Cyprus National Risk Assessment findings by sector

Cyprus National Risk Assessment 2021; Findings by Sector

The SALVUS Crypto-Assets team discussed the release of the National Risk Assessment (NRA) report concerning Virtual Assets (VA) and Virtual Asset Service Providers (VASP) in a previous article. The article, titled Cyprus NRA on VA and VASP highlighted the anticipated updates of the AML/CFT legal framework and the recommendations proposed by the NRA assessment team. This NRA was commissioned by the Advisory Authority for Combating Money Laundering and Terrorist Financing (ML/TF), in July 2020 and it was finalised in November 2021, taking into consideration both the 2018 National Risk Assessment and the 2019 Moneyval Report.

In the following commentary, the Crypto-Assets team at SALVUS summarises the NRA report’s key findings regarding the ML/TF risks posed by VA and VASP. VASP are the equivalent of CASP (Crypto-Asset Services Providers), as introduced and defined by the Cyprus Securities and Exchange Commission (CySEC) early in September 2021.

Both acronyms, VASP and CASP, will be used interchangeably within this article, which is divided between findings concerning the relevant authorities and findings concerning different sectors of the financial system, as follows:

1. Supervisory Authorities
2. Banking Sector
3. Securities Sector
4. Administrative Service Providers (ASP) Sector
5. Gaming Sector

1. Supervisor Authorities

The NRA indicated that the authorities directly related with the provision of VA services in Cyprus are the following:

  1. CySEC
  2. The Central Bank of Cyprus (CBC)
  3. The Police
  4. The Cyprus Financial Intelligence Unit (MOKAS)
  5. The Institute of Certified Public Accountants of Cyprus (ICPAC)
  6. The Cyprus Bar Association (CBA)
  7. The Customs Department
  8. The Ministry of Interior.

The assessment team considered other authorities as well, such as the Insurance Companies and Control Service (ICCS) the Cassino Commission and the National Betting Authority (NBA). Yet, the limited interest presented by their supervised entities for engaging in crypto-asset activities at the current stage positioned them as non-significant to the CASP sector.

In general, the VA activity in Cyprus compared to other jurisdictions can be characterised as significantly low. Thus, authorities are currently introduced to the functions of these emerging new technologies. Nonetheless, the NRA addresses the following deficiencies arising from the authorities’ assessment:

  • All authorities reported a significantly low volume of collected data and limited metrics designed for targeting crypto-asset activities.
  • Some of the authorities have gained experience with specialised AML compliance and intelligence forensics and transaction monitoring tools. Yet, the need for further training and capacity building due to the sector’s evolution is deemed necessary.
  • The system used by MOKAS for suspicious reporting has not incorporated any identifier fields to facilitate the automated tracking of VA related reports.
  • Authorities have not taken into consideration the 24/7 non-stop operation environment regarding the provision of AML/CFT updates to obliged entities outside the normal business hours.
  • In general, no registration, licensing or supervision practices relating to VA activities have been established by authorities, except by CySEC.
  • No procedures for exchanging information regarding AML/CFT best practices for the VASP sector have been considered. In addition, no authority has been designated responsible for ensuring cooperation and coordination between authorities for ML/TF matters within the CASP sector.
  • The exclusion of the Travel Rule from the recent update of the AML/CFT Law.
  • The Police’s protocol for maintaining evidence in its original state and in a digital form can obscure its ability to investigate and trace VA involved in a criminal case immediately.
  • The Police’s reliance on Europol, for investigations that require VA tracing and identification, may cause significant delays.
  • The CBC has not provided to its supervised entities any specific measures or practices promoting the clear understanding and management of the ML/TF risks relating to the crypto-asset services. In this respect, and as Electronic Money Institutions (EMI) and Payment Service Providers (PSP) are more likely to engage with VASP or VA customers, compared to banks, the CBC shall consider a thematic update to its AML/CFT Directive to cover all types of supervised entities in respect of measures specific to CASP.
  • Due to crypto-assets non-physical nature, the Customs Department considers crypto-assets outside of its authority. However, cases that involve hardware crypto-asset wallets like storage devices may need to be declared as a separate property item on the Department’s data collection forms.

On the other hand, it is worth mentioning that the Cyprus Police has established a new branch that is responsible for receiving, registering, and processing all Suspicious Activity Reports and Suspicious Transaction Reports (SARs/STRs) submitted by MOKAS. The Sub-Directorate of Combating Economic Crime (SDCEC) is adequately staffed, and it is believed that it will provide significant assistance to MOKAS, including cases that involve crypto-assets and CASP.

