AML · Compliance · Q1 2025

The Cost of Non-Compliance

Non-compliance is not an administrative oversight. It is a measurable business risk. Firms that underestimate their regulatory exposure pay for it in fines, lost relationships, and operational disruption that rarely appears on any budget.

  • Up to €5M: administrative fines
  • €300K+: CySEC enforcement average
  • 3–10×: reactive vs proactive cost
  • Suspension: licence risk
  • Permanent: reputational impact

In the years since the EU's Fourth and Fifth Anti-Money Laundering Directives came into force, Cyprus has materially strengthened its supervisory regime. Regulators have moved from guidance to enforcement. The question for businesses operating here is no longer whether they will be reviewed. It is whether they will be ready when they are.

In this brief

01 The changed supervisory landscape in Cyprus
02 Fines, penalties, and enforcement actions by category
03 The hidden costs that exceed the fine itself
04 Where businesses consistently fall short
05 Cyprus-specific compliance obligations by framework
06 What a credible compliance framework requires
07 How Euromanagement manages compliance risk

01 Regulatory Landscape

A supervisory environment that has fundamentally changed

Cyprus supervisory authorities (CySEC, the Central Bank of Cyprus, ICPAC, and the Bar Association) have each increased the frequency and depth of their inspections. The shift reflects both EU-level pressure and Cyprus's own interest in protecting its position as a credible financial centre.

Several factors are driving heightened scrutiny across all sectors:

  • AMLD6 transposition: extending criminal liability for money laundering to legal persons, not just individuals, and expanding the list of predicate offences
  • FATF mutual evaluation pressure: Cyprus's ongoing monitoring cycle creates upstream pressure on domestic regulators to demonstrate effectiveness
  • DORA and AML/CFT convergence: for financial institutions, operational resilience and financial crime risk frameworks are now reviewed together
  • Beneficial ownership transparency: the UBO registry is actively verified, and discrepancies attract immediate regulatory attention

Regulators are increasingly focused on the quality and adequacy of risk frameworks, not merely their existence. A policy document that has not been tested, trained against, or updated since implementation is treated by examiners as equivalent to no policy at all.

02 Direct Exposure

Fines, penalties, and enforcement actions

Financial penalties in Cyprus are tiered by severity, recurrence, and the size of the entity involved. The following reflects the current administrative sanctioning framework applicable to regulated entities.

These figures represent administrative maxima. In practice, regulators exercise discretion based on cooperation, prior history, and whether the failure was systemic or isolated. Firms that self-identify deficiencies and engage proactively consistently receive more favourable treatment than those identified through examination.

Penalty Framework

Administrative sanctions by violation category

Violation Category | Applicable Regulator | Maximum Penalty | Risk Level
Inadequate AML/CFT policies | CySEC / CBC / ICPAC | €5,000,000 or 10% turnover | Critical
Failure to conduct CDD / EDD | CySEC / ICPAC | €1,000,000 per instance | High
Inaccurate or late UBO registration | Registrar of Companies | €20,000 + ongoing daily fine | Elevated
SAR / STR filing failures | MOKAS (FIU) | Criminal liability possible | Critical
GDPR / data protection breaches | Commissioner's Office | €20,000,000 or 4% global turnover | Critical
Late or deficient financial reporting | Tax Department / Registrar | €17,086 + 5% per month surcharge | Moderate

03 Indirect Costs

The costs that never appear in a fine notice

The fine is often the smallest element of the total cost of non-compliance. In the engagements we have supported, the categories below consistently exceed the penalty itself:

  • Management distraction: a CySEC inspection or ICPAC enquiry typically consumes 200–400 hours of senior management time across documentation, response preparation, and follow-up
  • Remediation programmes: rebuilding a deficient compliance function from the ground up costs materially more than maintaining one that works, often by a factor of five to ten
  • Banking relationships: correspondent banks and domestic financial institutions conduct their own due diligence on clients. A regulatory action on record can trigger account terminations across multiple institutions simultaneously
  • Client attrition: regulated counterparties, institutional clients, and fund managers are required to conduct periodic due diligence on their service providers. A public sanction can trigger mandatory offboarding
  • Insurance and bonding: PI cover and fidelity bonds are priced on regulatory history. A single material finding can increase premiums for three to five policy cycles
  • Recruitment: compliance talent avoids employers with poor regulatory records. The cost of attracting and retaining capable compliance officers in a constrained market rises sharply after a public action

In our experience, the total cost of a material compliance failure, taking into account fines, remediation, lost revenue, and reputational repair, is typically between eight and twenty times the value of the fine itself. The headline penalty is rarely the number that matters.

