KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

namedate of birthaddressoccupationsignature specimenphotographpermanent address

KYC to onboard international persons

namedate of birthaddressoccupationsignature specimenphotographpermanent address

corporate requirements

full nameregistration addresslatest reports&accountscertificate of incorporationcompany's memorandum copyarticles of associationidentification documents of directorsidentification of beneficiary shareholder

National ID card name

Cypriot Identity Card

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

E-sig law files

What year did the relevant AML laws and regulations become effective?

1996

Further details on AML regime

1996.

Who is the regulator for AML controls for Banking

Central Bank of Cyprus

Link to site

http://www.centralbank.gov.cy/

Other financial Services

Cyprus Securities and Exchange Commission (“CySEC”)

Website of Regulator

http://www.cysec.gov.cy/

Financial Sector regulator

http://www.law.gov.cy/law/mokas/mokas.nsf/index_en/index_en?OpenDocument

Practical Guidance for AML

The Institute of Certified Public Accountants of Cyprus (“ICPAC”) has issued a Directive for the Prevention & Suppression of Money Laundering & Terrorist Financing Laws of 2007 and 2010 that serves as

Is there a requirement to verify the identity of customers retroactively?

No.

Retroactive details

No.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Cyprus is being assessed by MoneyVal Council Of Europe. The latest report was released in September 2011

PDF of FATF review

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

Yes, occasional transactions under EUR15,000 whether the transaction is carried out in a single operation or in several operations which appear to be linked.

What are the requirements for customer identification information for individuals

should provide documentary evidence for their full name, date of birth, the address at which they can be located, their profession or occupation and specimen signature. An official document bearing a photograph of the person should be obtained. It is important that the current permanent addres

Details to be Collected on Corporates

should provide documentary evidence of full name, registration address, a copy of the latest report and accounts, a copy of the certificate of incorporation/certificate of trade or equivalent, a copy of the company’s Memorandum and Articles of Association and other certificates issued by the Registrar of Companies, a group structure to identify individuals who control over 10% of the entity’s shares or voting rights, and the names of the directors. The identification of directors and beneficial shareholders is in line with the requirements for individual clients.

What are the high level requirements around beneficial ownership (identification and verification)?

Due diligence measures comprise identifying and verifying the identity of the beneficial owner owning or controlling more than 10% of the shares or voting rights of the client.

What circumstances are enhanced customer due diligence measures required?

According to paragraph 64-(1) of the Law: Enhanced due diligence measures should be in place in respect of the following customers: a) where the customer has not been physically present for identification purposes; b) in respect of cross-frontier correspondent banking relationships with current institutions to customers from third countries; and c) in respect of transactions or business relationships with politically exposed persons (‘PEPs’) residing in a country within the European Economic Area or a third country. According to paragraph 64-(2) of the Law: “Enhanced customer due diligence measures must be taken in all other instances which due to their nature entail a higher risk of money laundering or terrorist financing.”

How should FI's deal with Politically exposed persons

According to paragraph 5.61 of the Directive, if the prospective client is a PEP, the firm should obtain senior management approval for establishing business relationship. In addition, according to paragraph 4.55 of the Directive, the firm should establish the source of wealth and source of funds for PEPs and also conduct ongoing monitoring on the business relationship. Paragraph 5.62 of the Directive states that the firm should pay special attention when PEPs originate from a country which is widely known to face problems of bribery, corruption and financial irregularity and whose anti-money laundering laws and regulations are not equivalent to international standards. With regards to the issue of corruption, a useful source of information is the Transparency International Corruption Perceptions Index which ranks countries and territories based on how corrupt their public sector is perceived to be.

What enhanced due diligence must be performed for correspondent banking relationships?

According to 64 (b) of the Law, in respect of cross-frontier correspondent banking relationships with credit institutions to customers from third countries, it is required to: a) gather sufficient information about the credit institution customer to fully understand the nature of the business and the activities of the customer and to assess, from publicly available information, the reputation of the institution and the quality of its supervision; b) assess the systems and procedures applied by the credit institution customer for the prevention of money laundering and terrorist financing; c) obtain approval from senior management before entering into correspondent bank account relationships; d) document the respective responsibilities of the person engaged in financial or other business activities and of the credit institution customer; and e) with respect to payable-through accounts, it must be ensured that the credit institution-customer has verified the identity of its customers, and performed ongoing due diligence on the customers having direct access to the correspondent bank accounts and that it is able to provide relevant customers’ due diligence data to the correspondent institution, upon request.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

Yes

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

If the client is a non-Cypriot resident who is not seen face-to-face, then a professional adviser in the client’s home country could be used to confirm identity, or a copy of the passport authenticated by an attorney or consulate, or verification details covering true name, permanent address and verification of signature could be checked with a reputable credit or financial institution or professional advisor in the prospective client’s home country.

To whom are SAR's made? (suspicious activity reports)

MOKAS

Link to website of SAR reporting

http://www.law.gov.cy/law/mokas/mokas.nsf/mokas02_en/mokas02_en?OpenDocument

Other Suspicious or unusual transactions obligations.

According to 6.05 of the Directive, any knowledge or suspicion of money laundering or terrorist financing should be promptly reported to MOKAS.

Are there any de-minimis thresholds below which transactions do not need to be reported?

No, because according to paragraph 6.01 of the Directive for the Prevention & Suppression of Money Laundering & Terrorist Financing Laws of 2007 and 2010, the types of transactions which may be used

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

According to the Law: “(27-(1)) A person who a) knows or reasonably suspects that another person is engaged in laundering or financing of terrorism offences; and b) the information on which that knowledge or reasonable suspicion is based, comes to his attention in the course of his trade, profession, business or employment shall commit an offence if he does not disclose the said information to the Unit as soon as is reasonably practicable after it comes to his attention. 27-(3) No criminal proceedings shall be brought against a person for the commission of the offences referred to in subsection (1), without the expressed approval of the Attorney General. 27-(4) An offence under this section shall be punishable by imprisonment not exceeding five years or by a pecuniary penalty not exceeding EUR5,000 or by both of these penalties.”