2. Banking Sector

The CBC has been very reluctant to authorise and supervise its obliged entities in servicing VASP and other customers engaged in VA activities. In this context, the NRA has reported the following shortcomings within the banking sector:

  • As the VA activity in Cyprus increases and the Cyprus banks insist on not transferring, disbursing, or accepting VA, their customer relationships could be potentially challenged.
  • Due to the restrictions imposed for servicing the crypto-assets sector, the employed staff lacks experience and knowledge regarding the ML/TF risks arising from the sector.
  • Additionally, VASP need to maintain foreign bank accounts for their operations. Taking this into consideration, entities servicing the sector cannot utilise the efficient Customer Due Diligence (CDD) measures adopted by Cyprus banks, as an additional level of defence.

3. Securities Sector

A limited number of CySEC supervised entities, were granted special permission to engage in VA activities according to Circular C244. The NRA highlighted the below findings concerning the operations and supervision of these entities:

  • By engaging with VA activities, the entities were able to present a significant understanding of the ML/TF risks that may arise. In addition, the obliged entities beyond classifying these activities as highly risky, proceeded with implementing mitigating procedures specific to the risks, in coordination with CySEC.
  • CySEC used this opportunity to familiarise itself with the supervisory practices of entities engaged in crypto-asset activities and set the foundations to become the CASP supervisory authority in Cyprus.
  • CySEC’s AML Department revised its risk evaluation approach to incorporate questions regarding the complexity and the value and size of the crypto-asset related products offered by its supervised entities.

4. Administrative Service Providers (ASP) Sector

According to Moneyval’s report, the ASP sector is determined as the second most critical, behind the banking sector, concerning ML/TF vulnerabilities. Different ASP entities confirmed, to the assessment team, their interest in servicing the fast-growing sector of crypto-asset activities. Furthermore, the assessment team reported the below findings:

  • The ASP sector is supervised by three different authorities the CySEC, the ICPAC and the CBA. This could potentially lead to supervisory deficiencies if authorities provide different guidance for addressing the ML/TF risks related to the CASP sector.
  • Among the three supervisory authorities, only ICPAC proceeded with updating its AML/CFT Directive for ML/TF risks related to virtual assets. More specifically, the Directive includes typologies that would suggest Enhanced Due Diligence (EDD) measures on ML/TF activity. Similarly, ICPAC published the General Circular 23/2020 giving attention to the Financial Action Task Force’s (FATF) red flag indicators regarding ML/TF risks related to crypto-assets activities.
  • CySEC and the CBA are currently revisiting their AML/CFT Directives to address the VA ML/TF risks.
  • The ICPAC has already initiated data collection procedures from its supervised entities that have been involved with crypto-asset activities.
  • CBA’s perception of the involvement of ASP in the CASP sector consists of two scenarios:
    • Firstly, ASP may act as legal advisors to CASP, indicating low ML/TF risk for the service.
    • Secondly, ASP may provide administrative services like the introduction of corporate directors, trustee services, and secretary services which are more likely to carry additional ML/TF risks for the ASP sector.

5. Gaming Sector

The gaming sector in Cyprus falls under the supervision of the recently established NBA. The sector is served primarily by PSP and EMI registered and licensed by the CBC. Beyond establishing an AML/CFT department, the NBA has developed an automated monitoring system to receive alerts directly from the betting platforms.

In this respect, if the gaming sector decides to accept virtual assets as a method of payment, PSP and EMI should establish procedures to detect and stop virtual assets before being converted to e-money. Additionally, the NBA should incorporate in its monitoring system, mechanisms for tracing and recording VA activity.


Following the release of the CySEC Policy Statement (PS-01-2021) on Crypto-Asset Services Providers and the importance of the Travel Rule, the assessment team indicated that the CASP industry is still developing solutions to achieve compliance with the Travel Rule from a technological and operational perspective, and has yet to develop a single approach concerning best practices. The following are a few of the implemented approaches:

  • InterVASP Messaging Standard,
  • Travel Rule Information Sharing Architecture (TRISA),
  • Travel Rule Protocol (TRP),
  • OpenVASP,
  • Tatoshi Professional,
  • NetKi,
  • Sygna Bridge,
  • BIP75 Protocol,
  • Nota Bene.

In our opinion, the fast-evolving technology of virtual assets will be rapidly adapted into the Cypriot financial system. This will be further enhanced by CySEC’s newly introduced CASP registration framework, giving CASP the credibility of compliance with AML/CFT laws. Therefore, both supervisory authorities (CBC and CySEC) and their supervised entities, need to be engaged immediately and respond to the developing ML/TF risks.

SALVUS has a unique experience, providing sophisticated advice and solutions to your licensing and compliance needs. By submitting the first-ever CASP application to CySEC, our Crypto-Assets team is ready to help with your company’s registration, as a CASP.

Please feel free to contact us via email at [email protected] or call us at +357 7000 7898, if you are interested to learn more about Crypto-Asset Services Providers or to discuss your crypto-compliance obligations.


Should you be interested to read more about crypto-assets, blockchain, or Anti-Money Laundering, please visit the selected articles below:

The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.

Share this post