1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?
The existing legal and regulatory framework in Cyprus regulates the fintech sector, with bespoke rules applicable to specific fintech activities. The main laws relating to financial and investment services – which, by extension, will apply to fintech activities to the extent that these fall within the regulatory criteria and do not benefit from an exemption – are as follows:
- the Business of Credit Institutions Laws 1997–2018 and EU banking regulations, including EU Regulation 575/2013 on prudential requirements for credit institutions and investment firms;
- the Electronic Money Directive (2009/110/EC), as amended, and the Payment Services Directive (EU 2015/2366), transposed by the domestic Electronic Money Laws;
- the Securities and Cyprus Stock Exchange Laws and the Securities and Exchange Commission Law;
- the Public Offer and Prospectus Law;
- the Transparency Requirements Law;
- the Takeover Bids Law;
- the Investment Services and Activities and Regulated Markets Law transposing the Second Directive on Markets in Financial Instruments (MiFID II);
- the Open-ended Undertakings of Collective Investments in Transferable Securities Law;
- the Alternative Investments Fund Managers Law and Alternative Investment Funds Law; and
- the Prevention and Suppression of Money Laundering and Terrorist Financing Law.
1.2 Do any special regimes apply to specific areas of the fintech space?
In 2018 the Cyprus Securities and Exchange Commission (CySEC) established an Innovation Hub with the aim of supporting businesses which are introducing innovative financial products or services – principally by advancing their understanding of applicable regulations and compliance requirements, and establishing a dialogue to help them identify and accelerate their business models in line with its commitment to ensuring investor protection.
From a regulatory point of view, CySEC has issued a consultation paper proposing the introduction of a set of complementary rules on investment-based crowdfunding in the Investment Services and Activities and Regulated Markets Law, and transposing MiFID II. CySEC has now finalised these rules, which have been issued by means of a directive (the Crowdfunding Directive). Cyprus investment firms (CIFs) may operate as crowdfunding platforms pursuant to the specific rules introduced by CySEC and the investment law requirements.
The National Strategy on Distributed Ledger Technologies is a plan on the development and use of distributed ledger technologies, including blockchain, in both the public and private sectors, which should further promote crowdfunding activity in Cyprus.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
Fintech industry participants are subject to supervision by different regulators, depending on the scope of their services, activities and products. Broadly, these regulators have competence over distinct sectors of the financial services industry, such as banking, securities and investments, and insurance. Given that Cyprus has not yet introduced a specific fintech regulation and fintech businesses are thus subject to the generally applicable financial services regime, the competence of these regulators also extends to fintech businesses.
CySEC is the independent supervisory authority that regulates:
- the investment services market;
- securities transactions;
- the Cyprus Stock Exchange and other organised markets; and
- the collective investment and asset management sector.
CySEC is responsible for the supervision and control of the Cyprus Stock Exchange, and regulates licensed investment services companies, collective investment funds, fund management companies and consultants. CySEC has the power to grant licences to investment firms and brokers, and to impose disciplinary penalties for deviations from the stock market legislation.
The Central Bank of Cyprus (CBC), as part of the European System of Central Banks, contributes to the regulation of European monetary policy. The CBC is entrusted with the general oversight of the financial system in Cyprus. Its supervisory and regulatory powers include:
- regulating, licensing/authorising and monitoring the operation of credit institutions; and
- supervising payment institutions and electronic money institutions.
The insurance sector is supervised by the superintendent of insurance, who heads the Insurance Companies Control Services, which acts on the behalf and under the orders of the superintendent.
1.4 What is the regulators' general approach to fintech?
Both the government and the regulators have adopted new approaches, measures and strategies to promote the development and use of fintech in Cyprus, as well as the establishment of fintech businesses. The aim is to establish Cyprus as a global fintech hub and ensure that it develops the attributes needed to make it a worldwide fintech leader.
As a result, the fintech market has made significant advancements this year. One reason for this is the COVID-19 pandemic and the associated need for innovative digital business solutions; another is the friendly ecosystem that the competent authorities have sought to establish. CySEC has moved ahead with the creation of an electronic platform for the digital submission of applications – beginning with licensing applications for CIFs – to simplify the application process. It will then create a digital registry for crypto-asset service providers, as stipulated in the Amending Law on Anti-money Laundering and Combating the Financing of Terrorism, which was passed in February 2021.
