Crypto assets and the various crypto services have emerged and developed as one of the innovative financial trends of the past decade. It is widely accepted that the provision of crypto services is currently an unregulated activity in most parts of the world, including in the EU and Bulgaria. Although that statement is to a great extent true for cryptocurrencies and most other crypto assets, there are still some regulatory requirements which potential crypto service providers need to consider before accessing the Bulgarian market.

This article aims to outline some key requirements which are expected to apply until the new legal framework on digital finance proposed by the EU Commission, and specifically the Markets in Crypto-assets (MiCA) Regulation, which will regulate crypto assets and crypto activities, comes into force.

I. Considerations from the perspective of the current payment and investment services, as well as AML legislation

  1. What remains an unregulated activity

    After some discussions on the matter, both EU and Bulgarian financial supervisory authorities (the European Banking Authority and European Securities and Markets Authority, respectively, the Bulgarian National Bank and the Bulgarian Financial Supervision Commission) have reached the conclusion that cryptocurrencies (and the related services) fall outside the regulatory perimeter of the payment services and investment services legal frameworks. This is because, on the one hand, cryptocurrencies are neither legal tender nor funds within the meaning of the payment services legislation. On the other hand, cryptocurrencies are not likely to qualify as financial instruments either, due to their purely payment utility. Therefore, no licenses are needed for the provision of crypto services such as transfer, exchange (crypto to crypto, crypto to fiat and vice versa) and custody of virtual currencies.

  2. What might be a regulated activity

    Services related to crypto assets other than cryptocurrencies may fall within the scope of the current investment services legal framework when the crypto assets can be qualified as financial instruments, i.e., where the assets have an investment purpose or are linked to an expectation of returns. This means that the provider may need to obtain an investment firm license under the Markets in Financial Instruments Directive II (transposed in Bulgaria in the Markets in Financial Instruments Act) to be able to provide services such as transfer, exchange, and custody of those crypto assets.
    Moreover, according to the European Securities and Markets Authority (ESMA), where crypto assets qualify as financial instruments, the full set of EU financial rules, including the Prospectus Directive, the Transparency Directive, the Market Abuse Directive, the Short Selling Regulation, the Central Securities Depositories Regulation, and the Settlement Finality Directive (all transposed and applicable in Bulgaria), is likely to apply as well.

  3. What is a regulated activity

    Often the provision of services of transfer and exchange of cryptocurrencies requires the availability of a payment account for fiat currencies in the name of the client, with a designated IBAN, to serve as a ramp to buy and sell the cryptocurrencies. In other words, the client would transfer fiat money to that individual payment account, with which they will be able to purchase the chosen cryptocurrency, and vice versa: when selling a chosen cryptocurrency, the client will receive its corresponding value in fiat currency on that payment account. Further, some providers offer services of non-cash exchange of fiat-to-fiat currency as well as payment transfers to the client's own or a third party’s account. Lastly, many providers offer their clients the issuance of a physical or digital payment card which enables the client to withdraw or otherwise dispose of the fiat money available on the respective payment account (e.g., for online shopping and/or paying at POS devices).

    Services such as currency exchange (fiat to fiat only), issuance of and processing transactions with prepaid physical or digital payment cards, as well as opening and operating payment accounts (even if the payment account is used only as a ramp to buy and sell cryptocurrencies) can be qualified as payment services under the Payment Services Directive (PSD 2, implemented in the Payment Services and Payment Systems Act). The provision of such services in Bulgaria normally requires a license for a payment institution or an e-money issuer.

    On another note, payment institutions, e-money issuers, companies that provide exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers are obliged entities under the Measures for Anti Money Laundering Act. In their activity they must apply measures to prevent the use of the financial system for the purposes of money laundering (e.g., to conduct customer due diligence, to conduct risk assessments, to report suspicious transactions to the competent Bulgarian AML authority, etc.). Further, companies that provide exchange services between virtual currencies and fiat currencies as well as custodian wallet providers are subject to registration for the purposes of anti-money laundering with the Bulgarian National Revenue Agency.

  4. What are the next steps in case it turns out you need a license

    To assess whether a license is required, an in-depth analysis of the types of services to be provided should be performed. This is also the recommendation of the EU financial regulators. If a license is required, there are various options: e.g., to obtain a license in Bulgaria; to obtain a license in another EU country and passport it in Bulgaria (and act through a branch or directly); to become an agent of a licensed provider, etc.

II. Considerations from the perspective of the current consumer protection, competition and data privacy legislation

  1. B2C relations

    B2C relations are subject to many requirements.
    Firstly, crypto service providers should consider the applicable consumer protection legislation and must provide preliminary information to the consumers prior to the provision of the services. The information, among other requirements, must be provided in writing or in another appropriate way for the consumer to understand it, must be true, complete, clear, and comprehensive and must include certain minimum elements. The preliminary information should also be available online when using online platforms or other electronic sources.
    Moreover, crypto service providers should take measures to avoid unfair terms in consumer contracts (such as a clause allowing only the supplier to terminate the contract without cause).

