Category Archives: Articles

COVID-19: Balancing work life and parenting at home during these challenging times

Having kids can make you more productive – except when they’re there all the time. So how can you meet work obligations now that schools are closed?

A different view from BBC Worklife’s, Alina Dizik, giving tips on how to balance remote work and parenting during these challenging times.

Read the article here:

Prioritise your time …it is your most precious resource

The Thomson Reuters annual report on the cost of compliance, published late in 2018 for the 9th year, has again highlighted a major challenge faced by Compliance Officers as coping with continuing regulatory changes.[1]

The report states that during 2017, Thomson Reuters Regulatory Intelligence captured 56,321 regulatory alerts from over 900 global regulatory bodies averaging 216 updates a day.

Referring to the number of hours per week compliance teams expect to spend tracking regulatory developments the report states that, this year’s results show a slight uptick, with two thirds of firms (66 percent) expecting the amount of regulatory information published by regulators and exchanges to be slightly or significantly more over the next 12 months.

Two examples of the many legislations that companies need to comply with are The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007-2018 (enacting the EU’s 4th directive on AML), which came into effect in Cyprus on April 3rd 2018, and the General Data Protection Regulation (GDPR), which came into effect on May 25th, 2018. GDPR caused a lot of consternation and confusion across all businesses in Cyprus, about just what should be done to comply. The 4th AML Directive, though affecting a narrower spectrum of companies, spearheaded a change in approach from simple record keeping for AML purposes, to a more sophisticated risk based approach to AML.

Speaking at the AML & Compliance – Current Developments Seminar, in April 2019, Yiannis Pettemerides, Freelance Compliance Advisor, said, “The AML Directive is not a difficult law, but it is a very time-consuming law requiring compliance teams to gather a lot of information about companies, sources of finances, and background checks on associated persons.”

So how can compliance professionals cope?

They could take the advice offered by American lawyer Jason E. Brown, a Partner with Ropes & Gray LLP, in a paper published by the European Institute of Management and Finance who said “… [compliance officers] “need to understand regulators’ enforcement priorities and strategically deploy their compliance resources to address those priorities.” [2]

Of the varied resources available, our advice is to prioritise your time … it is your most precious resource.

Time is not an easily increased resource. Budgetary constraints may mean adding more personnel is prohibitive while on the other hand finding well-qualified and experienced personnel in the current market presents a recruitment challenge.  Therefore, if increasing resources is not an option, compliance officers need to deploy their time strategically and work to mitigate time-consuming activities.

“Divide your time according to the evaluated risk rating of your clients. Spend 90% of your time on your high risk clients, and the remaining 10% on your normal and low risk clients.” Yiannis Pettemerides, Freelance Compliance Advisor, advised the seminar attendees. But, even when you heed this advice you still need to create and maintain records for all your clients on which to base your evaluations.

Gathering data and ensuring its quality is key to deploying a risk-based approach to compliance. To reduce pressure on your time and optimise data capture, find tools that help you by removing the need for duplicating data entry. Data gathered by company administration and banking activities should be readily available for compliance assessments and reporting.

To benefit from this type of cross-disciplinary collaboration you need an integrated approach to storing and accessing your data. One that also provides you with tools for generating the required reports such as group structures, client statistics and auditors’ reports, delivers alerts about suspect transactions, companies nearing or exceeding their Economic Profile limits, and reduces the time required for compliance monitoring and reporting.

The less time you spend creating records, maintaining Excel and Visio files and calculating beneficial ownership percentages, the more time you have to research clients and sources of financial transactions, activities that should form the core of your compliance activities.

Author: Claire Philpott, Senior Business Consultant, Moebius Limited.

[1] COST OF COMPLIANCE 2018, Stacey English, Susannah Hammond,

[2] European Institute of Management and Finance, ‘challenges-for-todays-compliance-officers-in-investment-firms-alternative-investment-funds’ <>


August 03 2018 | Contributed by Elias Neocleous & Co LLC

Corporate Tax, Cyprus

Shell and letter-box companies
Tax factors
Fundamentals of substance and ways to enhance it

Recent developments have underlined the need for businesses to have real substance in order to operate and benefit
from tax residence in Cyprus. Lack of proper substance may not only lead to the denial of benefits under double tax
agreements or EU directives, but may also mean that the company is unable to operate a bank account in Cyprus.

Shell and letter-box companies

On 14 June 2018 the Central Bank of Cyprus issued a circular to credit institutions that it regulates, advising them
against opening new bank accounts or continuing existing accounts with companies that are regarded as so-called
‘shell’ or ‘letter-box’ companies. These guidelines are due to be incorporated into the Central Bank’s Anti-money
Laundering Directive in the near future.
A ‘shell’ company is defined in the circular as an entity which is not publicly traded and which:
• has no physical presence in its country of domicile, apart from a mailing address;
• has no established economic activity, little to no independent economic value and no documentary evidence to
the contrary;
• is registered in a jurisdiction in which companies are not required to file independently audited financial
statements; or
• has a tax residence in a jurisdiction recognised as a tax haven or has no tax residence.

