Cyprus AML Compliance Services for Businesses

Pick a fixed‑fee package that delivers regulator‑ready policies in 10 working days and a full rollout in 90 days; handled by accredited specialists with 10+ years in EU financial regulation.

Pricing: €3,900 (launch), €7,500 (growth), €12,900 (complete). SLA: first draft in 5 days; responses within 24–48 hours; onsite visit on request within 5 days. No retainers unless requested.

Scope: enterprise‑wide risk map; anti–money‑laundering policy; KYC/KYB checklists; transaction rules; sanctions/PEP screening; SAR/STR templates; record keeping plan (5 years); Board pack; annual review plan.

Regulatory alignment with the 6th EU directive on anti–money‑laundering and FATF 40 Recommendations; local FIU liaison during assessments; UBO register setup; suspicious activity handling within 24 hours.

Technology stack: World‑Check, Dow Jones, OFAC, EU/UN lists; API links to core systems; alert tuning to reach under 5% false positives within 30 days; auditable case log with role‑based access.

Training: 2‑hour live sessions in English/Greek; onboarding and refresher sets; exam pass mark 80%; certificates issued same day.

Tax and local context: corporate rate 15%; no withholding on many outbound dividends; substance guidance included (office, staff, Board meetings on island).

Book a 30‑minute readiness check now; get a gap snapshot in 24 hours; kickoff within 3 working days. Availability this week.

AML program setup for Cyprus: enterprise risk assessment, policy suite, and STR procedures to MOKAS

Appoint an MLRO with a written mandate; within 15 working days, complete an entity-wide risk map and a policy pack aligned to Law 188(I)/2007 and sectoral directives, and put a rapid STR pathway to MOKAS in place.

Enterprise-wide risk assessment

Scope the review across client segments (retail, corporate, PEP), products (accounts, payments, e-money, virtual assets), delivery channels (remote, agent), geographies, counterparties, and technology stack.

Method: score inherent risk 1–5 by dimension; score control strength 1–5 (screening, onboarding verification, monitoring, training, governance). Compute residual risk as: residual = inherent × (1 − control/5). Bands: ≤1.5 low; 1.6–3.0 moderate; ≥3.1 high. Document data sets, assumptions, and owners; retain version history.

Data inputs: onboarding attributes, hit rates on sanctions/PEP/adverse media, alert volumes, STR counts, regulator notices, typologies from FATF and MOKAS, law‑enforcement requests, and results of QA/testing.

Update cadence: annual cycle plus triggers (new market, product, distribution model, material incident, or major control change). Produce outputs: heat map, top risks with accountable owners, remediation plan with deadlines and budget, and KPI/KRI set (alert→ISAR ≤24h; ISAR→MLRO decision ≤48h; STR submission ≤1 business day after decision unless a consent regime applies). Board approval minutes required.

Policy suite and STR workflow to MOKAS

See also: Panama IBC Corporation.

Core documents: risk appetite statement; CDD/EDD standard; sanctions and PEP screening rules; onboarding and verification checklists; transaction monitoring rules; escalation matrix; record‑keeping standard; training plan; independent review protocol.

See also: Steps for Complying with Anti-Money Laundering Regulations in....

Customer due diligence: natural persons – government ID, liveness/selfie, proof of address ≤3 months; legal entities – registration extract, UBO to 25% or control rights, directors, authorization chain. Validate against reliable sources (registries, credit bureaus, notarized documents). Apply EDD to PEPs, high‑risk regions, complex ownership, or adverse media.

Screening: sanctions, PEP, adverse media at onboarding and daily thereafter. Tune fuzzy‑match thresholds to reduce false positives; record rationale on every disposition. Maintain dual‑control on whitelist decisions.

Monitoring: scenarios covering structuring near reporting limits, third‑party payments without clear purpose, rapid movement across high‑risk regions, virtual asset on/off‑ramps, dormant‑to‑active spikes, merchant refund abuse, and unusual cash intensity. Calibrate with backtesting, precision/recall metrics, and post‑alert QA.

Internal escalation: staff submit an ISAR to the MLRO immediately after suspicion arises, attaching transaction records, counterparties, rationale, and supporting files. Enforce secrecy obligations; no tipping‑off.

Decision and external filing: the MLRO documents analysis, indicators, and legal basis; where suspicion stands, send an STR to MOKAS without delay. Include identifiers (names, DOB, addresses, IDs, account numbers, IBAN/BIC), transaction data (amount, currency, date/time, channel, counterparties), narrative explaining red flags and expected vs observed activity, links across related parties, and attachments (PDF, CSV, screenshots). Capture attempted transactions as well. Use English or Greek; translate key attachments where needed.

