
The CySEC AML walkthrough for brokerage operators (2026)

Date-anchored timeline of AML obligations affecting CySEC-regulated brokerage operators, from AML Law L.13(I)/2018 through the August 2025 sanctions regime to the EU AMLR July 2027 transition. Vendor stack implications at each stage.

Why this guide exists

The AML compliance environment for Cyprus Investment Firms has shifted more sharply between 2018 and 2027 than in the preceding decade. Three events compressed what had been a gradual, directive-driven evolution into something operationally disruptive: the transposition of EU 5AMLD into Cyprus national law via AML Law L.13(I)/2018, the CySEC August 2025 sanctions regime that mandated continuous technology-driven screening across all CIFs, and the arrival of EU AMLR (Regulation 2024/1624), which applies directly across all EU member states from July 10, 2027 without requiring local transposition.

Static rulebooks are not useful in this environment. Brokerage operators need a date-anchored playbook that maps each regulatory event to an operational obligation and flags where vendor infrastructure gaps create compliance exposure.

This guide is written for three audiences: CIF (Cyprus Investment Firm) operators holding a CySEC license, ASP (Administrative Service Provider) licensed entities supporting those operators, and prop-firm operators using CySEC umbrella structures who inherit the AML obligations of the licensing entity.


The 2018-2027 timeline

1. AML Law L.13(I)/2018 - the 5AMLD transposition

Cyprus transposed the EU Fifth Anti-Money Laundering Directive into national law via L.13(I)/2018, effective from January 2018 and progressively amended through 2020. The core operational shifts for CIFs were three: mandatory registration and disclosure of beneficial owners in the Registrar of Companies beneficial ownership register; expanded screening obligations for politically exposed persons (PEPs) including family members and known close associates, not just the PEP individually; and the formal codification of a risk-based approach (RBA) as the methodological standard - meaning CIFs were no longer permitted to apply uniform due diligence across client populations, but were required to calibrate CDD depth to a documented risk assessment. Firms that had been running flat-file screening against a single sanctions list were no longer compliant in principle, even if they had not yet been examined.

2. EU 6AMLD - December 2020

EU Directive 2018/1673 (6AMLD), transposed into Cyprus law effective December 3, 2020, extended criminal liability beyond direct perpetrators of money laundering to those who aid, abet, or facilitate it. The directive harmonised 22 predicate offences across member states - including cybercrime and environmental crime, which were absent from earlier frameworks - and introduced cross-jurisdictional liability so that an act committed in one member state and facilitated through a CIF in Cyprus creates exposure in both jurisdictions. The operational implication for brokers is that correspondent and introducer relationships require scrutiny that goes beyond the introducing entity’s own licensing status. A licensed IB in an opaque jurisdiction is no longer sufficient cover.

3. CySEC Directive DI144-2007-08 amendments - 2021 through 2023

CySEC issued a series of amendments to its foundational directive on AML/CFT obligations for CIFs across the 2021-2023 period, progressively tightening four specific areas: customer due diligence documentation standards; transaction monitoring frequency and alert thresholds for high-risk client segments; the format and timing requirements for suspicious transaction reports (STRs) filed with MOKAS (Cyprus Financial Intelligence Unit); and the governance obligations around the role of the Money Laundering Compliance Officer (MLCO). The practical implication of the 2021-2023 amendment cycle was that informal or partially documented CDD processes that had been tolerated in practice became examination targets - CySEC’s enforcement record in 2022 and 2023 reflects a marked increase in penalty notices citing deficient transaction monitoring documentation specifically.

4. August 2025 CySEC sanctions regime - the operational inflection point

This is the single most disruptive event in the 2018-2027 timeline. CySEC issued updated guidance in August 2025 that fundamentally changed the operational standard for sanctions screening. The August 2025 regime is covered in detail in the following section.

