Regulation of Digital Asset Service Providers 2023

1 THE NATIONAL COMMISSION OF DIGITAL ASSETS CONSIDERING:

1. That by Legislative Decree No. 643 dated January 11, 2023, published in Official Gazette No. 653, Volume No. 438, of the 24th of this same month and year, the Law on the Issuance of Digital Assets of El Salvador was issued;
2. That by means of Art. 6 of said Law, the National Commission of Digital Assets is created, as a public law institution with legal personality and its own assets, of a technical nature, with economic, financial, and administrative autonomy, to exercise the powers and duties stipulated in this Law and in the rest of the applicable common legislation;
3. That, as provided in Art. 9, letter o), of the Law on the Issuance of Digital Assets, it is its attribute: to issue technical norms and standards, as well as guides and instructions, applicable to this Law and its regulations;
4. That for the application of the Law referred to in the previous consideration, it is indispensable to establish regulatory norms that develop the necessary aspects of Digital Asset Service Providers;
5. This regulation addresses the applicable norms to the rules governing the behavior of digital asset service providers as determined by the Law on the Issuance of Digital Assets of El Salvador.

Regulation of Digital Asset Service Providers Object Art.1.- This Regulation aims to regulate Digital Asset Service Providers and establish the obligations and standards they must comply with in the development of their functions, as well as the requirements and process for their definitive registration in the respective registry. Scope of Application

2 Art.2.- This regulation is applicable to all Digital Asset Service Providers that develop one or more digital asset services within Salvadoran territory, as established in the Law on the Issuance of Digital Assets. Definitions Art.3.- For the purposes of this Law, the terms detailed below shall have the following definitions: a) Force Majeure: Refers to an inevitable natural event that may or may not be foreseen by the subject obliged to perform a specific action, but that, even if foreseen, cannot be avoided, absolutely preventing them from fulfilling what they must do. Force majeure constitutes an insurmountable physical impossibility; b) Cyber Threat: Refers to a circumstance or event that may or may not be intentional and has the potential capacity to exploit one or more vulnerabilities in the infrastructures of Digital Asset Service Providers, resulting in a loss of confidentiality of client information or relevant operations, integrity of stored information, or availability of services or communication between users or employees of Digital Asset Service Providers; c) Cyberattack: A set of actions directed against information systems, such as databases or computer networks of Digital Asset Service Providers, that cause loss of confidentiality of client information or relevant operations, integrity of stored information, or availability of services or communication between users or employees of Digital Asset Service Providers; d) Cyber Intelligence: Is the collection and analysis of information that would allow understanding and mitigating the impact of cyber threats; e) Cyber Resilience: Is the capacity of the infrastructure of Digital Asset Service Providers to anticipate, absorb, adapt, or recover quickly from a cyber threat; f) Cybersecurity: Refers to strategies, policies, and standards aimed at reducing threats and vulnerabilities in the infrastructures of Digital Asset Service Providers, as well as the capacity for deterrence, responding, and having systems resistant to cyber threats, and recovering data and relevant information; g) Conflict of Interest: Is that situation in which the judgment of an individual, concerning their primary responsibility, and the integrity of an action tend to be improperly influenced by an economic, labor, personal, professional, or family interest, contrary to the obligations corresponding to them according to the functions they exercise and generates an economic impact on the assets of shareholders or clients or users; h) Customer Due Diligence or CDD: Refers to mandatory processes and measures for all Digital Asset Service Providers, whose purpose is to collect and evaluate relevant information about a client in their capacity as a user of the digital asset market with the objective of evaluating the risk profile of each client; i) Operational Due Diligence: Refers to the mandatory processes and measures that Digital Asset Service Providers, if they operate or administer platforms or digital wallets, must implement in their information systems to allow transactions carried out on said platforms or digital wallets to be executed quickly, transparently, and accurately; j) Risk Factors: Are the inherent risks of the product or service that increase the probability of loss or failure during operation; k) Force Majeure (Human): Refers to a human act, foreseeable or unforeseeable, but inevitable, which also absolutely prevents the fulfillment of an obligation; l) Insider Information: Is any information that has not been made public, regarding the digital assets administered, promoted, or commercialized by Digital Asset Service Providers and that, if made public, could influence appreciably the prices of said digital assets. It also refers to any relevant information regarding the technical and financial functionality of the platform or digital wallet administered by Digital Asset Service Providers, which could adversely affect the operation of said platforms or digital wallets; m) Governance Token: Refers to a digital asset that primarily has voting rights regarding the modification of protocols, rules, and governance system of a platform or digital wallet that uses Distributed Ledger Technology, or similar or analogous technology, but does not limit other rights.

