The Seychelles Financial Services Authority Introduces Draft Regulations Under The Virtual Asset Service Providers

The Virtual Asset Service Providers Bill, 2024 (the VASP Bill), sets a comprehensive legal framework regulating virtual asset service providers (VASPs) in Seychelles and awaits implementation. The Financial Services Authority (the Authority) has now produced a set of draft regulations, currently under public consultation, to supplement the legal requirements under the VASP Bill. A summary introducing each set of regulations are given as below.

The Virtual Asset Service Providers (Capital and other Financial Requirements) Regulations

The "Capital and other Financial Requirements" Regulations (the CFR Regulations), detail the financial and capital prerequisites for VASPs to ensure the sector's stability and integrity.

Scope and Objectives

The CFR regulations enforce prudent financial management among VASPs, ensuring they are financially sound and capable of meeting their obligations. The primary aims include:

• Guaranteeing adequate capitalization.
• Ensuring reliable record-keeping and financial reporting.
• Mandating suitable insurance coverage.
• Requiring the maintenance of reserve assets or monies to cover liabilities.

Capital and Financial Requirements

General Provisions

Interpretation: Key definitions include "paid-up capital," "reserve assets," and "alternative financial services."

Application

• The regulations apply to all licensed VASPs.
• Must be read along with the Act and other guidelines from the Authority.

General Requirements

• Adequate Capital: VASPs must maintain capital levels commensurate with their scale, risk, and complexity.
• Financial Infrastructure: This includes maintaining paid-up capital, proper accounting records, financial reporting mechanisms, and required insurance policies.

Specific Financial Requirements

Paid-Up Capital

• VASPs must maintain specified minimum paid-up capital in cash, bonds, or other approved securities, kept in licensed banks or compliant financial institutions.
• VASPs engaging in multiple services need adequate paid-up capital for each authorized activity.

Reserve Assets

• VASPs must hold reserve assets or monies equivalent to 100% of client liabilities, managed separately from the firm's own accounts.

Administrative Expenses

• VASPs must maintain an administrative expenses account in licensed banks, ensuring compliance with Basel II requirements.

Insurance Coverage

• Required insurance includes professional indemnity and additional policies to protect clients' assets.
• Policies can be held by related entities if they clearly cover the VASP.

Accounting and Financial Reporting

Accounting Records

• VASPs must keep accurate, up-to-date records detailing all transactions, differentiating between those on behalf of clients and those on their own account.
• Records must comply with international accounting standards and be preserved digitally for at least seven years.

Auditor's Report

• Auditors must confirm the availability and accuracy of the VASP's accounting records.
• Any deficiencies must be reported to the Authority within seven days.

Schedule of Initial Paid-Up Capital

The schedule defines capital requirements based on the type and duration of operations:

For New Entities:

• Virtual Asset Wallet Providers: USD 75,000
• Virtual Asset Exchange: USD100,000
• Virtual Asset Broking: USD50,000
• Virtual Asset Investment Providers: USD25,000

For Existing Entities:

• Required proof and annual turnover requirements: Similar to new entities but adjusted based on operational revenue.

Conclusion

The VASP Bill, along with its financial regulations, aims to foster a secure and transparent environment for virtual asset services in Seychelles. These measures are vital for protecting clients, maintaining market stability, and ensuring the responsible growth of the virtual asset sector.

The Virtual Asset Service Providers (Cyber Security Requirements) Regulations

The Virtual Asset Service Providers (Cyber Security Requirements) Regulations (the CSR Regulations), supplement the VASP Bill. The CSR Regulations establish a comprehensive framework designed to protect virtual asset service providers (VASPs) from cyber threats and ensure robust cybersecurity practices.

Scope and Objectives

These regulations are applicable to all licensed VASPs, aiming to:

• Protect systems and data from unauthorized access and cyber risks.
• Ensure business continuity in the face of cyber incidents.
• Mandate the implementation of cybersecurity strategies, policies, and controls.

General Cybersecurity Requirements

Cybersecurity Strategy

• Comprehensive Strategy: VASPs must have a cybersecurity strategy to manage operational risks, including those arising from third-party suppliers.
• Risk Management: The strategy should address risk management, event response, and damage limitation.
• System Controls: VASPs must prevent system failures, ensure compliance with contractual and legal obligations, and maintain systems' security.
• Outsourcing Considerations: Impact assessments on outsourcing and third-party software/system interoperability are required.
• Senior Management Oversight: Clear roles, responsibilities, and accountability for implementing the cybersecurity strategy are essential.
• Staff Training: Regular cybersecurity training for all staff.