5. EU AMLR (Regulation 2024/1624) - applies July 10, 2027

EU Regulation 2024/1624, the Anti-Money Laundering Regulation, is directly applicable from July 10, 2027 across all EU member states. As a regulation rather than a directive, it requires no Cyprus-specific transposition - the same text applies identically in all 27 member states simultaneously. This is architecturally significant: the regulatory arbitrage that previously allowed CIFs to benefit from Cyprus-specific interpretations of directive-based requirements disappears for every obligation covered by the AMLR. The regulation establishes the new AMLA (Anti-Money Laundering Authority), harmonises customer due diligence standards, and sets EU-wide thresholds for cash transaction reporting.

6. EU AMLD 6 / Directive 2024/1640 - transposition deadline July 10, 2027

Directive 2024/1640 runs parallel to the AMLR and governs the supervisory architecture: how national competent authorities (CySEC, in Cyprus’s case) are structured, resourced, and coordinated with the new AMLA. Cyprus must transpose this directive into national law by July 10, 2027. For CIF operators, the practical implication is that CySEC’s own supervisory mandate, examination procedures, and penalty framework will be updated by that date to reflect Directive 2024/1640 requirements. Operators should expect updated CySEC circulars on supervisory expectations in the 12-18 months preceding the deadline.


The August 2025 sanctions regime - what changed operationally

The August 2025 CySEC guidance on sanctions screening obligations is the single event in this timeline that forced immediate operational change for the largest number of CIFs. The previous standard - periodic screening against an approved sanctions list, often implemented as a daily or weekly batch run against a static database - was clarified as insufficient for high-risk client populations.

Continuous screening became the operative requirement. CySEC’s position, consistent with FATF guidance on targeted financial sanctions, is that a CIF which onboards a client who subsequently appears on a sanctions list is responsible for identifying that match and acting on it within a timeframe that reflects the risk profile of the client. For high-risk segments - non-EU nationals, clients from high-risk jurisdictions, clients with elevated transaction volumes, PEPs - overnight batch screening creates a window of exposure that CySEC no longer accepts as adequate. Real-time or near-real-time screening against live sanctions feeds became the operational benchmark.

PEP screening expanded beyond the direct PEP. The August 2025 regime made explicit what had been implicit in the risk-based approach since 2018: PEP screening obligations extend to family members and known close associates of PEPs, not only the PEP individually. For a CIF operating in markets with high concentrations of politically connected individuals - the Gulf, Eastern Europe, parts of Africa - this meaningfully increases the screening surface and the volume of alerts that require human review.

Adverse media moved from an optional enhancement to a required input to the ongoing monitoring process. A CIF’s CDD framework must now include a documented mechanism for incorporating adverse media (negative news, enforcement actions, reputational exposure) into the ongoing risk assessment for active client relationships. The practical standard is not that a CIF must subscribe to a specific adverse media data feed, but that it must be able to demonstrate to an examiner that adverse media is systematically considered rather than reviewed ad hoc.

The technology implication of the August 2025 regime is direct: spreadsheet-based or manual sanctions screening is no longer a defensible implementation for any CIF with a materially sized client book. The combination of continuous screening, expanded PEP coverage, and adverse media integration requires a vendor relationship with an AML-specialist provider. The compliance officer who maintained a manual process before August 2025 cannot maintain it afterwards without accepting documented examination risk.

The vendor implication for the stack decisions covered on this site is that pure-play AML specialists became category-mandatory rather than optional upgrades. ComplyAdvantage - the primary pure-play AML data and screening vendor in the review set - moved from a premium enhancement to baseline infrastructure for CIFs with any material exposure to high-risk client segments. KYC-first vendors with structurally weaker AML coverage, such as SEON (which occupies the fraud prevention pre-filter role), cannot serve as standalone AML solutions under the August 2025 standard - their screening depth and data freshness commitments are not calibrated to the continuous-screening requirement.


EU AMLR (2027) - what brokers should be doing now

AMLR (Regulation 2024/1624) applies from July 10, 2027. That date is 13 months from the publication of this guide. The preparation window is real but not generous, particularly for CIFs that have not yet conducted a gap analysis against the regulation text.

The most important structural feature of AMLR is that it is directly applicable - the same requirements apply in Cyprus as in France, Germany, and every other EU member state simultaneously. There is no Cyprus-specific interpretation layer, no local transposition variance, no CySEC circular that modifies the substance of what the regulation requires. For operators who have historically relied on Cyprus’s relatively accessible regulatory environment, this is a meaningful change to how compliance risk is managed.

