AML Compliance Guidelines: Cyprus

Cyprus’s economy is mainly service-based and is supported by growing finance, tourism, and shipping sectors. The third biggest Island nation in the Mediterranean has successfully attracted large foreign investment, particularly through the “golden passport” scheme, further supplemented by a favorable tax regime and EU membership. These foreign investments were mostly directed towards the banking and real-estate sectors.

High foreign investments bring prosperity to a country. However, if left unchecked, it can be exploited by criminals to hide funds generated from serious crimes or fund even more crimes. Numerous reports have alleged that the Cyprus golden passport scheme was exploited by criminals and sanctioned individuals, particularly those from Russia.

Cyprus has shown a renewed commitment to tackle these issues by canceling many passports over corruption and money laundering concerns issued under the now-suspended citizenship scheme. The country has also introduced reforms in the supervision of the financial sector as well as “gatekeeper professions”, further enhanced by closer EU scrutiny. While reforms and closer EU scrutiny have addressed these issues to some extent, persistent money laundering vulnerabilities can damage Cyprus’ efforts to address its historical reputation as a hub of high-risk foreign investments. They may indirectly affect other nations through cross-border criminal activities.

Overview of AML and Sanctions Regulatory Framework in Cyprus

Cyprus’s Anti-Money Laundering (AML) and Sanctions regulatory framework is primarily governed by the AML/CFT Law of 2007 and the Sanctions Law of 2016, respectively. These primary legislations are reinforced by the directives issued at the EU level and the directives and guidelines provided by the supervisory bodies of each sector. The Central Bank of Cyprus (CBC), the Cyprus Securities and Exchange Commission (CySEC), the Institute of Certified Public Accountants of Cyprus (ICPAC), and the Cyprus Bar Association (CBA) are the central supervisory bodies that monitor compliance within their sectors. Regulated entities are required to conduct customer due diligence (CDD) and report suspicious transactions to the Unit for Combating Money Laundering (MOKAS) —  the financial intelligence unit (FIU) of Cyprus. Moreover, each supervisory authority within their sector enforces compliance with the Cyprus sanctions regulations. Additionally, the AML Advisory Authority— the apex committee consisting of representatives from law enforcement, supervisory authorities, and key stakeholders— facilitates the overall coordination, monitors the effectiveness of the regulatory framework, and advises on legislative reforms to the Council of Ministers.

MOKAS (FIU)

As a financial intelligence unit of Cyprus, MOKAS collects suspicious activity reports from the obligated institutions, reviews these reports to analyze trends, and forwards verified reports for investigations to the competent authority (Police) with the aim of securing the indictment of the suspects.

What is the penalty for a money laundering offense in Cyprus?

Money laundering is a punishable offense in Cyprus. If convicted, a person can face up to 14 years of imprisonment, a fine of up to EUR 500,000, or both. Moreover, a person negligently being part of money laundering can also face up to 5 years imprisonment or a fine up to EUR 50,000, or both.

AML and Sanction Laws

AML/CFT Law – Law no. 188(I)/2007

The Prevention and Suppression of Money Laundering and Terrorist Financing Laws of 2007-2021, commonly called AML/CFT Law of Cyprus. Enacted in 2007, the AML/CFT Law has been amended to extend AML obligations to non-convention financial institutions like crypto-asset services providers (CASP) and gatekeeper professions such as real estate agents, accountants, and lawyers. This is the primary legislation in Cyprus’s fight against money laundering, terrorist financing, and other connected predicate offenses. AML/CFT Law mandates the obligated institutions to identify, mitigate, and report suspicion of money laundering and terrorism financing. Obligated institutions are supervised by their respective supervisory authorities, which monitor their compliance with AML regulations and are authorized to impose administrative penalties in case of any violations.

Sanctions Law – Law 58(I)/2016

Enacted in 2016, this primary legislation incorporates European Union restrictive measures (EU Sanctions) and United Nations Security Council Resolutions or Decisions (UN Sanctions) in Cyprus’ legal framework. Under the provision of this Cyprus law, supervisory authorities that ensure AML compliance are also responsible for securing the implementation of the Sanctions Law within their sectors. It also empowers supervisory bodies to apply administrative penalties if any entity they supervise contravenes sanctions regulations. Additionally, any person found to be violating any applicable sanction will be guilty of an offense and may face criminal penalties like fines and up to 2 years imprisonment.