The former chairwoman of CySEC recently stated: "Through the Innovation Hub, we will actively support businesses and businesspeople who develop green fintech solutions. CySEC actively supports new fintech-based products, services and infrastructure projects, especially those that can contribute to financing the real economy." She added: "The continuous upgrade and simplification of CySEC's operations and procedures is still our priority, in order to turn Cyprus into one of the safest, most reliable and attractive investment destinations."
Payment innovation is another burgeoning fintech area and banks are increasingly focused on digital transformation. On 8 May 2020, the Association of Cyprus Banks (ACB) entered into a memorandum of understanding with the government – via the Deputy Ministry of Research, Innovation and Digital Policy – which aims to facilitate and promote digital transactions and banking services, assisted by the use of electronic identification and electronic signature solutions. The banking sector has also launched a utilisation scheme for digital tools.
1.5 Are there any trade associations for the fintech sector?
- Fintech Cyprus: Fintech Cyprus provides a unique platform through which Cypriot and international fintech companies, and those with an interest in supporting the fintech industry, can network with Cypriot and international fintech leaders, influencers and industry experts.
- Cyprus Tech Association: The Cyprus Tech Association provides a strong platform for international information and communications technology companies established in Cyprus to promote new opportunities and partnerships. It also formally represents its members at all forums and offers direction on key strategic issues, including the economic importance of the sector and policy advocacy. Additionally, it acts as a bridge of communication with world-class technology centres, advancing the country's efforts to become an attractive investment destination for foreign investors and a competitive business hub.
- ACB: The ACB was established in 1969 as a non-profit organisation which represents the Cyprus banking sector. Since 2000, it has acted according to its constitutional requirements for the benefit of member banks and the domestic banking industry.
- Association of Cyprus International Financial Firms (ACIFF): The Association of Cyprus International Financial Firms (ACIFF) – formally known as the Association of Cyprus International Investment Firms – was founded on 18 December 2009 and currently has more than 80 regulated firms as members. As the largest representative body of CIFs regulated by CySEC, ACIFF has now expanded its scope to include other financial firms which are regulated in Cyprus as its members. Its mission is to represent members' views and interests in all aspects of their activities, including through prompt and reliable briefings on legislation, regulations, directives and other relevant information which relates to their day-to-day operations.
2 Fintech market
2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?
The fintech sector in Cyprus encompasses all kinds of regulated and unregulated activities, with crypto-activities among the most prominent. A considerable number of crypto-exchanges and crypto-trading platforms are now operating in Cyprus; and foreign crypto companies have also established their headquarters in Cyprus. The Cyprus Securities and Exchange Commission (CySEC) has set up an Innovation Hub, through which it reports on the operation of crypto-asset companies and crypto-asset trading platforms involved in the offer, transfer and verification of financial instruments and financial instrument ownership. The Innovation Hub reflects this increased interest in crypto-business in Cyprus.
Cyprus is also an internationally recognised foreign exchange hub, due to the early designation of foreign exchange as a regulated product under the Directive on Markets in Financial Instruments (MiFID). Its sophisticated foreign exchange market is an important sector of the domestic financial services framework. Foreign exchange companies are actively exploring the use of technology – especially emerging technology – and potential investment in technology-enabled products to transform their businesses, diversify their portfolios and venture into novel investment areas.
2.2 What products and services are offered?
- Automated financial portfolio management;
- Virtual currencies;
- Blockchain technology;
- Equity crowdfunding and crowdlending;
- Innovative insurance products;
- Payroll processors; and
- Crypto-asset trading platforms or funds.
2.3 How are fintech players generally structured?
The most common structure is a limited liability company by shares, which operates as a Cyprus investment firm. Foreign shareholders of fintech players enjoy the tax benefits of non-domiciled status in Cyprus (ie, there is no dividend tax) and a 12.5% corporation tax rate. Profits earned from the development of intellectual property and research also benefit from an 80% tax exemption under the IP Box tax regime. Thus, only 20% of this income is subject to corporate tax at a rate of 12.5%; as a result, Cyprus resident companies may benefit from an effective tax rate of 2.5%.
2.4 How are they generally financed?
- Personal savings;
- Loans (from incumbent banks);
- Financing through friends, family or angel investors;
- Financing from institutional investors;
- Convertible loans;
- Venture capital; and
- EU funding.