Systems and Controls

• Confidentiality and Integrity: Systems must safeguard information accuracy, limit access, and comply with data protection laws.
• Audit Trails and Testing: Regular penetration testing and maintaining audit trails for system activities.
• Independent Audits: An independent party must occasionally audit the systems, ensuring their adequacy and effectiveness.

Specific Regulatory Requirements

Unforeseen Interruptions

• VASPs must implement measures to maintain operational continuity and mitigate the impact of cyber events.

Reporting Cybersecurity Risks

• Immediate Notification: Notify the Authority within 24 hours of discovering a cybersecurity risk or event.
• Detailed Reporting: Submit a detailed report within five days for successful cyber-attacks, detailing impacts and remedial actions.

Cybersecurity Reports

• Annual reports prepared by a qualified individual must cover system availability, identified risks, and implemented cybersecurity programs.

Group and Related Entities

• The Authority may consider a parent company's cybersecurity strategy if it encompasses the VASP's operations.

Data Protection

• Data protection must be integrated into the cybersecurity strategy, complying with the Data Protection Act.

Business Continuity Plan

• Formalised Plan: Approved by the board of directors, the plan must detail strategies to maintain operational continuity.
• Resource Requirements: Define necessary resources and recovery priorities.
• Regular Testing: The plan must be reviewed and tested at least every two years.
• Authority Requests: Plans and testing results must be available to the Authority upon request.

Enforcement and Penalties

Non-compliance with these regulations can result in significant penalties, including:

• Administrative fines up to SCR5,000,000 for cybersecurity strategy breaches and additional daily fines.
• Fines up to SCR2,000,000 for failures in system controls and regulatory audits.
• Fines up to SCR500,000 for business continuity plan inadequacies and additional daily fines.

Conclusion

The CSR Regulations aim to strengthen the cybersecurity framework for VASPs in Seychelles. By implementing these stringent requirements, VASPs can better protect against cyber threats, ensure business continuity, and maintain compliance with regulatory standards.

The Virtual Asset Service Providers (Advertisements) Regulations

The Virtual Asset Service Providers (Advertisements) Regulations (the Advertisements Regulations), to be established under the Virtual Asset Service Providers Bill, 2024 (VASP Bill). The Advertisements Regulations set out guidelines and requirements for advertising related to virtual asset services within or from Seychelles, with the aim of promoting transparency, fairness, and consumer protection.

Scope and Applicability

1. Advertising Limitations:

• No person is allowed to advertise virtual asset services, initial coin offerings (ICOs), or non-fungible tokens (NFTs) in or from Seychelles without complying with these regulations.
• Exceptions are made for government bodies, printers of promotional materials, and those placing advertisements without content responsibility.

2. Liabilities:

• Violations can result in fines up to SCR5,000,000 or imprisonment.

General Advertising Requirements

Clarity and Fairness:

• Advertisements must be clear, fair, complete, concise, unbiased, and not misleading.
• Ads must contain timely and accurate information consistent with the virtual asset or service being advertised.

Content Guidelines:

• Ads should clearly state returns, benefits, and associated risks.
• Ensure ads do not lure consumers into malicious or high-risk virtual asset services.
• Provide ample information for consumers to make informed decisions.
• Use plain language understandable to the target audience.
• Avoid imagery that might attract minors.

Responsibility for Third Parties:

Any person acting on behalf of a licensee or promoter is subject to these regulations, and the primary entity is liable for their actions.

Enforcement:

Non-compliance can lead to administrative penalties up to SCR500,000 and additional daily fines.

Specific Content Requirements

Information Disclosure:

• Include details like the licensee's name, license number, registered office, and third-party involvement.
• Ensure accuracy, relevance, and timeliness of the content.
• Clearly describe any risks, fees, and commission structures.

Performance Information:

• Avoid projecting returns based on unsubstantiated borrowing plans.
• Comparisons and performance references must be clear, balanced, and based on objective data.
• State explicitly that past performance is not indicative of future results.