04 Common Failure Points

Where businesses consistently fall short

Through our work supporting regulated entities across Cyprus, we observe recurring patterns in how compliance frameworks fail. Most failures are not the result of wilful misconduct. They are the result of frameworks that were adequate at inception but were never maintained.

Failure 01

Static Risk Assessments

Business Risk Assessments and Customer Risk Ratings are completed at onboarding and never revisited. As products, geographies, and client profiles evolve, the risk picture diverges from the documented position.

Failure 02

Untested Procedures

Policies are written to satisfy a regulatory requirement and filed. Staff are unaware of their obligations, procedures have never been tested with real transactions, and internal audit findings go unresolved.

Failure 03

CDD Documentation Gaps

Customer due diligence files are incomplete, inconsistently maintained, or fail to evidence the source of wealth and source of funds at the standard now expected by regulators and correspondent banks alike.

Beyond these, we frequently encounter deficiencies in transaction monitoring calibration, absence of enhanced due diligence for PEP relationships, inadequate record-keeping under Cyprus's five-year retention requirement, and insufficient board-level engagement with compliance reporting.

05 Cyprus Context

Obligations specific to entities operating in Cyprus

Cyprus-domiciled entities face a layered set of compliance obligations that often exceed what their principals encounter in other jurisdictions. The principal frameworks relevant to most businesses are listed below. ASPs (Administrative Service Providers) operate under a dual obligation: they are both regulated entities with their own compliance requirements and gatekeepers responsible for the compliance posture of the structures they administer.

  • Prevention of Money Laundering Law (2021): Risk-based AML/CFT programme, CDD, record-keeping, SAR filing. Applicable to all obliged entities.
  • CySEC AML Directives: Compliance function, MLCO appointment, annual reporting. Applicable to CIFs, ASPs, and crypto entities.
  • ICPAC AML Standards: Client risk profiling, EDD for high-risk mandates, staff training. Applicable to accountants, auditors, tax advisors.
  • UBO Registry (Law 188(I)/2007, as amended): Accurate disclosure, timely updates within 60 days of change. Applicable to all Cyprus companies and partnerships.
  • DAC6 / MDR: Reporting of cross-border tax arrangements with hallmarks. Applicable to intermediaries and promoters.
  • GDPR (Regulation 2016/679): Lawful basis, privacy notices, breach notification, retention limits. Applicable to all entities processing personal data.

06 The Standard

What a credible compliance framework actually requires

Regulators have become explicit about what they expect to find during inspection. The following are no longer optional enhancements. They are baseline requirements for regulated entities operating in Cyprus:

  • A documented and current Business Risk Assessment: reviewed at least annually and whenever there is a material change to products, services, or client profile
  • A functioning compliance function: with a named MLCO, clear reporting lines to the board, and documented escalation procedures
  • Risk-rated customer files: with documented rationale, source of wealth evidence for high-risk relationships, and a schedule for periodic review
  • Staff training records: demonstrating that all relevant personnel have been trained on current obligations, with refresher cycles aligned to regulatory updates
  • An internal audit or independent review function: that tests the compliance framework against actual operations, not just against the policy documents
  • Board engagement: evidenced by compliance reporting to the board, board minutes discussing material compliance matters, and senior management accountability structures

07 Our Approach

How Euromanagement manages compliance risk for clients

  • Compliance programme design and gap analysis
  • Business Risk Assessment preparation and annual review
  • MLCO and DPO support services
  • CDD file review and remediation
  • Staff AML/CFT training and certification
  • UBO registry compliance and monitoring
  • Regulatory examination preparation
  • Post-examination remediation management
  • SAR/STR advisory and MOKAS liaison
  • DAC6 review and reporting support

The firms that manage compliance risk well do not do so by spending more. They do so by spending earlier, on the right things, with advisors who understand both the regulatory framework and the practical realities of operating a business within it. A compliance programme that works is a commercial asset. The alternative is a liability that compounds.

Start the Conversation

Every engagement begins with a conversation.

Contact us for a confidential consultation to review your compliance posture and identify areas of exposure before they become a regulatory matter.
