Cyprus -- AML/CFT Compliance Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
Cyprus has significantly strengthened its Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) framework, particularly concerning Virtual Asset Service Providers (VASPs), which it refers to as Crypto Asset Service Providers (CASPs). This was largely in response to the Fifth Anti-Money Laundering Directive (5AMLD) of the European Union, which brought virtual assets and their service providers into the scope of AML/CFT regulations.
Below is a comprehensive overview of the AML/KYC requirements for CASPs in Cyprus:
Regulatory Framework and Legislation
The AML/CFT framework for CASPs in Cyprus is primarily based on:
EU Anti-Money Laundering Directives:
- Directive (EU) 2015/849 (4AMLD): The foundational directive, establishing the risk-based approach, beneficial ownership registers, and enhanced due diligence.
- Directive (EU) 2018/843 (5AMLD): Crucially extended the scope of EU AML rules to include crypto-asset exchanges and custodian wallet providers, requiring them to be regulated and subject to AML/CFT obligations.
- Directive (EU) 2018/1673 (6AMLD): Harmonized the definition of money laundering offences and associated penalties across EU member states.
Cypriot National Legislation:
- The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (Law N. 188(I)/2007), as amended. This is the primary national law that transposes the EU AML Directives into Cypriot legislation. It has been amended multiple times to reflect the subsequent EU Directives.
- CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (Regulatory Administrative Act 342/2021) for CASPs. This specific directive, issued by CySEC, outlines the detailed AML/CFT obligations for CASPs, including registration, operational requirements, and specific procedures.
Definition of a Crypto Asset Service Provider (CASP)
Under Cypriot law, a CASP is a person who provides or exercises one or more of the following services or activities to another person or on behalf of another person, which are not covered by investment services or activities, or other services subject to specific legislation:
- Exchange between crypto assets and fiat currencies.
- Exchange between crypto assets.
- Management, transfer, holding, and/or safekeeping of crypto assets or cryptographic keys or means which allow the exercise of control over crypto assets.
- Offering and/or selling of crypto assets, including the initial offering.
- Participation in and/or provision of financial services relating to the distribution, offering and/or selling of crypto assets, including the initial offering.
Key AML/KYC Requirements for CASPs
CASPs in Cyprus must adhere to a comprehensive set of AML/KYC requirements, primarily driven by a risk-based approach:
1. Customer Due Diligence (CDD) Requirements
CASPs must conduct CDD on all new and existing clients, adapting the intensity of due diligence to the assessed risk.
Standard CDD:
- Identification and Verification of Customer Identity:
  - Natural Persons: Full name, date and place of birth, nationality, permanent residential address, unique identification number (e.g., passport or ID number). Verification requires reliable, independent source documents and/or data.
  - Legal Entities: Company name, legal form, registration number, registered address, names of directors and company secretary, articles of association, and proof of legal existence.
- Identification of Beneficial Ownership: For legal entities, identifying and verifying the ultimate beneficial owner (UBO) who directly or indirectly holds 25% or more of the shares or voting rights, or otherwise exercises control.
- Understanding the Purpose and Nature of the Business Relationship: CASPs must understand why the customer wants to use their services and the expected type and volume of transactions.
- Source of Funds (SoF) / Source of Wealth (SoW): Especially for higher-risk clients or significant transactions, CASPs must take reasonable measures to establish the source of the funds and/or wealth involved.
Simplified Due Diligence (SDD): May be applied in limited, specific low-risk situations, but generally, the inherent risks associated with virtual assets make SDD rare.
Enhanced Due Diligence (EDD): Must be applied in high-risk situations, including:
- Business relationships with Politically Exposed Persons (PEPs), their family members, or close associates.
- Customers residing in or conducting transactions with high-risk third countries (as identified by the EU or FATF).
- Non-face-to-face business relationships without adequate safeguards.
- Transactions involving unusual patterns, high value, or complex structures.
EDD measures include obtaining additional information, obtaining senior management approval, increased monitoring, and deeper SoF/SoW verification.
Ongoing Monitoring: Continuously monitoring the business relationship and transactions to ensure consistency with the CASP's knowledge of the customer, their business, and risk profile. This includes monitoring for suspicious patterns or unusual deviations.