‘Physical presence’ implies having real management located within a country, carried out by individuals possessing
the knowledge and experience needed to run the business. The existence of employees is another factor indicating
physical presence. While it may be necessary and useful for other reasons, representation by means of nominee
services provided by agents (eg, lawyers or corporate service providers) does not constitute physical presence.
The guidelines stipulate that trading companies with no effective place of business and management, and hence no
substance, will not be permitted to maintain bank accounts in Cyprus. Further, trading companies incorporated in
jurisdictions recognised as tax havens must become tax resident in an appropriate tax jurisdiction in order to
continue banking in Cyprus.
These restrictions do not apply to holding companies which own investments in shares, intangible or other assets,
including real estate or ships, companies undertaking group financing activities or acting as group treasurer or
companies established to facilitate currency trades, asset transfers or corporate mergers, provided that their
beneficial ownership is identifiable and they demonstrate that they are engaged in legitimate business.
Banks may opt to engage in a business relationship with a shell-company client, but must be able to justify their
decision and record this justification in the client file. They will need to follow a risk-based approach in dealing with
such clients. Banks are required to carry out a review of their customers to identify such companies, and must inform
the Central Bank by 31 July 2018 of the results of the review and whether they intend to continue their business
relationship with the entities concerned.

Tax factors

In addition to pressures from the banking authorities, tax authorities around the world are becoming increasingly
assertive and sophisticated, and are ready to challenge what they perceive to be abusive structures and arrangements.
With increased transparency and automatic exchange of information, Cyprus companies which do not have real
substance run tax risks, including the risk of:
• having their Cyprus tax residency status questioned;
• losing the benefits of Cyprus tax residence; and
• becoming liable to tax elsewhere.
A company lacking sufficient management and capital may be entirely disregarded by foreign tax authorities, running
the risk that – in addition to any taxes payable by the company in Cyprus – its income is imputed to the beneficial
owners in their own country and taxed there. The availability of a notional interest deduction in Cyprus incentivises
companies to increase their capital and economic substance, and to benefit from reduced taxation on new equity.
Companies with transactions with related parties increasingly face transfer pricing challenges, making transfer
pricing a compliance priority for entities carrying out cross-border transactions. Under the detailed transfer pricing
rules introduced in 2017, companies must demonstrate real substance in Cyprus in the form of adequate management
and capital.

Fundamentals of substance and ways to enhance it

The key pillars of substance are sufficiency of management and capital.
‘Sufficient management’ means having adequate corporate governance arrangements and directors with the skills,
knowledge and experience to run the business, who demonstrably make the important business decisions in Cyprus.
They must spend adequate time on the business of the company and must have real decision-making powers. They
must not be directed by company shareholders, but rather should act independently in the interests of the company.

Depending on the size of the business, the existence of an office in Cyprus, facilities and employees can be key to
enhancing substance. The operation of bank accounts, accounting and HR functions should take place in Cyprus. The
company may also actively take part in the local business community by joining:

• the Chamber of Commerce;
• the Cyprus International Businesses Association; or
• similar bodies.

The optimum degree of presence will be determined by the needs of the business. For example, if a holding company
holds only one investment and the only decision is to declare a dividend once a year, or if a financing company has
only one loan which is assessed once a year, the physical presence required is much less than for a larger business.
‘Sufficiency of capital’ means that the company has enough capital buffer to assume the risks of its operations.
Therefore, the company is not a mere conduit or proxy, and the profits or losses from the operations evidently belong
to it alone.

Any decisions made to enhance substance in Cyprus may also have an effect in other jurisdictions. Consequently,
these issues should be considered altogether, in the context of the entity or the group of which it is a part.
For further information on this topic please contact Michalis Loizou at Elias Neocleous & Co LLC by telephone (+357
25 110 110) or email ([email protected]). The Elias Neocleous & Co LLC website can be accessed at

The materials contained on this website are for general information purposes only and are subject to the
ILO is a premium online legal update service for major companies and law firms worldwide. In-house
corporate counsel and other users of legal services, as well as law firm partners, qualify for a free

Michalis Loizou
Elias Neocleous & Co LLC

Intellectual Property (IP) Tax Regime


Cyprus proposed new legislation for its intellectual property (IP) tax regime, known as the IP box regime. This is an amendment of the regime introduced by Cyprus in 2012, bringing it in line with new EU requirements and OECD (Organisation for Economic Co-operation and Development) rules against base erosion and profit shifting.

