The 3rd MONEYVAL Follow-up Report; Cyprus upgrades AML/CFT level of compliance

In an attempt to tackle Money Laundering (ML) and Terrorism Financing (TF) while ensuring a global harmonized response, the Financial Action Task Force (FATF) has issued 40 Recommendations. The Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (MONEYVAL) is responsible for conducting assessments on EU Member States, that are not members of the FATF.  

Overall, Cyprus has achieved Compliance (C) or Large Compliance (LC) in most of the 40 recommendations with only 3 areas rated as Partially Compliant (PC), after its upgrade with regard to Recommendation 15. In more detail, the ratings are as shown below: 

21 areas rated as LC, 16 areas rated as C, 3 areas rated as PC and 0 as non-compliant. 

This commentary summarises the third Enhanced Follow-up Report conducted by MONEYVAL on the Republic of Cyprus. The report was in relation to FATF Recommendations 8 and 15, assessing the level of technical compliance, discussing the following:

1. Recommendation 8: Non-Profit Organisations
2. Recommendation 15: New Technologies
3. Areas for Improvement

VASP (Virtual Asset Service Providers) are the equivalent of CASP (Crypto-Asset Services Providers) introduced by the Cyprus Securities and Exchange Commission (CySEC), early in September 2021. VASP and CASP are used interchangeably within this article. 

We regularly share bite-sized insights on LinkedIn such as those found in this article

1. Recommendation 8: Non-Profit Organisations 

In respect of FATF Recommendation 8 for combating the abuse of Non-profit Organisations (NPOs), Cyprus authorities have requested a re-rating in the level of compliance. According to MONEYVAL’s 3rd enhanced follow-up report, Cyprus has demonstrated some improvement towards enhancing its level of compliance in addressing the technical deficiencies identified in the Mutual Evaluation Report (MER), and in previous follow-up reports.  

For instance, Cyprus has identified general TF threats arising from: 

  • the geographical location of Cyprus, 
  • NPOs’ activities, 
  • governance of NPOs, and 
  • flows of funds.  

However, it has not been re-rated, and it remains partially compliant, as further advancement is needed regarding the below matters:  

  • The risk-assessment covering non-profit companies is under development, 
  • An evaluation whether NPO risk-assessment has informed authorities in depth understanding of TF threats is revisited, 
  • Adequacy of measures related to NPOs is pending to be reviewed,  
  • Measures promoting the accountability, integrity, and public confidence of NPOs administration are currently being examined, 
  • Extensive focus on protection from terrorism financing risks is being explored. 

Upon completion of the first risk assessment of the NPO sector, Cyprus is bound to carry out a retrospection in respect of the abovementioned areas of improvement. Consequently, this review would be key to assess effectiveness, proportionality and dissuasiveness of sanctions for NPOs or their controllers, giving Cyprus a possible upgrade in the level of compliance. 

2. Recommendation 15: New Technologies 

Cyprus has significantly strengthened its AML and CFT compliance practices with regard to Virtual Assets (VA) and Virtual Asset Services Providers (VASP). MONEYVAL’s upgrade from Partially Compliant to Largely Compliant, confirms that the Republic’s efforts in establishing its securities market as one of the safest and most reliable, are successful.  

Contributing to this advancement, Cyprus Authorities have adopted a National Action Plan relating to VA and VASP to address the risks deriving from ML and TF. In addition, the Cyprus Securities and Exchange Commission (CySEC) placed limits on VA activities of financial institutions, using specialized blockchain tools for monitoring purposes and has developed an action plan to address the identified risks including: 

  • Updating and refining its risk-based supervisory framework, 
  • Training its staff, 
  • Recruiting additional staff, 
  • Detecting unauthorised activity. 

Furthermore, the actions taken that promoted the level of compliance, include but are not limited to: 

  • Cyprus has conducted a detailed and specific National Risk Assessment on ML/TF risks on VA and VASP activities in December 2021, identifying and rectifying weaknesses, 
  • CySEC is appointed as the responsible authority to evaluate the competency and honesty of CASP/VASP beneficiaries. 
  • CySEC published a comprehensive guidance on identifying, assessing and understanding TF risks in the context of CA activities. 
  • Cyprus has introduced a CASP registration regime, and a legislation change is proposed to mitigate any deficiencies. 
  • CASP/VASP are required to re-apply Customer Due Diligence (CDD) on occasional transactions ≥ €1,000 vs 15,000 EUR for fiat transactions. 
  • Regulatory actions may be imposed on any natural or legal person breaching the AML/CFT Law provisions, according to CySEC Law. These regulatory actions consist of: 
    • Administrative fine up to EUR 1,000,000, 
    • Modification, suspension or revocation of its authorities, 
    • Criminal sanctions applicable under specific circumstances, 
    • Prohibition on persons performing administrative duties, 
    • Application of administrative penalties to natural persons

3. Areas of Improvement

From MONEYVAL’s perspective, Cyprus has reached the general expectation of having remedied most of the technical compliance deficiencies in respect of Recommendation 15. Nonetheless, the below are certain areas of improvement that were discussed in the 3rd follow-up report and are expected to be further enhanced for Cyprus to prevail over any other jurisdiction with respect to new technologies: 

  • The implementation of appropriate AML/CFT measures, 
  • A range of sanctions that can be applied to registration requirement serious breaches,  
  • Preventive measures applying to CASP that fail to register as required, 
  • Mitigate deficiencies identified in Recommendations 13, 16 and 18 and how they influence overall compliance with Recommendation 15, 
  • Identify and examine risk arising in relation to newly developed business activities or technologies, 
  • Ensure that every legal person established in Cyprus, will be required to register as a CASP in the Republic. 


In light of this information, the fast-evolving technology of virtual assets is successfully integrated into the Cypriot financial system. The upgrade in Recommendation 15 adds up to the many benefits that Cyprus entails in establishing a CASP entity in the Republic. The SALVUS Crypto-Assets Licensing team also emphasises, that once the adoption of the Markets in Crypto-Assets (MiCA) Regulation by the European Council (EC) is fully applicable, Cyprus will be one step ahead in its implementation and in tackling ML and TF risks.  

SALVUS has unique experience, providing sophisticated advice and solutions to your licensing and compliance needs; our Crypto-Assets Licensing team, is ready to help with your company’s registration, as a CASP. 

Please feel free to contact us via email at info@salvusfunds.com or call us at +357 7000 7898 if you are interested to learn more about Crypto-Asset Services Providers or to discuss your crypto-compliance obligations. 


The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.

Share this post