    Unfair terms are generally void unless they are individually negotiated.
    Additionally, service providers are not allowed to use unfair commercial practices. Misleading and aggressive practices are also considered unfair and are therefore forbidden. A misleading practice is, for example, to claim that you have a license for providing a service when you actually do not have such a license, or to provide ambiguous or incomplete information to the customer, etc.

    There are also requirements regarding advertisements, including that they are easily identifiable as commercial, that the provider is clearly identified, etc. Unsolicited commercials to consumers require their preliminary consent. Misleading and certain comparative advertisements are forbidden.

    Further, consumers have the right to withdraw from the contract without giving any reason, without compensation or penalty and without bearing any costs, within a period of 14 days from the conclusion of the contract. The service provider must, among others, inform the consumers regarding their right to withdraw from the contract in advance and provide a standard form for exercising such right.

    In addition, the service provider must notify the consumer of each amendment of the general terms and conditions within 7 days from the date the amendment becomes effective. If the consumer disagrees with the amendment or supplement, he/she may cancel the contract without cause and without any penalty, or keep the contract under the old terms and conditions.

    Moreover, consumers have the right to file complaints with the Bulgarian Commission for Consumer Protection and its dispute resolution committees. A dispute may also be resolved by a consumer alternative dispute resolution entity (“ADR entity”). The service provider must notify the consumer of those rights and must include contact information of the dispute resolution bodies in its general terms and conditions in a way that the consumer can get acquainted with their content.

  2. B2B relations

    When concluding contracts with B2B clients, the law does not prescribe specific mandatory content for the contract for provision of cryptocurrencies. Therefore, the parties are generally free to determine its content insofar as it does not contravene the mandatory provisions of Bulgarian law and good morals.

    Similarly to B2C relations, the service provider may specify in advance general terms and conditions for the services and should comply with the requirements for signing and amending contracts under general terms and conditions.

    When concluding contracts electronically, the service provider must, among others, adhere to the obligations for provision of certain information to customers, such as details of the service provider, description of the services, fees and costs, steps for conclusion of the contracts, etc.

  3. E-signatures and e-contracts considerations

    The conclusion of a contract at a distance (e.g., electronically through a website or an application) requires consideration of the applicable EU and Bulgarian legislation in the field of e-documents and e-signatures. One of the key questions is what type of e-signatures and e-documents may be used to meet the requirements for a contract and signature in writing.

    The qualified electronic signature is recognized as equal to the handwritten signature by virtue of the law. Therefore, it is the safest (yet burdensome) option for signing e-contracts for provision of crypto services. Regarding the other two types of electronic signatures (simple and advanced), there are no explicit restrictions in the legislation. Therefore, “simple” and advanced electronic signatures could generally be used in the process of signing e-contracts for provision of crypto services. However, according to the law, for such a signature to be considered equal to a handwritten signature, the parties must specifically agree to that. Many crypto service providers include such consents in their general terms and conditions or in a separate electronic statement as part of the process of concluding the contract. According to certain case law, this is acceptable. In any event, the providers must ensure appropriate evidence and track records of signed contracts.

  4. Data Protection Aspects

    Firstly, it is important to outline that the provisions of GDPR apply to the processing of data of Bulgarian/other EU data subjects. GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to: i) the offering of goods or services, irrespective of whether a payment of the data subject is required; or ii) the monitoring of their behaviour as far as their behaviour takes place within the EU. For processing of personal data of Bulgarian data subjects, the rules of the Bulgarian Personal Data Protection Act (“PDPA”) should additionally be considered.

    Additional data protection matters should be considered, such as appointing a DPO (when the requirements of the GDPR are met), introducing appropriate safeguards when transferring personal data of Bulgarian/EU data subjects outside the EU/EEA, adopting a website cookie policy, etc.

    A frequently discussed matter is the storage of personal data in a cloud. In this respect, the necessary technical and organizational measures should be taken for the purpose of safeguarding the stored personal data. When a service provider transfers and stores personal data in a cloud which is established and maintained in a third country (outside the EU/EEA), the rules regarding the transfer of personal data outside the EU/EEA apply and additional safeguards should be introduced by the service provider.

    In conclusion, there is a wide array of requirements to consider before starting the provision of crypto services in Bulgaria. Failure to meet those requirements exposes crypto service providers to various risks, including administrative and civil liability. To mitigate those risks, crypto service providers should ensure that their business models are carefully assessed from all relevant perspectives and the necessary requirements are met to the extent possible. Future legislative initiatives such as the MiCA Regulation should also be closely observed and timely steps for compliance should be taken.