Cyprus has implemented a comprehensive anti-money laundering (AML) and counter-terrorist financing (CTF) rules and framework that aligns fully with the European Union's Anti-Money Laundering Directives and the recommendations of the Financial Action Task Force (FATF). These regulations affect virtually every aspect of establishing and operating a business in Cyprus — from opening a bank account and forming a company to maintaining ongoing business relationships and filing annual accounts. For Non-Dom entrepreneurs and international business owners, understanding the AML framework is not just a compliance exercise — it is essential practical knowledge that determines how quickly and smoothly your Cyprus setup proceeds.
The good news is that Cyprus's AML framework, while thorough, is well-established and predictable. When you understand what the regulators and service providers require, and you prepare accordingly, the compliance process becomes a manageable administrative step rather than an obstacle. This guide explains the framework, the practical implications for business owners, and how to navigate the requirements efficiently.
The AML Legal Framework
Cyprus's AML regime is governed by the Prevention and Suppression of Money Laundering Activities Law (Law 188(I)/2007, as amended), which transposes the EU's AML Directives into Cypriot law. The current framework reflects the requirements of the EU's Fifth Anti-Money Laundering Directive (5AMLD) and incorporates elements of the Sixth Directive (6AMLD). The law establishes obligations for "obliged entities" — financial institutions, professional service providers, and other businesses that are vulnerable to money laundering risk — to implement robust compliance measures.
Several regulatory authorities share responsibility for enforcing AML compliance in Cyprus. The Central Bank of Cyprus (CBC) supervises banks and payment institutions. The Cyprus Securities and Exchange Commission (CySEC) supervises investment firms, fund managers, and crypto-asset service providers. The Institute of Certified Public Accountants of Cyprus (ICPAC) supervises accountants and auditors. The Cyprus Bar Association supervises lawyers. And the Real Estate Agents Registration Council supervises real estate agents. Each authority issues its own guidance and conducts inspections within its sector, but the underlying legal requirements are consistent across all sectors.
Key AML Obligations
The AML framework imposes several core obligations on regulated entities and, by extension, on their clients (i.e., you as a business owner).
Customer Due Diligence (CDD/KYC): Before establishing a business relationship with you — whether as a client of a bank, a law firm, an accounting practice, or a corporate service provider — the regulated entity must verify your identity, understand the nature of your business, identify the source of your funds, and assess the money laundering risk associated with the relationship. This process, commonly referred to as Know Your Customer (KYC), involves collecting identity documents (passport, proof of address), obtaining information about your business activities and income sources, and screening your name against sanctions lists and politically exposed persons (PEP) databases.
Beneficial Ownership Identification: Regulated entities must identify and verify the beneficial owners of any legal entity they deal with. For your Cyprus company, this means disclosing who ultimately owns or controls the company — even if shares are held through nominee arrangements, trusts, or intermediate holding companies. The identity of beneficial owners must be verified to the same standard as the identity of direct clients.
Ongoing Monitoring: AML obligations do not end after the initial due diligence. Regulated entities must continuously monitor their business relationships, update client information periodically, and scrutinise transactions that are inconsistent with the client's known business profile. If your business activities change significantly, your bank or service provider may ask for updated information.
Suspicious Transaction Reporting: Regulated entities are legally obligated to report any transaction or activity that they suspect may be connected to money laundering or terrorist financing. Reports are filed with MOKAS (the Unit for Combating Money Laundering), Cyprus's Financial Intelligence Unit. The reporting obligation is confidential — the entity cannot inform you that a report has been filed — and failure to report is a criminal offence.
Record Keeping: All AML-related records — identity documents, transaction records, due diligence files — must be retained for at least five years after the end of the business relationship. This requirement ensures that records are available for inspection by regulatory authorities and law enforcement if needed.