2.5 How are they positioned within the broader financial services landscape?
Although fintech companies have not yet disrupted the stability of the Cypriot financial system, the fintech industry is growing rapidly – both globally and in Cyprus. Fintech companies are increasingly gaining ground in the broader financial services landscape. The Second Payment Services Directive (PSD II) encourages the broader acceptance of fintech advancements; while incumbents are also championing the potential of fintech solutions. It would thus appear that fintech does not constitute a threat to the traditional financial institutions in Cyprus, but is instead enabling them to integrate and adjust to a new era. Many banks in Cyprus have launched their own fintech divisions or engaged the services of fintech companies.
2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?
Start-ups usually outsource their back-office functions and there are professionals in Cyprus who undertake such functions. In doing so, however, they must comply with the provisions and requirements of MiFID II, PSD II, the European Banking Authority Guidelines and domestic directives, laws and regulations issued by CySEC and the Central Bank of Cyprus.
Generally, service providers must comply with their legal obligations regardless of any outsourcing arrangements, including their duties towards clients. Outsourcing arrangements cannot undermine their internal controls or the supervisory role of the competent regulators. Service providers must consider and manage all outsourcing risks. Any outsourcing arrangements do not release them from their obligations.
3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)
(a) Internet (e-commerce)
The Distance Marketing of Financial Services for Consumers Law covers contracts relating to retail financial services (banking, insurance, payment and investment, including pension funds) that are negotiated at a distance (eg, by telephone, fax or online) – that is, by means which do not require the simultaneous physical presence of the parties to the contract. It transposed EU Directive 2002/65/EC into national law. Pursuant to the law, a supplier must:
- provide certain information to the consumer – such as its identity, address, contact details and value added tax number – before concluding a distance contract or offer; and
- give the consumer the right to reflect before concluding a contact with it.
The law also provides that a consumer has the right to withdraw from a distance contract within 14 calendar days without penalty and without giving any reason.
(b) Mobile (m-commerce)
No specific directives, regulations or laws govern mobile commerce in Cyprus. Mobile applications for the purchase of goods and services are governed by the same regulations which apply to e-commerce.
(c) Big data (mining)
No specific regulations govern big data or mining data in Cyprus. The EU General Data Protection Regulation (2016/679) (GDPR) is the most important statute when it comes to data protection. Persons and entities that obtain and process personal data should adhere to its provisions. However, the GDPR applies exclusively to the personal data of natural persons, and regulates the processing and storage of such data. Thus, it does not apply where the data used for data mining does not include personal data.
The GDPR aims to protect personal data, prevent data leaks and restrict the use of personal data to specific purposes. In this regard, data processors and controllers (ie, companies and persons that collect such information) must obtain the specific consent of data subjects, specifying how and why their personal data will be used.
(d) Cloud computing
In the context of increased digitalisation and the growing importance of the fintech sector, financial institutions are adapting their business models to embrace cloud technologies. As a result, they are increasingly outsourcing their business activities to cloud service providers in order to reduce costs and enhance flexibility and productivity. Outsourcing affords them easy access to new technologies and enables them to achieve economies of scale. However, the management body of a financial institution always remains responsible for the institution and its activities.
The European Banking Authority (EBA) has issued guidelines on outsourcing to cloud service providers in addition to those issued by the Committee of European Banking Supervisors, in the specific context of institutions that outsource to cloud service providers. The EBA's guidelines aim to enable firms to evaluate the benefits of using cloud services while ensuring that all related risks are adequately recognised and managed. In particular, they address five key areas:
- the security of data and systems;
- the location of data and data processing systems;
- access and audit rights;
- chain outsourcing; and
- contingency plans and exit strategies.
The guidelines – which are applicable as of 30 September 2019 and revise recommendations initially issued in 2017 – are targeted at credit institutions, investment firms and competent authorities.
(e) Artificial intelligence
On 21 April 2021, the European Parliament and the Council proposed a regulation setting out harmonised rules on artificial intelligence (AI), to facilitate the development of an ecosystem of trust through a legal framework for reliable AI. The main concerns of the regulation include enhanced human wellbeing and the social and ethical implications of AI. According to the regulation, a European Artificial Intelligence Board will be established, comprised of representatives of all member states; and each member state will designate one or more national competent authorities to supervise the application and enforcement of the regulation.