2. Suspicious Transaction Reporting (STR)
CASPs are obliged to report any suspicion of money laundering or terrorist financing to the relevant authority.
- Internal Reporting: Employees must report suspicions to the appointed Money Laundering Reporting Officer (MLRO).
- MLRO's Duty: The MLRO must evaluate the internal report and, if a suspicion is formed, submit an STR to the Unit for Combating Money Laundering (MOKAS), which is Cyprus's Financial Intelligence Unit (FIU).
- Tipping-off: CASPs and their employees are strictly prohibited from disclosing to the customer or any third party that an STR has been or will be submitted, or that a money laundering investigation is underway.
3. Record-Keeping Obligations
CASPs must maintain records for a specified period to assist in any potential investigations.
- Duration: Records must be kept for at least five (5) years from the completion of the transaction or the termination of the business relationship.
- Types of Records:
  - Copies of all documents obtained for CDD (identification data, verification documents).
  - Originals or copies of transaction records, including the amount, currency, date, and parties involved.
  - Records of STRs made to MOKAS.
  - Records of internal policies, procedures, risk assessments, and training provided to staff.
- Accessibility: Records must be readily accessible to CySEC, MOKAS, and other competent authorities upon request.
4. Other Key Obligations
- Internal Policies and Procedures: CASPs must establish and maintain robust internal AML/CFT policies, controls, and procedures, including a comprehensive risk assessment. These should be documented in an "AML Manual."
- Money Laundering Reporting Officer (MLRO): Appointment of a suitably qualified and experienced MLRO at management level responsible for overseeing AML/CFT compliance.
- Staff Training: Regular and ongoing training for all relevant employees on AML/CFT risks, regulations, and internal procedures.
- Independent Audit: Establishment of an independent audit function to test the effectiveness of the AML/CFT policies and procedures.
- Sanctions Screening: CASPs must screen customers and transactions against relevant national and international sanctions lists (e.g., UN, EU, OFAC).
Overseeing Authority
The primary authority overseeing AML/CFT compliance for Crypto Asset Service Providers (CASPs) in Cyprus is:
- Cyprus Securities and Exchange Commission (CySEC): CySEC is responsible for the registration, supervision, and enforcement of AML/CFT rules for CASPs in Cyprus. They issue directives, guidelines, and conduct on-site inspections.
  - URL: https://www.cysec.gov.cy/
  - CASP Register: CySEC maintains a public register of authorized CASPs, which can be found here: https://www.cysec.gov.cy/en-GB/casp/registers/
The Financial Intelligence Unit (FIU) for Cyprus is:
- Unit for Combating Money Laundering (MOKAS): MOKAS is the central national authority responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and other information related to money laundering and terrorist financing.
  - URL: https://www.mokas.gov.cy/
Disclaimer: This information is for general informational purposes only and does not constitute legal advice. CASPs operating in Cyprus should seek professional legal and compliance advice to ensure full adherence to all applicable laws and regulations. The regulatory landscape is subject to change, and specific interpretations may evolve.
Source Data
**Regulator Name:** Cyprus Securities and Exchange Commission (CySEC)
**Entity Targeted:** eToro (Europe) Ltd (a major global trading platform also offering crypto services)
**Violation Type:** Non-compliance with regulatory requirements related to organizational requirements, safeguarding clients' funds, and prevention of money laundering and terrorist financing (AML/CFT). This included deficiencies in operational risk management, internal controls, and measures taken to prevent money laundering and terrorist financing.
**Date:** January 29, 2024 (The decision covered violations from January 2020 to December 2022).
**Outcome:** Imposition of an administrative fine. eToro (Europe) Ltd stated it has taken corrective measures.
**Source URL:** CySEC Official Announcement - eToro (Europe) Ltd
**Entity Targeted:** Bitpanda GmbH (a well-known European digital investment platform operating as a registered VASP in Cyprus)
**Violation Type:** Non-compliance with the AML/CFT Law, specifically regarding internal controls and measures for the prevention of money laundering and terrorist financing, and deficiencies in customer due diligence procedures.
