Practical AML Verification Steps for Directors of Cyprus-Registered Companies

Running a firm incorporated in Cyprus brings considerable advantages. Low corporate tax, access to European markets, and a strong legal tradition rooted in English common law all contribute to the appeal. Yet those benefits come with responsibilities that many directors underestimate. At the top of that list sits anti-money laundering verification, a process that demands ongoing attention and careful documentation.

This article presents practical steps for directors who want to stay on the right side of regulatory expectations. We will walk through the customer verification framework, explain what standard and enhanced checks entail, and provide guidance on maintaining records that demonstrate a genuine commitment to compliance. If you hold a board seat or plan to take one, this material deserves close reading.

The Legal Framework Directors Must Understand

Cyprus has built its anti-money laundering regime around the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (Law 188(I)/2007). This statute has been amended multiple times to incorporate evolving EU directives and recommendations from the Financial Action Task Force. The result is a framework that places specific obligations on entities operating within the jurisdiction, including corporate service providers, accountants, law firms, and financial institutions.

Several articles within this law shape day-to-day compliance activities:

  • Article 61 requires every legal entity to identify and assess potential exposure to illicit financial flows. This risk-based approach means resources must be allocated according to identified vulnerabilities rather than applied uniformly.
  • Article 64a imposes strict reporting duties when there is knowledge or reasonable suspicion that funds originate from criminal activity.
  • Article 70 establishes formal channels for communicating concerns about suspicious transactions to the appropriate oversight body.

Beyond the primary statute, sector-specific regulators issue directives that add further detail. The Central Bank of Cyprus released a new AML/CFT Directive (Κ.Δ.Π. 120/2025) in May 2025, which entered into force on 2 June 2025. This directive applies to all obliged entities under CBC supervision, including credit institutions, electronic money institutions, payment institutions, and bureaux de change. It introduced clearer obligations for boards, senior management, internal audit functions, and compliance officers.

CySEC, meanwhile, updated its own requirements through Directive R.A.D 282/2024 in August 2024. That directive clarified acceptable identification documents, introduced updated internal suspicion report templates, and formally recognised electronic verification methods.

Regulatory Bodies and Their Roles

Understanding who supervises what is essential for directors. The primary authorities include:

Authority | Supervised Sectors
Central Bank of Cyprus (CBC) | Credit institutions, EMIs, payment institutions, and credit servicers
Cyprus Securities and Exchange Commission (CySEC) | Investment firms, fund managers, crypto-asset service providers, ASPs
MOKAS (Financial Intelligence Unit) | Receives and analyses suspicious activity reports from all sectors
Institute of Certified Public Accountants of Cyprus (ICPAC) | External accountants, auditors, tax advisors, and insolvency advisors
Cyprus Bar Association (CBA) | Lawyers and law firms

Each body publishes its own guidance and conducts inspections. Directors should familiarise themselves with the authority that has supervisory responsibility for their firm’s activities.

Penalties for Non-Compliance

The consequences of failing to meet obligations are significant. Administrative fines can reach €1,000,000 or more, depending on the severity and nature of the breach. The Central Bank’s 2025 directive increased certain penalties from €100,000 to €350,000 for specific lapses. Beyond financial penalties, authorities can revoke licences, and responsible officers may face criminal prosecution. A conviction for money laundering can result in up to 14 years’ imprisonment and fines of up to €500,000.

These are not abstract threats. In recent years, CySEC and MOKAS have intensified inspections and imposed record penalties. Directors cannot afford to treat compliance as someone else’s problem.

Understanding the Three Tiers of Client Verification

Due diligence checklists are vital tools for organising tasks and ensuring nothing falls through the cracks. But before building a checklist, directors need to understand the different levels of scrutiny that may apply depending on customer characteristics and assessed risk.