While the amended IP box regime may not benefit businesses quite as extensively as before, it still gives Cyprus a competitive edge and safeguards Cyprus’ future as a center for IP structuring.

Key provisions of the new IP box regime

The new regime applies to intangible assets developed after 1 July 2016, owned by a Cyprus entity, registered in its name either in Cyprus or abroad, and that satisfies the following criteria:

1. Qualifying intangible assets

Previously, qualifying assets were widely defined and included copyrights (literary works, dramatic works, musical works, scientific works, artistic works, sound recordings, films, broadcasts, published editions, databases, publications and software programs); patented inventions; trademarks and service marks; and designs or models applicable to products.

The new regime narrows the range of assets that qualify. Broadly speaking, a ‘qualifying intangible asset’ now means an asset which is acquired, developed or exploited by a person  to further a business (excluding intellectual property associated with marketing) and which is the result of research and development activities.

These assets include patents (as defined in the Patents Law); computer software; and other IP assets that are non-obvious, useful and novel. The person exploiting the asset must not generate annual gross revenue over €7.5 million, and if the person is a group company, the group’s revenue must not exceed €50 million.

2. Qualifying profits

Not all of a business’s profits will qualify for a favourable tax treatment. ‘Qualifying profits’ are defined as the proportion of a business’s overall income equivalent to the portion of the qualifying expenditure incurred for the qualifying intangible asset.

3. Overall income

80% of the overall income derived from the qualifying intangible asset is treated as a deductible expense.

Overall income includes royalties from the use of a qualifying intangible asset; license fees from the operation of a qualifying intangible asset; and capital gains from the sale of a qualifying intangible asset.

4. Qualifying expenditure

One of the main reasons for introducing the new regime is to ensure an entity only benefits from favourable tax treatment on IP profits if that same entity has incurred expenditure developing the IP.

‘Qualifying expenditure’ is defined as the total research and development costs incurred in any tax year, wholly and exclusively for the development, improvement or creation of a qualifying intangible asset, providing such costs directly relate to the qualifying intangible asset.

This includes wages and salaries; direct costs; general expenses relating to installations used for research and development; expenses for supplies relating to research and development; and costs associated with research and development that have been outsourced to non-related persons.

Excluded from the definition are costs for the acquisition of intangible assets; interest paid or payable; costs relating to the acquisition or construction of immovable property; amounts paid or payable directly or indirectly to a related person to conduct research and development, regardless of whether these amounts relate to a cost sharing agreement; and costs which are not directly connected to a qualifying intangible asset.

Transitional arrangements

Under Cyprus’s previous IP box regime, businesses could reduce their tax on gross income derived from an intangible asset by 80% (after deduction of direct costs and amortisation over five years). This could result in an effective tax rate of 2.5% or lower.

For businesses within the regime before the proposed changes on 1 July 2016, transitional provisions allow them to continue benefiting on the same basis until 30 June 2021 for intangible assets which were:

  1. acquired before 2 January 2016;
  2. acquired from a related person between 2 January 2016 and 30 June 2016 and at the time of acquisition were benefiting under the IP box regime or a similar scheme in another state;
  3. acquired from an unrelated person between 2 January 2016 and 30 June 2016; or
  4. developed between 2 January 2016 and 30 June 2016.

The transitional rules only apply to assets which were already generating income or had completed development as at 30 June 2016.

Conclusion: an international context for the IP box regime

In today’s digital age, countries battle to attract leading technology, design and media businesses. Alongside robust protection for intellectual property (IP), monetary incentives are a key tactic. The most notable of these is favourable tax treatment on profits generated from IP exploitation.

In light of such IP regimes, the OECD and the EU have both introduced rules to prevent businesses exploiting loopholes in local and international tax law. In particular, they want to ensure businesses only benefit from a favourable IP income tax rate if those businesses have incurred expenses developing the IP.

Cyprus, together with many other jurisdictions, has now amended its IP box regime so it complies with the new international provisions. With these changes, Cyprus continues its compliance of OECD requirements for tax transparency and information sharing and demonstrates active support for the OECD’s global measures to tackle aggressive tax planning and avoidance.

The IP tax regime was introduced on 1 July 2016.


Laura Michael
Director of Client Accounting – Vistra (Cyprus) Ltd
Member of the CFA Tax & VAT Committee 

Know Your Customer: Will technology provide the ultimate solution?

A business challenge of escalating complexity and business risk

In the past, before the globalization of banking, the 9/11 terrorist attacks, and the financial crisis of 2008 increased the pressure to clamp down on money laundering activities, KYC procedures and regulations were more relaxed and less complex.