AML Obligated Business and Professions

• Banks
• Credit Institutions
• E-Money Institutions
• Payment Institutions
• Investment Firms
• Asset Management Firms
• Administrative Service Providers
• Real Estate Agents
• Accountants, Tax Advisors, Auditors, Insolvency Advisors
• Lawyers, Law firms
• Casinos
• Gambling Services
• Traders of Works of Arts
• Crypto Asset Service Providers
• Insurance Companies and Intermediaries
• Securities Broker-Dealers
• High-Value Goods Traders (involving cash payments of 10,000 or more)

Some Sector Specific Regulations

Crypto Asset Service Providers (CASPs)

CASPs are obligated entities under the Cyprus AML Law. As of the new amendment, CASPs must register in the Cyprus CASP Register, maintained and supervised by the Cyprus Securities Exchange Commission (CySEC). The regulatory framework for CASPs consists of AML/CFT Law and CySEC Directives in Cyprus. Moreover, “The ML/TF Risk Factors Guidelines” published by the European Banking Authority (EBA) for credit and financial institutions also extends to CASPs operating in the EU region. The guideline suggests conducting adverse media searches when determining the risks associated with a client. In addition to general obligations like customer due diligence, risk assessment, record-keeping, and reporting, CASPs in Cyprus are required to comply with the EBA’s Travel Rule Guidelines. In addition to usual CDD measures, CASP is obligated to apply customer due diligence measures when conducting an occasional transaction that equals EUR 1,000 or more.

Additionally, starting December 30, 2024, CySEC will start accepting applications for preliminary assessment for licensing under the Markets in Crypto Assets (MiCA) Regulations, seeking to harmonize the regulatory framework for CASP in the EU region.

Insurance Sector

Insurance Companies Control Service (ICCS) is the competent authority that supervises the insurance sector in Cyprus. Insurance and reinsurance companies or intermediaries are obligated to identify if the beneficiary of a life insurance product or investment-related insurance policy is a politically exposed person (PEP). It also includes determining whether the ultimate beneficial owner is a PEP when the beneficiary of a life insurance or investment-related policy is a legal person. This identification or PEP screening process should be carried out before processing the payout of a policy. If a beneficiary is identified as a PEP, insurance providers must perform due diligence measures, analyze the whole business relationship with the policyholder, and inform senior management before processing the payout of the insurance policy.

Real Estate Agents

In Cyprus, Real estate agents must meet AML obligations such as customer due diligence, record-keeping, and suspicious transaction reporting. The Real Estate Registry Board supervises real estate agents.

High-Value Goods

Individuals or companies trading in goods and making or collecting payment in cash whose value equals or exceeds EUR 10,000 are subject to AML/CFT Laws and supervision by the Tax Commissioner. Moreover, the trade in works of art is also supervised by the tax commissioner, who oversees the transaction where the value of the transaction equals or exceeds EUR 10,000 without limiting it to cash payments.

Accounting Sector

External Accountants, Auditors, Insolvency Advisors, and Tax Advisors in Poland are regulated as a DNFBP sector under AML/CFT Law. The Institute of Certified Public Accountants of Cyprus (ICPAC) plays a key role in the accounting sector’s compliance with AML/CFT regulations. As a supervisory authority, it issues guidelines, conducts audits, and enforces compliance among its members, ensuring adherence to AML/CFT laws. The AML Directive to the Members of ICPAC is a comprehensive document that strengthens the sector’s ability to detect and prevent financial crimes and safeguard their operations. This mandatory AML Directive outlines all key elements of the AML compliance program, including evidencing and documenting background screening searches (against PEP, Sanctions, and negative information) for clients, beneficial owners, significant shareholders, directors, bank signatories, Attorney, and Authorized Persons.

Furthermore, the Best Practices Guide of ICPAC suggests that cross-referencing information should include inquiring about public registries and private record databases. Moreover, Business Background Checks could involve searches in:

• Civil Court Records
• Criminal Records
• Credit-Check Databases
• Address Verifications Specialized searches, including facilities and location verification.
• Bankruptcy records
• National Newspapers Databases
• National and International Law Enforcement Databases, e.g., FBI & INTERPOL
• Regulatory Records
• Commercial screening databases

Administrative Services Providers (ASPs)

In Cyprus, Trust and Company Service Providers (TCSPs) are commonly referred to as ASPs. ASPs are obligated institutions under the Cyprus AML law who are required to conduct due diligence on their clients, detect, mitigate, and report any suspicion of money laundering and terrorism financing when providing their professional activities. Some examples of such activities include creating a trust or a company, providing a registered office address, acting or arranging a person to act as a director in a company or a partner in a trust, etc. CySEC is the supervisory authority that oversees their compliance with AML laws.

Legal Sector

Legal professionals and law firms are AML-obligated entities in Cyprus and are subject to preventing and detecting money laundering when carrying out their activities. The Cyprus Bar Association (CBA) is the supervisory authority for all lawyers and law firms.

The legal sector is especially vulnerable to money laundering risks when performing activities in the domain of real estate sale/purchase and formation of trusts and companies. Real estate activities and trust and company formation services were identified as the highest risk sectors, behind only the banking sector, in the National Risk Assessment (NRA) of Cyprus.

CBA provides numerous resources to help the legal sector familiarise itself with best practices for AML compliance and Sanctions compliance from the EU, FATF, and other international bodies. In addition to AML/CFT Law, lawyers are subject to the Directive of the CBA.

Work of Arts

In Cyprus, persons who store, trade, or intermediate the trade of works of art are subject to AML obligations if this activity is carried out in a free port and where the amount of trade equals or exceeds EUR 10,000. The Customs and Excise Department supervises such activities.