Standard Customer Verification (CDD)

This is the baseline that applies to most business relationships. When a client’s risk profile suggests neither unusually low nor elevated concerns, standard procedures suffice. These typically involve:

  • Collecting and verifying identification for natural persons (passport copy, national ID, proof of residential address dated within three months)
  • Obtaining corporate documents for legal entities (certificate of incorporation, memorandum and articles of association, shareholder register, register of directors)
  • Identifying the ultimate beneficial owner, meaning any natural person who holds more than 25% of shares or voting rights, or who otherwise exercises control
  • Gathering information about the purpose and intended nature of the relationship
  • Conducting screening against sanctions lists, PEP databases, and adverse media sources

The KYC form should capture all this information in a structured way, making it straightforward to update and review.

Simplified Due Diligence (SDD)

When circumstances present a demonstrably low risk of illicit activity, regulators permit a streamlined approach. Simplified due diligence means collecting basic identification without necessarily verifying it through independent sources. However, this relaxed standard applies only in limited situations.

Typical candidates for SDD include:

  • Financial institutions supervised by recognised authorities and subject to their own anti-money laundering obligations
  • Government administrations or public enterprises
  • Entities listed on regulated stock exchanges
  • Certain low-value transactions below specified thresholds

Even when SDD applies, firms must continue monitoring the relationship. If anything changes and raises the risk profile, complete verification procedures become mandatory.

Enhanced Due Diligence (EDD)

High-risk situations demand more thorough investigation. Under Cyprus law and CySEC directives, enhanced due diligence is legally required for:

  • Politically exposed persons (PEPs), their family members, and close associates
  • Customers from high-risk third countries identified by the EU or FATF
  • Cross-border correspondent banking relationships
  • Unusually complex or large transactions lacking a clear commercial rationale
  • Opaque ownership structures designed to obscure beneficial ownership

Enhanced measures go beyond basic identification. They require:

  • Detailed evidence of the source of wealth and funds
  • Senior management approval before establishing the relationship
  • More frequent reviews after onboarding, typically at least annually
  • Additional background checks on all connected parties

The extra documentation takes time and resources, but it protects both the firm and the broader financial system from exploitation.

Building an Effective Compliance Checklist

A well-designed compliance checklist transforms abstract obligations into concrete, auditable steps. For directors, ensuring such a checklist exists and gets followed is both a legal duty and a practical safeguard.

Initial Client Onboarding

The first stage covers everything that happens before accepting a new relationship:

For Individual Clients:

  • Certified passport or national ID with photograph
  • Proof of residential address (utility bill, bank statement) dated within three months
  • Curriculum vitae or professional background summary
  • Source of wealth declaration explaining how assets were accumulated
  • Source of funds declaration for the specific transaction or relationship
  • Screening against the EU Consolidated Sanctions List, UN Security Council Resolutions, and OFAC’s SDN list
  • PEP screening using FATF-aligned databases
  • Adverse media search across relevant news sources

For Corporate Clients:

  • Certificate of Incorporation from the Registrar
  • Certificate showing registered office address
  • Memorandum and Articles of Association
  • Register of shareholders with percentage holdings
  • Register of directors and secretary
  • Good Standing certificate (for entities registered for more than two years)
  • Organisational chart showing ownership layers
  • Identification documents for all UBOs holding more than 25%
  • Identification documents for all directors and authorised signatories
  • Business description explaining planned activities
  • Sample contracts or invoices demonstrating trading relationships
  • Regulatory licences if operating in a controlled sector

Risk Categorisation:

  • Assign an initial risk rating (low, standard, high) based on customer type, geographic factors, and transaction profile
  • Document the reasoning behind the assigned category
  • Obtain senior management approval for any high-risk relationships

Ongoing Monitoring

Client verification does not end after onboarding. Continuous oversight is essential:

  • Review transaction patterns against expected activity profiles
  • Flag unusual or unexplained transactions for further investigation
  • Re-screen all clients periodically against updated sanctions and PEP lists
  • Update customer documentation when information changes (new directors, altered ownership, address moves)
  • Reassess risk profiles biannually for high-risk clients, annually for others
  • Maintain systems capable of detecting suspicious activity in real time

Record Keeping

Documentation must be retained for at least five years after the relationship ends. This includes:

  • All identification documents collected during onboarding
  • Records of verification procedures and their outcomes
  • Transaction records showing dates, amounts, currencies, and counterparties
  • Internal communications about risk assessments and decisions
  • Suspicious activity reports submitted to MOKAS
  • Training records showing staff attendance and topics covered

The ability to reconstruct individual transactions, including amounts and currencies, is specifically required by law.