3 Digital Asset Services Art.4.- Digital Asset Service Providers may carry out the following activities: a) Exchange of digital assets for fiat money or equivalent or for other digital assets, whether using own capital or that of a third party; b) Operate an exchange or marketing platform for digital assets or digital asset derivatives; c) Risk and price evaluation, as well as the subscription of digital asset issuances; d) Place digital assets on platforms or digital wallets; e) Promote, structure, and administer all types of investment products in digital assets, as well as loans, mutuals, or any form of digital asset financing; f) The following operations when carried out on behalf and for the benefit of third parties:

1. Transfer digital assets or the means to access or control them, between natural or legal persons or between different acquirers, electronic wallets, or digital asset accounts;
2. Safeguard, custodian, or administer digital assets or the means to access or control them;
3. Receive and transmit buy or sell orders for digital assets or the negotiation of digital asset derivatives;
4. Execute buy or sell orders for digital asset derivatives; Definitive Registry of Digital Asset Service Providers Art.5.- Every Digital Asset Service Provider, including certifiers, is obliged to register in the Registry of Digital Asset Service Providers. The Registry of Digital Asset Service Providers, hereinafter referred to as the Registry, will be administered by the National Commission of Digital Assets (CNAD), whose information will be public, limited only by the measures issued by the CNAD for the protection and conservation of information.

4 Sections of the Service Provider Registry Art.6.- The Registry will be divided into four sections: a) Of natural and legal persons with provisional or definitive authorization to be Digital Asset Service Providers; b) Of certifiers; c) Of digital asset issuances carried out on the platforms or digital wallets of Digital Asset Service Providers; d) Of stablecoins issued in public offerings or admitted to marketing on the platforms or digital wallets of Digital Asset Service Providers. Application for Registration in the Registry as a Service Provider Art.7.- Interested parties wishing to register as Digital Asset Service Providers must fill out the application by electronic or physical means made available by the CNAD for this purpose. In said application, they must detail the services to which they will dedicate themselves, as well as provide the following information and documentation: a) Natural persons must present a simple copy of the Unique Identity Document or resident card; b) Legal persons must present: i) Simple copy of the testimony of the public deed of constitution of the company or branch duly registered in the Commerce Registry, with their corresponding modifications or transformations if they exist; ii) Simple copy of the credential of election of the Board of Directors or Sole Administrator, duly registered in the Commerce Registry, or of the testimony of general power of attorney, with powers to represent the company before public entities; iii) Simple copy of the Tax Identification Number Card. c) Indicate domicile, physical address, email, and phone number to receive notifications; d) Business registration;

5 e) Provide a detail of their organizational structure, including, but not limited to, names, positions, and specific functions, including their international organizational structure, if applicable; f) Provide detail of their user attention system in a coherent and efficient manner, corresponding to the nature of the service to be provided; g) All relevant information and documentation to demonstrate that they have the capacity to offer the digital asset services indicated in the registration form; h) In case they plan to offer the services detailed below, provide a list of the digital assets they plan to sell or commercialize, including the benefits, restrictions, and limits of said digital assets, as well as any type of financial and commercial restrictions: i) Exchange of digital assets for fiat money or equivalent or for other digital assets, whether using own capital or that of a third party; ii) Operate an exchange or marketing platform for digital assets or digital asset derivatives; iii) Place digital assets on platforms or digital wallets; iv) The following operations when carried out on behalf and for the benefit of third parties:

