Fintech 2022 Comparisons

The Fintech Market in Cyprus Over the Past 12 Months

Following a trend of constant and continuous development over these past years, the fintech market in Cyprus has significantly evolved. This follows the rise in fintech activity due to the pandemic and the turn to digital and innovative business solutions.

Crypto-activities constitute a developing area. As we explain below in this section, Cyprus has implemented a Crypto-Asset Service Provider (CASP) regime for the registration of crypto-service providers in a central registry for anti-money laundering (AML) purposes. Crypto-exchanges and cryptotrading platforms had already operated in Cyprus before the CASP regime and were given an opportunity to submit their registration documents by October 2021 to keep their operations until the examination and approval of their registration application. We expect a further increase in crypto-activities in Cyprus. Given this increased crypto-activity in Cyprus, it is unsurprising that Binance now holds a seat in Cyprus for its operations. Currently, there is no passporting for CASPs in the EU. The growth of the crypto industry manifests, also, in the adoption of government- and legislature-backed initiatives towards exploring the regulation and encouraging activity in that area. The Cyprus Securities and Exchange Commission (CySEC) has set up an Innovation Hub, where it has reported the operation of crypto-asset companies and distributed ledger technology-using trading platforms involved in the offer, transfer, and verification of financial instruments and financial instrument ownership. This Innovation Hub activity confirms the increased interest in cryptobusinesses in Cyprus.

Payment innovation is a developing fintech area attracting the interest and constituting a core business activity of both incumbents and new market entrants. Connected with the payment innovation development, banks are currently implementing digital solutions to enhance their services. Banks have focused on their digital transformation like never before: the Cyprus Banks’ Association has agreed on a Memorandum of Understanding with the government, via the Deputy Ministry of Research, Innovation and Digital Policy, on common initiatives to facilitate and expand digital transactions and banking services, aided by the use of electronic identification and electronic signature solutions, as explored by the government. In general, the banking sector is currently exploring the implementation and use of digital tools, such as remote onboarding, to improve their services, especially in the face of rising competition by start-up and emerging banking-related businesses.

The Cyprus government is currently developing an electronic identification scheme of a high assurance level to facilitate the online access to, and use of, public services by citizens. This is bound to affect the private sector, especially the banking sector (one of the strongest tenets of the domestic economy).   

Issues Bound to Impact Fintech in the Coming Year

The Cyprus government together with the House of Representatives, the assistance of other stakeholders and competent authorities (including the CySEC and the Central Bank of Cyprus (CBC)), have issued the National Strategy on Distributed Ledger Technologies (Blockchain), which constitutes a long-term plan on the deployment and increasing utilisation of distributed ledger technologies, including blockchain, in both the public and private sector. Suggesting initiatives and actions aimed at encouraging activity with blockchain, the national strategy contemplates the adoption of a distributed ledger technology-based law regulating, among others, crypto-assets and businesses operating in this area. Based on a distinction between utility, security, and payment tokens, the relevant law shall provide legal certainty to businesses engaged in crypto-activities. This, in turn, is expected to significantly increase the operation of cryptobusinesses in Cyprus.

The government has recently circulated a draft on a bespoke Blockchain Law (the consultation ended on 8 October 2021) that seeks to regulate matters such as token ownership and transfer, smart contracts and their interaction with contract law. It remains to be seen how this Blockchain Law will turn out and how it will interact with the prospective EU regulation on Markets in Crypto-Assets (MiCA) and other relevant laws. 

Recently, Cyprus transposed the fifth Anti-Money Laundering Directive (AMLD), whereby crypto-asset service providers are now considered obliged entities. The definition of crypto-asset service providers is more expansive than in the corresponding EU directive; providers of crypto-to-crypto and fiat-to-crypto exchange services, custodian wallet providers, and providers of a list of services related to crypto-assets as determined in the transposed AML law fall within the scope of the updated AML regime. Crypto-assets are defined as in the fifth AMLD with the added clarification that they explicitly exclude fiat currency, electronic money and financial instruments as defined in the applicable Investment Services Law.

The new AML law obliges crypto-asset service providers to register in a central registry before carrying out the provided crypto-asset-related services in or from Cyprus. CySEC is the competent body to oversee, monitor, and supervise the registration system and applications for the purpose of AML compliance. To that end, CySEC has issued a directive regarding the registration requirements and application conditions, and a detailed policy statement on its expectations in terms of the registration process. CySEC is currently examining the first batch of CASP applications.

The expanded scope of the transposed law follows the said National Strategy and a relevant consultation by CySEC that favoured a more comprehensive AML regulation of cryptoproviders. This indicates the will to render Cyprus a safe crypto jurisdiction. This is bound to increase crypto-activity in Cyprus.

