does not make any differentiation between virtual currencies or blockchain assets and does not define either of these virtual assets.
The domestic fifth AML law defines a crypto-asset as “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by persons as a means of exchange or investment and which can be transferred, stored and traded electronically and it is not:
The Strategy discusses virtual/crypto-assets and refers to tokens, cryptocurrencies, without delineating the precise scope of any of these terms. The adoption of formal legislation will clarify the limits and nature of all relevant terminologies, probably considering the definition of crypto-assets in the AML law.
The Cyprus regulatory framework neither defines nor specifically regulates DeFi (Decentralised Finance). There is limited guidance on the regulation of DeFi platforms in Cyprus by competent authorities.
While DeFi is not defined in the regulation, in practice it is usually understood to refer to blockchain-based, decentralized financial services/products based on digital assets, making use of smart-contracts or decentralised applications. The unique feature of DeFi platforms and the greatest regulatory hurdles are associated with the lack of oversight or monitoring by a central authority, and the reliance on decentralised processes to operate the relevant platforms. Financial services and transactions carried out in decentralised finance platforms include the making of deposits, lending, and borrowing, receiving/charging interest, and transferring, staking, trading, and exchanging value.
Based on the kind of transactions operating in the DeFi platforms different regulatory frameworks could apply (taking deposits, for example, is a CBC-regulated activity). Other regulatory regimes that might be triggered include the anti-money laundering regime, the privacy framework, the consumer protection framework, the securities and investment services laws. DeFi-specific issues, connected with the use of a decentralised system, such as the application, and the validity and enforceability of smart contracts per the Cyprus contract law, and the attribution of liability in a decentralised network are also not clear from a legal and regulatory perspective in Cyprus.
For now, there is no regulation or guidance on the way DeFi platforms are governed. Many legal and regulatory issues, some raised here, will need to be addressed by the competent authorities.
Open banking in Cyprus is largely regulated by the EU Payment Services Directive (PSD2) and the transposing national Payment Services Law. The domestic laws do not pose specific restrictions or requirements in terms of open banking not least beyond what is contemplated by the relevant EU directive. Essentially, the relevant regulatory framework obliges credit institutions, mainly banks, in Cyprus to grant authorised third-party providers access to their clients’ data via Application Programming Interfaces (APIs).
Despite the lack of specific restrictions or additional conditions in the Cyprus framework, open banking is still underdeveloped in Cyprus.
Open banking is still not quite developed in Cyprus, with most commercial banks being involved with sandbox or sandbox-equivalent initiatives. The Bank of Cyprus and the Hellenic Bank, the two largest domestic commercial banks, for example, are developing open banking systems at a sandbox level. This means that while open banking raises data privacy and security concerns, domestic banks have yet to comprehensively address these concerns; indeed, domestic banks are currently exploring ways to address such concerns within the sandbox, testing environment.