1. Transfer digital assets or the means to access or control them, between natural or legal persons or between different acquirers, electronic wallets, or digital asset accounts;
2. Safeguard, custodian, or administer digital assets or the means to access or control them;
3. Receive and transmit buy or sell orders for digital assets or the negotiation of digital asset derivatives. i) In the case of certifiers, they may only be legal persons, which, in addition to the information and documentation previously indicated, must present: i) Accreditation of being an entity that within its organization meets a minimum experience of five (5) years in financial, tax, legal, administrative, or related matters, which may be accredited personally by the partners or shareholders who make up the entity, who must hold university degrees in higher education, so that the entity assumes the experience of its members. Additionally, it must present experience in technological issues related to Digital Assets. In this last point, the certifier may hire natural or legal persons to fulfill this purpose; however, this does not transfer the responsibility of their certification; ii) Shareholder list; iii) Curriculum vitae of the partners or shareholders, with their respective attachments and certifications of the titles accrediting them.

6 Receipt, Prevention, and Resolution Art.8.- The Registry will issue a receipt of the form with its attached documentation. The physical or electronic receipt of receipt will be issued following a chronological order, and will contain, at minimum, the following: a) The serial number, date, and time of presentation of the document; b) Object of the registration application; c) Acknowledgment of receipt. The CNAD will have up to twenty (20) business days counted from the receipt of the form and its attached documentation to issue a favorable or unfavorable resolution; or to warn the applicant, if applicable, that the application is incomplete, so that within ten (10) business days they add the missing information and documentation. The CNAD's resolution will consider the economic needs of the market and the reputation of the applicant. The Registry may request additional necessary information from the applicant, which must be requested prior to the expiration of the deadline to issue the resolution, and must specify the deadline granted for the delivery of the requested information and documentation. The applicant must respond within the granted deadline. In case of no response or failure to provide the additional required information, the Commission will issue an unfavorable resolution, and the service provider may resubmit their registration application. If the resolution is favorable, the service provider will be requested to make the corresponding payment through the channels designated by the CNAD for this purpose.

7 Significant Changes in Information Art.9.- Any significant change in the information presented as part of the registration application must be reported immediately to the CNAD, provided that the CNAD has not issued its resolution, especially if the changes will affect the fulfillment of the Service Provider's obligations established in the Law on the Issuance of Digital Assets or in this Regulation. For each relevant change notified to the CNAD in the registration application, five (5) additional business days are granted to issue its resolution. Initial Registration Fee Art.10.- Applicants who have a favorable resolution from the Registry must pay an initial registration fee equivalent to fifteen monthly minimum wages of the commerce and services sector (equivalent to a total of US$ 5,475 at the date of approval of this Regulation), within ten (10) business days from the notification of the favorable resolution. In case payment is not received in time and form, the Service Provider will not be considered registered and enabled. Assignment of Definitive Registration Number and Exemption Qualification Art.11.- Verified the payment of the corresponding initial registration fee, a definitive registration number will be assigned to the Service Provider. The service provider who has a definitive registration number will enjoy the benefits established in article thirty-six (36) of the Law on the Issuance of Digital Assets from the notification of the provisional registration number. The Registry will send to the Ministry of Finance within the following three (3) business days the favorable resolution of the Digital Asset Service Provider, who is duly registered. The General Directorate of Internal Taxes will issue the qualification of exemption from taxes and levies for said service providers in accordance with what is provided in the Law on the Issuance of Digital Assets, which must be notified in legal form to the beneficiary.