Harmonised CDD requirements under AMLR cover identification, verification, beneficial ownership transparency, and ongoing monitoring in a standardised framework. The risk is not that the requirements are more demanding than current CySEC expectations in isolation - for well-run CIFs, the gap should be manageable - but that the uniformity removes the flexibility that compliance teams have used to calibrate obligations to Cyprus-specific conditions.

AMLA - the new EU-level supervisor established by AMLR - will directly supervise the highest-risk obliged entities initially: large credit institutions and crypto-asset service providers operating across multiple member states. FX and CFD brokers that are not in scope for direct AMLA supervision will remain under CySEC oversight, but CySEC will operate within a harmonised supervisory framework defined by Directive 2024/1640. The indirect effect is that CySEC’s examination standards will converge upward toward AMLA-set benchmarks over the 2026-2028 period.

The EUR 10,000 cash transaction threshold for mandatory reporting becomes EU-wide under AMLR, eliminating member-state variation. For most CIF operators processing electronic payments, this has limited direct operational impact - but CIFs with physical office operations or that accept transfers from non-bank payment methods should confirm their transaction monitoring rules reflect the threshold.

Beneficial ownership transparency under AMLR maintains the 25% ownership threshold for identifying ultimate beneficial owners, but introduces new disclosure obligations around complex corporate structures and nominee arrangements. The practical implication for KYB workflows is that three-layer UBO discovery - tracing ownership through at least three tiers of corporate structure - becomes a baseline expectation, not an enhanced-diligence option.

The operational implication for vendor RFPs opened between now and mid-2027: AML stack vendors need to demonstrate AMLR readiness explicitly. Sanctions list coverage, PEP database scope, and ID document acceptance all need to function across all 27 EU member states without gaps. A vendor whose EU coverage is anchored to the four or five largest member states and is thin on Bulgaria, Romania, or the Baltic states creates a compliance exposure for any CIF that onboards clients from those markets.

CIFs that built their AML stack around Cyprus-specific tooling - particularly vendors who entered the market specifically to serve the CySEC corridor and have not invested in EU-wide data infrastructure - should treat the 2027 AMLR deadline as a vendor evaluation trigger. The time to identify a gap in EU-wide coverage is 2026, not Q2 2027.


Vendor stack implications

The 2018-2027 regulatory timeline maps to four decisions in the vendor stack. Each has a different urgency profile based on where the obligation is now versus where it is heading.

The primary IDV layer needs to demonstrate EU-27 document coverage without meaningful gaps. Under AMLR, the prior practice of accepting a vendor’s “European coverage” claim at face value - without probing coverage depth for smaller member states - is no longer adequate. Sumsub and Veriff both have strong EU document acceptance records across the full member-state population. Jumio and Onfido cover enterprise-tier volumes with correspondingly enterprise-tier procurement weight and minimum-commitment thresholds that are unsuitable for mid-market CIFs operating below the transaction volume that justifies the contract structure.

The AML and sanctions screening layer is no longer optional infrastructure under the August 2025 regime. The question is not whether a CIF needs a dedicated AML vendor; it is which vendor’s data freshness and screening architecture matches the continuous-screening requirement. ComplyAdvantage is the pure-play specialist in the review set, with sanctions list refresh rates and PEP coverage depth specifically built for the financial services compliance use case. Sumsub’s bundled AML capability - expanded through the Mesh AI integration as of March 2026 - provides a viable option for operators who prefer a single-vendor approach, with the trade-off that AML coverage is shallower than a pure-play specialist. ShuftiPro bundles AML at a lower cost point but with a shallower underlying sanctions database; adequate for lower-risk client populations, but not a fit for CIFs with high-risk segment exposure.

The KYB workflow was elevated by AMLR from a supplementary process to baseline CDD. The beneficial ownership transparency requirements and three-layer UBO discovery expectation mean that KYB can no longer be handled through a manual registry lookup. Trulioo carries the deepest KYB coverage among the vendors in the review set, with programmatic access to business registries across a materially wider geography than alternatives. Other vendors in the set offer KYB modules as add-ons, with variable depth and inconsistent freshness guarantees for EU member-state registries.