Nowadays, professional and financial services companies face a dual challenge of enhancing customer experience and increasing their satisfaction, while at the same time they are required to fulfil a complex set of constantly changing legal, KYC and due diligence requirements.

According to a survey[1] conducted by Thomson Reuters in 2016, a very high percentage (89%) of corporate customers has claimed that they did not have a good KYC experience. Moreover, the particular survey highlighted a 22% increase in the time required for on-boarding a new client, and it is estimated that this will further increase by an additional 13% in 2017 mainly due to increased pressure from regulatory authorities. Another interesting finding of the study is that service providers recognize the need to continuously adjust their processes in order to keep-up with changes in regulations. More specifically, 87% of banks and 56% of investment managers consider regulation changes the most influential factor for their KYC services.

Given the high level of customers who are reporting that they have not had a good KYC experience, it is clear that service providers are facing challenges that need to be overcome so that they avoid losing customers or engaging them into a process that has a negative impact on their overall experience.

What are the main challenges?

Creating a balance between the need to undergo an administration intense exercise of collecting KYC information without sacrificing either the efficiency or the experience when on-boarding new clients, is a challenge that needs to be addressed by all service providers.

Another challenge that must be addressed is the need to keep records up-to-date as requested by the regulatory authorities and to review them properly in a timely manner – a complex administrative process that needs to be based on accurate and timely reminders. As far as KYC documents are concerned, companies are required to ensure accuracy of their records whilst at the same time controlling access to them. Namely, a balance between making documents available to part of the organisation without exposing sensitive information to unauthorised personnel should be maintained so that organisations avoid data leaks and protect confidentiality.

Finally, the collection of information from multiple sources that provide access to due diligence data and the addition of these to the relevant data storage is another challenging task that organisations need to address if they are to optimise the whole KYC process. This is a challenge that should be addressed wisely as it can raise the relevant costs of the whole process.

In response to the above challenges, companies are seeking tools that will enable them to reduce the impact of the KYC process on their business by increasing their KYC effectiveness. In recent years we have observed a shift in the data collection process of the Compliance Officer from being predominantly paper based to being on-line and system based. The technology market has been quick to identify an opportunity for software solutions, with a plethora of KYC and compliance solutions promoted in the market place.

Parameters that shape a comprehensive technology solution

The abundance of advertised KYC solutions requires businesses to carefully assess and decide which one can support their organisation’s efforts for optimising their KYC processes.

An organisation that is able to optimise, both in terms of cost and time, their KYC process will without a doubt differentiate from the rest and thus have a competitive advantage. To capitalise on this opportunity each organisation should assess the KYC solutions available to identify the best fit to optimise their process and suit their business needs.

The list below consists of the parameters for optimisation that should be taken into consideration through the assessment process.

  • A KYC solution should be easily configurable so that it integrates all the business units that interact in the client on-boarding process.
  • A KYC solution needs to be flexible enough to provide the ability for automating complicated business workflows.
  • A KYC solution needs to be able to integrate with multiple, well-reputed sources that are being used for the collection of KYC specific data (e.g. Sanctions, PEPs, etc.). More specifically, it needs to be a solution that efficiently captures, stores and presents KYC data with limited disruption or input of the end user.
  • Finally, a KYC application should be flexible enough so that it can be easily adjusted to the changes that are commonly introduced by regulators.

A look into the possible future

Although today there are sophisticated solutions that can satisfy the basic needs of a mainstream organisation, there is nothing that solves the issue of the replication of the work that exists when establishing a new business relationship. To be specific, at the moment there is no option of cross-institution identity verification and as a result, each institution must individually verify the identity of its clients

Blockchain, an emerging technology of a distributed database, appears to promise a solution to this issue. Essentially, with Blockchain, the verification of a client takes place only once and the final result is cryptographically stored in Blockchain and available for anyone with access to the Blockchain to use during their verification purposes. This offers professional service providers the opportunity to get rid of labour intensive multi-step KYC processes as they could have the option to access a distributed database that will provide them with the requested results of these processes. More specifically, all the information relating to the client’s identity will become available to organisations with the appropriate permissions via a distributed database considered as a single source of “truth”.

While Blockchain technology appears to provide a dream solution to every Compliance Officer there is still a long way to go before it will become generally adopted. Even though this emerging and growing technology has strong advocates, its value still needs to be proven since there are serious challenges that need to be considered before its general adoption becomes a reality.

Whilst compliance is gradually moving from a paper based to a computerised process, the ultimate technological solution will only be available if the relevant authorities support the move to a single solution that institutions can access/update.