CySEC Bespoke Rules

The CySEC has issued bespoke rules on the operation of Cyprus investment firms, authorised and operating under the relevant Investment Services Law, as crowdfunding platform operators matching fundraising, project owners with interested crowdfunding investors. These rules impose obligations on Cyprus investment firms additionally to the standard requirements for such investment firms, per the applicable investment laws. Again, this is meant to encourage crowdfunding activity, this way acknowledged as a valuable alternative financing model.

Crowdfunding providers are also regulated EU-wide through Regulation (EU) 2020/1503 on European Crowdfunding service providers for business, which has been in effect since November 2021. We expect CySEC to update its rules and applications for crowdfunding providers. The EU regulation covers investment-based and loan-based crowdfunding, and allows crowdfunding providers to offer their services in the EU upon authorisation. 

CBC Stance

The domestic fintech trend is positive. The stance of the CBC, which had been somewhat reserved in the past, is now, also, following this trend. The CBC maintained a more reserved, and cautious, position against cryptocurrencies. However, the recent implementation of the fifth AMLD in Cyprus and the adoption of a distributed technology law-centred law (that is currently in the works after the conclusion of the public consultation on the draft law as mentioned above) positively affected the CBC’s approach to cryptocurrencies. CBC is considering the setup of an Innovation Hub to help businesses under its supervision use fintech in a compliant and supervised way.     

Opening bank accounts for crypto-activities and crypto-services provision was challenging in the past, but given the more receptive approach of CBC, this has already started changing. The registration of the first CASPs in the CySEC registry is bound to facilitate the bank-account opening processed even more.

A significant business model emerging in Cyprus are fintech businesses engaged in the provision of services in relation to cryptocurrencies, mainly in cryptocurrency trading and exchange and custodian wallet providers.

Building on Existing Frameworks

The banking sector is an area that has seen and is expected to experience even further significant developments through technology. The EU Payment Services Directive (PSD II 2015/2366/EC) set the ground for the implementation of open banking channels directed at facilitating financial information exchange. Building on the relevant framework and supported by the exponential technological growth, incumbent banks develop technology-enabled strategies to increase their competitiveness against emerging businesses and new market participants.

The key areas of focus for banks’ are the establishment of their own application programming interface and the consideration of available technologies, such as biometric data and AI, to facilitate customer identification and authentication. The established framework has given rise to electronic money institutions and payment or account information service providers.

Fintech Developments

The Cypriot economy heavily relies on the banking sector, something that renders the domestic banks’ fintech orientation crucial to concurrent progress of fintech, in general, and the economy as a whole.

Connected with the fintech progress in banking services and activities, fintech businesses, especially start-ups, develop innovative and mobile payment solutions. Incumbent financial and credit institutions also integrate technology to enhance payments, thereby offering fintech-enabled payment solutions, products, and services. Incumbent banks implement remote onboarding for the engagement of new clients, and various banks have also introduced electronic signatures. A major bank has also introduced a peer-to-peer payment platform for businesses. International money transfer businesses also operate in the fintech space using new technologies for their services.

Foreign Exchange

Cyprus is a renowned and internationally recognised foreign exchange hub not least due to the early designation of foreign exchange as a regulated product under MiFID. The large and advanced foreign exchange market is a crucial component of the domestic financial services framework. Forex companies actively explore the use of technology, especially emerging technology, and the potential investment in technology-enabled products to transform their business, diversify their portfolio and venture into novel investment areas. There has been increased activity in CFDs in cryptocurrencies. Also, many investment firms engaging in forex are actively pursuing registration under the CASP regime to expand the scope of their operation.

The regulatory regime applicable to fintech industry participants in Cyprus essentially follows the regulatory regime applicable to “traditional” financial services and the Prevention and Suppression of Money Laundering and Terrorist Financing Law (AML) which, as said, specifically provides for the registration of entities as CASPs if the offer cryptoasset services in or from Cyprus.

Fintech activities, products, or services, are regulated under the existing financial services regime, depending on their nature, function, and model, and to the extent that they fall within the scope of such financial services regime, regardless of the technology they use.