Fraud prevention as a pre-filter remains a valid role in the onboarding stack but must be scoped correctly. SEON occupies a specific lane: pre-IDV fraud screening that catches synthetic identity signals, device anomalies, and behavioral risk indicators before an application reaches the document verification and AML screening layers. This role is meaningful and defensible - reducing the load on more expensive downstream processes and catching application fraud that AML vendors are not designed to detect. What SEON cannot do is substitute for primary IDV document verification or for the continuous sanctions screening required under the August 2025 regime. It is a pre-filter, not a primary compliance control.

The total cost trade-off across the anchor trio - Sumsub, ShuftiPro, and Veriff as the most commonly evaluated options for mid-market CIFs - varies significantly by verification volume and geography mix. The TCO calculator at /setup/kyc-aml/calculator/ can model cost outcomes across those three anchors at the operator’s actual volume assumptions.


Three vendor RFP questions to pressure-test AMLR readiness

Any IDV or AML vendor being evaluated for a 2026 contract that will run through the AMLR effective date needs to demonstrate preparation, not just intent. These three questions are designed to surface gaps that generic marketing materials will not disclose.

Question one: AMLR roadmap by quarter. “Provide your AMLR (Regulation 2024/1624) alignment roadmap by quarter. Which specific features or coverage expansions will ship before July 10, 2027? What is explicitly out of scope for your current product roadmap, and what will require a separate commercial arrangement?” A vendor that responds with a general commitment to compliance rather than a named feature list with dates has not done the work. AMLR is not new - the regulation text has been available since 2024. A vendor in this market should be able to name what they are building and when it lands.

Question two: Continuous sanctions screening architecture. “How do you support continuous sanctions screening for high-risk client populations under the CySEC August 2025 regime? State your screening cadence - real-time, hourly, or daily - for existing active clients, not just at the point of onboarding. How is that cadence documented for MOKAS audit purposes, and what is the evidence trail you generate?” Vendors will often conflate onboarding-time screening with ongoing monitoring. The CySEC August 2025 requirement applies to the active client book, not only to new applications. A vendor who cannot answer the audit documentation question specifically does not have a MOKAS-ready product.

Question three: KYB depth and data freshness for EU beneficial ownership registers. “What is your KYB coverage for EU member-state beneficial ownership registers? Specifically: can you programmatically discover UBOs through three layers of corporate structure for a company registered in each of the 27 EU member states? What is your data freshness commitment - how often are registry extracts refreshed - and what happens when a registry is unavailable or provides no UBO data?” The three-layer requirement under AMLR is not met by a vendor who can look up a company in a registry and return a single layer of director information. CIFs with complex client corporate structures - common in the institutional and introducing broker segments - need genuine multi-layer traversal with documented freshness.


How this guide will be updated

This guide serves as the canonical long-form anchor for CySEC AML compliance chronology on Brokerage Atlas. The regulatory timeline it covers - L.13(I)/2018 through AMLR July 2027 - is not static. CySEC issues circulars, AMLA publishes guidelines, and vendor capabilities change on timescales shorter than an annual publication cycle.

Material updates will be published at /corrections/ when an event crosses one of two thresholds: a regulatory development that changes an operational obligation described in this guide, or a vendor-stack change that affects the accuracy of the coverage characterisation in the Vendor stack implications section. Cosmetic corrections, minor clarifications, and link updates will be reflected in the guide directly with an updated last_updated date in the frontmatter.

The visual companion to this guide - the timeline diagram at /setup/kyc-aml/cysec-aml-2026/ - presents the same chronology in a structured format suitable for use in compliance documentation and internal briefings. The diagram and this prose guide are maintained in parallel.

The editorial standards governing the accuracy claims, vendor coverage characterisations, and scoring methodology applied across this guide are documented at the methodology page. Readers who want to understand how vendor assessments are formed - and what the limitations of those assessments are - should read the methodology before relying on vendor characterisations for procurement decisions.