8 Renewal Registration Fee Art.12.- Properly registered Service Providers must pay an annual renewal fee equivalent to ten monthly minimum wages of the commerce and services sector during the first quarter of the calendar year (equivalent to a total of US$ 3,650 at the date of approval of this Regulation), regardless of the initial registration date. In case payment is not verified during said period, their registration will be cancelled ex officio and they will automatically lose the tax benefits granted in article thirty-six (36) of the Law on the Issuance of Digital Assets. Modification of the Registry of Service Providers and Certifiers Art.13.- Service Providers may expand the services they offer to the public, for which they must present a modification request to the Registry, along with the corresponding documentation for the services indicated in their application. Additionally, they must also present a modification request to the Registry when the following situations occur: a) They wish to reduce the services they provide; b) There is any substantial change in the information required for their registration, such as change of corporate name, information related to security systems, organizational structure, domicile, among others. The Registry must issue a receipt of the modification request, and notify the Service Provider about the changes made to their registration within a period of twenty (20) business days. Cancellation of Registration Art.14.- The inscription in the Registry of Providers or Certifiers will be totally cancelled for the following causes: a) By request of the Provider or Certifier due to the definitive cessation of their activities; b) For lack of payment of the renewal registration fee; c) By revocation issued by the CNAD through a reasoned resolution detailing the causes of cancellation and identifying the specific non-compliances of the Provider or Certifier as a result of the corresponding administrative process, the above as a result of a sanctioning administrative procedure that allows the service provider to present arguments and defense proofs, prior to the final resolution that establishes the revocation of the cancellation. d) e) The Service Provider or Certifier whose inscription is cancelled may reapply for registration meeting the requirements established in the Law on the Issuance of Digital Assets and this Regulation.

9 Issuance Registry Art.15.- Service Providers must send a quarterly report to the CNAD, which will be confidential, in the first twenty (20) days of the months of April, July, October of the current year, and January of the following year, regarding the Digital Asset Issuances that are commercialized through their digital wallets or platforms. The report will contain at minimum the following: a) Name of the Issuer; b) Name of the commercialized digital asset; c) Name of the Project; d) Start date of commercialization; e) Technical and commercial characteristics of the digital assets; f) Evolution of the inherent risks of the product and its administration since the last report presented to the CNAD. The Registry must be updated according to the information provided by the Service Providers. Stablecoin Registry Art.16.- Service Providers must send a quarterly report, in the first twenty (20) days of the months of April, July, October of the current year, and January

10 of the following year, regarding the stablecoins admitted to commercialization in their digital wallets or platforms. The report will contain at minimum the following: a) Name of the Issuer; b) Name of the Stablecoin; c) Name of the Project; d) Start date of commercialization; e) Technical and commercial characteristics of said stablecoin; f) Evolution of the inherent risks of the product and its administration since the last report presented to the CNAD. The Registry must be updated according to the information provided by the Service Providers. Good Faith and Impartiality in Digital Asset Markets Art.17.- Digital Asset Service Providers must act impartially without prioritizing their own interests over those of their clients, and attending to the benefit of these and the proper functioning of the digital assets they manage, commercialize, or promote. Therefore, they must comply with the following: a) They must not cause artificial evolutions of the quotes or prices of the digital assets admitted to negotiation on the platform or digital wallet they administer, whether for their own benefit or that of third parties; b) Ensure that sufficient funds are safeguarded in their balances to satisfy the refund of funds for users of their platforms; c) In cases where the purchase or sale of digital assets is managed on behalf of oneself and others, the values or sale prices assigned to investors must be done respecting the principle of investor priority, under the rule of first in time, first in right, ensuring that no investor is harmed in particular; d) They must abstain from carrying out operations with the exclusive object of receiving commissions or multiplying them abusively and without benefit for the affected clients with such operations;

11 e) They must contribute to transparency in the formation of market prices of digital assets, avoiding the disclosure to the public of false, inaccurate, or tendentious information; f) They must collaborate with the supervision and surveillance functions of the National Commission of Digital Assets; g) In case the investments of the acquirer of digital assets have been directly advised by the Digital Asset Service Provider - and due to market price variations, new information, changes in estimates, or market risks that affect the investment recommendation and varied to the detriment of the investor, they must communicate this to the investor and request instructions regarding it, in any case it is presumed that the Digital Asset Service Provider will act in the best interest of the investor and will carry out the transaction at the best possible price. Code of Conduct Art.18.- Each Digital Asset Service Provider must draft a Code of Ethics within the following six (6) calendar months after their definitive registration in the Registry of Digital Asset Service Providers, which they must make available to all their clients

12