To conclude, the KYC process poses a challenge that organisations need to carefully address. For service providers the adoption of innovative solutions that automate the on-boarding of new clients can unlock the opportunity for differentiation. The high demand for KYC solutions is at the same time an incentive for the technology industry to develop innovative, integrated KYC solutions that will help organisations overcome this challenge.


Chrysostomos Filippou
Business Development Manager | Moebius Limited (CFA Supporter 2017)

[1] Thomson Reuters, 2016. Thomson Reuters 2016 Know Your Customer Surveys Reveal Escalating Costs and Complexity, London/New York: Thomson Reuters.

Criminal Liability under Cyprus Law for the Infringement of EU Restrictive Measures

On 31 July 2014, the European Union (EU) adopted a package of restrictive measures targeting sectorial cooperation and exchanges with the Russian Federation. The package consists of measures aimed at limiting access to EU capital markets for Russian State-owned financial institutions, an embargo on trade in arms, an export ban for dual-use goods for military end use and end users, and restrictions on access to certain sensitive technologies, particularly in the oil sector. The main EU Regulation is 833/2014 of 31 July 2014 concerns restrictive measures in view of Russia’s actions destabilizing the situation in Ukraine, as amended (the “Regulation”). The Regulation has, inter alia, applied restrictions on access to the capital markets for certain financial institutions and other entities (the “Listed Entities”), which are listed in the annexes to the Regulation.

The Regulation applies within the territory of the EU or to any EU nationals, whether inside or outside EU territory, and covers any legal person or entity incorporated under the laws of any member state and also any legal person in respect of any business done within the EU. Such persons or entities are not allowed to provide investment services to Listed Entities. The term “investment services” has been defined broadly as to include the reception and transmission of orders in relation to one or more financial instruments, execution of orders on behalf of clients, dealing on own account, portfolio management, investment advice, underwriting of financial instruments and/or placing of financial instruments on a firm commitment basis and any service in relation to the admission to trading on a regulated market or trading on a multilateral trading facility. It is suggested that the use of broad definitions in the Regulation is deliberate and is intended to apply to a wide range of activities. The definitions of transferable securities and money-market instruments are also broadly drafted, as the EU aims to ensure that the relevant sanctions have an extensive effect.

The restrictive measures imposed by the Regulation do not themselves create criminal offences but it is for the member states to create criminal offences while implementing the relevant sanctions in their domestic legal systems. The Regulation provides that member states shall lay down the rules on penalties applicable to infringements of the provisions of the Regulation and shall take all measures necessary to ensure that they are implemented. In April 2016, the Republic of Cyprus enacted the Law concerning the Application of the Provisions of the Resolutions or the Decisions of the UN Security Council (Sanctions) and the Decisions and Regulations of the Council of the European Union (Restrictive Measures) (the “Sanctions Law”) under which Cyprus has introduced specific measures and penalties for the breach and/or non-compliance with the Regulation and any sanctions approved by the executive or legislative bodies of the EU.

Pursuant to the Sanctions Law, the competent authorities, as those are defined by Article 59 of the Prevention and Suppression of Money Laundering Activities Law (2007-2016), are those responsible for monitoring and supervising in their respective area of responsibility.

The Sanctions Law provides that the penalties for breach of the sanctions or the restrictive measures of the EU are imprisonment not exceeding two years or a fine not exceeding €100,000 or both for natural persons and a monetary fine not exceeding €300,000 for legal entities.

EU regulations are in their entirety part of the acquis and are binding and of immediate application in the internal legal order of the EU member states. Therefore, the possible criminal liability for infringement of the restrictive measures prior to the enactment of the Sanctions Law must also be examined. It is commonly argued that any breaches of the restrictive measures prior to April 2016 constituted criminal offences under section 136 (disobedience of law) and 137 (disobedience of legal orders) of the Cyprus Criminal Code. The penalties under section 136 are up to two years of imprisonment and/or a maximum of €2,563 fine, while section 137 provides for imprisonment of two years, unless otherwise expressly provided.

It is important to note that no cases have been prosecuted for possible breach of the EU restrictive measures in Cyprus so far. It is also worth noting that the Regulation provides that actions by natural or legal persons shall not give rise to liability of any kind on their part, if they did not know, and had no reasonable cause to suspect, that their actions would infringe the measures set out in the Regulation.

The Ministry of Foreign Affairs has underlined that it is the responsibility of every EU citizen to verify and ensure that their activities do not infringe and/ or circumvent the EU restrictive measures. CFA members are advised to remain updated with the latest developments on this matter and perform rigorous checks on their clients to ensure that all services offered by them are in compliance with the applicable laws and the Regulation. Also, the relevant checks should be undertaken to establish that their clients, or affiliated or controlled entities thereof, are not sanctioned or Listed Entities.


