Fintech 2026

CYPRUS Law and Practice Contributed by: Angelina Fitoz, Svetlana Remezova, Darya Averyanova and Sude Dogan, Lawitt Buro

The regulatory framework is as follows.

• Investment firms operate under the EU Markets in Financial Instruments Directive (MiFID II), which sets rules on conduct, governance and best execution.
• Payment and electronic money institutions operate under PSD2 and the electronic money regime, including safeguarding of client funds and security requirements.
• Crypto-asset services are governed by the Markets in Crypto-Assets Regulation, which introduced a formal authorisation regime with capital, governance and disclosure standards.
• Anti-money laundering rules apply across all sectors, including “Travel Rule” obligations for crypto transfers.
• Digital resilience is governed by the Digital Operational Resilience Act, which sets common ICT and outsourcing standards.

Supranational Versus National Context

Where EU law applies directly (such as MiCA and the Digital Operational Resilience Act – DORA), Cyprus cannot change the core rules. Local regulators focus on supervision and enforcement rather than rewriting the framework.

2.3 Compensation Models

Permissible Compensation Models

Fee structures in Cyprus depend on the firm’s licence and EU rules. Common models include:

• transaction fees (per trade, transfer or volume);
• spread-based pricing (especially in FX and CFDs), with transparency requirements;
• subscription models for premium services;
• asset-based portfolio fees, sometimes with performance elements, subject to conflict controls; and
• merchant and interchange income for payment institutions, within EU limits.

Mandatory Disclosures

Firms must clearly explain all costs, including indirect or third-party charges. Before providing services:

• investment firms must give a “Costs and Charges” breakdown showing the impact on returns; and
• crypto firms must publish their fee policy clearly.

For ongoing services, clients must receive at least annual statements showing the actual costs paid.

2.4 Variations Between the Regulation of Fintech and Legacy Players

The difference between fintech firms and legacy institutions in Cyprus is based on activity, not label.

• Banks may take deposits and lend, and are subject to full capital and liquidity rules.
• Payment and electronic money institutions cannot lend client funds and must safeguard them instead.
• Governance and digital resilience standards now apply across all sectors.
• Bank deposits are covered by a guarantee scheme, while payment and e-money client funds rely on safeguarding, not deposit insurance.

2.5 Regulatory Sandbox

Establishment and Scope

Cyprus launched its Regulatory Sandbox in June 2024 under CySEC, building on the earlier Innovation Hub and providing a formal testing framework. It is open to all types of financial innovation, with recent projects focusing on tokenisation, DeFi and AI-driven compliance.

Eligibility and Participants

Both licensed firms and start-ups may apply. Unauthorised entities must usually partner with a regulated firm or be close to authorisation, as the sandbox is not a licence-free space. Applicants must show genuine innovation, readiness for testing, consumer or market benefit and a clear regulatory uncertainty.

Testing Process

The process includes application, preparation of a testing plan, controlled live testing (typically up to six months) and a final evaluation with regulatory feedback.

Regulatory Approach

The sandbox offers supervised flexibility, not exemption from EU law. Core rules, including MiFID II, MiCA and AML requirements, continue to apply, and firms must maintain risk controls and exit plans.