Casinos and Gambling Operators

Casinos and gambling services providers, including lotteries, poker games, and betting transactions, are regulated under AML regulations in Cyprus and supervised by the National Betting Authority (NBA). Casinos and gambling operators are also obligated to ensure that they don’t violate any provision of the Sanctions Act by dealing with any person listed on EU or UN sanctions lists. Casinos and gambling operators must conduct customer due diligence measures when carrying out transactions that amount to EUR 2,000 or more, such as collecting winnings or wagering of stakes, regardless of whether it was processed in a single transaction or series of connected transactions. When such a limit is reached, obligated entities are required to comply with other CDD measures, such as identifying PEPs and reporting any suspicion of money laundering or terrorism financing to the MOKAS. NBA’s Directive on the Prevention and Suppression of Money Laundering is a comprehensive guide for the entities it supervises.

Key elements of AML Compliance in Cyprus

Customer Due Diligence (CDD) Measures:

Identity Verification:

• Verify the customer’s identity as per defined EU and local regulations

• Identify and verify the beneficial owner, including understanding the ownership and control structure for legal entities.
• Verify the identity and authenticity of any third party claiming to be acting on behalf of the customer.

Nature and Purpose:

• Assess the purpose and intended nature of the business relationship.
• Obtain information from the client where assessment is not

Ongoing Monitoring:

• Continuously monitor transactions to ensure consistency with the customer’s profile and information available regarding the source of funds
• Keeping customer’s documents and information up to date

As per the Central Bank of Cyprus’ Directive, supervised institutions are required to periodically check their customer base for the presence of negative information in the press, the internet, or commercial information databases and update customer information or risk profile if necessary. Adopting a reliable screening solution can achieve this requirement for adverse media screening. In addition, this directive mandates that institutions screen their customer base and transactions against EU and UN sanction lists. The sanctions screening process should be performed in real time before processing any transaction or starting a business relationship with a customer.

Identity verification documents and personal information obtained while performing CDD measures are subject to the provision of the General Data Protection Regulation (GDPR) law in Cyprus.

When to apply CDD measures:

Obliged Entities are required to apply customer due diligence measures in the following situations:

• When establishing a business relationship
• When performing an occasional transaction (subject to certain limits)
• When the risk of ML/TF risk is assessed as high
• When the accuracy or adequacy of previously obtained identification information is in doubt

Reporting Obligation:

Obligated entities are required to report certain information to the MOKAS regarding reasonable suspicion that a person is engaged in money laundering or terrorist financing. This includes transactions that were attempted but not completed. Moreover, a report to MOKAS shall also be submitted in case a true match for terrorism-related sanctions is suspected to be linked to terrorist financing.

Sanctions Compliance in Cyprus

Supervisory authorities responsible for ensuring compliance with AML laws in Cyprus are also responsible for ensuring compliance with the sanctions applicable to Cyprus. As a member of the EU and UN, Cyprus must comply with EU and UN sanctions. EU and UN sanctions are incorporated in the Cyprus legal framework by Law 58(I)/2016.

When establishing a business relationship or conducting an occasional transaction, obliged entities should also consider the underlying risks associated with persons (legal/natural) subject to administrative sanctions imposed by local authorities such as the Cyprus Securities and Exchange Commission.

In addition, the  CBC Sanctions Directive advises on considering compliance with other international sanctions where they maintain operations in other countries, particularly sanctions enforced by OFAC of the US Department of Treasury and the UK HM Treasury.

CBC’s Sanctions Directive outlines a comprehensive strategy to ensure compliance with applicable sanctions regulations. Such as:

• Developing and maintaining up-to-date policies, procedures, and controls in line with the risks of sanctions associated with the  geographical diversity of its operations and customers
• Policies and procedures to screen customer information obtained during the CDD process against the sanction list Cyprus
• Screening against sanctions should include customers, beneficial owners, and related third parties (like directors, nominees, trustees, partners, representatives, contractors, etc) where applicable.
• Screening customers at the time of onboarding and re-screening on a real-time basis whenever there’s a change in client information or update in sanctions lists
• Screening the entire customer base for complying with ad-hoc requests by the CBC
• Maintaining the audit trail of the screening process

Supervisory authorities, empowered by article 59 of the AML/CFT law, can impose a fine reaching 1,000,000 and/or cancel the license in case of any violation committed against sanction regulations. In addition, a natural person who violates applicable sanctions in Cyprus could be liable for up to 2 years imprisonment, a fine not exceeding EUR 100,000, or both. On the other hand, violations committed by a legal entity could lead to a fine of EUR 300,000.

On 10 December 2024, the UK announced support for establishing a new National Sanctions Implementation Unit to enhance the capacity of the Island nation to stop illicit Russian funds from flowing into Europe. The Unit will share intelligence and expertise between OFSI, OTSI, and Cypriot Finance Ministry. Similarly, in 2024, Cyprus signed several MoUs with the United States to increase cooperation, training, and capacity building in different sectors, including countering emerging threats, money laundering, and sanctions evasion. These measures highlight Cyprus’ commitment to ensuring regional peace and security and outline the significance of compliance with international sanctions beyond EU and UN obligations.