In Cyprus, an Innovation Hub has been established in order to explore and evaluate the risks and benefits of the fintech and regtech sectors, and to draft adequate laws and regulations. AI is part of this Innovation Hub, as it is in the forex industry; and the Cyprus Securities and Exchange Commission (CySEC) is assisting these businesses with compliance requirements. Also, businesses that use AI to improve payment methods through personalised payment systems have emerged of late. AI in Cyprus is mainly regulated within the scope of the GDPR, the relevant domestic law and the Second Directive on Markets in Financial Instruments.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Cyprus is participating in important blockchain initiatives, such as:
- the European Blockchain Partnership;
- the Declaration on Utilisation of Distributed Ledger Technology (DLT) (with France, Portugal, Italy, Greece, Malta and Spain); and
- Blockchain Technology for Algorithmic Regulation and Compliance.
The competent authorities in Cyprus have established a DLT (Blockchain) National Strategy, which comprises a comprehensive strategic plan for the use of blockchain and other forms of DLT in the public and private sectors, in preparation for the introduction of dedicated legislation. CySEC is also interested in the regulatory implications of share-distributed ledgers. CySEC has recognised initial coin offerings (ICOs) as a means of generating funds to finance start-ups and has stated that it intends to concentrate on this sector. Although ICOs are not currently regulated, ICO founders must comply with a number of single market regulations. Under the strategy, an ad hoc committee has been established to advance the objectives identified therein; while a sub-committee has been set up to assess DLT in the financial industry.
DLT became widely known through its use in relation to crypto-assets. This is a challenging area for regulators, due to its novelty and the risks it presents for end investors. Therefore, Cyprus is in the process of exploring all aspects of the industry and the needs and requirements of industry players, with the aim of establishing laws, guidelines and regulations for the adoption of best practices and the smooth operation of this sector.
4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.
(a) Crowdfunding, peer-to-peer lending
Crowdfunding can serve as an alternative method to bank financing, through which small and medium-sized enterprises (SMEs) can access financing through the issuance of transferable securities (typically shares or debt instruments), among other things. Investors can access these investment opportunities through an internet-based electronic information system, or platform, which allows the crowdfunding service provider to match SMEs seeking financing with funding investors. In return for financing a business interest, a potential economic return is generated.
On 15 November 2019, the Cyprus Securities and Exchange Commission (CySEC) issued a consultation paper proposing the introduction of a set of complementary rules on investment-based crowdfunding in the Investment Services and Activities and Regulated Markets Law, and transposing MiFID II. Based on the feedback received, CySEC has now finalised these rules, which have been issued by means of a directive (the ‘Crowdfunding Directive'). The Crowdfunding Directive related solely to investment-based crowdfunding through transferable securities and excludes loan-based, reward-based and donation-based crowdfunding.
Cyprus investment firms (CIFs) that act as crowdfunding service providers will be subject to additional provisions aimed at ensuring investor protection. These address issues such as:
- conflicts of interest;
- customer due diligence;
- transparency obligations;
- safeguarding of clients' funds;
- financial instruments; and
- exit opportunities.
Peer-to-peer lending is not particularly developed in Cyprus. Only financial institutions that are duly licenced by the Central Bank of Cyprus can fund their lending activities by taking deposits. Deposit taking remains the primary source of lending activities by Cyprus banks.
(b) Online lending and other forms of alternative finance
Online lending is not common in Cyprus and has not yet been regulated.
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb)
In Cyprus, payment services are regulated by:
- the Provision and Use of Payment Services and Access to Payments Law (L 31(I)/2018), which transposed the EU Payment Services Directive (2015/2366/EC); and
- the Electronic Money Law of 2012, which transposed provisions of the EU Directive 2009/110/EC.
Payment services in Cyprus can be provided by payment institutions and electronic money institutions, in accordance with the law. Payment institutions and electronic money institutions must obtain a licence and authorisation from the Central Bank of Cyprus before offering any payment services. By using their passporting rights, authorised institutions from other European Economic Area (EEA) states can offer payment services in Cyprus.
Foreign exchange is quite advanced in Cyprus, due to the early establishment of foreign exchange as a regulated product under the Directive on Markets in Financial Instruments (MiFID). Foreign exchange companies are subject to the provisions of MiFID II. CySEC regulates member firms, which must be licensed by, and report to, CySEC.
Foreign exchange companies that are licensed by a competent authority of another EEA member state may offer their services by establishing branches, subsidiaries or representative offices in Cyprus, without needing to obtain an additional licence.