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

According to paragraph 70 of the Law: “Persons engaged in financial and other business activities refrain from carrying out transactions which they know or suspect to be related with money laundering or terrorist financing before they inform the Unit of their suspicion. It is provided that, if it is impossible to refrain from carrying out the transaction or is likely to frustrate efforts to pursue the beneficiaries of a suspected money laundering or terrorist financing operation, the persons engaged in financial or other business activities, must inform the Unit immediately afterwards.”

Does the local legislation allow transactions to be monitored outside the jurisdiction?

Local legislation does not cover monitoring transactions outside Cyprus

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

In accordance with the Central Bank of Cyprus "Directive on a Framework of Principles of Operation and Criteria of Assessment of Banks’ Organisational Structure, Internal Governance and Internal Control Systems of 2006 to 2012" (“the CBC Directive”) banks should submit to the Central Bank of Cyprus a report prepared by external auditors/consultants every three years, on the assessment of the adequacy of the internal control System on an individual company as well as consolidated group basis. Under the CBC Directive, the external auditor/consultant assesses the internal control environment (including systems) with regard to the banks' management of the risk of money laundering and terrorism financing

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

the report must be provided every 3 years

To whom should the report on AML systems be submitted?

the report is submitted by the external auditor/consultant to the Bank. The Bank is subsequently responsible for its submission to the Central Bank of Cyprus

Is an AML system part of the financial statement audit?

under a financial statement audit, a bank's AML systems and controls are not explicitly reported on

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

Under the CBC Directive, it is not explicitly required for the external auditor/consultant to perform sample testing of KYC files and SAR reports, or to examine risk assessments. However, the external auditor/consultant may judge it necessary to perform such sample testing in the assessment of the Bank's internal control environment with regard to the management of the risk of money laundering and terrorism financing.

Data Protection Laws And Personal Data

yes

Data Protection for Corporate Data

Data protection for "sensitive Data" and additional protections.

yes there is a separate definition of “sensitive data”. Sensitive data means data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, participation in, association and trade union membership, health, sex life and sexual orientation, as well as on criminal charges or convictions. The collection and processing of sensitive data is prohibited. Any collection or processing of sensitive data requires the consent of the data subject, e.g. in order to go through with a contract with the consent of the data subject e.g. in employment contracts, insurance contracts etc.

Do any restrictions on the transfer of credit reports exist?

For KYC purposes the Law provides that the processor can process personal and sensitive data with the consent of the data subject. Personal data can be processed without the consent of the data subject in case that the processing is necessary in order for the processor to be in compliance with a law or regulation of the EU and in case the processing is necessary for the performance of a contract to which party is the data subject or to take steps at the request of the data subject prior to entering an agreement (s 5.) In addition, according to the Anti-Money Laundering Law in terms of processing of data: a) persons engaged in financial or other business must apply adequate and appropriate systems and procedures in relation to the identification and due diligence as to the customer in accordance with the provisions of this Law; and b) criminal records and medical data fall under the definition of sensitive data. As stated in question 29(c), the collections and processing of sensitive data is prohibited. However, under section 6(2), as mentioned above, there are some exceptions to this prohibition. Those exceptions include medical data and criminal records. Section (6)(2)(f) Medical data: processing of medical data is allowed when the processing of that data related to medical data and is executed by a person whose profession is to provide health services and who is subject to a duty of confidentiality or other related codes of conduct, provided that such processing is necessary for medical prevention, diagnosis, cure or management of health. Section 6(2)(g) Criminal data: processing of criminal records is allowed when such processing is concerned with the detection of offences, criminal convictions, security measures and investigation of mass destruction and is necessary to serve national need and national security, to serve the needs of forensic or correctional policy of the Republic or organisation or institution that is authorised for that purpose by the Republic.

Regulator Acronym

CySEC

Year of last FATF mutual evaluation

2011

Field 67

professional adviser at homecopy of passportverification details w/ true namepermanent addressverification of signature

National ID card details

Compulsory at 12.

Compulsory?

National ID source

https://en.wikipedia.org/wiki/Cypriot_identity_card

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Yes

Requirement to proceed

Yes

requirement to use automated suspicious transaction tools

Who are SARS made to?

MOKAS

shell banks

Yes

EDD for correspondent banking

Yes

PDF of case law

Minimum transactions

EUR 15,000

Min transaction USD

16394

Personal Data protection

Personal Data Protection Act

http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/697e70c0046f7759c2256e8c004a0a49/f8e24ef90a27f34fc2256eb4002854e7/$FILE/138(I)-2001_en.pdf

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

N/A

Non financial sector (e.g. casinos, high value goods etc.)

Unit for Combating Money Laundering (“MOKAS”)

Does the country have a risk based approach?

Yes.

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

The documents must be certified true copies of the originals

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

Transfer of personal data within the EU is free. For a transfer to a third country, a license must be obtained from the Commissioner of Protection of Personal Data.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

The Data Protection Law applies here the same way as described above. The Banking Law 66(I)/1997 (as subsequently amended) allows a licensed credit institution to obtain information from their customers in order to open an account such as their identification i.e. name, identity number or passport number. All persons that work for the Central Bank and their representatives of the Central Bank auditors or experts are bound by the obligation of professional secrecy. The Central Bank may exchange information with the competent authorities of different Member States in accordance with this law and in accordance with other laws or instructions or regulation applicable to credit institutions by the EU like Article 31 and 35 of Regulation (EU) No 1093/2010.