If you’re opening a bank account in Cyprus, forming a company, or working with financial institutions on the island, you’ll encounter something called source of funds verification. It’s a phrase that tends to make people nervous, though it shouldn’t. The process exists for straightforward reasons, and once you understand what’s actually being asked, the whole thing becomes far less intimidating.
Cyprus has positioned itself as a significant financial hub within the European Union, and that status comes with obligations. Service providers across the country must follow strict anti-money laundering protocols that align with EU directives and international standards set by the Financial Action Task Force (FATF). The goal isn’t to make life difficult for legitimate clients. Instead, it’s about ensuring that the financial system remains transparent and free from abuse.
This article breaks down what happens during source-of-funds verification, why it matters, and how to prepare for the documentation requirements you’ll face.
The Legal Framework Behind These Checks
Cyprus AML legislation centres on the Prevention and Suppression of Money Laundering and Terrorist Financing Law, initially enacted in 2007 as Law No. 188(I)/2007. This law has been amended numerous times to incorporate EU directives, most recently the Fifth and Sixth Anti-Money Laundering Directives (5AMLD and 6AMLD).
The law applies to what regulators call “obliged entities.” This broad category includes:
- Banks and credit institutions
- Investment firms regulated by CySEC
- Trust and company service providers (TCSPs), also known as Administrative Service Providers (ASPs)
- Lawyers providing certain transactional services
- Accountants and auditors
- Real estate agents involved in high-value transactions
- Insurance companies offering life or investment products
These organisations must conduct customer verification before establishing any business relationship. They cannot simply take your word for it; they need documentation proving both your identity and the legitimate origin of any money you bring into the relationship.
The Unit for Combating Money Laundering (MOKAS) serves as Cyprus’s Financial Intelligence Unit, receiving and analysing suspicious transaction reports from these obliged entities. Meanwhile, supervisory authorities like the Central Bank of Cyprus, the Cyprus Securities and Exchange Commission (CySEC), and the Cyprus Bar Association oversee compliance within their respective sectors.
Source of Funds vs. Source of Wealth: Understanding the Distinction
People often confuse these two concepts, but they’re asking fundamentally different questions. Getting this distinction right will save you time when gathering your documents.
The source of wealth refers to how you accumulated your overall net worth over your lifetime. It’s the big picture. Did you build a successful business? Inherit family money? Work for decades in a high-paying profession? This explains your general financial position.
Source of funds, on the other hand, focuses specifically on the source of the money for a particular transaction. If you’re depositing €100,000 to open an account, the service provider wants to know: where exactly did that specific €100,000 originate?
Perhaps you sold a property. It may have come from a dividend payout. You may have liquidated some investments. The source-of-funds question is narrow and transaction-specific.
Both matter to compliance officers, though different situations trigger different levels of scrutiny. Standard due diligence might focus primarily on the source of funds, while enhanced scrutiny for higher-risk clients typically demands a thorough understanding of both.
When These Checks Get Triggered
Not every interaction with a Cyprus service provider triggers intensive source-of-funds verification. The law specifies specific circumstances in which CDD measures become mandatory.
Customer due diligence applies when:
- Establishing a new business relationship
- Conducting occasional transactions above €15,000 (or equivalent)
- Suspicion arises regarding money laundering or terrorist financing
- There are doubts about previously obtained customer data
- Transactions in certain sectors hit specific thresholds
Those sector-specific thresholds deserve attention. For gambling services or casino transactions, the trigger is €2,000 or more. Goods trading involving cash hits the threshold at €10,000. Crypto-asset service providers must apply full CDD measures for transactions of €1,000 or above, and fund transfers exceeding €1,000 fall under Regulation (EU) 2015/847.
| Trigger Situation | Threshold Amount |
| General occasional transactions | €15,000 |
| Gambling/casino activities | €2,000 |
| Cash transactions (goods trading) | €10,000 |
| Crypto-asset services | €1,000 |
| Fund transfers | €1,000 |
These aren’t arbitrary numbers. They reflect EU-wide standards designed to catch potentially suspicious activity while avoiding excessive burden on low-value, low-risk transactions.
What Documents You’ll Typically Need
The documentation requirements vary depending on your stated source of funds, but there’s a typical pattern to what service providers request. They’re looking for independent verification that your story matches reality.
