AML/CFT Compliance in Cyprus: CySEC, CBC, and the 2026 Regulatory Landscape
Cyprus's AML/CFT regime is under heightened scrutiny. The Cyprus Securities and Exchange Commission (CySEC) and the Central Bank of Cyprus (CBC) have intensified enforcement actions, with CySEC imposing €2.3 million in fines in 2025. The regulators are focusing on crypto-asset service providers, investment firms, and banks, with an emphasis on timely suspicious activity reports, documented customer due diligence, and stringent sanctions screening.
Key Facts at a Glance
- Primary regulator
- CySEC (Cyprus Securities and Exchange Commission) for investment firms, CIFs, AIFs, ASPs, CASPs; CBC (Central Bank of Cyprus) for credit institutions
- Primary AML law
- Prevention and Suppression of Money Laundering Activities Law of 2007 (Law 188(I)/2007)
- FIU
- Unit for Combating Money Laundering (MOKAS) at the Attorney General's Office
- Recent enforcement
- CySEC imposed €2.3 million in fines in 2025; recent thematic inspections focused on CASP onboarding KYC, CIF PEP controls
- EU supervisor
- European Banking Authority (EBA); European Securities and Markets Authority (ESMA)
The Regulatory Landscape
Cyprus's AML/CFT framework is built on the Prevention and Suppression of Money Laundering Activities Law of 2007 (Law 188(I)/2007), which transposes EU directives and sets out obligations for a wide range of entities. The Cyprus Securities and Exchange Commission (CySEC) regulates investment firms, CIFs, AIFs, ASPs, and CASPs, while the Central Bank of Cyprus (CBC) oversees credit institutions. The Unit for Combating Money Laundering (MOKAS), located within the Attorney General's Office, serves as the Financial Intelligence Unit (FIU).
Recent amendments to the Law 188(I)/2007, including the 2021 transposition of the 5th Anti-Money Laundering Directive (5AMLD), have strengthened Cyprus's AML/CFT regime. The European Banking Authority (EBA) and European Securities and Markets Authority (ESMA) also play a supervisory role, ensuring compliance with EU regulations.
CySEC's Updated Guidance
In 2025, CySEC issued updated guidance on AML/CFT, emphasizing the need for documented customer due diligence, timely suspicious activity reporting, and effective sanctions screening. The guidance highlights the importance of a risk-based approach and the need for entities to maintain adequate internal controls and procedures.
Customer Due Diligence and KYC
Cyprus entities are required to implement customer due diligence (CDD) measures, including verifying the identity of customers and beneficial owners. The Prevention and Suppression of Money Laundering Activities Law of 2007 sets out specific requirements for CDD, including the need to obtain verified data on a customer's full name, place and date of birth, nationality, and residential address.
CySEC has emphasized the importance of ongoing monitoring and timely updating of customer information. Entities are also required to implement enhanced due diligence (EDD) measures for high-risk customers and to maintain records of CDD and EDD activities.
Sanctions Screening
Cyprus entities are required to implement sanctions screening measures to prevent the facilitation of sanctioned individuals or entities. The CBC and CySEC have emphasized the importance of screening against EU, UN, and national sanctions lists.
Entities are expected to maintain up-to-date sanctions lists and to implement effective screening procedures to detect and report suspicious transactions. CySEC has highlighted the importance of integrating sanctions screening into overall AML/CFT risk-management frameworks.
SAR/STR Reporting
Suspicious Activity Reports (SARs) must be filed with the Unit for Combating Money Laundering (MOKAS) via the goAML platform. The CySEC and CBC emphasize the importance of timely reporting, with expectations for same-day or next-working-day filing in most cases.
CySEC has taken enforcement action against entities that have failed to meet SAR/STR reporting requirements. In 2025, the regulator imposed fines on entities for systemic failures to file suspicious activity reports in a timely manner.
Risk-Based Approach
The Prevention and Suppression of Money Laundering Activities Law of 2007 requires entities to implement a risk-based approach to AML/CFT. CySEC and CBC expect entities to maintain a documented institution-wide risk assessment and to implement controls and procedures proportionate to their risk profile.
Crypto-Assets: CASPs and MiCAR
Cyprus has been actively regulating crypto-asset service providers (CASPs). The CySEC has issued guidance on the regulatory framework for CASPs, emphasizing the need for documented AML/CFT controls and procedures.
The Markets in Crypto-Assets Regulation (MiCAR) will apply directly from 2026, setting out a full regulatory framework for CASPs. Entities are expected to comply with MiCAR requirements, including those related to AML/CFT and risk management.
Recent Enforcement
CySEC has taken enforcement action against entities for AML/CFT failures, including imposing fines and issuing warnings. In 2025, the regulator imposed €2.3 million in fines on entities for systemic failures to comply with AML/CFT regulations.
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| 2025 | CIF | €2.3m | Systemic failure to file SARs, inadequate CDD |
| 2024 | CASP | €150k | Inadequate AML/CFT controls |
| 2023 | Credit Institution | €50k | Failure to report suspicious transactions |
Practical Compliance Checklist
Minimum Documentation Set Under CySEC Guidance
- Institution-wide risk assessment, refreshed annually and on material change.
- Internal safeguards manual covering customer due diligence, ongoing monitoring, sanctions screening, training, and reporting.
- Written CDD procedures aligned with CySEC guidance.
- Sanctions screening policy covering EU, UN, and national lists.
- SAR/STR procedures referencing CySEC guidance and the goAML platform.
- PEP identification and EDD procedure.
- Designated AML Officer and deputy notified to CySEC.
- Staff training programme.
- For CASPs: documented AML/CFT procedures and MiCAR compliance.
Common Pitfalls
Three patterns dominate recent enforcement files. The first is SAR latency: entities that have built escalation processes around weekly compliance committees rather than daily filing capacity find themselves systemically late. CySEC's view is that "without undue delay" is a real-time standard, not a weekly one.
The second is fragmented governance: where AML investigations sit across multiple business lines or entities, CySEC treats the resulting coordination failures as substantive breaches.
The third is over-reliance on commercial screening tools without documented rationale. CySEC accepts the use of third-party PEP and sanctions databases but expects entities to evidence the matching algorithms applied, the false-positive thresholds set, and the data quality controls in place.
The European AML Regulation (AMLR) will apply directly from a date to be determined and will replace much of the Law 188(I)/2007's substantive content. Institutions should treat the period to implementation as a transition window: build now to AMLR standards using CySEC guidance.
How RegMantle Helps
RegMantle generates jurisdiction-specific AML/CFT documentation for Cyprus institutions, citing the Prevention and Suppression of Money Laundering Activities Law of 2007 and applicable EU regulations directly in the text. Generated documents include institution-wide risk assessments, AML/CFT policy manuals, CDD procedures, sanctions screening policies, SAR/STR procedures, and staff training programs.
Generate your Cyprus AML documentation in minutes
Stop paying for templated consultancy outputs. RegMantle produces audit-ready, Law 188(I)/2007-compliant documentation in under ten minutes.
Start Free →