What This Means for You in Practice
As a business owner establishing yourself in Cyprus, you will encounter AML procedures at every stage of the process. Understanding what to expect — and preparing in advance — significantly reduces delays and frustration.
| Stage | AML Requirements You'll Encounter | Typical Documents Needed |
|---|---|---|
| Company formation | KYC by corporate service provider | Passport, proof of address, CV, source of funds declaration, bank reference letter |
| Bank account opening | Full CDD by the bank | Passport, proof of address (home and Cyprus), bank reference, source of wealth evidence, business plan, company documents |
| Engaging an auditor | KYC by the audit firm | Passport, proof of address, company documents, beneficial ownership information |
| Engaging a lawyer | KYC by the law firm | Passport, proof of address, nature of legal matter, source of funds for property purchases |
| Property purchase | CDD by lawyer and real estate agent | Passport, proof of address, source of funds for the purchase price, bank statements |
| Ongoing business | Annual/periodic updates | Updated passport copies, proof of address, annual confirmations, changes in beneficial ownership |
Source of Funds vs Source of Wealth
These two concepts are frequently confused but are distinct AML requirements. Source of funds refers to the origin of the specific money involved in a particular transaction or deposit — for example, the funds used to purchase a property or the initial deposit into a bank account. Documentation might include bank statements showing the funds, a sale agreement from a previous property disposal, or a dividend distribution record.
Source of wealth is broader — it refers to the origin of your overall financial position. How did you accumulate your wealth? This might be documented through employment history, business ownership records, investment portfolio statements, inheritance documentation, or a combination thereof. Banks, in particular, may ask for a comprehensive narrative explaining how your wealth was built, supported by documentation.
For most Non-Dom clients, the source of wealth explanation is straightforward: business ownership, professional income, investments, or a combination. The key is to have documentation ready and to present it in an organised, coherent package. A well-prepared source of wealth file — assembled proactively before you need it — saves enormous time across multiple AML processes.
Enhanced Due Diligence for Higher-Risk Profiles
Certain client profiles trigger Enhanced Due Diligence (EDD), which involves more intensive scrutiny and additional documentation requirements. EDD is required for Politically Exposed Persons (PEPs) and their family members and close associates, clients from countries identified as high-risk by the EU or FATF, complex or unusual transaction structures, and businesses in higher-risk sectors (including cryptocurrency, online gambling, and arms trading).
If you fall into an EDD category — most commonly because you or a family member holds or has held a public office — expect a more detailed and lengthy due diligence process. This does not mean you will be refused service, but it does mean that banks and service providers will require more extensive documentation, conduct more thorough background checks, and may involve senior compliance staff in the review. PEP status is not an obstacle to doing business in Cyprus, but it requires transparency and patience.
Practical Tip
Create a personal "AML folder" before you begin your Cyprus setup. Include certified copies of your passport, recent proof of address from your home country and Cyprus, a comprehensive CV, a source of wealth narrative (one to two pages explaining how you built your wealth, with supporting documentation), bank reference letters, and recent bank statements. Having this folder ready means you can respond to AML requests from banks, lawyers, accountants, and corporate service providers within hours rather than days — dramatically accelerating every process.
The Beneficial Ownership Register
Cyprus operates a central Beneficial Ownership Register in accordance with EU AML Directives. All Cyprus-registered companies must identify their beneficial owners and register this information. A beneficial owner is any natural person who ultimately owns or controls 25% or more of the company's shares or voting rights, or who otherwise exercises control over the company's management. The register is maintained by the Registrar of Companies and is accessible to regulatory authorities, financial intelligence units, and — in certain circumstances — the public. For details, see our Beneficial Ownership Register guide.
Frequently Asked Questions
AML compliance timelines are driven by the thoroughness of the regulated entity's review process, the completeness of the documentation you provide, and the complexity of your personal and business profile. The single most effective way to speed up the process is to arrive with a complete, well-organised documentation package. Incomplete or poorly presented documents trigger requests for additional information, each of which adds days or weeks to the timeline.
Yes. Banks have the right — and in some cases the obligation — to decline a business relationship if they cannot satisfactorily complete the AML due diligence process. This can happen if source of funds or source of wealth cannot be adequately documented, if the applicant has adverse media or sanctions exposure, or if the business model is considered too high-risk. If refused by one bank, it is worth trying another — different banks have different risk appetites.
Yes. AML obligations include ongoing monitoring of existing relationships. Banks and service providers periodically request updated documentation — typically annually or when there is a significant change in your business or personal circumstances. Failure to respond to these update requests can result in account restrictions or even account closure.
Yes. Cyprus is rated compliant or largely compliant with FATF recommendations and fully implements EU AML Directives. The thorough AML processes that businesses encounter are evidence of this compliance — not a sign of dysfunction. Cyprus's commitment to AML standards is one of the factors that gives its tax regime credibility and sustainability within the EU framework.
Related: Beneficial Ownership Register, Company Bank Account Opening, Personal Bank Account, Substance Requirements.