Non-EEA businesses may also provide forex services in Cyprus by establishing a branch or a subsidiary, subject to the approval of the relevant authority.
Trading in financial instruments must be conducted by CIFs or credit institutions duly licensed by CySEC. Licensed trading platforms in Cyprus are governed by MiFID II. According to this legal framework, Cyprus operates a regulated market – the Cyprus Stock Exchange – and enables trading in authorised multilateral trading facilities (MTFs) and organised trading facilities (OTFs). The Cyprus Stock Exchange is governed by the Securities and Cyprus Stock Exchange Laws and is supervised by CySEC as a regulated market.
MTFs and OTFs are regulated by the Investment Services Law (87(I)2017). The operation of MTFs and OTFs must be approved and authorised by CySEC after fulfilling the requirements relating to:
- organisational measures;
- transparency and non-discrimination requirements; and
- management of technical operations.
However, activities relating to trading in cryptocurrencies are not regulated by CySEC unless a virtual currency falls under the existing regulatory framework, as per CySEC's announcements, which introduced the following new rules for trading in Bitcoin and digital currencies:
- Brokers must leverage the limit at a ratio of 5:1 for trading in contracts for difference in relation to virtual currencies, provided that the total volume of digital currency trading for each broker does not exceed 15% of the total broker volume each quarter;
- Brokers must use more than one feed provider for each cryptocurrency; and
- Virtual currency instruments are not automatically subject to MiFID I passporting rights.
(f) Investment and asset management
The investment funds industry is regulated by CySEC and the law relating to this industry derives from the transposition of EU directives. The most popular type of investment fund in Cyprus is the alternative investment fund (AIF). AIFs are collective investment undertakings, including their investment compartments, which:
- raise capital from a number of investors with a view to investing it in accordance with a defined investment policy for the benefit of the investors; and
- do not require authorisation pursuant to the laws on undertakings for collective investment in transferable securities.
The following types of AIFs are offered in Cyprus pursuant to the law:
- AIFs with an unlimited number of persons (AIFUNPs);
- AIFs with a limited number of persons (AIFLNPs); and
- registered AIFs (RAIFs).
AIFUNPs and RAIFs may take any of the following legal forms:
- a mutual/common fund;
- a fixed capital investment company (FCIC) or variable capital investment company (VCIC); or
- a limited partnership registered subject to the General and Limited Partnership and Business Names Law. An anticipated amendment to this law will afford the possibility to register a limited partnership with separate legal personality which may be either internally managed by the general partner or externally managed by an external manager appointed by the general partner.
AIFLNPs may take any of the following forms:
- a FCIC or VCIC; or
- a limited partnership registered subject to the General and Limited Partnership and Business Names Law. An anticipated amendment to this law will afford the possibility to register a limited partnership with separate legal personality which may be either internally managed by the general partner or externally managed by an external manager appointed by the general partner.
All types of AIFs can be open-ended or closed-ended, and may be structured as single or umbrella schemes with one or more investment compartments where each investment compartment corresponds to separate assets and liabilities of the AIF.
In Cyprus, the most common structure is an umbrella AIF in the form of a VCIC or limited partnership.
The competent authority responsible for the authorisation and ongoing prudential supervision of AIFUNPs and AIFLNPs is CySEC, and prior authorisation is required before they can be established. RAIFs are not subject to prior authorisation or supervision by CySEC; however, they must be registered on the RAIF register maintained by CySEC following their incorporation with the Registrar of Companies.
(g) Risk management
CySEC, as the supervisory authority, has issued guidelines on risk management to ensure compliance with Article 76 of EU Directive 2013/36/EC, with which all CIFs must comply. These address:
- the responsibilities of the board of directors in relation to risk management;
- the establishment of a risk committee, for CIFs that are significant in size, internal organisation and the nature, scale and complexity of its activities;
- the qualifications and responsibilities of members of the risk committee; and
- the establishment of a risk management department, which is appropriate and proportionate in view of the nature, scale and complexity of the activities of the CIF, and the nature and range of its investment services.
CySEC has stressed that board members and senior management of CIFs are responsible for ensuring risk management compliance. In case of any violation due to omission, negligence or fault, a CIF will be subject to administrative sanctions.
‘Roboadvice' is the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system which is used as a client-facing tool. This sector thus falls within the scope of MiFID II, and all of its provisions and requirements are therefore applicable to firms that provide these services.
