CySEC Circular C675: EU Regulation 2023/1113 and EBA Guidelines on Reporting Obligations for Crypto Asset Service Providers

TO : Crypto Asset Service Providers (‘CASPs’) FROM : Cyprus Securities and Exchange Commission DATE : 27 December 2024 CIRCULAR NO. : C675 SUBJECT : A. EU Regulation 2023/1113 - Transfer of Funds Regulation B. EBA Guidelines C. Reporting Obligations

1. Application of EU Regulation 2023/1113 The Cyprus Securities and Exchange Commission (the ‘CySEC’) herewith wishes to inform the CASPs, as defined in the TFR Regulation1 , in the MiCA Regulation2 and in Article 2A of the AML/CFT Law3 , that the EU Regulation 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (the ‘TFR Regulation’), concerning the implementation of the ‘‘Travel Rule’’ for transfers of crypto-assets, will be applicable on the 30th of December 2024. With regard to the application of Articles 28, 29, 30, 31, 32, 33 and 38 of the TFR Regulation, national legislation is being proposed and adoption is expected. The TFR Regulation applies, among others, to transfers of crypto-assets, including transfers of crypto￾assets executed by means of crypto-ATMs, where the crypto-asset service provider or the intermediary crypto-asset service provider4 (the ‘ICASP’), of either the originator or the beneficiary has its registered office in the Union. 1TFR Regulation: Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849. 2 MiCA Regulation: Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in cryptoassets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937. 3 AML/CFT Law: The Prevention and Suppression of Money Laundering and Terrorist Financing Law, as amended. 4 ‘Intermediary crypto-asset service provider’ means a crypto-asset service provider that is not the crypto-asset service provider of the originator or of the beneficiary and that receives and transmits a transfer of crypto-assets on behalf of the crypto-asset service provider of the originator or of the beneficiary, or of another intermediary crypto-asset service provider.

As of 30 December 2024, CASPs have additional obligations under the TFR Regulation, namely when it comes to the information on the originator and beneficiary that is to accompany a transfer of crypto-assets. These obligations are explained in more detail in the EBA Travel Rule Guidelines (EBA/GL/2024/11). 2. EBA Guidelines Also CySEC wishes to inform you that, for the application of the TFR Regulation, has decided to adopt the following Guidelines issued by European Banking Authority (the ‘EBA’): a. The ML/TF risk factors Guidelines (EBA/GL/2024/01) set out how financial institutions, including CASPs, should assess their exposure to ML/TF risks, and how they should adjust customer due diligence measures in line with those risks (applicable on 30.12.2024). b. The Risk-based AML/CFT supervision Guidelines (ΕΒΑ/GL/2023/07) set out the components of an effective, proportionate approach to the AML/CFT supervision of CASPs and other financial institutions (applicable on 30.12.2024). c. The Travel Rule Guidelines (EBA/GL/2024/11) that specify the steps CASPs should take to detect missing or incomplete information that accompanies a transfer of crypto- assets, and the procedures they should put in place to manage a transfer that lacks the required information (applicable on 30.12.2024). d. The Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113 (EBA/GL/2024/15) that is specific to payment service providers (the ‘PSPs’) and CASPs and specifies what PSPs and CASPs should do to be able to comply with restrictive measures when performing transfers of funds or crypto-assets (applicable on 31/12/2025). According to the TFR Regulation, existing procedures will need to be adapted in order to comply with a number of obligations. Also the TFR Regulation will require CASPs to take appropriate adaptation measures in order to properly comply with the new obligations in the field of counteracting money laundering and terrorist financing, which will involve the need to implement appropriate technical and organizational solutions. 3. Reporting Obligations (Articles 17 and 21 of the TFR Regulation) According to Article 17 (1) of the TFR Regulation: “The crypto-asset service provider of the beneficiary shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU)

2015/849, for determining whether to execute, reject, return or suspend a transfer of crypto-assets lacking the required complete information on the originator and the beneficiary and for taking the appropriate follow-up action”. According to Article 21 (1) of the TFR Regulation: “The intermediary crypto-asset service provider shall establish effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849, for determining whether to execute, reject, return or suspend a transfer of crypto-assets lacking the required information on the originator and the beneficiary and for taking the appropriate follow up action”. According to Article 17 (2) of the TFR Regulation: “Where a crypto-asset service provider repeatedly fails to provide the required information on the originator or the beneficiary, the crypto-asset service provider of the beneficiary (…) shall report that failure, and the steps taken, to the competent authority responsible for monitoring compliance with anti-money laundering and counter-terrorist financing provisions”. According to Article 21 (2) of the TFR Regulation: “Where the crypto-asset service provider repeatedly fails to provide the required information on the originator or the beneficiary, the intermediary crypto-asset service provider (…) shall report that failure, and the steps taken, to the competent authority responsible for monitoring compliance with anti-money laundering and counter-terrorist financing provisions”. Ιn line with Articles 17(2) and 21(2) of the TFR Regulation, the CASP and/or the ICASP are expected to report to the CySEC, a CASP that repeatedly5 fails to include the information on the originator and beneficiary and the steps taken, as required in terms of the TFR Regulation and the relevant Guidelines. Sincerely, Dr. George Theocharides Chairman Cyprus Securities and Exchange Commission 5 As described in Travel Rule Guidelines (EBA/GL/2024/11).