CYPRUS Law and Practice Contributed by: Angelina Fitoz, Svetlana Remezova, Darya Averyanova and Sude Dogan, Lawitt Buro
11.2 Concerns Raised by Open Banking Open banking risks in Cyprus such as privacy, cyber - security and fraud are addressed through a securi - ty-by-design model under GDPR, PSD2/PSD3 and DORA. Institutions now treat data protection as a core compliance and trust feature rather than a technical add-on. Data Privacy and Consent Banks use granular consent dashboards allowing cus - tomers to control which TPP accesses which data and for how long. Regulators apply a “reasonably nec - essary” standard, limiting data collection to what is required for the specific service. Operational Resilience Under DORA Banks must maintain ICT third-party registers and assess vendor resilience before API integration. Sys - temic institutions conduct threat-led penetration test - ing to ensure open banking interfaces do not create Screen scraping is being phased out in favour of secure APIs. Strong Customer Authentication increas - ingly relies on biometrics, and payment initiation is monitored through real-time transaction risk analysis. Liability and Co-Ordination Contracts shift liability to TPPs where breaches arise from their failures, and industry participants share threat intelligence to reduce ecosystem-wide risk. systemic vulnerabilities. Technical Safeguards In Cyprus, fraud is addressed through civil law, crimi - nal law and financial market legislation rather than a single statute. In fintech, the analysis usually falls into four categories. Civil Fraud (Tort of Deceit) To prove civil fraud, a claimant must show a false statement of fact made knowingly or recklessly, reli - ance on that statement, and resulting financial loss. All elements must be established cumulatively. 12. Fraud 12.1 Elements of Fraud
Criminal Fraud (Criminal Code Cap 154) Criminal offences include obtaining property or credit by false pretences, falsification of company accounts by directors or officers, and broader “cheating” provi - sions covering fraudulent tricks used to obtain money or goods. Market Abuse and Financial Services Fraud In regulated markets, fraud overlaps with market abuse rules under MAR and related laws. This includes market manipulation, dissemination of false informa - tion and use of deceptive devices to influence prices, including crypto-assets. Technology-Related Fraud (2026 Focus) Regulators now treat AI-based deepfakes, spoofed communications and algorithmic wash trading as clear indicators of fraudulent intent. Where trading systems are designed to manipulate markets, liability arises regardless of whether a human directly trig - gered the transaction. 12.2 Areas of Regulatory Focus Cyprus regulators have intensified action against tech-enabled fraud, aiming to close gaps created by instant payments and AI-driven scams. The focus is shifting from reactive investigation to preventative controls and liability allocation. Authorised Push-Payment (APP) Fraud APP scams are a priority for the Central Bank of Cyprus. Under updated PSD2/PSD3 and PSR prac - tice, banks face increased liability, especially in imper - sonation cases – eg, deepfake “bank employee” calls. Failure to implement tools such as confirmation of payee may result in full reimbursement obligations. AI-Powered Scams and Deepfakes Following CySEC Circular C751, regulators treat AI- generated investment promotions and highly person - alised phishing as high-risk threats. Firms are expect - ed to upgrade transaction risk analysis systems to detect social-engineering patterns in real time. Crypto Market Abuse Under MiCA With full MiCA implementation, CySEC is targeting wash trading, spoofing and misleading token disclo -
188 CHAMBERS.COM
Powered by FlippingBook