The European Securities and Markets Authority has issued guidelines on certain aspects of the MiFID II suitability requirements, including further guidelines for firms that provide roboadvice services. The guidelines state that firms should inform clients and explain:
- the exact degree and extent of human involvement;
- the risks involved in the decisions recommended or undertaken on their behalf; and
- the measures and steps that are taken to protect clients and minimise the risks.
The term ‘insurtech' is not defined in Cyprus law. However, such activities are governed by the Law on Insurance and Reinsurance Affairs, which provides that all companies that a business operates as an insurance or reinsurance agent or broker or mediator should obtain a licence from the superintendent of insurance.
The superintendent is responsible for supervising the insurance sector in Cyprus and exercises all powers granted to him under the Law on Insurance and Reinsurance Affairs and Other Related Issues (38(I) 2016) and the relevant regulations, as amended from time to time, in order to protect policyholders and policyholders.
5 Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
Data protection in Cyprus is governed by the General Data Protection Regulation (2016/679) (GDPR) and the relevant domestic law (Law 125(1)/2018).
The GDPR is an EU regulation and as such, all EU member states are bound to adhere to its provisions on the processing of personal data. The provisions of the GDPR apply to data processors and controllers that processing data relating to natural persons. Pursuant to the GDPR, the transfer of data to countries outside the European Economic Area (EEA) is restricted and must comply with the prescribed requirements of such transfers.
‘Personal data' is broadly defined to cover any information relating to a natural person – including biometric data – which may be used by fintech businesses to remotely identify their clients. The relevant legal framework sets out rules and policies for the use and processing of such personal data by fintech players that provide services to consumers and other businesses.
Entities that transfer data outside the EEA must implement specific standards, as provided by the relevant law. These require:
- the provision of standard contractual terms;
- the establishment of binding corporate rules for transfers within a group of undertakings;
- the consent of the data subjects; and
- for special categories of personal data as defined in the GDPR, consultation with the domestic competent data protection authority or an impact assessment.
Sanctions may be imposed by the competent authority for non-compliance with these requirements.
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
Comprehensive provisions on cybersecurity are set out in the legislative and regulatory frameworks governing information and communications technology, which also apply to fintech businesses.
The following laws and regulations include provisions concerning cybersecurity:
- the Electronic Commerce Law (156(I)/2004);
- the Law for the Protection of Confidentiality of Private Communications (92(I)/1996);
- the Law Regulating Electronic Communications and Postal Services (112(I)/2004), as most recently amended by Law 76(I)/2017;
- the Law Transposing Regulation 910/2014/EC on electronic identification and trust services for electronic transactions in the internal market (Law 55(I)/2018); and
- the GDPR and the domestic law (Law 125(I)/2018).
6 Financial crime
6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?
Cyprus has put in place all of the necessary mechanisms for the prevention and suppression of money laundering and terrorist financing activities.
The provisions of the EU Fourth Anti-money Laundering (AML) Directive (2015/849/EC) regarding the prevention of the legalisation of the proceeds from illegal activities or terrorist financing were transposed on 3 April 2018 through an amendment to the Prevention and Suppression of Money Laundering Activities Laws 2007 to 2016.
Financial services providers that constitute obliged entities under the AML framework, including fintech businesses, must implement adequate AML procedures and mechanisms. These include measures to identify and report suspicious transactions and conduct know-your-client checks, according to the risk-based approach set out in the AML framework. Obliged entities must adhere to and apply strict procedures for maintaining complete, adequate, accurate and up-to-date records of their clients.
Further to the recent transposition of the Fifth AML Directive to Cyprus and the respective updated to the domestic law, ‘crypto-asset service providers' are defined as obliged entities for AML purposes. Crypto-asset service providers that offer an extensive scope of services in relation to crypto-assets – broadly, crypto-assets in the form of digital assets that do not constitute fiat currency, electronic money or financial instruments – must now register with the Cyprus Securities and Exchange Commission and comply with AML obligations to offer these services.
Fintech businesses may be subject to other regulatory regimes depending on the nature of the services they offer. A specific regime that often applies to the offer of fintech services and products is the consumer protection regime.
7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?
The provision of fintech products or services raises no particular competition regulatory concerns, provided that the businesses providing such products or services comply with the relevant national and EU laws and regulations.