Stella Strati
Limited Partner – Corporate Finance, Pageserve Ltd
President of the Legal & Corporate Affairs Committee

Stylianos Trillides
Legal Consultant, Pageserve Ltd

Compliance, AML and the 4th Directive: ‘The Only Constant in Life is Change’

The multiple developments and changes of the last couple of years in relation to the Service Providers’ financial environment, together with actions that need to be taken in order to ensure prevention on the one hand and monitoring on the other,  are enough to make one understand completely what Heraclitus meant by his famous statement that  “The only constant in life is change”.

Since the implementation of  Law 196(I)/2012 regulating Companies providing Administrative Services (ASPs) and Related Matters, ASPs and their Regulators have also come within the scope of the Prevention and Suppression of Money Laundering Activities Law of 2007 and its relevant amendments.

Recent local and international developments show that money laundering and terrorist financing threats are changing rapidly and the evolution of technology providing easy access to everyone, including criminals, imposes the necessity for the constant change of international and local legislation in order to counter these new threats. The leaked ‘Panama Papers’, terrorist attacks, corruption at all levels of authority and country sanctions are just some of the recent events and issues which have affected the international financial sector, without taking into consideration the additional social and other negative effects on society.

Following the adoption of a new set FATF (Financial Action Task Force) recommendations in February 2012, the European Union proceeded in May 2015 with the issuance of directive 2015/849 (The 4th EU AMLD) which all member states are obliged to implement by 26/6/2017.

The main changes of the 4Th Directive and how they affect ASPs’ day-to-day work:

1. Risk

ASPs are required to identify, understand, and mitigate their risk, documenting any such risk assessment and keep records of the assessments/updates of risk they undertake. Regulators should be in the position to understand the reasoning of each risk assessment upon any supervision. Each client will need to be assessed according to a specific documented procedure taking into consideration as a minimum risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels

The above change abolishes the existing High Risk categories i.e. Trusts, Bearer Shares, non-face-to-face clients and obliged entities will be fully accountable for any decision they make as to the Risk categorisation of each client.

Under the 4th Directive only Politically Exposed Persons – local and international – will by default remain marked as High Risk.

2. Public access to Beneficial Ownership of legal entities.

ASPs should hold available information on the beneficial ownership of all entities under their administration which information will be available to both competent authorities and their regulators.

With the implementation of the 4th directive, Cyprus, must allow public access to beneficial ownership information in an adequate, coherent and coordinated way, through central registers.  The EU directive also requests that this information remain publicly available through the national registers for 10 years after the striking off of a company from the company register. Although the final decision on how the Cyprus public register will be held and the terms and conditions under which access will be allowed are not yet specified, this is an issue that ASPs should definitely take into consideration and maintain updated records, which can be easily uploaded upon implementation.

3. Tax Crimes

These are now considered as a predicate offence for money laundering. Although under Cyprus AML law, this is already applicable, ASPs should ensure that, through their Manual Procedures and monitoring of transactions, suspicious actions of tax evasion are investigated and necessary supportive documents/measures be kept on record to avoid any such risk.

4. Gambling

Whereas until now only casino-related services were considered high-risk and thus extra care should be applied, the new era includes the entire gambling sector. ASPs should be alert for any entities related to gambling and ensure that such entities are duly regulated and their transactions monitored.

5. High-Risk Third Countries

The EU 4th Directive and EU regulation 2016/1975 empower the European Union to identify high-risk third countries, instead of maintaining a list of acceptable third countries, as exists today. Although an initial list of high-risk third countries has been drafted, no conclusive list is still available, so ASPs should ensure that, upon the risk assessment of their entity, a client’s country risk is evaluated taking into consideration whether it presents substantial money laundering and terrorist financing risks, if it fails to address these deficiencies and the level of corruption is high.

6. Administrative Sanctions.

The revised Directive contains a range of sanctions that Member states should ensure are available for systematic breaches of key requirements of the Directive, mainly in relation to customer due diligence, record keeping, suspicious transaction reporting and the internal monitoring and controls of client transactions.

Considering that the above points are only a handful of the measures that need to be taken by ASPs, who face a real danger of being exploited and of facing not only administrative sanctions but, most importantly, of jeopardizing their reputation and facing legal action, ASPs should ensure that they work in an ethically correct environment, even though, as many have observed, no system will ever be totally immune to money laundering.


Athena Yiallourou
Compliance Officer, Trident Trust Company (Cyprus) Ltd
President of the CFA AML & Compliance Affairs Committee

The Treatment of Trusts under the Common Reporting Standard: A Brief Overview

In general, a trust is affected by the Common Reporting Standard (CRS) when it is categorized as either a reporting financial institution (FI) or a non-financial entity (NFE) that maintains a financial account with a reporting FI. Reporting FIs have a duty to report either their “account holders” or the “controlling persons” if their account holders are passive NFEs, as defined by the CRS.

