CySEC Circular C665: Electronic Submission of 2023 Risk Based Supervision Framework Information for CASPs

TO : Crypto Asset Services Providers (‘CASPs’) FROM : Cyprus Securities and Exchange Commission DATE : November 15, 2024 CIRCULAR No : C665 FILE No : E.K. 02.03.001, E.K. 01.03.004 and E.K. 01.13.001.002.002 SUBJECT : Risk Based Supervision Framework (the ‘RBS-F’) – Electronic submission of information for the year 2023 (Form RBSF-CASP)

The present Circular is issued pursuant to section 25(1)(c)(ii) & (iii) of the Cyprus Securities and Exchange Commission Law of 2009 (the ‘CySEC Law’), as amended. The Cyprus Securities and Exchange Commission (the ‘CySEC') wishes to inform the CASPs registered with CySEC, providing services in or from Cyprus about the following:

1. Information Requested by CySEC 1.1. A new Form RBSF-CASP (the ‘Form’), Version 1, found in the Appendix, is now issued and its scope is the collection of various statistical information. This Form will be issued on an annual basis. CySEC will use this information, for the purposes of conducting statistical analysis, risk management and other purposes. 1.2. The Form must be completed and successfully submitted to CySEC, by all Crypto Asset Services Providers (‘CASPs’) that were registered with CySEC and were operational as of 31st December 2023. In this respect, CASPs registered with CySEC, but were not operational as at 31st December 2023, must also submit the Form. 1.3. The Form must be successfully submitted electronically via the CySEC’s Transaction Reporting System (‘TRS’) by Friday, December 20, 2024, the latest. 1.4. The steps that CASPs will have to follow, for the successful submission of the Form to the TRS, can be found here. Upon submission, CASPs are responsible to ensure that they have received a feedback file, i.e. an official submission confirmation dispatched by the TRS in the Outgoing directory. 1.5. The feedback file will either contain a NO ERROR indication or, in case that an error(s) has occurred during submission, the description of that error(s). In case of any errors detected during submission of the Form, CASPs must review the Form and ensure that all errors are addressed and corrected, before they digitally sign and re-submit the Form. The Form is regarded as being successfully submitted to CySEC, only when a

2 NO ERROR indication feedback file is received, within the deadlines set in point 1.3. above. This feedback file is dispatched, only during CySEC regular hours. 1.6. CySEC wishes to emphasise the importance of meeting the deadline of Friday, December 20, 2024. Failure to comply with the above promptly and duly, may bear the administrative penalties of section 37(5) of the CySEC Law. It is further noted that CySEC will not send any reminders to those CASPs, which fail to comply promptly and duly. 2. General Comments for the Form 2.1. The Form will be completed only for the reporting period 1/1/2023 – 31/12/2023 and using 31/12/2023 as a reference date. 2.2. The Form will be available only in the English language. 2.3. CASPs are required to report data in Euro, rounded to the nearest unit. 2.4. Please always ensure that you have the latest version of the Form, i.e. Version 1. 2.5. Instructions on the completion of the Form can be found in the ‘Instructions’ Worksheet of the Form. 2.6. Before submitting the Form, please ensure that all validation tests that are contained in the Form (Sections A, B, C, D, E, F, G, H, I, J, K and Validation Tests Worksheet) are TRUE (Green Color). 3. Information Requested The answers provided on the Form RBSF-CASP should relate only to Crypto-Asset activities as this is defined in AML/CFT Law and not to any other Financial Instruments that fall under MiFID. In the Sections of the Form listed below, various information is requested as follows: 3.1. Section A – General Information CASPs must complete the relevant section by filling out the green cells accordingly. CySEC’s Information Technology department has provided the TRS code by email. 3.2. Section B – Customer Analysis Information regarding the number of customers, volume of transactions, deposits and withdrawals as well as information based on customer risk categorisation and country of origin. CASPs must report and analyse the total number of customers as at the reference date, by referring to Article 2 of AML/CFT Law of 2007 (‘the AML/CFT Law of 2007’

3 [188(I)/2007], as amended) and specifically the definition given for “customer” and “business relationship”. 3.3. Section C – Information for top 10 Clients Information of the 10 biggest clients of the reporting entity based on the sum of total inflows and outflows in/from each client’s account. 3.4. Section D – Other Types of Customers Further information in relation to the customers, for example, High net worth individuals, etc. 3.5. Section E – Products, Services and Transactions Information regarding crypto-asset services, financial services related to crypto￾assets. Further information regarding crypto-assets transactions, customers’ crypto￾assets and wallets etc. 3.6. Section F – Geographical Analysis Information in relation to the country of residence of customers that are natural persons, including PEPs, country of registration of customers that are legal entities, countries where the CASP has financial and other trade linkages/collaborations, business promotion establishments etc. 3.7. Section G – Countries and Geographical Areas Information regarding the assessment of the country of residence of: • the CASP’s Customers or Customers’ Beneficial Owners • the CASP’s Beneficial Owners, parent or subsidiary companies or representative offices • other third parties that the CASP has relationships/collaborations 3.8. Section H – Governance and Ownership Information regarding employees, ownership, outsourcing. 3.9. Section I – Internal Policies and Procedures Information in relation to the CASP’s AML/CFT policies and procedures. 3.10. Section J – Financial Information Information on the financial position of the CASP regarding trading income, trading costs, CASP’s Total Assets and Liabilities etc. 3.11. Section K – Customers subject to International Sanctions Information regarding customers included in the United Nations Security Council Consolidated List and/or in the European Union Consolidated Financial Sanctions List.

4 4. Method of creating, signing and submitting the Form to the CySEC CASPs should take note that a digital signature is required for the successful submission of the Form. After populating the required Excel fields in the Form, the CASPs should name their Excel file in accordance to the following naming convention: Username_yyyymmdd_RBSF-CASP The information below explains the naming convention: (1) Username – is the username of the TRS credentials, which has been sent to the CASP by the authorisation department. This codification should be entered in capital letters. CASPs that have not received the TRS credentials can do so by referring here where further information is provided about the TRS. (2) yyyymmdd – this denotes the end of the reporting period of the Form. In this case, the Form should have a 20231231 format. Future forms will have different reporting periods. (3) RBSF-CASP – this is the coding of the Form, that remains unchanged and should be inserted, exactly as it appears. (4) The Excel® must be of 2007 version and onwards. Excel will add the extension .xlsx as soon as it is saved. This extension should not be inserted manually, under any circumstances. Τhe fully completed excel form, which is named based on the above paragraph, must be submitted only electronically, through the Transaction Reporting System (‘TRS’), within the timeframes set. 5. Important Dates Summarised Dates Task November 15, 2024 CASPs can start submitting the digitally signed Form to the CySEC’s TRS system. From November 15 until December 16, 2024 CASPs can submit any queries that they have for this Circular and the Appendix attached. December 20, 2024 Deadline for submitting the Form duly completed. 6. Support 6.1. Queries on how to complete the fields of the Form Should you have any queries on the completion of Form RBSF-CASP, please submit them only in writing, any day PRIOR to Monday, December 16, 2024, by sending an email to the address riskstatistics.cifs@cysec.gov.cy .

5 6.2. Technical Queries on digitally signing and submitting the Form For technical matters on digitally signing and submitting the Form through the TRS, CASPs are advised to frequently visit the CySEC’s website, at the specified section. For further clarifications, the CASPs are requested to use the electronic address information.technology@cysec.gov.cy . All email communication with CySEC should include, in the subject, the CASP’s full name and the TRS coding. Yours sincerely, Dr George Theocharides Chairman, Cyprus Securities and Exchange Commission