Travel Rule Compliance for VASPs in Cyprus: A Comprehensive Guide

Cyprus

As one of the leading financial hubs in the Mediterranean, Cyprus has developed a robust regulatory framework for Virtual Asset Service Providers (VASPs) to enhance anti-money laundering (AML) and counter-terrorism financing (CTF) compliance. The Travel Rule, based on Financial Action Task Force (FATF) Recommendation 16, is central to these regulations, guiding VASPs in managing transaction data for transparency and safety in the digital asset ecosystem.

This guide provides a detailed overview of Travel Rule requirements for CASPs operating in Cyprus, including compliance mandates, information sharing standards, and regulatory oversight.

Background of Cyprus’s Travel Rule Implementation

Cyprus’s Travel Rule regulations align with FATF’s Recommendation 16 and the EU’s Transfer of Funds Regulation (TFR), specifically addressing Crypto Asset Service Providers (CASPs). The Cyprus Securities and Exchange Commission (CySEC) oversees Travel Rule compliance, setting standards that require VASPs to ensure that information on both originators and beneficiaries of crypto transactions is collected, held, and securely transmitted.

Cyprus’s approach emphasizes data accuracy and security, obliging CASPs to implement rigorous Know Your Customer (KYC) and transaction monitoring practices to identify and report any suspicious activities effectively.

Scope of the Travel Rule for CASPs in Cyprus

The Travel Rule in Cyprus applies to all transfers of virtual assets involving Cypriot CASPs, regardless of transaction value, similar to the EU-wide requirements under the TFR. This rule mandates compliance for any crypto transaction in which either the originator’s or the beneficiary’s CASP is registered in Cyprus.

Key components of Cyprus’s Travel Rule include:

• Inclusion of Self-Hosted Wallets: For transactions involving a self-hosted wallet, Cypriot CASPs must verify wallet ownership, especially for high-value transactions.
• No Transaction Threshold for Compliance: CASPs must collect and verify information on crypto transfers of any amount, making compliance particularly stringent in Cyprus.

Exemptions to the Travel Rule include:

• Peer-to-Peer (P2P) Transfers: Transactions where no CASP is involved, such as direct wallet-to-wallet transfers between individuals, are exempt.
• Transactions for Public Authorities: Payments made to Cypriot public authorities, including tax payments and fines, are also exempt.

Required Information for Compliance

To comply with the Travel Rule, Cypriot CASPs must collect, retain, and share specific data for each transaction involving a virtual asset. Below is the required information for originators and beneficiaries:

Originator’s Information

• Full Name: The legal name of the transaction originator.
• Distributed Ledger Address: The address of the originator’s blockchain wallet.
• Address and Identification Number: Including official ID, Legal Entity Identifier (LEI), or other identifiers.
• Date of Birth or Place of Birth: For individuals involved in the transaction.

Beneficiary’s Information

• Full Name: Legal name of the beneficiary or entity receiving the assets.
• Blockchain Address: The distributed ledger address of the beneficiary.
• LEI or Equivalent Identifier: Required for business entities in compliance with AML protocols.

Cyprus requires CASPs to transmit this information securely before, during, or immediately following a transfer. CASPs are also required to implement secure data management processes to ensure information protection as per Cyprus’s compliance standards

Record-Keeping Requirements for Cypriot CASPs

Compliance with the Travel Rule mandates CASPs in Cyprus to maintain detailed records of all crypto transactions for at least five years. Record-keeping must cover:

• Full Transaction Records: Including details of originators and beneficiaries for audit and investigation purposes.
• KYC Documentation: All identity verification records of customers, especially for high-value transfers and transactions involving self-hosted wallets.
• Ownership Verification for Self-Hosted Wallets: Proof of ownership for self-hosted wallets used in transactions, especially for transfers exceeding EUR 1,000.

These records should be easily accessible for CySEC or any other regulatory body during an audit or investigation.

Reporting Requirements and Suspicious Activity Monitoring

Cypriot CASPs are required to monitor all transactions for signs of suspicious activity, implementing measures to report potential money laundering or terrorist financing incidents. Specific requirements include:

1. Suspicious Activity Reports (SARs): CASPs must file SARs for transactions that show unusual patterns or are suspected of illicit activities.
2. Transaction Monitoring: CASPs are required to continuously monitor for red flags such as high-volume transactions, patterns of large transactions without economic basis, and accounts linked to multiple suspicious activities.
3. Timely Submission: SARs and any required documentation should be submitted to CySEC within the legally stipulated time frame.