Consent and hold: where prior consent is required, pause execution, log the request and timestamps, and act per instructions from the authority. Record any freezing measures and subsequent actions.

Record retention: keep KYC, monitoring outputs, ISAR/STR packages, system logs, and regulator correspondence 5 years after relationship end or single transaction, extended on request by authorities. Apply GDPR controls: purpose limitation, access control, and secure deletion schedules.

Training: induction within 10 days of start, annual refresh, and targeted sessions after incidents. Test knowledge with scenario‑based quizzes; track pass rates and remedial actions.

Independent audit: yearly review covering governance, ERA method, monitoring models, STR timeliness and quality. Report to the board with actions, owners, and due dates. Measure quality with KPIs such as average time to file, return rate due to missing data, false‑positive ratio, and proportion of alerts escalated.

KYC and UBO verification: onboarding checklists, risk scoring, and Beneficial Ownership Register filings

See also: Changes in Compliance Regulations and What They Mean for....

Approve onboarding only after ID, address, and ownership evidence pass screening (sanctions, PEP, adverse media) and risk acceptance is recorded.

Onboarding checklists and risk scoring

Individuals: passport or national ID (photo + MRZ), selfie liveness check, proof of address dated ≤ 3 months (utility bill, bank statement, rental agreement), tax ID, source of funds and source of wealth evidence (salary slips, 12‑month bank statements, sale contracts, dividend vouchers). Run sanctions, PEP, and adverse media screening; store screenshots or vendor references.

Legal entities: certificate of incorporation, articles, registers of directors and shareholders, LEI (if any), tax number, recent financials or management accounts, and a structure chart down to natural persons with ≥25% ownership or control via voting rights or board appointment rights. If nobody reaches the threshold, record the senior managing official.

Special cases: trusts – identify settlor, trustees, protector (if any), beneficiaries, any individual exercising control; foundations – founder, council members, beneficiaries; partnerships – partners with control or ≥25% profit share.

100‑point model suggestion: geography 25% weight (FATF high‑risk +35; sanctioned state +50), customer type 20% (state‑owned entity +25; charity +15), delivery channel 15% (non face‑to‑face +15; introduced by intermediary +10), offering/use case 15% (cross‑border payments +20; cash‑intensive activity +20), ownership/control complexity 15% (layers >3 or bearer shares +25), PEP/adverse media 10% (+10 to +40). Bands: 0–30 low, 31–60 medium, 61–100 high.

Actions by band: high – senior management approval, two independent proofs of wealth, lower limits at onboarding, manual monitoring setup; medium – one extra document, manager sign‑off, periodic checks; low – standard pack. Refresh cycle: low 36 months, medium 24 months, high 12 months or on trigger events (new PEP hit, sanctions change, ownership change, unusual activity).

Beneficial Ownership Register filings

Data set typically required by a Beneficial Ownership Register: entity name, registration number, address, legal type, activity code (NACE/NAICS), UBO full name, date of birth, nationality, residence state, ID type/number, ownership and control percentage, date of becoming UBO, method of control, contact email. Keep supporting evidence: registry extracts, shareholder lists, trust deeds, cap table, board minutes.

Submission window: within 30 days after incorporation and within 30 days after each change; confirm annually by 31 December. Maintain an auditable trail: who verified, when, sources consulted, scoring outcome, approvals taken. Retention: 5 years after relationship ends.

Process tips: match UBO names to passports exactly; ensure totals of direct and indirect ownership equal 100%; attach a structure chart that shows every link; map control rights (veto, board appointment); run registry searches on each corporate shareholder; reconcile spelling across documents; timestamp screenshots from public databases; apply a 4‑eyes check prior to submission.

Frequent mistakes and sanctions: missing chain‑of‑ownership proof, expired IDs, totals below or above 100%, late updates. Many registrars impose daily fines, block statutory filings, and may escalate cases to regulatory bodies; directors can face personal liability.

Screening configuration tips: use UN, EU, OFAC, HMT, and local lists; apply fuzzy name matching at 85–90% similarity plus phonetic algorithms; set date‑of‑birth and nationality as hard filters; auto‑clear low‑quality hits; require analyst review on PEP class 1–2 and negative media categories A–B.

Governance: document risk rationale, retain copies of all decisions, and assign owners by role; apply segregation of duties (maker–checker) and automate reminders on review dates.

Q&A: