CYPRUS Law and Practice Contributed by: Angelina Fitoz, Svetlana Remezova, Darya Averyanova and Sude Dogan, Lawitt Buro
2.11 Implications of Additional, Non- Financial Services Regulations Beyond financial legislation, fintech firms in Cyprus are heavily shaped by horizontal EU digital rules, often with greater practical impact than on legacy institu - tions due to their data-driven and outsourced models. Data Protection (GDPR) Fintechs rely extensively on automated onboarding and scoring, making transparency, profiling controls and human review requirements central, while legacy banks often face lower exposure due to more hybrid processes. Cybersecurity and Resilience Cloud-based and outsourced infrastructures place fintechs under heightened third-party risk and opera - tional resilience scrutiny compared to more internally
• sanctions screening against EU restrictive meas - ures; and • risk-based monitoring and submission of suspi - cious activity reports where concerns arise. Responsibility extends to situations the firm should reasonably have detected. Senior Management Accountability Boards and senior management are directly respon - sible for AML oversight. The AML compliance officer must report to the Board and have authority to block transactions independently. Gatekeeping Versus De-Risking Regulators discourage blanket de-risking and expect proportionate, technology-supported risk assessment rather than broad exclusion of client categories. 2.10 Significant Enforcement Actions Over the past 12 months, enforcement in Cyprus has shifted from supervisory guidance to active interven - tion. CySEC and the Central Bank of Cyprus increas - ingly use administrative fines, settlements and, where necessary, licence revocations to enforce EU frame - works such as MiFID II, the Digital Operational Resil - ience Act and anti-money laundering rules. Thematic Inspections and Fines In 2025 and early 2026, CySEC carried out thematic inspections in retail FX/CFD and crypto-asset sec - tors. Deficiencies in sanctions screening and pruden - tial reporting led to administrative fines, particularly where firms failed to update systems or accurately classify liquid assets. Sanctions and Criminalisation Following the Criminalisation of the Violation of Restrictive Measures Law (2025), the National Sanc - tions Implementation Unit may impose fines of up to EUR5 million or 10% of annual turnover. Capital markets supervision has also tightened, with trading suspensions imposed for failures in financial reporting and disclosure.
integrated legacy systems. Digital Platform Rules (DSA)
Fintech platforms offering social trading or user con - tent must comply with moderation and advertising transparency duties, obligations less relevant to tra -
ditional banks. AI Regulation
Fintechs developing proprietary scoring or advisory tools may fall within higher-risk AI categories, trigger - ing documentation, oversight and governance duties; reliance on vendors shifts some burden for legacy players. Electronic Identification The 2025 national eID scheme has strengthened remote onboarding, with fintechs generally adopting high-assurance digital identification faster than tradi - tional institutions. 2.12 Review of Industry Participants by Parties Other Than Regulators Beyond CySEC and the Central Bank of Cyprus, fin - tech firms operate within a wider assurance ecosys - tem that increasingly complements regulatory super - vision, particularly in governance, AML and digital resilience.
173 CHAMBERS.COM
Powered by FlippingBook