Internal Reporting

When employees suspect something irregular, there must be a clear path for escalation:

  • Updated internal suspicion report templates (as mandated by the August 2024 CySEC directive)
  • Designated compliance officer to receive and assess reports
  • Defined timelines for evaluation and decision
  • Records of all internal reports and their resolution

Director Responsibilities Under Cyprus Law

Directors in Cyprus-registered companies carry specific duties under the Companies Law (Cap. 113), particularly Sections 171-197. These duties extend to ensuring the firm meets its regulatory obligations, including those related to financial crime prevention.

Board-Level Accountability

The Central Bank’s 2025 directive places explicit obligations on boards of directors. Key requirements include:

  • A designated board member must be responsible for implementing compliance policies
  • The board must approve the appointment of the AML compliance officer
  • Senior management must receive regular reports on the effectiveness of controls
  • High-risk relationships require board or senior management approval before establishment

The directive prohibits the complete outsourcing of the compliance officer function. While firms can engage external support, ultimate accountability remains internal.

Personal Liability Considerations

Directors are jointly and severally liable for damages arising from their failure to comply with their duties. In the context of anti-money laundering obligations, this means:

  • A director who knowingly permits non-compliance may face personal prosecution
  • Ignorance is not a defence if the director should reasonably have known about deficiencies
  • Proper delegation of tasks does not eliminate oversight responsibility
  • Documented evidence of genuine supervision can provide protection

Most importantly, directors must avoid conflicts of interest that compromise their willingness to enforce compliance policies. A board member with financial ties to a questionable client faces obvious difficulties maintaining objectivity.

Practical Steps for Directors

Given these responsibilities, directors should:

  • Ensure a qualified compliance officer is appointed and adequately resourced
  • Receive and genuinely review periodic compliance reports
  • Ask probing questions when information seems incomplete or unclear
  • Document their oversight activities in board minutes
  • Attend training on anti-money laundering obligations at least annually
  • Escalate concerns to supervisory authorities if internal remediation fails

The goal is not to become a compliance expert but to demonstrate active engagement with the firm’s regulatory posture.

Implementing a Risk-Based Approach

The regulations consistently emphasise that resources should be allocated based on assessed risk rather than applied uniformly. This risk-based approach requires firms to make judgments about where threats are most likely to materialise.

Risk Factors to Consider

Multiple variables feed into the client risk assessment:

Customer-Related Factors:

  • Type of entity (individual, listed company, trust, foundation)
  • Reputation and track record
  • Connection to politically exposed persons
  • Nature of business activities
  • Expected transaction volumes and patterns

Geographic Factors:

  • Country of incorporation or residence
  • Countries where the customer operates
  • Whether any jurisdictions appear on high-risk lists
  • Presence of effective local anti-money laundering regimes

Product and Channel Factors:

  • Complexity of the proposed relationship
  • Degree of anonymity involved
  • Whether non-face-to-face onboarding is used
  • Involvement of cash-intensive transactions

Transaction-Related Factors:

  • Size and frequency of expected transactions
  • Unusual patterns that lack a commercial explanation
  • Cross-border payments to or from high-risk jurisdictions

Documenting Risk Decisions

Every risk categorisation should be documented with supporting reasoning. If a customer is rated low risk despite one elevated factor, the file should explain why the overall assessment remains acceptable. Similarly, if enhanced procedures are applied, the specific concerns triggering that decision should be recorded.

This documentation serves two purposes. First, it demonstrates to supervisory authorities that decisions are thoughtful rather than arbitrary. Second, it creates an institutional memory that helps future reviewers understand past judgments.

Periodic Review

Risk assessments are not static. Circumstances change: a client may acquire a subsidiary in a high-risk jurisdiction, a director may become a politically exposed person, or adverse media may surface about a beneficial owner. Firms must have mechanisms to detect these changes and adjust their approach accordingly.

Common Pitfalls and How to Avoid Them

Even well-intentioned firms stumble when implementing verification procedures. Recognising frequent mistakes can help directors avoid them.