**Date:** July 10, 2023 (The decision covered violations from December 2020 to September 2022).
**Source URL:** CySEC Official Announcement - Bitpanda GmbH
**Cyprus Securities and Exchange Commission (CySEC)**
**Role:** The primary regulator responsible for supervising and registering Virtual Asset Service Providers (VASPs) under the AML/CTF framework. It ensures compliance with AML directives, assesses the fitness and propriety of VASP management, and oversees operational requirements.
**Role:** Cyprus's Financial Intelligence Unit (FIU), responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and other information regarding potential money laundering and terrorist financing activities. While not a direct regulator of VASPs, it is central to the AML/CTF ecosystem.
**The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (L. 188(I)/2007), as amended.**
**Date:** Originally enacted in 2007, but significantly amended over time, particularly in **2021**, to transpose the **5th Anti-Money Laundering Directive (AMLD5)** and bring VASPs under its scope. These amendments defined "Virtual Assets" and "Virtual Asset Service Providers" (VASPs) and designated CySEC as the supervisory authority.
**Key Provisions:** Requires VASPs to register with CySEC, implement robust AML/CTF measures (KYC, transaction monitoring, risk assessments), report suspicious activities, and adhere to internal control procedures.
**CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (Regulatory Administrative Act No. 466/2021)**
**Key Provisions:** This directive provides the detailed operational requirements and guidelines for VASPs registered with CySEC. It covers:
- Categorization of VASP services (e.g., exchange between virtual assets and fiat, transfer of virtual assets, safekeeping, initial coin offerings).
- Specific AML/CTF obligations (customer due diligence, record-keeping, risk management, internal controls, reporting obligations).
- Organizational requirements (management, capital adequacy, professional indemnity insurance).
**EU Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114**
**Impact:** MiCA will be the overarching, harmonized regulatory framework for crypto-assets across the EU, including Cyprus. It will replace the existing national AML-driven frameworks for certain aspects and introduce comprehensive rules for crypto-asset issuance, operation, and services.
Rules concerning asset-referenced tokens (ARTs) and e-money tokens (EMTs) will apply from **30 June 2024**.
Rules concerning other crypto-assets and crypto-asset service providers (CASPs) will apply from **30 December 2024**.
**Cyprus's Stance:** CySEC is actively preparing for the implementation of MiCA, which will streamline the regulatory landscape and shift certain aspects from an AML-only focus to a broader prudential and market integrity framework.
**Permitted and Regulated:** Crypto trading and the operation of crypto exchanges (classified as VASPs) are **permitted** in Cyprus, provided they are properly **registered and supervised by CySEC**.
**Registration Requirement:** Any entity wishing to offer services related to virtual assets in or from Cyprus must apply for registration with CySEC as a VASP.
**Compliance Obligations:** Registered VASPs are subject to stringent AML/CTF requirements, including:
- **Customer Due Diligence (KYC):** Verifying the identity of their customers.
- **Transaction Monitoring:** Monitoring transactions for suspicious patterns.
- **Risk Assessments:** Conducting regular risk assessments related to money laundering and terrorist financing.
- **Reporting:** Reporting suspicious transactions to MOKAS.
- **Operational Requirements:** Adhering to organizational, governance, and capital adequacy requirements set by CySEC.
**Consumer Protection:** While the current framework is heavily AML-focused, CySEC's oversight aims to instill a degree of market integrity and consumer protection through the fitness and propriety assessment of management and operational controls. MiCA will significantly enhance consumer and investor protection.
**Adopted:** Yes, the Travel Rule is considered adopted in Cyprus through its direct application of EU law and the integration of FATF standards into its national AML/CFT framework.
**EU Level:** The primary legal basis for the Travel Rule for crypto-assets across the EU, including Cyprus, is **Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (recast Transfer of Funds Regulation - TFR 2023)**. This regulation repeals the previous TFR (EU) 2015/847 and is part of the EU's AML/CFT legislative package alongside the Markets in Crypto-Assets Regulation (MiCA). As an EU Regulation, it is **directly applicable** in all member states, including Cyprus, without requiring national transposition, though national authorities issue guidance.
