AML/CFT Obligations for CySEC-Licensed CASPs: Full Compliance Framework

The Dual-Layer AML Framework: MiCA and Cyprus National Law

AML/CFT obligations for CySEC-licensed CASPs operate on two distinct legal layers — a distinction that is frequently misunderstood and that has practical consequences for how programmes are designed and maintained.

Layer 1 — MiCA’s financial services framework. Regulation (EU) 2023/1114 establishes the authorisation, conduct, and governance requirements for CASPs across the EU. MiCA’s AML/CFT provisions are limited — the regulation references AML obligations but does not itself constitute an AML regime. MiCA Title VI (Articles 83–92) requires that CASPs detect and prevent market abuse including insider dealing and market manipulation, but the substantive AML/CFT obligations derive from a separate legislative track.

Layer 2 — EU AML directives and Cyprus national AML law. The substantive AML/CFT framework applicable to CySEC CASPs derives from:

  • The Prevention and Suppression of Money Laundering and Terrorist Financing Law (Law 188(I)/2007) — Cyprus’s primary AML statute, implementing successive EU AML directives including the Fourth (AMLD4) and Fifth (AMLD5) Anti-Money Laundering Directives. This law designates CASPs as obliged entities subject to the full range of AML/CFT obligations.
  • EU AML Directives — AMLD4 (Directive 2015/849) and AMLD5 (Directive 2018/843) as transposed into Cypriot law, setting the framework for CDD, EDD, beneficial ownership, STR obligations, and supervisory powers.
  • FATF Recommendation 15 and its interpretive note — the international standard on virtual assets that Cyprus, as a FATF member via the EU, is committed to implementing.
  • CySEC AML circulars and guidance — CySEC publishes AML-specific supervisory guidance for CASPs, including expectations on risk assessment methodology, CDD standards for crypto-specific client types, and transaction monitoring requirements. These circulars are binding supervisory guidance that CySEC will assess compliance against during examinations.
  • The recast Transfer of Funds Regulation (EU) 2023/1113 — the EU’s Travel Rule framework, applying directly to crypto-asset transfers from 30 December 2024.

The practical implication of this dual-layer architecture is that CySEC CASPs must maintain an AML/CFT programme that satisfies both the MiCA governance framework and the substantive Cyprus AML law requirements. An AML programme calibrated only to MiCA’s conduct requirements — without addressing the Cyprus AML law obligations — is incomplete. An AML programme calibrated only to the AML law without addressing MiCA’s market abuse and governance requirements is equally incomplete.

For context on the broader global AML/CFT framework within which CySEC obligations sit, ComplyFactor’s top AML regulations and frameworks worldwide and ultimate guide to VASP compliance provide the international baseline.

The Upcoming EU AML Regulation: What CySEC CASPs Must Prepare For

The EU’s AML legislative architecture is undergoing its most significant reform since the Fourth AML Directive. The EU AML package — comprising the Anti-Money Laundering Regulation (AMLR), the Sixth Anti-Money Laundering Directive (AMLD6), and the Anti-Money Laundering Authority (AMLA) Regulation — will materially change the AML/CFT framework for CySEC CASPs.

The EU AML Regulation (AMLR). Unlike the directives it supplements, the AMLR is a directly applicable EU regulation — it will not require national transposition and will override national AML law provisions in its scope. For CySEC CASPs, the AMLR will standardise CDD requirements, beneficial ownership standards, PEP lists, and STR obligations directly, reducing the national variation that currently exists across EU member states. The AMLR is expected to apply from approximately mid-2027.

AMLA — the Anti-Money Laundering Authority. AMLA is being established as the EU’s central AML supervisory authority. It will directly supervise a defined population of obliged entities — including CASPs meeting certain thresholds — from approximately 2027-2028 (subject to AMLA’s operational implementation timeline). For CASPs below the direct supervision threshold, AMLA will coordinate and oversee the national supervisory authorities, including CySEC.

Practical implication for CySEC CASPs. Firms building AML programmes today should be designing for AMLR compliance from day one — not calibrating to current national law requirements with a plan to upgrade later. The delta between the current Cyprus AML law framework and the forthcoming AMLR is not trivial. Programmes built for national law compliance will require material revision at AMLR application. Programmes built with AMLR requirements already in scope will require only minor adjustment.

ComplyFactor’s AML compliance programme services are structured with the AMLR transition in mind — ensuring programmes are built to the forthcoming standard from the outset.

Business-Wide Risk Assessment

The business-wide risk assessment (BWRA) is the foundation of a CASP’s entire AML/CFT programme. It is not merely a documentation exercise — it is the analytical output that should drive every subsequent element of the programme: the risk appetite statement, the CDD framework, the transaction monitoring parameters, the EDD triggers, and the resource allocation across the compliance function.

CySEC’s supervisory assessment of AML programmes begins with the BWRA. An inadequate BWRA — generic, undifferentiated, or clearly templated — signals an inadequate programme and generates immediate supervisory scrutiny. Conversely, a well-constructed BWRA that demonstrates genuine analytical engagement with the firm’s risk profile signals a compliance culture that CySEC views favourably.

What must the BWRA cover?

A BWRA for a CySEC CASP must systematically assess ML/TF risk exposure across five risk dimensions:

Client risk. Who are your clients? What is their expected profile — retail, institutional, HNW, business, VASPs/CASPs? What are the higher-risk categories within your expected client base — PEPs, high-risk nationals, cash-intensive businesses, clients with complex ownership structures, other VASPs? What is the anticipated distribution of client risk across low, medium, and high-risk categories?

Product and service risk. For each service in your authorisation, what are the inherent ML/TF vulnerabilities? Custody services create exposure to the risk of clients depositing illicitly sourced crypto-assets. Exchange services create exposure to layering through conversion. Transfer services create exposure to structuring and smurfing. Each service’s risk profile must be individually assessed.

Geographic risk. Where are your clients located? Where do transaction flows originate and terminate? What is your exposure to high-risk jurisdictions — FATF grey-listed or black-listed countries, jurisdictions with known AML/CFT weaknesses, sanctioned territories? For CASPs with global client bases, geographic risk is frequently the most complex dimension of the BWRA.

Delivery channel risk. How are clients onboarded and how are services delivered? Non-face-to-face onboarding — the standard for crypto platforms — carries inherently higher identity verification risk than in-person CDD. What digital identity verification tools are used and what is their failure rate? Are services accessible via API to other platforms, creating intermediary risk?

Transaction risk. What are the expected transaction typologies — volumes, sizes, frequencies, asset types? What unusual transaction patterns are inherent to your business model? For an exchange, large single-currency conversion volumes may be normal; for a custody provider, frequent small deposits may be anomalous. The BWRA must define what normal looks like so that anomalies can be identified.

BWRA governance requirements. The BWRA must be approved by the management body, reviewed at minimum annually, and updated promptly on any material change to the business model, client base, or risk environment. Version control and audit trail of all BWRA iterations must be maintained. CySEC will look for evidence that the BWRA is a living document — not a static artefact produced for the application.

For a structured approach to risk assessment methodology, ComplyFactor’s AML risk assessment calculator provides a practical framework applicable to CySEC CASP risk assessments.

AML/CFT Policies and Procedures

The AML/CFT policies and procedures manual is the operational expression of the BWRA. Where the BWRA identifies risks, the policies and procedures define how those risks are controlled. CySEC expects to see policies that are genuinely tailored to the firm’s risk profile — not generic templates adapted with minimal customisation.

The core policy documents required for a CySEC CASP include:

AML/CFT policy statement. A board-approved statement of the firm’s commitment to AML/CFT compliance, its risk appetite, and the governance framework for the AML programme. This document sets the tone for the entire programme and should reflect genuine board engagement.

CDD and EDD procedures. Detailed procedures covering: identity verification standards for individual and corporate clients, beneficial ownership determination methodology, reliance on third-party CDD, simplified CDD circumstances, EDD triggers and additional measures, PEP identification and treatment, and periodic review of client risk classifications.

Transaction monitoring procedures. The rules and scenarios implemented in the transaction monitoring system, the alert triage process, the escalation pathway from alert to MLRO review, and the documentation standards for alert disposals.

STR/SAR procedures. The internal suspicious activity reporting process — from frontline staff identification through MLRO review, the MLRO’s decision-making framework, external reporting to MOKAS, and the tipping-off prohibition.

Sanctions screening procedures. Lists screened, screening frequency (including real-time screening at onboarding and transaction level), match handling protocols, escalation for potential hits, and the process for dealing with sanctioned clients or transactions.

Travel Rule procedures. The procedure for collecting, transmitting, and receiving originator and beneficiary information for crypto-asset transfers under the TFR, including the policy for transfers where counterparty CASP information cannot be obtained.

Record-keeping procedures. Retention periods, storage format, retrieval requirements, and data protection considerations.

Training procedures. Frequency, content determination, delivery method, records maintenance, and consequences of non-completion.

Independent audit procedures. Frequency, scope, provider selection, reporting, and management response to findings.

All policies must be reviewed annually as a minimum and updated on any material change. CySEC expects documented evidence of policy reviews — including the date of review, the reviewer, and a record of changes made or the rationale for no change.

Customer Due Diligence

CDD is the operational frontline of AML/CFT compliance. For CySEC CASPs, CDD obligations under Cyprus AML law cover the full lifecycle of the client relationship — from onboarding through to exit.

Identity verification. CySEC CASPs must verify the identity of all clients before establishing a business relationship or carrying out an occasional transaction above applicable thresholds. For natural persons, identity verification requires: full name, date of birth, nationality, address, and documentary evidence (government-issued photo ID). For legal persons, verification requires: legal name, registration number, registered address, articles of incorporation, and determination of the beneficial owners (natural persons holding or controlling 25% or more of shares or voting rights, or exercising control through other means).

Electronic identity verification. Most CASP client onboarding is conducted non-face-to-face through digital channels. Cyprus AML law permits electronic identity verification through approved methods — video identification, electronic identity documents, or certified third-party providers — subject to risk-appropriate reliability standards. CySEC expects CASPs to document the eKYC methodology used, the failure and fraud rates of the method, and the additional controls applied for non-face-to-face onboarding.

Beneficial ownership. For corporate clients, determination of beneficial ownership is a critical and often complex CDD obligation. Where beneficial ownership is held through a chain of holding companies or trust structures, the CASP must trace through to the ultimate natural person(s) exercising control. CySEC will look for evidence that beneficial ownership has been genuinely determined — not accepted at face value from corporate documentation.

Source of funds and source of wealth. For higher-risk clients — PEPs, clients with unusual transaction profiles, clients from high-risk jurisdictions, and clients requesting large or complex services — source of funds and source of wealth verification is required as part of the CDD or EDD process. For crypto-native clients, source of wealth may include cryptocurrency investment gains — documentation of the wallet address history and transaction provenance may be appropriate.

Simplified CDD. Cyprus AML law permits simplified CDD for lower-risk clients — specifically where the client, product, or transaction qualifies as lower-risk under the risk assessment framework. For CASPs, simplified CDD is more rarely applicable than for traditional financial institutions, given the inherently higher-risk profile of crypto-asset services. Any simplified CDD decision must be documented with the risk rationale.

Timing of CDD. CDD must be completed before establishing a business relationship. Where verification cannot be completed before establishment — for operational reasons in limited circumstances — verification must be completed as soon as practicable and the business relationship must be restricted until verification is complete. CySEC does not accept post-transaction KYC as standard practice.

Ongoing CDD review. Client risk classifications must be reviewed periodically — annually for high-risk clients, at least every three years for standard-risk clients, and triggered by material changes in client behaviour or profile. CySEC expects documented evidence of periodic review cycles, not just at-onboarding CDD.

⚠️ COMMON MISTAKE

Treating CDD as a one-time onboarding event rather than a continuous obligation is one of the most frequently cited AML failures in CySEC supervisory findings. A client who was low-risk at onboarding may become high-risk through changes in transaction behaviour, adverse media, or PEP status changes. CDD must be a living process — triggered by events, not just by the calendar. CASPs that rely solely on initial onboarding KYC without ongoing monitoring and periodic refresh are operating with a fundamental programme gap.

Enhanced Due Diligence

EDD is mandatory where higher ML/TF risk is identified — it is not discretionary. Cyprus AML law and CySEC’s supervisory guidance identify specific circumstances that automatically trigger EDD, alongside a general obligation to apply EDD wherever the risk assessment warrants it.

Mandatory EDD triggers under Cyprus AML law:

  • Politically Exposed Persons (PEPs). Any client who is a PEP — a person entrusted with a prominent public function, domestically or internationally — or a family member or known close associate of a PEP requires mandatory EDD. This includes former PEPs for a minimum of 12 months following cessation of the prominent function, though a risk-based continuation of EDD beyond 12 months is often appropriate. For CASPs, PEP identification must be automated — manual screening at onboarding is insufficient for any platform with meaningful client volumes.
  • High-risk third countries. Clients from jurisdictions designated as high-risk by the EU Commission — currently including jurisdictions on the EU high-risk third countries list — require mandatory EDD. CySEC additionally expects heightened attention to FATF-listed jurisdictions. The EU high-risk third country list is updated periodically and CASPs must ensure their EDD trigger framework is updated accordingly.
  • Non-face-to-face business relationships. Where a business relationship or transaction is conducted non-face-to-face, EDD measures must be applied to address the elevated identity verification risk. For CASPs where all onboarding is digital, this EDD obligation effectively applies to all clients — the practical response is to design the standard CDD process to meet the EDD standard for non-face-to-face relationships, rather than treating every client as requiring exceptional escalation.
  • Correspondent relationships with third-country institutions. Where a CASP enters into a correspondent or similar relationship with a VASP or financial institution in a third country, EDD on the counterparty institution is required — including assessment of the counterparty’s AML/CFT framework, supervisory status, and reputation.

Risk-based EDD triggers:

Beyond the mandatory triggers, EDD must also be applied wherever the risk assessment or monitoring process identifies elevated ML/TF risk. Risk-based EDD triggers for CySEC CASPs typically include:

  • Unusual transaction volumes or patterns inconsistent with the client’s stated profile
  • Large single transactions above defined thresholds
  • Transactions involving privacy coins or mixing services
  • Clients with adverse media or negative reputational intelligence
  • Complex or opaque ownership structures for corporate clients
  • Geographic risk flags — transactions involving high-risk jurisdictions beyond the mandatory list
  • Interactions with unhosted wallets above defined thresholds

EDD measures. EDD is not a binary add-on — it is a calibrated additional set of measures appropriate to the elevated risk. Measures may include: additional identity documentation, face-to-face verification, source of funds and source of wealth verification, enhanced transaction monitoring parameters, senior management sign-off for account approval, and more frequent periodic review. The specific measures applied and the rationale must be documented in the client file.

For a deeper understanding of the AML compliance officer roles responsible for managing EDD decisions, see ComplyFactor’s AML compliance officer roles and responsibilities guide.

Ongoing Monitoring

Ongoing monitoring is the continuous obligation to monitor client transactions and behaviour for consistency with the CASP’s knowledge of the client — and to update that knowledge when it changes. It sits between initial CDD and the transaction monitoring system as the mechanism for identifying when a client’s risk profile has changed and when anomalous activity requires investigation.

Ongoing monitoring for a CySEC CASP comprises three interconnected processes:

Behavioural monitoring. Tracking client transaction patterns against established baselines — flagging deviations that may indicate changed risk profile or suspicious activity. This is largely automated through the transaction monitoring system.

Periodic CDD refresh. Scheduled re-verification of client information and risk classification — annually for high-risk clients, every two to three years for standard clients, triggered on material change for all clients. CySEC expects this to be a systematic process with documented completion records — not an ad hoc exercise.

Event-triggered review. Specific triggers that prompt an unscheduled CDD review — changes in transaction behaviour, adverse media alerts, sanctions list additions, PEP status changes, client-initiated changes to account details or service scope, and STR filings. The CASP’s monitoring framework must be capable of receiving and acting on these triggers promptly.

Transaction Monitoring

Transaction monitoring is the technical cornerstone of AML/CFT compliance for a CASP. For any platform with meaningful transaction volumes, manual transaction review is neither scalable nor adequate — CySEC expects automated transaction monitoring systems calibrated to the firm’s specific risk profile.

System requirements. The transaction monitoring system must be capable of:

  • Real-time or near-real-time screening of transactions against defined rules and scenarios
  • Rule-based alerts — thresholds, velocity, geography, counterparty
  • Behaviour-based alerts — deviations from established client patterns
  • Alert triage and case management — structured workflow for alert review, disposition, and escalation
  • Audit trail — complete records of alerts generated, reviewed, and dispositioned
  • Reporting — management information on alert volumes, disposition rates, and escalation patterns

Rule calibration. The transaction monitoring rules and scenarios must be calibrated to the firm’s specific risk profile — not deployed as out-of-the-box defaults. Calibration requires: understanding of normal transaction behaviour for the client base, definition of anomalous patterns relevant to the firm’s services, and periodic review of rule performance (alert volumes, disposition rates, false positive rates). CySEC will assess rule calibration as part of AML programme reviews — generic, uncalibrated rule sets are a recurring finding.

Alert management. Every alert generated by the transaction monitoring system must be reviewed by a qualified analyst and dispositioned with documented reasoning. Alerts that are dismissed without documented rationale are a supervisory red flag. Alerts that meet the internal STR threshold must be escalated to the MLRO for consideration of external reporting.

Tuning and performance review. Transaction monitoring systems require regular tuning — adjusting thresholds and rules as the client base and transaction patterns evolve. CySEC expects evidence of periodic rule performance reviews and documented tuning decisions.
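As an added example that is not part of the original article: a minimal transaction monitor in Python that applies the rule-based alert types listed above (threshold, velocity, geography, counterparty, asset) and a behaviour-based deviation test against each client’s own baseline, then records alert dispositions in a way that refuses an undocumented dismissal. All threshold values, rule names and the sample transfers are constructed assumptions, not CySEC figures.

```python
# Added example (not ComplyFactor's code): a small rule-based and behaviour-based
# transaction monitor run over constructed sample transfers. All thresholds are
# assumed calibration values, not CySEC-mandated figures.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Tx:
    tx_id: str
    client_id: str
    ts: datetime
    amount_eur: float
    asset: str
    counterparty_country: str   # ISO 3166 code of the counterparty
    counterparty_type: str      # "casp" (hosted) or "unhosted"


@dataclass
class Alert:
    tx_id: str
    client_id: str
    rule: str
    detail: str


# Assumed calibration parameters; a firm derives these from its BWRA and from
# periodic rule-performance reviews, not from vendor defaults.
RULES = {
    "single_tx_threshold_eur": 10_000.0,
    "velocity_window": timedelta(hours=24),
    "velocity_max_count": 5,          # max transfers per client per window
    "high_risk_countries": {"ZZ"},    # placeholder code, not a real designation
    "unhosted_threshold_eur": 1_000.0,
    "privacy_assets": {"XMR"},
    "behaviour_sigma": 3.0,           # z-score above the client's own baseline
    "behaviour_min_history": 5,       # transfers needed before a baseline exists
}


def monitor(history: list[Tx], tx: Tx, rules: dict = RULES) -> list[Alert]:
    """Evaluate one new transfer against the client's prior history."""
    alerts: list[Alert] = []
    mine = [h for h in history if h.client_id == tx.client_id]

    # Rule-based alerts: threshold, velocity, geography, counterparty, asset.
    if tx.amount_eur > rules["single_tx_threshold_eur"]:
        alerts.append(Alert(tx.tx_id, tx.client_id, "single_tx_threshold",
                            f"{tx.amount_eur:.2f} EUR exceeds single-transfer threshold"))
    window_start = tx.ts - rules["velocity_window"]
    recent = [h for h in mine if window_start <= h.ts <= tx.ts]
    if len(recent) + 1 > rules["velocity_max_count"]:
        alerts.append(Alert(tx.tx_id, tx.client_id, "velocity",
                            f"{len(recent) + 1} transfers within {rules['velocity_window']}"))
    if tx.counterparty_country in rules["high_risk_countries"]:
        alerts.append(Alert(tx.tx_id, tx.client_id, "high_risk_geography",
                            f"counterparty in {tx.counterparty_country}"))
    if tx.counterparty_type == "unhosted" and tx.amount_eur > rules["unhosted_threshold_eur"]:
        alerts.append(Alert(tx.tx_id, tx.client_id, "unhosted_above_threshold",
                            "unhosted wallet counterparty above enhanced-screening threshold"))
    if tx.asset in rules["privacy_assets"]:
        alerts.append(Alert(tx.tx_id, tx.client_id, "privacy_asset", f"asset {tx.asset}"))

    # Behaviour-based alert: deviation from this client's own established pattern.
    amounts = [h.amount_eur for h in mine]
    if len(amounts) >= rules["behaviour_min_history"]:
        mu, sd = mean(amounts), pstdev(amounts)
        if sd > 0 and tx.amount_eur > mu + rules["behaviour_sigma"] * sd:
            alerts.append(Alert(tx.tx_id, tx.client_id, "behaviour_deviation",
                                f"{tx.amount_eur:.2f} EUR vs baseline mean {mu:.2f}, sd {sd:.2f}"))
    return alerts


def disposition(alert: Alert, outcome: str, rationale: str, analyst: str) -> dict:
    """Record an alert disposition; refuses an undocumented dismissal."""
    if outcome not in {"closed_false_positive", "escalated_to_mlro"}:
        raise ValueError(f"unknown outcome {outcome!r}")
    if not rationale.strip():
        raise ValueError("disposition requires a documented rationale")
    return {"tx_id": alert.tx_id, "rule": alert.rule, "outcome": outcome,
            "rationale": rationale, "analyst": analyst,
            "recorded_at": datetime(2025, 1, 10, 9, 0).isoformat()}  # fixed for reproducibility


def run_sample() -> dict[str, list[str]]:
    """Constructed sample data; returns the rule names fired per test transfer."""
    t0 = datetime(2025, 1, 1, 12, 0)
    # Client C1: six small hosted transfers over six days, then one large unhosted transfer.
    c1_hist = [Tx(f"T{i}", "C1", t0 + timedelta(days=i), amt, "BTC", "DE", "casp")
               for i, amt in enumerate([180.0, 220.0, 200.0, 210.0, 190.0, 200.0])]
    t7 = Tx("T7", "C1", t0 + timedelta(days=6), 12_000.0, "BTC", "DE", "unhosted")
    # Client C2: five identical transfers inside two hours, then a sixth.
    c2_hist = [Tx(f"U{i}", "C2", t0 + timedelta(minutes=20 * i), 500.0, "ETH", "FR", "casp")
               for i in range(5)]
    u5 = Tx("U5", "C2", t0 + timedelta(minutes=100), 500.0, "ETH", "FR", "casp")
    return {
        "T7": [a.rule for a in monitor(c1_hist, t7)],
        "U5": [a.rule for a in monitor(c2_hist, u5)],
    }


if __name__ == "__main__":
    for tx_id, fired in run_sample().items():
        print(tx_id, fired)
```

Note that the second client fires only the velocity rule: its baseline has zero variance, so the behaviour test is deliberately skipped rather than dividing by zero.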

💡 PRO TIP

Document every alert disposition — including the ones that are dismissed as false positives. CySEC’s AML examination teams review alert triage records as a proxy for the quality of the compliance function’s analytical judgment. A well-documented false positive dismissal that explains why the alert was not suspicious demonstrates competence. An undocumented dismissal suggests the alert was ignored. The difference between the two is not the outcome — it is the paper trail.

On-Chain Analytics

On-chain analytics is a crypto-specific component of the AML/CFT framework that has no direct equivalent in traditional financial services compliance. For CySEC CASPs providing exchange, custody, or transfer services, on-chain analytics tools are not optional — they are an expected element of a compliant AML programme.

On-chain analytics tools — such as those provided by established blockchain intelligence providers — analyse blockchain transaction histories to:

  • Assess the risk profile of crypto-asset wallet addresses (through clustering, entity identification, and exposure analysis)
  • Identify transactions involving wallets associated with known illicit activities — darknet markets, ransomware, mixers, scam operations, sanctioned entities
  • Provide risk scoring for incoming and outgoing transactions
  • Support investigation of suspicious transaction alerts
  • Generate evidence for STR filings involving on-chain activity

Integration requirements. On-chain analytics must be integrated into:

  • The client onboarding process (wallet screening at CDD stage)
  • The transaction monitoring process (screening of depositing and withdrawing wallet addresses)
  • The alert investigation process (deep-dive analysis of flagged transactions)

Unhosted wallet policy. CySEC expects CASPs to have a documented unhosted wallet policy — defining the risk assessment approach for transfers to and from wallets not held at regulated VASPs or financial institutions. For transfers above defined thresholds involving unhosted wallets, enhanced screening and potential EDD may be required. The FATF guidance on virtual assets and the Travel Rule’s treatment of unhosted wallets are the reference standards.

Suspicious Transaction Reporting

The obligation to report suspicious transactions to Cyprus’s Financial Intelligence Unit (MOKAS) is one of the most operationally significant AML obligations for a CySEC CASP. Getting it right requires both a sound internal escalation process and a clear understanding of the reporting threshold.

The reporting threshold. A suspicious transaction report (STR) must be filed with MOKAS where the MLRO knows, suspects, or has reasonable grounds to suspect that a transaction or activity involves the proceeds of criminal conduct or is related to terrorist financing. The threshold is suspicion — not certainty. CASPs must not wait for proof of criminality before filing. If there is genuine suspicion, the STR obligation is triggered.

The internal STR process. The internal process for STR consideration runs as follows:

  • Frontline staff or automated system identifies a potential suspicious indicator
  • Internal suspicious activity report (SAR) is submitted to the MLRO
  • MLRO reviews the internal SAR and supporting information, including transaction records and CDD file
  • MLRO makes a documented decision: file an external STR with MOKAS, or decline to file with documented reasoning
  • If filing, the STR is submitted through MOKAS’s designated reporting channel
  • Client is not informed of the STR — the tipping-off prohibition under Cyprus AML law applies strictly

MLRO decision documentation. Every internal SAR must generate a documented MLRO decision — either to file or not to file. The reasoning must be recorded. Undocumented MLRO decisions are a CySEC finding and signal an inadequate STR management process.

The tipping-off prohibition. Under Cyprus AML law, a person who knows or suspects that an STR has been or is about to be filed must not disclose this to the client or any other person likely to pass it on. This prohibition is absolute — breaching it is a criminal offence. CASPs must ensure that staff training covers the tipping-off prohibition explicitly and that account freezing or restriction actions do not inadvertently signal an STR filing to the client.

For a comprehensive overview of STR typologies relevant to CASPs, ComplyFactor’s understanding AML compliance guide and 6 AML trends compliance officers must follow provide practical context.

Sanctions Screening

Sanctions compliance is a parallel obligation to AML/CFT — related but distinct. For CySEC CASPs, sanctions screening obligations derive from EU sanctions regulations (which are directly applicable) and Cyprus national implementing legislation.

Lists to screen. CySEC CASPs must screen against:

  • EU consolidated sanctions list — maintained by the European External Action Service (EEAS), covering all persons, entities, and bodies subject to EU restrictive measures
  • UN sanctions lists — UN Security Council consolidated sanctions list
  • OFAC lists — while not directly binding on EU entities, OFAC sanctions (particularly the SDN list) carry significant secondary sanctions risk and correspondent banking implications; CySEC CASPs with USD exposure or US counterparty relationships should screen against OFAC lists as a matter of risk management

Screening frequency. Screening must occur at onboarding (real-time), at each transaction (real-time where operationally feasible), and on update of the sanctions lists (batch re-screening of the client base against any new designations).

Match handling. A sanctions match — whether a true match or a potential match requiring investigation — must be escalated immediately. True matches require: transaction blocking or freezing, account suspension, escalation to senior management and legal counsel, and notification to the relevant authority (in Cyprus, the Unit for Combating Money Laundering (MOKAS) and the Ministry of Finance). CySEC expects a documented sanctions match handling procedure that is clearly distinct from the STR process.

Sanctions evasion. CySEC and EU supervisors are increasingly alert to sanctions evasion through crypto-asset channels — including the use of mixing services, privacy coins, and cross-chain transfers to obscure the origin of funds subject to sanctions. On-chain analytics plays a critical role in identifying potential sanctions evasion patterns.

Travel Rule Compliance

The Travel Rule — formally the requirement to transmit originator and beneficiary information with virtual asset transfers — applies to CySEC CASPs from 30 December 2024 under the recast Transfer of Funds Regulation (EU) 2023/1113.

The EU approach. The EU adopted a zero-threshold approach — the TFR applies to all crypto-asset transfers regardless of amount, with no de minimis exemption. This is more demanding than the FATF standard, which sets a USD/EUR 1,000 threshold, and more demanding than the UK regime, which applies to transfers of £1,000 or more.

What information must travel?

For the originating CASP:

  • Originator’s full name
  • Originator’s account number (wallet address or account identifier)
  • Originator’s address, national identity number, customer identification number, or date and place of birth

For the beneficiary CASP:

  • Beneficiary’s full name
  • Beneficiary’s account number (wallet address or account identifier)

Unhosted wallets. Transfers to or from unhosted wallets — wallets not held at a regulated VASP or financial institution — require enhanced risk assessment under the TFR. For transfers above €1,000 involving unhosted wallets, CySEC CASPs must collect and verify originator/beneficiary information and assess the transaction for ML/TF risk. CySEC expects a documented unhosted wallet policy defining the treatment of transfers involving self-custody wallets.
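As an added example that is not part of the original article or of any Travel Rule provider’s software: a Python completeness check for the originator and beneficiary data listed above, applied with a zero amount threshold, plus the routing of unhosted-wallet transfers around the €1,000 figure from the unhosted wallets paragraph, and the receiving-side validation of an incoming message. Field names, action labels and the sample transfers are assumptions.

```python
# Added example (not ComplyFactor's code): completeness and routing checks for the
# originator/beneficiary information the TFR requires to travel with a transfer.
# Field names, action labels and sample values are constructed assumptions.
from dataclasses import dataclass, asdict


@dataclass
class Party:
    name: str = ""
    account: str = ""            # wallet address or account identifier
    address: str = ""            # postal address
    national_id: str = ""
    customer_id: str = ""
    birth_date_place: str = ""   # date and place of birth


@dataclass
class Transfer:
    transfer_id: str
    amount_eur: float
    originator: Party
    beneficiary: Party
    beneficiary_hosted: bool     # True if the beneficiary wallet is at a CASP or financial institution
    counterparty_casp: str = ""  # identifier of the receiving CASP; "" when it cannot be obtained


UNHOSTED_ENHANCED_THRESHOLD_EUR = 1_000.0   # figure the text gives for unhosted-wallet transfers

REQUIRED_ORIGINATOR = ("name", "account")
REQUIRED_BENEFICIARY = ("name", "account")
ORIGINATOR_IDENTIFIERS = ("address", "national_id", "customer_id", "birth_date_place")


def missing_fields(t: Transfer) -> list[str]:
    """Originator name, account and one identifier; beneficiary name and account.
    There is no amount check: the EU threshold is zero, so this runs on every transfer."""
    missing = [f"originator.{f}" for f in REQUIRED_ORIGINATOR if not getattr(t.originator, f)]
    if not any(getattr(t.originator, f) for f in ORIGINATOR_IDENTIFIERS):
        missing.append("originator.identifier (address, national id, customer id, "
                       "or date and place of birth)")
    missing += [f"beneficiary.{f}" for f in REQUIRED_BENEFICIARY if not getattr(t.beneficiary, f)]
    return missing


def route_outgoing(t: Transfer) -> dict:
    """Decide what the originating CASP does before releasing the transfer."""
    missing = missing_fields(t)
    if missing:
        return {"transfer_id": t.transfer_id, "action": "block_incomplete", "missing": missing}
    if not t.beneficiary_hosted:
        # Self-custody counterparty: no CASP to transmit to, but collect, retain and assess.
        action = ("enhanced_screening" if t.amount_eur > UNHOSTED_ENHANCED_THRESHOLD_EUR
                  else "record_and_release")
        return {"transfer_id": t.transfer_id, "action": action, "missing": []}
    if not t.counterparty_casp:
        # Hosted wallet but the receiving CASP cannot be identified: the firm's
        # documented policy for unobtainable counterparty information applies.
        return {"transfer_id": t.transfer_id, "action": "hold_counterparty_unknown", "missing": []}
    return {"transfer_id": t.transfer_id, "action": "transmit", "missing": [],
            "message": {"originator": asdict(t.originator), "beneficiary": asdict(t.beneficiary)}}


def check_incoming(message: dict) -> dict:
    """Receiving CASP side: validate a received message before crediting the beneficiary."""
    o = Party(**message.get("originator", {}))
    b = Party(**message.get("beneficiary", {}))
    t = Transfer("incoming", 0.0, o, b, beneficiary_hosted=True, counterparty_casp="sender")
    missing = missing_fields(t)
    return {"action": "hold_request_info" if missing else "credit", "missing": missing}


def run_sample() -> dict[str, str]:
    """Constructed sample transfers; returns the routing action per transfer id."""
    full = Party("Alice Example", "bc1qexampleoriginator", customer_id="CUST-0001")
    ben = Party("Bob Example", "bc1qexamplebeneficiary")
    cases = [
        Transfer("X1", 25.0, full, ben, True, "CASP-B"),                  # small, hosted, complete
        Transfer("X2", 25.0, Party("Alice Example", "bc1qexampleoriginator"), ben, True, "CASP-B"),
        Transfer("X3", 5_000.0, full, ben, False),                         # unhosted, above EUR 1,000
        Transfer("X4", 500.0, full, ben, False),                           # unhosted, below EUR 1,000
        Transfer("X5", 2_000.0, full, ben, True),                          # hosted, counterparty unknown
    ]
    return {t.transfer_id: route_outgoing(t)["action"] for t in cases}


if __name__ == "__main__":
    for transfer_id, action in run_sample().items():
        print(transfer_id, action)
```

X2 is blocked even though it is a €25 transfer: under the zero-threshold regime a missing originator identifier is a defect at any amount.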

Technical implementation. Travel Rule compliance requires a technical solution for transmitting and receiving the required information between counterparty CASPs. Several inter-VASP messaging protocols and network providers have emerged — CySEC expects CASPs to have a Travel Rule solution deployed and operational from day one of providing transfer services. For a practical implementation guide, see ComplyFactor’s Travel Rule guide.

🔔 COMPLIANCE ALERT

The EU’s zero-threshold Travel Rule is among the most demanding in the world. CySEC CASPs that handle high volumes of small transfers — consumer payment platforms, micro-transaction services — face significant operational burden in collecting and transmitting Travel Rule data for every transfer regardless of size. Firms in this category must plan their technical architecture with the zero-threshold requirement as a baseline from the design phase — retrofitting Travel Rule compliance onto a live platform is significantly more costly than building it in from the start.

The MLRO: Role, Obligations, and CySEC Requirements

The Money Laundering Reporting Officer is the keystone of a CySEC CASP’s AML/CFT programme. CySEC’s expectations for the MLRO role are substantive — not merely administrative — and the quality of the MLRO appointment is a significant indicator of the quality of the AML programme overall.

CySEC MLRO requirements:

  • The MLRO must be a member of the management body or a senior officer with direct access to the management body. This is not a junior compliance role — it requires genuine seniority and organisational authority.
  • The MLRO must be notified to CySEC before assuming the role. CySEC will assess the MLRO’s qualifications and experience as part of this notification process.
  • The MLRO must have sufficient resources — staff, systems, budget — to discharge the function effectively. An MLRO without analytical support, adequate transaction monitoring access, or sufficient time to review internal SARs is not a compliant MLRO regardless of their qualifications.
  • The MLRO must have operational independence — the ability to make STR filing decisions without management interference or commercial pressure. CySEC is alert to MLROs who are subject to inappropriate pressure from senior management on STR decisions.
  • Changes to the MLRO appointment must be notified to CySEC without undue delay. There must be no gap in MLRO coverage — succession arrangements must be documented.

MLRO responsibilities. The MLRO’s core responsibilities include:

  • Receiving and reviewing all internal suspicious activity reports
  • Making documented decisions on external STR filings to MOKAS
  • Maintaining the STR and SAR register
  • Overseeing the transaction monitoring function
  • Reporting to the management body on AML/CFT programme performance
  • Engaging with CySEC on AML matters
  • Overseeing AML training
  • Commissioning and managing the response to independent AML audits

For firms that require MLRO support — whether as a standalone fractional appointment or as part of a broader compliance function — ComplyFactor’s global MLRO services are structured to meet CySEC’s requirements for genuine senior-level MLRO capability. Our 5 reasons to outsource your MLRO sets out the model in detail.

AML Training

AML/CFT training is a mandatory element of the compliance programme under Cyprus AML law. CySEC expects training that is role-appropriate, documented, and genuinely effective — not a box-ticking annual completion exercise.

Who must be trained? All staff whose role involves client-facing activity, transaction processing, compliance, or management oversight must receive AML/CFT training. This includes directors, the MLRO, compliance officers, customer service staff, operations staff, and technology staff with access to client data or transaction systems.

Minimum content. Training must cover at minimum: the legal framework (Cyprus AML law, FATF standards, TFR), the firm’s specific AML/CFT policies and procedures, recognition of suspicious activity indicators relevant to the firm’s business, the internal SAR process, the tipping-off prohibition, and sanctions screening obligations.

Role-appropriate calibration. CySEC expects training to be calibrated by role — a customer service agent needs to understand CDD procedures and suspicious activity recognition; the MLRO needs to understand the full legal framework and STR filing obligations; the board needs to understand their governance responsibilities. Generic, one-size-fits-all training that does not address role-specific obligations is a recurring supervisory finding.

Frequency. Annual training is the baseline expectation. Additional training must be provided on material changes to the legal framework, the firm’s policies, or the risk environment. New staff must be trained before they assume client-facing responsibilities.

Records. Training completion records must be maintained — including the content delivered, the date, the attendees, and completion certificates. CySEC will request training records as part of AML programme assessments.

ComplyFactor’s AML training programmes are designed for CASP and regulated entity staff — role-appropriate, jurisdiction-specific, and documented to the standard CySEC expects.

Record-Keeping

Record-keeping obligations under Cyprus AML law are specific and non-negotiable. CySEC CASPs must retain AML/CFT records for a minimum of five years from the end of the business relationship or the date of the occasional transaction.

Records that must be retained include:

  • CDD documentation — identity verification documents, beneficial ownership determination, source of funds/wealth evidence
  • Transaction records — full records of all transactions processed, in a format that allows reconstruction of individual transactions
  • Correspondence with clients related to transactions
  • Internal SAR records — internal suspicious activity reports, MLRO decisions, and STR filings
  • AML programme documentation — BWRAs, policies and procedures (all versions), training records
  • MLRO decision log — documented decisions on all internal SARs
  • Sanctions screening records — screening results, match handling records

Records must be stored in a format that allows prompt retrieval upon request by CySEC or law enforcement authorities. CySEC has the power to request records at any time — the five-year retention obligation is the minimum; CySEC’s ability to request records is not time-limited in the same way.

Data protection considerations — particularly under the EU GDPR — interact with record-keeping obligations. CASPs must ensure their record-keeping and data protection frameworks are aligned — the AML record-keeping obligation provides a legal basis for retaining personal data beyond normal GDPR retention periods, but this legal basis must be properly documented in the CASP’s data protection framework.

Independent AML Audit

CySEC expects its licensed CASPs to commission independent AML effectiveness reviews at appropriate intervals. This is not merely an internal review — the independence requirement means the review must be conducted by persons who are not responsible for the AML function being reviewed.

What is an independent AML audit? An independent AML audit is a structured assessment of the AML/CFT programme’s effectiveness — not merely its documentation. It assesses whether the policies are adequate, whether they are being implemented in practice, whether controls are operating effectively, and whether the programme is proportionate to the firm’s risk profile. For a detailed comparison of internal and independent reviews, see ComplyFactor’s AML review vs AML audit guide.

Frequency. CySEC’s expectation is that independent AML audits are conducted at least annually for higher-risk CASPs — those providing custody, exchange, or trading platform services with significant volumes. For lower-risk service profiles, an 18-month to two-year cycle may be acceptable, subject to the MLRO’s assessment of programme risk. Following any material change to the business model, client base, or regulatory framework, an out-of-cycle audit is appropriate.

Scope. The independent AML audit should cover all material elements of the AML programme: the BWRA, CDD and EDD implementation, transaction monitoring effectiveness, STR process, sanctions screening, Travel Rule compliance, training, record-keeping, and MLRO function. The audit should include sample testing — reviewing actual CDD files, transaction monitoring alerts, and MLRO decision records — rather than relying solely on policy documentation review.

Reporting and management response. The audit findings must be reported to the management body. Management must produce a documented response to each finding, committing to remediation actions with defined timelines. CySEC expects to see evidence that audit findings are tracked to closure — not merely acknowledged.

Regulatory significance. CySEC may request sight of independent AML audit reports as part of its supervisory engagement. A well-structured independent audit that identifies and remediates weaknesses proactively is significantly preferable to weaknesses identified first by CySEC during a supervisory examination. The former demonstrates compliance culture; the latter creates enforcement risk.

ComplyFactor’s AML audit services provide CySEC CASPs with independent assurance that is genuinely independent, practitioner-delivered, and calibrated to CySEC’s supervisory expectations. Our AML audit checklist for 2025 and 15 critical areas compliance officers must review set out the scope framework in detail.

CySEC Supervisory Expectations: What the Regulator Actually Looks For

Understanding what CySEC actually scrutinises during AML programme assessments — drawn from supervisory practice and the patterns visible in CySEC’s published enforcement actions and thematic reviews — helps CASPs calibrate their programmes to the real standard, not just the documented one.

Programme substance over documentation. CySEC’s AML supervisory team is experienced in distinguishing genuine AML programmes from well-dressed compliance theatre. The key indicators of substance: the BWRA is specific and analytical; CDD files show evidence of genuine investigation rather than box-ticking; transaction monitoring alerts are documented with reasoning; MLRO decisions are recorded; training records are complete and role-appropriate.

The MLRO’s judgment trail. CySEC reviewers pay close attention to the MLRO decision log — the record of every internal SAR considered and the MLRO’s reasoning for filing or not filing. An MLRO who consistently declines to file STRs without documented reasoning, or who documents reasoning that is superficial, signals a compliance function that prioritises business relationships over regulatory obligation.

Calibration of transaction monitoring. Generic, out-of-the-box transaction monitoring rules that have never been tuned to the firm’s actual transaction patterns are identifiable to experienced supervisors. CySEC expects evidence of rule calibration — documentation of threshold-setting decisions, alert volume analysis, and periodic rule performance reviews.

Governance engagement. CySEC assesses whether the management body is genuinely engaged with AML/CFT oversight — not just the MLRO. Board papers should include regular AML/CFT programme updates, risk reports, and audit finding responses. A management body that has no documented AML/CFT agenda items in its board papers has a governance gap that CySEC will note.

Proactive regulatory engagement. CySEC views favourably CASPs that engage proactively — filing STRs promptly when required, notifying CySEC of material compliance incidents without waiting to be asked, commissioning independent audits without supervisory prompting, and responding to supervisory queries thoroughly and on time. The relationship with CySEC as supervisor is a long-term one — the compliance culture established in the early years of authorisation shapes the supervisory relationship for years to come.

For a comprehensive view of what good AML programme design looks like across the full lifecycle — from initial build through to ongoing maintenance and independent audit — ComplyFactor’s complete AML programme blueprint and AML advisory services provide the framework and practitioner support that CySEC-licensed CASPs need.

Frequently Asked Questions

When does the AML/CFT programme need to be in place — at application or at authorisation?

The AML/CFT programme documentation must be submitted as part of the CASP application pack to CySEC. However, the programme is expected to be operationally active from the point of commencement of services — not merely documented. CySEC will assess during post-authorisation supervision whether the programme described in the application is the programme actually being operated.

Does CySEC require a specific format for the business-wide risk assessment?

CySEC does not prescribe a specific template for the BWRA. What CySEC requires is that the BWRA is comprehensive, risk-based, specific to the firm, board-approved, and regularly updated. The methodology should be documented — explaining how risk factors were identified, weighted, and scored — so that CySEC reviewers can follow the analytical reasoning.

Can the MLRO role be outsourced to an external provider?

Partially. CySEC requires a named, notified MLRO who is a senior officer of the entity with direct management body access. This individual must be genuinely responsible for MLRO functions — they cannot be a figurehead with the substance outsourced entirely. However, the MLRO can be supported by external compliance advisers — and in some structures, the named MLRO may be a qualified practitioner provided on a fractional basis by a compliance firm. ComplyFactor’s global MLRO services are structured to provide genuine substantive MLRO capability within CySEC’s requirements.

How does AMLA affect existing CySEC CASP AML programmes?

AMLA, once operational, will either directly supervise large CASPs or coordinate the supervisory approach of national authorities like CySEC for smaller ones. The AMLR — expected from mid-2027 — will standardise AML/CFT obligations directly across all member states, overriding some national law provisions. Programmes built now should already incorporate AMLR-standard requirements where these exceed current Cyprus national law requirements. ComplyFactor’s AML programme development services are built with the AMLR transition in mind.

What are the penalties for AML/CFT non-compliance for CySEC CASPs?

CySEC has broad enforcement powers under Cyprus AML law — including administrative fines, public censure, suspension of the CASP authorisation, and referral to law enforcement for serious breaches. At the EU level, MiCA empowers national competent authorities to impose sanctions including financial penalties and revocation of CASP authorisation. Cyprus AML law provides for criminal penalties for intentional AML violations. The Monzo and Barclays cases analysed in ComplyFactor’s Monzo AML failures article and Barclays AML failures article illustrate the scale of enforcement consequences for material AML programme failures.

How does ComplyFactor help CySEC CASPs build and maintain AML/CFT programmes?

ComplyFactor provides end-to-end AML programme support for CySEC CASPs — from initial programme design and BWRA development through to MLRO appointment, policy drafting, transaction monitoring framework design, Travel Rule implementation advisory, AML training, and independent audit. Our team includes practitioners with direct CySEC regulatory experience and deep EU AML/CFT expertise. Contact us to discuss your AML programme needs.