Incomplete Documentation

Missing or outdated documents are the most common cause of regulatory findings. Files may lack recent proof of address, omit identification for minority shareholders who collectively exceed the beneficial ownership threshold, or contain expired passports that were never refreshed.

Solution: Establish calendar reminders for document renewals and conduct periodic file reviews to identify gaps before inspectors do.

Over-Reliance on Third Parties

Some firms rely heavily on introducing agents or corporate service providers to conduct client verification. While the law permits specific reliance arrangements, ultimate responsibility remains with the firm accepting the client.

Solution: Verify that any third party relied upon operates under equivalent supervision and actually performs the required procedures. Request and retain evidence of their work.

Insufficient Adverse Media Monitoring

Sanctions screening often receives proper attention, but adverse media monitoring gets neglected. A customer may not appear on any official list yet feature prominently in news reports about fraud, corruption, or other concerning matters.

Solution: Implement systematic media screening using tools that can search across multiple languages and update continuously.

Static Risk Assessments

Assigning a risk rating at onboarding and never revisiting it ignores the dynamic nature of business relationships. A customer rated low risk five years ago may present very different concerns today.

Solution: Build periodic reassessment into standard operating procedures. Trigger additional reviews whenever significant changes occur.

Inadequate Training

Staff who do not understand their obligations cannot fulfil them effectively. Training limited to a single onboarding session leaves employees unprepared for evolving threats and regulatory expectations.

Solution: Provide annual refresher training, document attendance, and test comprehension through practical exercises.

Frequently Asked Questions

What is an AML checklist, and why do Cyprus directors need one?

An AML checklist is a structured tool that outlines specific verification steps required when onboarding clients or monitoring existing relationships. For directors of Cyprus-registered companies, such checklists ensure nothing is overlooked during customer identification, beneficial ownership determination, and sanctions screening. The Prevention and Suppression of Money Laundering Law imposes personal accountability on directors for compliance failures, making documented procedures essential protection. A well-maintained checklist demonstrates to supervisory authorities that the firm takes its obligations seriously and follows a systematic approach.

What penalties can directors face for AML non-compliance in Cyprus?

Directors may face both administrative and criminal consequences for failing to meet anti-money laundering requirements. Administrative fines can reach €1,000,000 or more, and the Central Bank’s 2025 directive increased certain penalties to €350,000 for specific lapses. Beyond financial penalties, authorities can revoke business licences, effectively shutting down operations. Individual directors may face criminal prosecution, with money laundering convictions carrying potential imprisonment of up to 14 years and personal fines of up to €500,000. These consequences underscore why board-level engagement with compliance matters.

How often should customer risk assessments be updated in Cyprus?

The frequency depends on the assigned risk level. High-risk customers require reassessment at least biannually, while standard-risk relationships typically warrant annual review. However, any significant change in circumstances should trigger an immediate reassessment, regardless of the scheduled timing. Such changes include new adverse media coverage, alterations in ownership structure, directors becoming politically exposed persons, or expansion into high-risk jurisdictions. The risk-based approach mandated by CySEC and FATF means firms must remain alert to evolving circumstances throughout the relationship.

Which documents are mandatory for corporate client verification in Cyprus?

For corporate clients, essential documents include the Certificate of Incorporation, Certificate of Registered Office, Memorandum and Articles of Association, register of shareholders showing percentage holdings, register of directors and secretary, and identification documents for all beneficial owners holding more than 25%. Directors and authorised signatories also require identification. Additionally, firms should obtain a Good Standing certificate for entities registered for over two years and organisational charts showing complex ownership structures. All documents must typically be certified, dated within the past 3 months, and provided in Greek or English.


Get Expert Guidance on Compliance Requirements

Meeting anti-money laundering obligations demands both technical knowledge and practical experience. Directors juggling multiple responsibilities benefit from professional support that keeps verification procedures up to date and documentation complete. C.Savva & Associates LTD, based in Nicosia, provides tailored advisory services for Cyprus-registered companies navigating these requirements.

Contact our team to discuss how we can support your firm’s compliance posture and reduce regulatory risk.