**National Level:** The overarching national AML/CFT framework in Cyprus is the **Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (Law 188(I)/2007, as amended)**. This law incorporates various EU AML Directives (AMLDs) and grants regulatory powers to authorities like CySEC. CySEC issues directives and guidance under this national law to ensure compliance.
**URL (CySEC's page referencing AML/CFT law):** CySEC - Prevention and Suppression of Money Laundering and Terrorist Financing Law
For the EU as a whole, **Regulation (EU) 2023/1113 applies from 30 December 2024.**
Therefore, this is the de jure effective date for the full application of the Travel Rule for crypto-asset transfers in Cyprus as per the EU regulation. Cypriot Crypto Asset Service Providers (CASPs) must be fully compliant by this date.
**No lower threshold:** TFR 2023/1113 significantly amends the Travel Rule for crypto-asset transfers by eliminating the de minimis threshold. This means that for **all crypto-asset transfers, regardless of amount**, CASPs must obtain and verify originator and beneficiary information if they are involved in the transfer.
For crypto-assets specifically, this removes the previous €1,000 threshold that existed for traditional wire transfers in earlier iterations of the TFR.
The TFR 2023/1113 applies to **Crypto-Asset Service Providers (CASPs)** as defined under the upcoming MiCA Regulation.
In Cyprus, these entities are currently registered with the Cyprus Securities and Exchange Commission (CySEC) as **Crypto Asset Service Providers (CASPs)** under the Prevention and Suppression of Money Laundering and Terrorist Financing Law.
Are involved in the transfer of crypto-assets on behalf of a customer.
Provide other services related to crypto-assets that facilitate transfers.
**URL (CySEC CASP Register):** CySEC - Register for Crypto Asset Services Providers
Crypto-asset account number of the originator (or unique transaction identifier).
Address of the originator (or national identification number, or customer identification number, or date and place of birth).
Crypto-asset account number of the beneficiary (or unique transaction identifier).
**Information Verification:** CASPs must verify the accuracy of the originator information on the basis of documents or data obtained from a reliable and independent source.
**Information Transmission:** The required information must be transmitted with the crypto-asset transfer (or immediately after) to the beneficiary CASP, using secure and reliable communication channels. Interoperability solutions (e.g., TRP, OpenVASP, Travel Rule Universal Protocol - TRUP) are expected for efficient information exchange between CASPs.
**Record Keeping:** CASPs must retain the collected information for a period of five years, in line with general AML/CFT record-keeping requirements.
**Sanctions Screening:** CASPs are required to screen originator and beneficiary information against relevant sanctions lists.
**Missing or Incomplete Information:** CASPs must have policies and procedures for handling transfers with missing or incomplete information. This may include:
Reporting suspicious activity to the Unit for Combating Money Laundering (MOKAS), Cyprus's Financial Intelligence Unit (FIU).
CySEC's existing directives on AML/CFT compliance for CASPs (e.g., Circular C367 and Circular C446) set the broader expectation for robust internal controls, risk assessment frameworks, and the use of appropriate technology to manage AML/CFT risks.
**URL (CySEC Circulars - search for AML/CFT and CASP):** CySEC Circulars
**Monetary Fines:** Substantial fines can be imposed. For legal persons (CASPs), fines can reach up to **€5 million or 10% of their total annual turnover**, whichever is higher, or even up to twice the amount of the benefit derived from the breach, if that can be determined. For individuals, fines can reach up to **€1 million**.
**Withdrawal or Suspension of Authorization/Registration:** CySEC has the power to suspend or completely withdraw a CASP's registration if serious breaches occur, effectively preventing them from operating in Cyprus.
**Public Reprimands:** Disciplinary measures can include public statements identifying the non-compliant entity and the nature of the breach.
**Cease and Desist Orders:** Orders requiring the CASP to stop specific non-compliant activities.
**Referral for Criminal Prosecution:** In cases involving severe breaches, particularly those linked to actual money laundering or terrorist financing, the matter can be referred to the Attorney General's Office for criminal investigation and prosecution, which may lead to imprisonment for individuals.
Sources & Attribution
This article was generated by SearXNG+LLM.
This article is maintained by AI research workers and reviewed by human editors.