Risk and Warning Disclosures:

• Clearly display and explain risks, particularly when virtual assets are denominated in foreign currencies, noting potential impacts on value due to exchange rates.

Advertising Conduct Standards

Professionalism and Integrity:

Advertisers must act responsibly, avoid aggressive sales tactics, respect consumer privacy, and maintain honesty and transparency.

Third-Party Duties:

Those acting for licensees must disclose their identity and any commissions or benefits they receive.

Internet Advertising:

Online ads must adhere to print ad standards, ensure easy access and readability, and avoid manipulative practices such as hiding essential information or using difficult-to-read fonts.

Bad Practices:

Prohibited practices include hiding risk warnings, diminishing important statements with poor formatting, and providing minimal risk information.

Record Keeping

Licensees and promoters must maintain comprehensive records of all advertisements, including approval details, for at least seven years after an ad ceases to be available.

Conclusion

The Advertisements Regulations aim to ensure that advertisements relating to virtual assets and services are transparent, fair, and provide sufficient information for consumers to make informed decisions. Compliance with these regulations is mandatory to avoid severe penalties and contribute to a trustworthy virtual asset market in Seychelles.

The Virtual Asset Service Providers (Registration of Initial Coin Offering and Non-Fungible Tokens) Regulations

The Virtual Asset Service Providers (Registration of Initial Coin Offering and Non-Fungible Tokens) Regulations (the ICOs and NFTs Regulations), supplement the provisions of the Virtual Asset Service Providers Bill, 2024 (VASP Bill). The ICOs and NFTs Regulations provide a framework for the registration, promotion, and issuance of Initial Coin Offerings (ICOs) and Non-Fungible Tokens (NFTs) within or from Seychelles, ensuring transparency, compliance, and investor protection.

Scope and Applicability

These regulations apply to individuals and entities involved in the issuance, promotion, sale, or development of ICOs and NFTs in or from Seychelles, as outlined in section 27 of the Act.

Registration Process for ICOs and NFTs

Application Requirements

1. Application Submission:

• Applicants must submit a white paper as per the Schedule requirements.
• Provide policies and procedures for monitoring the issuance and offering cycle of the ICO or NFT.
• Specify where proceeds will be transferred or deposited.
• Indicate the location of records accessible in Seychelles.
• Submit details and confirmation of the promoter.
• Pay the registration application fee.

2. Authority Review:

• The Authority may request additional information for assessing the application.
• Applications are not considered complete unless they meet all regulatory requirements.
• Withdrawal of applications before determination results in forfeiture of the application fee.

Determination of Application

1. Grounds for Objection:

• Non-compliance with the Act, Regulations, codes, or guidelines.
• Failure to meet criteria in section 27(7) of the Act.
• Insufficient white paper or improper monitoring policies.
• Promoter ineligibility or non-payment of fees.
• Potential prejudice to the financial services industry or public policy concerns.

2. Approval and Registration:

• The Authority may approve the application within 30 working days if no objections arise.
• Registration is valid for up to 12 months.
• Registrant details are published on the Authority's website.

Promotion and Issuance

Publication and Advertising

White Paper Publication:

White papers can be published after receiving the Authority's no-objection notice or after 30 working days.

Advertising Duration:

Advertising can commence following the Authority's no-objection notice or after 30 working days and should adhere to the specified duration in the registration application.

Extensions and Changes

1. Extension Requests:

• Requests for extending the promotion or issuance period must be submitted three months before the end date.
• The Authority may object based on financial sector prejudice, public policy, or failure to meet financial objectives.

2. Change of Promoter:

• Notices for changing a promoter must be submitted 20 working days before the proposed change.
• The Authority may object if the new promoter is ineligible or if it causes industry prejudice.

Records Maintenance

Registrants must maintain comprehensive records for at least seven years, including:

• Identity of subscribers or investors.
• Amounts received and transferred.
• Use and allocation of proceeds.
• Locations and channels used for promotion.

White Paper Specifications

The white paper must provide full and accurate information to enable informed investor decisions, including:

• Details of directors, senior management, and key personnel.
• Objectives and purpose of the ICO/NFT offering.
• Key characteristics, business plan, and sustainability of the project.
• Financial plans and use of proceeds.
• Rights, conditions, and valuation methods associated with the offering.
• Associated challenges, risks, and mitigating measures.
• Distribution policy and technical descriptions of protocols or platforms.
• Payment methods, refund mechanisms, and intellectual property rights.