8.1 How is innovation in the fintech space protected in your jurisdiction?
Innovation in Cyprus is protected under IP laws and regulations. Innovation – including fintech innovation – is protected at a national, EU and international level, due to Cyprus's membership of the European Union and participation in leading international conventions on IP protection. Specific IP rights (eg, copyright, patents, trademarks and industrial designs) are granted to the creators, authors and inventors of innovative products.
8.2 How is innovation in the fintech space incentivised in your jurisdiction?
The Cyprus Securities and Exchange Commission (CySEC) has established an Innovation Hub and invited regulated and non-regulated innovative businesses to participate in order to advance regulation and compliance in this space; it is also contemplating the launch of a regulatory sandbox. The Innovation Hub seeks to act as a bridge between CySEC and innovative businesses operating in the fintech and regtech realms, encouraging the exchange of views and facilitating compliance and enhanced understanding of regulatory matters.
The requirements for participation indicate that CySEC is focusing on genuine innovation connected with fintech and regtech.
9 Talent acquisition
9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?
Employment relationships are usually governed by the contractual terms agreed between the employer and employee. Although oral agreements are generally allowed under Cyprus law, employment contracts are always executed in writing. Collective agreements may apply in specific industries. Their content may determine the terms of employment relationships where employers have entered into such agreements with trade unions.
9.2 How can fintech companies attract specialist talent from overseas where necessary?
Certain basic benefits are provided to employees, as follows:
- A limited number of occupations are subject to a minimum wage;
- Employees are entitled to 20 or 24 days' paid leave (based on a five-day or six-day working week, respectively); and
- Employees are entitled to unpaid parental leave of 18 weeks.
The Council of Ministers recently adopted a new set of incentives relating to the immigration rules applicable to technology companies that wish to establish a presence in Cyprus. Each such company is entitled:
- to employ up to 15 third-country nationals as directors and middle-management executives; and
- to employ any number of qualified third-country nationals who possess the necessary information and communications technology skills.
The maximum number of third-country nationals that may be employed under the New Immigration Framework for Tech Companies is based on annual turnover. Companies with an annual turnover of more than €30 million fall under a special category which allows for the relocation of up to 200 non-European specialists through a simplified procedure, under which work permits may be granted within six weeks.
The key benefits for companies with regard to third-country nationals are as follows:
- no restrictions on the maximum duration of stay;
- no requirement for a sealed employment contract from the Department of Labour;
- the right to family reunification with the employee's spouse and minor children; and
- conversion of a visa entry to a temporary residence permit and issue of an employment permit upon arrival in Cyprus.
10 Trends and predictions
10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
In order to explore the risks and advantages of technological advancements and enhance the regulatory and supervisory treatment of innovative new financial activities, the Cyprus Securities and Exchange Commission (CySEC) launched an Innovation Hub in 2018. The work conducted through this Innovation Hub has highlighted the need for further guidance and additional safeguards, and CySEC is thus evaluating the pros and cons of fintech from a regulatory perspective. The aim is to effectively manage the risk associated with new financial innovation, taking into consideration the benefits that it is intended to afford. In this respect, CySEC is also contemplating the introduction of a regulatory sandbox.
11 Tips and traps
11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?
Cyprus has laid solid fintech foundations, as the government has committed to double its expenditure on the development of technology and increase the private contribution in this sphere as part of its 2019–2023 National Strategy on Research and Innovation. The strategy, called "Innovate Cyprus", is designed to attract fintech and blockchain start-ups as well as global companies looking for a practical and advanced business hub. The strategy aims to stimulate the Cypriot economy in the coming years through research, scientific excellence, innovation, technological development and entrepreneurship.
Fintech businesses that are considering launching operations in Cyprus should conduct a regulatory assessment of their project as early as possible. Although the Cyprus Securities and Exchange Commission (CySEC) supports financial innovation and has created an Innovation Hub to promote it, the provision of regulated investment, payment or banking services in Cyprus without the requisite licence and authorisation is prohibited. Therefore, regulatory and compliance policies must be drafted; new entrants should be aware that it usually takes between four to twelve months to obtain a licence, depending on the additional information and/or clarifications that CySEC may request upon examining the relevant application.
Fintech companies which already possess a licence to provide regulated services in another EU or European Economic Area member state can also use the passport mechanism to provide services in Cyprus, without having to apply for a licence to CySEC.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.