The CRS provides a methodology for its application to a trust. This is summarized in the following five steps that FIs (broadly comprising depositary institutions, custodial institutions, specified insurance companies and investment entities) must follow in order to ensure that the relevant information is collected and reported: (i) identification of the reporting FI; (ii) review of its financial accounts; (iii) identification of its reportable accounts; (iv) application of due diligence rules; and (v) reporting of the relevant information.

This methodology is followed below, firstly in the case of trusts that are FIs and secondly in the case of trusts that are NFEs.

A Trust as a Reporting Financial Institution (FI)

Most often, a trust will be a FI if it has gross income primarily (more than 50%) attributable to investing, reinvesting, or trading in Financial Assets and is managed by another Entity that is a FI. The words “managed by” imply that the FI has some discretionary authority to manage the assets of the trust, either in whole or in part.

In practice the words “primarily attributable to investing…” imply that the gross income attributable to the said activities of the trust should amount to 50% or more of the trust’s gross income during the shorter of:

  1. The three-year period ending on 31 December of the year preceding the year in which the determination is made, or
  2. The period during which the trust has been in existence.

A trust categorized as an FI will qualify as a reporting FI (i.e. it will have reporting obligations in respect of its account holders) if its trustees are resident in one or more participating jurisdictions, provided that these trustees are not a reporting FI themselves. In this latter case, the trustees and not the trust itself is responsible for reporting. Also, a trust categorized as a FI may not be a reporting FI in the case of retirement funds, whether broad- or narrow- participation.

A trust which is a reporting FI will have reporting obligations as far as the account holders or the controlling persons (those who hold the relevant financial accounts) are concerned. Financial accounts are defined by the CRS as “a debt or equity interest” in the trust; whilst “debt interest” is not defined in the CRS, “equity interest” effectively covers the settlors and beneficiaries plus any other natural person exercising ultimate effective control over the trust. This definition is wide enough to additionally cover the trustees(s) and even – somewhat paradoxically – the protector(s). Importantly, a discretionary beneficiary (defined as one who has no right to receive mandatory distributions) will only be treated as an account holder in the years during which it receives discretionary distributions from the trust.

The above financial accounts will be reportable if the debt and equity interests of the trust are held by a person resident in a participating or reportable jurisdiction. The due diligence rules stipulated under the CRS will need to be applied in order to identify the account holders and the jurisdiction in which they are resident. In a case where the account holder is an entity, the trust is required to identify and report the controlling person of this entity and, therefore, appropriate KYC/ AML procedures will need to be undertaken.

A trust which is a reporting FI will report the name and identification number of the trust, information about all the reportable persons. These are, typically, their name, address, tax residence, date of birth, tax identification number (TIN) and account number, the account balance (the total value of trust property – nil for discretionary beneficiaries) and any financial activity carried out during the year (value of payments or distributions made in the reporting period).

A Trust as a Non-Financial Entity (NFE)

 If a trust is not a FI, it will be a NFE. NFEs are categorised as either active NFEs (e.g. trading trusts or regulated charities) or passive NFEs, depending on their activities.

The account of a trust which is a passive NFE and which has a financial account with a reporting FI will be reportable either if (i) the trust is a reportable person or (ii) the trust has one or more controlling persons that are reportable persons.

In the event of a trust being a reportable person, the reporting FI is required to report the name and identification number of the reporting financial institution plus information about each reportable person (name, address, tax residence, TIN, date of birth and account number). Where a trust is a passive NFE, the reporting FI will report the controlling persons of the trust, as defined above.

For each of the controlling persons, the reporting FI will report the total account balance or value and the gross payments made or credited to their account. In case the financial account held by the trust is closed during the year, the fact of closure and not the financial activity will need to be reported.

A settlor is always reported, irrespective of whether the trust is revocable (i.e. where the settlor has maintained some interest or rights in the trust) or irrevocable. Unlike the case of a trust that is a FI, beneficiaries are also always reported regardless of whether they are mandatory or discretionary. However, reporting FIs may have the option to report discretionary beneficiaries in the year in which they receive distributions from the trust.

Where the controlling persons are themselves entities, the reporting FI must identify the natural persons that are ultimate controlling persons. Only a controlling person resident in a participating jurisdiction – but not the same jurisdiction as the reporting FI – is reported.

The reporting FI must carry out appropriate due diligence measures for AML/ KYC purposes in order to determine whether the account held by the trust is reportable.

More detailed guidance is given in “The CRS Implementation Handbook”, published by the Organization for Economic Co-operation and Development (OECD) with a view to assisting in the understanding and implementation of the standard. It is expected that the Cyprus Tax Department (CTD), which has been working for some time on drafting Cyprus-specific CRS provisions, will soon issue its own guidelines.