Conclusion

The ICOs and NFTs Regulations, seek to establish stringent guidelines for the registration, promotion, and issuance of ICOs and NFTs. By adhering to these regulations, issuers and promoters ensure compliance, transparency, and protection for investors, thereby fostering a trustworthy and secure virtual asset environment in Seychelles.

Virtual Asset Service Provider (Safekeeping and Management of Client's Asset) Regulations: An Overview for Clients

The Virtual Asset Service Providers (VASPs) (Safekeeping and Management of Client's Asset) Regulations (the SMCA Regulations), under the Virtual Asset Service Providers Bill, 2024 (VASP Bill), outline critical guidelines for VASPs offering custodial services. These regulations seek to ensure the safe management of client assets such as virtual assets, NFTs, private keys, and stablecoins.

Scope and Applicability

These regulations apply to all VASPs authorized to offer custodial services as listed in the First Schedule of the Act.

General Requirements for Custodial Services

Establishing Policies and Controls

1. Policies and Systems:

• Licensees must establish comprehensive policies, systems, and controls to safeguard and manage client assets.
• Adequate measures must be taken to protect clients' ownership rights and mitigate risks like loss or asset value reduction.

2. Organizational Arrangements:

• Licensees must ensure efficient organizational arrangements for transferring client assets.
• Policies should include reconciliation procedures and specify protections against asset loss or misuse.
• Clients must be able to access these policies electronically within two days upon request.

3. Regulatory Compliance:

• Licensees failing to comply face enforcement actions, including penalties up to SCR5,000,000 and additional daily fines.

Handling Client Assets

Client Agreements and Transparency

Mandatory Agreement Terms:

• Clients must agree to the terms before receiving custodial services.
• Licensees must inform clients about custody policies, custodial entities, pooled assets, protection measures, fees, responsibilities, and risks.

Managing Client Assets

1. Asset Matching:

Licensees must ensure that the total held client assets match what was agreed upon.

2. Transfer Authorization:

Transfers must be explicitly authorized by the client.

3. Funds Handling:

Client funds must be deposited separately from licensee's funds by the end of the business day.

4. Segregation and Safeguarding:

Client assets must be held in individual wallets under client names.
Licensees must have arrangements ensuring clients' ownership rights are protected and that assets are not used without consent.

5. Asset Usage Records:

Explicit prior consent is required before using client assets, and this consent must be documented.
Unauthorized use of client assets is strictly forbidden and subject to heavy penalties.

Technological and Operational Standards

Reliable Systems

Technological Compatibility:

• Technology used for holding client assets must be reliable, resilient, and secure.
• Systems should ensure robust security measures for private and public keys and wallet storage.

Protecting Client Interests

No Unauthorized Claims:

• Licensees cannot grant security interests over client assets except for clearing or settlement of clients' obligations.
• Any third-party claims must be documented thoroughly.

Utilising Sub-Custodian Arrangements

Internal Group Sub-Custodians

Conditions for Engagement:

• Licensees can use sub-custodians within the same group if compliant with regulatory requirements and with formal agreement.
• Sub-custodians must provide equivalent safekeeping and segregation controls and indemnify the licensee against losses.

External Sub-Custodians

1. External Engagement:

• Engaging external sub-custodians requires a formal agreement, equivalent legal and control standards, and similar AML/CTF requirements.
• Licensees must ensure client assets are segregated and identifiable.

2. Consideration Factors:

• Before engagement, factors like expertise, reputation, financial stability, and legal compliance of the sub-custodian must be evaluated.

Record-Keeping Obligations

Accurate Records:

• Licensees must maintain accurate, up-to-date records accessible from their Seychelles office.

Register of Positions:

• A register tracking client asset transactions and ownership must be maintained to resolve discrepancies swiftly.

Anti-Money Laundering and CTF Amendments

Recent amendments to the Anti-Money Laundering and Countering the Financing of Terrorism Regulations introduce new definitions and compliance requirements, particularly addressing virtual assets and enhancing transparency and security in transaction reporting.

Conclusion

The SMCA Regulations seek to set stringent standards for managing and safeguarding client assets. By adhering to these regulations, clients can trust that their virtual assets are managed securely and transparently, protecting their investments and ensuring compliance with Seychelles' legal framework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.