CYPRUS Law and Practice Contributed by: Angelina Fitoz, Svetlana Remezova, Darya Averyanova and Sude Dogan, Lawitt Buro
Key Reviewers External auditors, ICT security testers and specialist consultants regularly assess financial controls, safe - guarding, resilience and compliance environments. Professional Bodies The Institute of Certified Public Accountants of Cyprus influences outsourced accounting and AML standards; the Cyprus Bar Association oversees legal professionals acting as gatekeepers; and the Digital Security Authority reviews cybersecurity posture of designated digital service providers. Industry Standards Voluntary standards materially shape practice: the Cyprus Fintech Association promotes sector codes, and ISO/IEC 27001 and ISO 22301 certifications are commonly required by institutional counterparties. Tax Oversight Since 1 January 2026, the Cyprus Tax Department actively monitors crypto-asset and e-money reporting under DAC8. Market Expectations In practice, market expectations often drive compli - ance standards beyond formal statutory requirements. 2.13 Conjunction of Unregulated and Regulated Products and Services Hybrid Models Cyprus fintechs often combine regulated and unregu - lated services within a single ecosystem, such as bro - kerage with education tools, crypto exchanges with NFTs or loyalty tokens, and e-money issuance with Regulators allow mixed models within one entity if unregulated activities are ancillary, do not affect finan - cial stability or safeguarding, and are clearly separated operationally and in accounting. Higher-risk activities are often ring-fenced in separate group entities. Regulatory Focus Supervisors concentrate on: merchant analytics. Structural Approach
• clear distinction between regulated and unregu - lated products; • resilience of shared ICT infrastructure under DORA; and • continuous AML obligations across the full client relationship. MiCA Impact The 2025–26 MiCA roll-out has reduced the scope of previously unregulated crypto activities, making early classification analysis essential before launch. 2.14 Impact of AML and Sanctions Rules AML and sanctions compliance is a central opera - tional driver for fintech firms in Cyprus and increas - ingly affects hybrid and adjacent digital businesses. Regulated Firms Investment firms, payment institutions, EMIs and CASPs must apply risk-based due diligence, ongo - ing monitoring, sanctions screening and suspicious activity reporting. In crypto, the Travel Rule requires originator and beneficiary data to accompany transfers, increasing operational and technological demands. Sanctions screening now extends to ownership and control structures, with boards expected to demonstrate active oversight. Unregulated and Hybrid Firms Even where not directly licensed, technology providers and digital platforms are indirectly captured through regulated partners. Enhanced due diligence, contrac - tual AML clauses and audit rights are common. In hybrid models, AML obligations apply to the full client relationship and cannot be limited to regulated product lines. Sanctions and De-Risking Firms must document geographic, politically exposed person (PEP) and sectoral risk assessments. While blanket de-risking is discouraged, regulators expect proportionate, defensible onboarding decisions sup - ported by effective screening and escalation frame - works.
174 CHAMBERS.COM
Powered by FlippingBook