The new Directive supplements the provision of the Prevention and Suppression of Money Laundering and Terrorist Financing Law 2017, as amended (the AML Law). The CBC AML Directive was published to the Official Gazette of the Republic of Cyprus on 2 May 2025 and entered into force on 2 June 2025.

• Extended scope of application: The Directive is addressed to all  obliged entities under the supervision of the CBC, including electronic money institutions, payment institutions, credit servicers, bureaux de change and financial leasing companies. The previously applicable AML Directive of the CBC was only addressed to credit institutions, resulting in ambiguity as to the obligations of other types of obliged entities. This also allows the Directive to differentiate between credit institutions and other types of obliged entities in certain areas, such as the content of the compliance officer’s annual report to the CBC.
• Revamped governance requirements: Clear obligations are placed on the board of directors, senior management, internal audit function, and compliance officers of obliged entities – complete outsourcing of the compliance officer function is now expressly prohibited.
• Extended scope of CDD obligations: CDD obligations not only apply in the instances provided in the AML Law, but also in other instances, including representatives/distributors with which the obliged entity contracts and third parties acting on behalf of an obliged entity’s customer.
• Enhanced recognition of the risk-based approach principle: There is a clear focus on providing flexibility on the CDD procedures adopted by obliged entities when justified by the risk of a particular business relationship/transaction. The Directive allows for the updating of client due diligence records on specific business relationships at a frequency which is proportional to the risk level of each customer, without specifying any minimum frequency for updating business relationships for customers with a low likelihood of involvement in money laundering activities have been repealed.
• Modernised CDD and KYC procedures: Building on the existing framework, the Directive contains detailed provisions on CDD and KYC procedures, including a number of updates such as:
  • Remote onboarding practices in line with relevant guidelines issued by the EBA;
  • Permitting the use of copies for identification cards for KYC refreshes;
  • Collecting CDD from persons with health issues and physical disabilities;
  • Provisions on non-discrimination in access to bank accounts and collecting CDD from persons with asylum seeker or other protected status in Cyprus;
  • Detailed rules on what constitutes a “shell company” and restrictions on providing services to them;
  • Express provisions on client accounts held by investment firms, gaming and betting operators, law firms, accounting firms and others.
• Acknowledgement that CBC-regulated entities may provide services to crypto-asset service providers (CASPs): The CBC Directive now expressly provides that CBC-regulated entities, importantly including Cyprus banking institutions, may open accounts for CASPs which are licensed under EU Regulation 2023/1114 on markets in crypto-assets (MiCA). This marks an important step in strengthening the integration of CASPs with the Cyprus banking system. Additional provisions apply for CASPs, which are not licensed under MiCA.
• Updated internal and external suspicion reporting obligations: The Directive contains templates for internal reporting of suspicious activities and their assessment, as well as updated related record keeping and other ongoing obligations.

The directive represents the culmination of extensive consultations between the CBC, industry professionals, and the Data Protection Commissioner of Cyprus. Their cooperative efforts have ensured the framework’s practicality and alignment with both national and international compliance standards.

Finally, it should be recalled that the EU Single Rulebook Regulation, which aims to harmonise various AML-related issues across all EU Member States, will become applicable on 10 July 2027 as part of the EU’s latest AML legislative package. At present it is unclear whether it is intended for the Directive to be adjusted in the near future to ensure consistency with the EU Single Rulebook Regulation but we are keeping track of developments and will continue to cover this important area in future blogs.

CBC’s press release can be found here and the Directive in Greek can be accessed here.

The CBC published a Frequently Asked Questions (FAQs) document, providing clarifications on key provisions of the Directive. This document, available in Greek, can be found here.