For employment income:
- Recent payslips covering several months
- Employment contract showing salary terms
- Bank statements reflecting regular salary deposits
For business profits:
- Audited financial statements
- Tax returns showing business income
- Dividend distribution documentation
- Bank statements demonstrating consistent business revenue
For property sales:
- Sale and purchase agreement
- Title deed transfer documentation
- Conveyancing lawyer’s completion statement
- Bank records showing receipt of sale proceeds
For inheritance:
- Probate documentation or grant of letters of administration
- Will or testament (where applicable)
- Bank statements showing receipt of inherited funds
- Death certificate of the deceased
For investments:
- Brokerage statements showing the sale of securities
- Documentation of capital gains
- Records from investment platforms
- Bank statements showing credit from investment activity
For gifts or family wealth transfers:
- Signed gift declaration identifying the donor
- Proof of the donor’s relationship to you
- Evidence of the donor’s own source of wealth (in some cases)
- Bank records showing the transfer
The key point here is corroboration. Simply telling your service provider “I sold some shares” isn’t enough. They need statements from your broker, bank records showing the credit, and potentially documentation of your original ownership of those assets.
The Risk-Based Approach to Scrutiny
You may be wondering why your colleague breezed through account opening while you faced endless document requests. The answer lies in risk assessment.
Cyprus service providers must adopt a risk-based approach to customer due diligence. Not all clients present the same level of concern from a money laundering perspective, and treating everyone identically would be both inefficient and ineffective.
Factors that increase a client’s risk profile include:
- Connection to high-risk jurisdictions (countries with weak AML frameworks)
- Complex ownership structures involving multiple layers of companies
- Involvement in sectors known for elevated laundering risk
- Politically exposed person (PEP) status
- Adverse media coverage or negative information in databases
- Unusual transaction patterns that don’t match the stated business purpose
When any of these risk factors are present, service providers must apply enhanced due diligence (EDD). Under CySEC Directive R.A.D 282/2024 and the underlying AML law, this means more detailed verification of the client’s source of wealth and funds, senior management approval for the relationship, and intensified ongoing monitoring.
For PEPs specifically, Cypriot institutions must continue monitoring accounts for 12 months even after the individual ceases to be politically exposed. Close family members and associates of PEPs face similar scrutiny.
Simplified Due Diligence: When Less Is More
On the other end of the spectrum, certain low-risk relationships qualify for simplified due diligence. This doesn’t mean no verification at all; it simply means reduced requirements while maintaining basic monitoring for unusual activities.
Simplified CDD might apply to:
- Clients who are themselves regulated entities subject to AML obligations
- Listed companies whose ownership is transparent
- Transactions with EU government bodies
- Certain standardised, low-value products with limited laundering potential
Even with simplified measures, service providers must remain watchful. If circumstances change or suspicious patterns emerge, they’re obligated to immediately escalate to standard or enhanced procedures.
How Banks and Financial Institutions Handle Verification
Banks operating in Cyprus follow directives issued by the Central Bank of Cyprus, which supervises credit institutions. The KYC procedures include establishing an economic profile for each customer, along with verification of the source of wealth and the source of funds.
Cyprus banks are required to submit monthly reports to the Central Bank covering:
- Cash deposits exceeding €10,000 (or equivalent)
- Incoming and outgoing fund transfers above €500,000
These reporting obligations exist separately from the duty to file suspicious transaction reports when something genuinely concerning arises.
In practice, opening a bank account in Cyprus requires presenting identity documents (a passport or national ID card), proof of address (a utility bill dated within the last 3 months), and documentation supporting your source of funds. For larger deposits or business accounts, expect additional requests for tax returns, company registration documents, shareholder registers, and financial statements.
Record-keeping requirements require banks to retain customer identification documents and transaction details for at least 5 years after the end of the relationship. This allows authorities to trace activity if an investigation becomes necessary years later.
Why Payment Services Like Revolut Ask for Verification
If you use digital payment services in Cyprus, you’ve likely encountered source-of-funds requests from platforms like Revolut. These companies aren’t being nosy for entertainment; they’re meeting the same regulatory obligations as traditional banks.
Revolut, which operates across the EU and has specific Cyprus registration for its crypto services through CySEC, conducts source of funds checks for several stated reasons:
- Verifying that the account holder actually completed transactions
- Protecting users from fraud or connection to illegal activities
- Complying with laws that permit operation as a financial company
The company uses automated systems to flag accounts requiring verification based on factors it doesn’t publicly disclose. This means some users pass through without interruption, while others face detailed document requests seemingly at random. It isn’t personal; it’s algorithmic risk assessment combined with regulatory compliance.
Ongoing Monitoring: Verification Doesn’t End at Onboarding
Think of source-of-fund verification as more than a one-time hurdle. Cyprus service providers maintain obligations throughout the business relationship, not just at its inception.
