The Central Bank of Cyprus (CBC) has issued a new Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) Directive, officially published on 2 May 2025 (R.A.A. 120/2025, No. 5943), which entered into force on 2 June 2025.
Directive 120/2025 aligns Cyprus with evolving EU standards, reinforcing financial crime prevention while improving efficiency. It introduces stricter compliance measures, advanced risk management, and stronger enforcement, enhancing corporate accountability and due diligence for financial institutions.
Key updates in the 2025 AML/CFT Directive
Strengthened Corporate Governance & Accountability
- Boards and senior management take direct responsibility for compliance oversight and risk controls.
- Clarity on previous requirements for the Compliance Officers (CO) to report directly to the Board, ensuring transparency and independence.
- Requirement for the Board to define the obliged entity’s AML risk appetite policy.
- Regular compliance reports to the Board are mandatory and annual internal audits are required. Although this obligation existed in practice before, it now becomes mandatory.
- Explicitly mandates that the designated Board member must possess specific expertise, skills, and professional experience in AML/CTF risk identification, assessment, and management. More clarity is also provided on the roles and responsibilities of the designated Board Member.
- Group-wide compliance enforcement with official reference for the CO to coordinate with subsidiaries.
- Explicit reference for the appointment of a deputy CO to achieve continuity of the function’s operations.
- Requirement for a Central Point of Contact (CPoC) for overseas establishments in Cyprus to facilitate AML oversight.
- Requirement for ongoing monitoring of agent relationships, via regular on-site visits to evaluate compliance, continuous scrutiny of transaction patterns and location-based risks, as well as advanced risk management and flexible review schedules.
- Institutions must conduct mandatory risk assessments before launching financial products to mitigate exposure.
- Customer relationship reviews can now be tailored to risk levels, relaxing periodic reviews for low-risk individuals.
- More detailed and granular requirements are provided on staff training and awareness programmes.
Enhanced Compliance Monitoring & Internal Controls
- Continuous audits replace periodic reviews, ensuring proactive compliance oversight.
- Immediate regulatory reporting is required for compliance breaches, reducing reaction time.
Risk-Based Approach & Stricter Oversight of High-Risk Clients
- The new Directive formally integrates proportionality, while the previous version implied it indirectly through risk assessments.
- Compliance policies must differentiate between low, medium, and high-risk customers, focusing resources on higher-risk cases.
- Explicit requirement that shell companies, complex structures, and high-risk jurisdictions require Enhanced Due Diligence (EDD), while cross-border transactions face enhanced scrutiny.
- Focus on the business-wide risk assessment, enforcing the use of the four assessment pillars (customer, geography, distribution channel and products/services risk) and of the national and supranational risk assessments.
Improved Identification & Documentation Processes
- Copies of identification documents are now acceptable in more cases, reducing onboarding burdens.
- Existing validated customer information can be re-used for record updates, provided it remains relevant.
- Customers with health or mobility limitations can provide alternative documentation, such as proof of residence via government records or electronic utility bills.
- Triggers for re-evaluation now also include: Unusual transactions; Changes in client legal status (e.g., directors, shareholders); Negative media or database findings, etc.
- Dual-mail verification or physical visits for high-risk clients are now required.
- Unregulated Crypto Asset Service Providers face stringent checks, including: Business model evaluation; Verification of regulatory compliance in their jurisdiction; Enhanced scrutiny of transactions involving high-risk countries.
- Electronic systems must maintain a log of the person who scanned supporting documents, record the date/time of scanning, and prevent tampering or alteration.
Adoption of innovative technological monitoring tools
- Automated detection systems must be implemented to flag suspicious transactions.
- Machine learning models refine risk profiling and strengthen security measures.
Acceptance of Third-Party Verification & Electronic Formats
- Electronic documentation is recognised as valid, supporting streamlined compliance procedures.
Stronger Data Retention & Reporting Standards
- Requirement for immediate reporting procedures for suspicious transactions.
- Clearer customer data quality standards and retention policies.
- Compliance records for high-risk accounts must now be retained for 10 years (previous requirement was for 5 years).
- Regulators may demand enhanced transaction history disclosures to ensure financial transparency.
- Special focus is placed on identifying transactions linked to terrorism financing, even if they involve small amounts.
- Requirement to flag transactions possibly related to ML or TF.
- Restrictions on cash transactions are extended, providing more guidance on the verification process and the supporting documentation that needs to be obtained from obliged entities.
More Severe Sanctions & Regulatory Enforcement
- Higher financial penalties and legal consequences for non-compliance.
- The CBC strengthens audit frequency and enforcement authority over financial entities.
What obliged entities should do
Implement advanced technology-driven monitoring systems
Conduct Mandatory Risk Assessments
Enhance Due Diligence Procedures
Train Compliance Teams
Enhance Digital Onboarding
Update Procedures for Vulnerable Customers
Prepare for Stricter Reporting Standards
How we can support you
Comprehensive Impact Assessments
Evaluating the effect of Directive 120/2025 on financial operations, ensuring organisations remain compliant while identifying strategic opportunities.
Tailored Compliance Solutions
Providing regulatory alignment strategies with CBC requirements, integrating advanced data analytics to optimise monitoring and reporting processes.
AI-Driven Risk Mitigation & Automation
Leveraging analytics, machine learning, and automated transaction monitoring to strengthen fraud prevention and AML risk management.
Advanced Tools & Technology Implementation
Supporting financial institutions in adopting Data Marts, Dashboards, and AI-powered solutions to enhance financial crime detection and prevention.
Holistic Investigations & Regulatory Insights
Utilising analytics and automation to conduct efficient, in-depth financial crime investigations while benchmarking practices against global market trends.
Strategic Training Programmes
Delivering customised education for executive teams and compliance officers, ensuring practical understanding of evolving regulatory obligations.
Implementation Support & Action Planning
Assisting organisations in executing compliance strategies effectively, including updating governance frameworks, onboarding digital solutions, and optimising due diligence procedures.
Risk Based Approach
Advisory on proven methodological approaches to entity-wide and client-specific risk-based methodology, and on implementing supporting tools.