Michalis Loizou
Manager & Compliance Officer, E. Neocleous Trust Company Limited
Member of the CFA AML & Compliance Affairs Committee

Personal Data Protection: Why All the Fuss?

Data protection has become a major challenge for all kinds of organisations, both private and public, and it is one that needs to be addressed diligently. We now live in an era in which data are collected, stored, processed and used on an unprecedented scale, enabling individuals and organisations alike to carry out their day-to-day functions more efficiently. Therefore, individuals need to protect their privacy and personal data more than ever before.

Personal data relates to any type of personal information that can be used to establish your identity, either directly or indirectly. Examples of personal data are a persons’ name, passport number, e-mail address, place and date of birth. Personal data protection aims to protect the individual from the unauthorised collection and processing of such data.

In Cyprus, the Processing of Personal Data (Protection of Individuals) Law of 2001 transposes the provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In May 2016, a comprehensive package of two EU data protection Acts came into force: the General Regulation (EU) 2016/679 which repeals Directive 95/46/EC (the GDPR) and Directive 2016/680, which applies specific data protection rules in the area of law enforcement. The Regulation will be implemented as of 25 May 2018 and the Directive must be transposed into national legislation by 6 May 2018.

How Are Administrative Service Providers (ASPs) Affected?

In their everyday work, ASPs inevitably collect and process the personal data of employees, clients or other individual business associates. For the purposes of the Processing of Personal Data Law, ASPs processing personal data are considered to be Data Controllers, whose obligations include ensuring that:

  • Personal data is collected for specified and legitimate purposes and that it is not further used for incompatible purposes;
  • This data is necessary and proportional to the purposes of ASPs;
  • Personal data remains accurate and up-to-date and only for the period necessary;
  • Confidentiality and security of the processing;
  • The Commissioner for Personal Data Protection is notified of the processing of such data;
  • A license is obtained from the Commissioner before any transfer of personal data takes place to third countries outside the EU and the EEA and to countries with an adequate level of protection.[1]

How Do ASPs Ensure Compliance With Current Legislation?

For ASPs that simply collect personal data and keep a register:

  • In these cases, the Commissioner of Personal Data Protection needs to be notified in writing of the keeping of such a register.
    • The form found in Appendix I must be used for this purpose and all the details required on the form must be provided.
  • For ASPs that, in addition to the keeping of a register as identified above, process data due to the nature of their work outside the EU or EU equivalent countries (e.g., providing passport copies of individuals for the opening and managing of a bank account),
    • They must apply to the Commissioner of Personal Data Protection for the granting of a licence.
    • The form found in Appendix II must be used for this purpose and all the details required on the form must be provided.
    • A separate application needs to be made if the data is to be transferred to the USA. The form found in Appendix II is used.
    • The license will usually only be granted if the Commissioner considers that the countries ensure an adequate level of protection for the individuals.
  • A fee of €42.50 per application is payable to the Commissioner once permission is granted. The license has an expiry date where a renewal application needs to be filed accompanied by the fee of €42.50.
  • In cases where the personal data of employees is being transmitted by the ASP, the ASP can request the employee’s consent, although this consent may not be accepted in court in the course of legal action. (Please refer to Appendix III for a specimen consent form.)
  • It is also recommended that ASPs include special clauses on personal data protection in their employment contracts for new recruits, thus removing the need for written consent. Similar clauses can be also included in Customer Services agreements or engagement letters for new customers.

Your Rights As An Individual

The Law grants individuals the following rights (amongst others):

  • The right to know that your personal data is being processed;
  • The right of access to your personal data;
  • The right to correct your personal data;
  • The right to file a complaint with the Commissioner for Personal Data Protection.

The current Commissioner for Personal Data Protection is Mrs Irene Loizidou Nicolaidou. She may be contacted at:

1, Iasonos Street., 1082 Nicosia
P. O. Box 23378, 1682 Nicosia
Tel: (+357) 22818456
Fax: (+357) 22304565
e-mail: [email protected]                                                                                         

[1] According to the European Commission, the EU equivalent countries are the following: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Appendix 1

Appendix 2

Appendix 3


The information provided in this paper is for general guidance. While the author has made every attempt to ensure the accuracy of the information, the CFA and the author is not responsible for any errors, omissions or for the results obtained from the action taken from this paper. For a more detailed provision of the law, please refer to “The Processing of Personal Data (Protection of the Individuals) Law 138(I) 2001”.   


Maria Hadjivassiliou
Compliance Director, First Names (Cyprus) Ltd
Member of the CFA AML & Compliance Affairs Committee