Ongoing monitoring involves:
- Continuously reviewing transactions for unusual or suspicious patterns
- Updating customer information periodically (identity documents, addresses, beneficial ownership details)
- Reassessing risk levels when circumstances change
- Periodic screening against sanctions lists, PEP databases, and adverse media sources
If you become a PEP after establishing a relationship, expect your service provider to upgrade their scrutiny accordingly. Similarly, if news stories emerge linking you to controversial activities, that adverse media screening will flag you for review.
The Central Bank’s directive specifically requires supervised institutions to periodically check their customer base for negative press coverage and update risk profiles accordingly. Banks that discover concerning information cannot simply ignore it.
Consequences of Non-Compliance
For service providers who fail to meet AML obligations, the penalties are severe. Supervisory authorities can impose administrative fines of up to €1,000,000 or even cancel operating licences for serious violations.
Individual liability exists, too. Natural persons who breach sanctions regulations face up to 2 years’ imprisonment or a fine of €100,000. Legal entities can face penalties of €300,000 for similar violations.
In 2024, CySEC conducted over 850 audits and issued fines totalling €2.76 million to firms that failed to meet regulatory standards. Several investment firms had their licences revoked or suspended. This isn’t theoretical enforcement; it’s active supervision with real consequences.
For clients, providing false or misleading information about the source of funds can result in account closures, reported suspicious activity, and potential referral to law enforcement. It’s simply not worth attempting to circumvent these checks.
How to Prepare for a Smooth Verification Process
Understanding the process is half the battle. Here’s how to make things easier on yourself when dealing with Cypriot service providers.
Gather documentation proactively. Before you approach a bank or service provider, assemble the documents you’ll likely need. Recent bank statements, tax returns, employment records, or business financials should be readily accessible.
Be consistent. The information you provide verbally should match the information in your documentation. Inconsistencies raise red flags, even when innocent.
Expect follow-up questions. Compliance officers aren’t trying to trap you. If something isn’t clear, they’ll ask for clarification or additional supporting documents. Respond promptly and thoroughly.
Keep your records organised. Maintain clear records of significant financial transactions, property sales, inheritances, or significant gifts. You never know when you’ll need to demonstrate the trail.
Understand the timeline. Account opening can take longer than you expect, especially for complex structures or higher-risk profiles. Factor this into your planning.
Frequently Asked Questions
How do I check my own source of funds before submitting? Review your bank statements from the past 3–6 months to identify where significant credits originated. Trace each deposit back to its origin, whether employment, business revenue, asset sales, or other sources. Gather supporting documentation for each category before approaching a service provider. If a large credit came from another account you control, you may need to demonstrate the trail further back. The goal is to create a clear, documented path that any compliance officer can follow without confusion.
What payment service providers operate in Cyprus? Cyprus hosts numerous payment service providers, including traditional banks like Bank of Cyprus and Hellenic Bank, as well as digital platforms such as Revolut, Wise, and Paysera. Electronic money institutions and payment processors regulated by the Central Bank of Cyprus also serve the market. Each must comply with the same AML framework, though their specific verification processes may differ slightly. CySEC additionally oversees investment-related payment services, while crypto-asset service providers now fall under MiCA regulations for their particular activities.
Why does Revolut keep asking to verify my source of funds? Revolut, like all financial service providers operating in Cyprus and the broader EU, must comply with anti-money laundering regulations. Their automated systems flag accounts for verification based on various risk indicators, including transaction volume, transaction types, geographic factors, and other criteria they don’t fully disclose. Being asked for verification doesn’t mean you’ve done anything wrong. It simply means their systems identified your account for a periodic or triggered review. Providing requested documents promptly typically resolves these requests within days.
What are the main AML laws governing Cyprus? The primary legislation is the Prevention and Suppression of Money Laundering and Terrorist Financing Law (Law No. 188(I)/2007), which has been amended to incorporate EU directives, including 5AMLD and 6AMLD. Supplementary regulations include directives from the Central Bank of Cyprus for credit institutions, CySEC directives for investment firms, and sector-specific guidance from professional bodies like ICPAC for accountants. Cyprus also directly applies EU and UN sanctions. MOKAS coordinates intelligence gathering and suspicious activity reporting across all regulated sectors.
Get Expert Support for Your Cyprus Compliance Needs
If you’re establishing a business relationship with Cyprus service providers or need guidance on meeting AML documentation requirements, professional support makes a meaningful difference. The verification process becomes significantly smoother when you understand precisely what’s expected and prepare accordingly.
C. Savva & Associates LTD, based in Nicosia, provides expert assistance with corporate services, AML compliance, and regulatory requirements for individuals and businesses operating in Cyprus. Contact the team today to discuss your specific situation and ensure your documentation meets all necessary standards.