Special Requirements for Self-Hosted Wallets

Self-hosted wallets are in scope under Cyprus’s Travel Rule, necessitating specific compliance measures for transfers involving these wallets:

• Ownership Verification: For any transaction above EUR 1,000 involving a self-hosted wallet, CASPs must verify that the wallet is controlled by the customer.
• Data Collection and Verification: CASPs must obtain proof of ownership, either through KYC documentation or technical means that confirm the user’s control over the wallet.

This measure ensures that self-hosted wallets in Cyprus meet the same transparency standards as those hosted by regulated entities.

Challenges Faced by Cypriot CASPs in Travel Rule Compliance

Cypriot CASPs may encounter unique challenges in Travel Rule implementation, particularly when managing compliance across jurisdictions or handling large transaction volumes. Key challenges include:

1. Cross-Border Transactions: CASPs dealing with international customers may face compliance conflicts due to the differing requirements in other countries
2. Data Privacy: Ensuring customer data protection in compliance with GDPR while collecting necessary information under the Travel Rule can be challenging, especially when dealing with non-EU jurisdictions
3. Operational Costs: The need for real-time compliance, ownership verification, and transaction monitoring increases operational costs for CASPs, particularly for smaller businesses.

To address these challenges, CASPs may leverage compliance technologies that automate data collection, verification, and secure record storage, ensuring that data privacy and operational efficiency are maintained.

Role of CySEC in Regulating Travel Rule Compliance

The Cyprus Securities and Exchange Commission (CySEC) oversees the enforcement of Travel Rule requirements in Cyprus. CySEC provides guidance to CASPs on maintaining compliance, managing data privacy, and addressing issues related to cross-border transactions.

CySEC’s role includes:

• Auditing Compliance: Conducting regular audits and reviews of CASPs to ensure adherence to the Travel Rule and AML/CTF requirements.
• Guidance on Regulatory Updates: Informing CASPs of new requirements, particularly as AML laws evolve to address new crypto-related risks.
• Data Protection Oversight: Collaborating with data protection authorities to ensure CASPs adhere to GDPR while meeting compliance standards.

CySEC also issues additional guidelines on handling transactions with non-compliant jurisdictions, enabling CASPs to make informed decisions on risk exposure and customer management.

Future Developments and Compliance Deadlines

The TFR was officially published in the EU’s Official Journal on June 9, 2023, and came into effect on June 29, 2023. Cypriot CASPs must fully comply by December 30, 2024, with additional guidance expected from CySEC on data protection and handling non-compliant counterparties.

CySEC and the European Banking Authority (EBA) are expected to issue further guidance on compliance procedures and data protection requirements, especially concerning third-country CASPs. This will include recommendations for handling missing or incomplete data on the originator or beneficiary.

How MarketGuard Helps Cypriot CASPs Achieve Travel Rule Compliance

MarketGuard offers a comprehensive compliance solution designed to meet the specific regulatory requirements for CASPs in Cyprus. The platform includes features that simplify Travel Rule compliance and facilitate secure data management, offering a seamless solution for CASPs to comply with CySEC’s strict guidelines.

Key MarketGuard features include

• Automated Data Collection: Collect and store all required information on originators and beneficiaries with ease, ensuring compliance for every crypto transaction
• Self-Hosted Wallet Verification: Automatically verify wallet ownership for self-hosted wallets in high-value transactions, enabling Cypriot CASPs to remain compliant with ownership verification requirements.
• GDPR-Compliant Data Protection: MarketGuard’s platform is fully GDPR-compliant, ensuring that customer data is securely stored and shared within the regulatory framework.
• Suspicious Activity Monitoring: The platform includes robust monitoring tools to flag and report suspicious transactions automatically, making compliance with CySEC and AML standards straightforward.

With MarketGuard’s support, CASPs in Cyprus can navigate Travel Rule compliance confidently, maintain regulatory alignment, and focus on growing their digital asset services without sacrificing operational efficiency.