AML Framework Overview
Cyprus's anti-money laundering (AML) framework is governed by the Prevention and Suppression of Money Laundering and Terrorist Financing Law (Law 188(I)/2007, as amended), which transposes the EU's Anti-Money Laundering Directives into national law. The framework imposes obligations on a wide range of entities classified as "obliged entities," including banks, accountants, lawyers, corporate service providers, real estate agents, and any person trading in goods where payment is made in cash exceeding EUR 10,000.
For Non-Dom entrepreneurs, AML regulations affect virtually every interaction with the financial and professional services system. When you open a bank account, form a company, engage an accountant, or purchase property, the professionals you work with are legally required to conduct customer due diligence (CDD) on you and your business. Understanding these requirements helps you prepare the right documentation and navigate the process efficiently rather than being surprised by requests for information.
The supervisory authority for AML compliance varies by sector: the Central Bank of Cyprus oversees banks and payment institutions, CySEC oversees investment firms and funds, the Cyprus Bar Association oversees lawyers, and ICPAC oversees accountants and auditors. A separate Financial Intelligence Unit — known as MOKAS (Unit for Combating Money Laundering) — receives, analyses, and disseminates suspicious transaction reports from all obliged entities.
Customer Due Diligence: What to Expect
Customer due diligence (CDD) is the process by which obliged entities verify your identity, understand the nature of your business, and assess the risk of money laundering or terrorist financing associated with the business relationship. CDD is conducted at the start of a new business relationship and updated periodically thereafter.
Standard CDD documentation: For individual clients, expect to provide: valid passport (certified copy), proof of residential address (utility bill or bank statement, less than three months old), source of wealth documentation (explaining how your assets were accumulated), source of funds documentation (explaining the specific funds being used in the transaction), and professional or business references.
Enhanced Due Diligence (EDD): If you are classified as a higher-risk client — which includes politically exposed persons (PEPs), clients from high-risk jurisdictions, and complex multi-layered ownership structures — additional documentation and scrutiny applies. EDD may include more detailed source of wealth investigations, additional reference checks, senior management approval for the relationship, and ongoing enhanced monitoring of transactions.
Ongoing monitoring: CDD is not a one-time exercise. Obliged entities must monitor your transactions on an ongoing basis and update your CDD file periodically. You may be asked for updated documentation annually or whenever there is a material change in your business activities, ownership structure, or risk profile. Responding promptly to these update requests maintains smooth relationships with your bank and service providers.
Prepare Your CDD Package in Advance
Before engaging any professional service in Cyprus, prepare a comprehensive CDD package: certified passport copies, proof of address, a clear narrative explaining your source of wealth (career history, business ownership, investments, inheritance), bank statements showing the funds available, and any relevant professional references. Having this package ready accelerates every engagement — from bank account opening to property purchase to professional service appointments. CMC provides a CDD checklist to all new clients during onboarding.
Obligations for Cyprus Company Owners
As the owner and director of a Cyprus company, you have specific AML obligations that go beyond your personal CDD requirements:
Know Your Customer procedures: If your company provides services that fall within the scope of AML regulations (financial services, professional services, real estate dealing, or high-value goods trading), your company must implement its own CDD procedures for its clients. This includes verifying client identity, understanding the purpose of business relationships, and monitoring transactions for suspicious activity.
Suspicious transaction reporting: If you become aware of or suspect that a transaction may involve the proceeds of criminal activity or may be related to terrorist financing, you are legally required to file a Suspicious Transaction Report (STR) with MOKAS. Failure to report a genuine suspicion is a criminal offence. The obligation applies regardless of whether the transaction is actually completed — even attempted suspicious transactions must be reported.
Record-keeping: All CDD documentation, transaction records, and correspondence must be retained for a minimum of five years after the end of the business relationship or the completion of the transaction. These records must be available for inspection by the relevant supervisory authority upon request.
Internal procedures: Companies within the scope of AML regulations must establish written internal AML policies and procedures, appoint a Money Laundering Compliance Officer (MLCO), provide regular AML training to staff, and conduct periodic risk assessments of their business activities and client base.
For most Non-Dom entrepreneurs operating trading companies, e-commerce businesses, or consultancy firms, the primary AML impact is on the receiving end — you are subject to CDD by your bank, accountant, and service providers, rather than being an obliged entity yourself. However, if your business activities bring you within the scope of AML regulations, compliance obligations are serious and require proper implementation from the outset.