The financial services framework in Cyprus consists of a complex nexus of laws, rules, and regulations, derived from EU and domestic laws. Fintech businesses could thus be subject to the existing financial services legal and regulatory framework that includes the following main laws:

• the Business of Credit Institutions Laws 1997 to 2018;
• EU banking regulations, including the EU Regulation 575/2013 on prudential requirements for credit institutions and investment firms;
• the Investment Services and Activities and Regulated Markets Law;
• for electronic money institutions, the Electronic Money Directive 2009/110/EC, as amended, and the Payment Services Directive (Directive EU 2015/2366), transposed by the domestic Electronic Money Laws;
• PSD II and the transposing law on the Provision and Use of Payments Services and Access to Payment Systems Law 2018 and 2019;
• the Securities and Cyprus Stock Exchange Laws and the Securities and Exchange Commission Law;
• the Public Offer and Prospectus Law;
• the Transparency Requirements Law;
• the Takeover Bids Law;
• the Open-ended Undertakings of Collective Investments in Transferable Securities Law;
• the Alternative Investment Funds Law and the Alternative Investment Fund Managers Law; and
• the Prevention and Suppression of Money Laundering and Terrorist Financing Law (AML).

Fintech providers can follow compensation models that are permitted based on their status determined by their licence/authorisation, the nature of their services, activities, customers. Fintech businesses would not be subject to bespoke disclosure requirements or type of compensation models but would follow the existing requirements for financial services.

CySEC has issued specific rules for investment-based crowdfunding, whereby crowdfunding platform providers (which can only be Cyprus investment firms) must provide clear and comprehensible information on the costs and charges related to the relevant crowdfunding services or investments. Further to the recent coming into force of the EU regulation on crowdfunding providers, CySEC is expected to update the relevant rules and applications. Investment- and loan-based crowdfunding providers will need to comply with the relevant regime.

Currently, the legal and regulatory framework does not distinguish between fintech industry participants and legacy players. In this sense, there are no differences between the two in terms of regulation.

Cyprus does not have a regulatory sandbox yet, but CySEC has introduced the Innovation Hub inviting regulated and non-regulated, innovative businesses to participate in a dedicated regulation-advancing, compliance-advancing and compliance-navigating space. The Hub seeks to act as the connecting block between the competent regulatory authority and innovative businesses operating in the fintech and regtech realm, encouraging the exchange of views and facilitating compliance and regulatory matters for both parties.

The requirements of participation indicate that CySEC focuses on genuine innovation connected with fintech and regtech.

Based on a recent update, CySEC will soon transform the Innovation Hub to a regulatory sandbox to expedite the growth of innovative business models. The regulatory sandbox will facilitate the operation of businesses by offering a controlled regulatory environment with oversight by the competent regulator. This is a welcome development that is bound to encourage both business and regulatory innovation. 

Fintech industry participants are subject to the supervision of different, competent regulators depending on the scope of their financial services, activities, and products. Broadly, these regulators have competence over distinct financial services sectors, banking, securities and investments, and insurance. Provided that Cyprus has not introduced a bespoke fintech regulation, thereby subjecting fintech businesses to the generally applicable financial services regime, the competence of these regulators carries on to fintech, too.

CySEC is the independent supervisory authority of the investment services market, transactions in securities, registration and supervision of CASPs for AML purposes, the Cyprus stock exchange and the other organised markets in Cyprus, and the collective investment and asset management sector.

The Central Bank of Cyprus, as part of the European System of Central Banks, contributes to the regulation of the European monetary policy. The CBC is entrusted with the general oversight of the financial system in Cyprus. Its supervisory and regulatory powers include regulating, licensing/authorising, and monitoring the operation of credit institutions, and supervising payment institutions and electronic money institutions.

The insurance sector is supervised by the Superintendent of Insurance. The Superintended of Insurance heads the Insurance Companies Control Services, which acts on the behalf and orders of the Superintended.

Service providers seeking to outsource regulated activities are subject to specific requirements emanating from applicable regulatory frameworks depending on the scope of their activity. Such service providers are usually required to obtain authorisation or pre-notify the outsourcing arrangements and report any material developments in terms of any outsourcing. Service providers must comply with the outsourcing requirements in MiFID II, PSD II, the EBA Guidelines issued on the matter, and the domestic directives, laws, and regulations issued by CBC and CySEC.

Generally, service providers must, at all times, ensure to comply with their legal obligations regardless of any existing outsourcing arrangements, including their duties against their clients. Outsourcing arrangements cannot undermine their internal control or the supervisory role of the competent regulators. In outsourcing activities, providers must consider and manage the outsourcing risks. Any outsourcing arrangements do not absolve the service providers from their obligations.

Distinguishing between Critical, Important and Non-critical Functions

The applicable frameworks distinguish between critical and important functions and non-critical functions imposing stricter requirements for the former functions. Services providers must ensure to retain access, audit, and monitoring rights to the outsourced functions, and that the entities receiving the outsourced functions are, among others, properly qualified, adhering to appropriate security and operational requirements. The EBA Guidelines on outsourcing are also relevant in this regard. They apply to credit institutions, some investment firms, payment, and electronic money institutions. These Guidelines provide specific terms and conditions that need to be in place when outsourcing critical or important functions.

Third country (meaning outside Cyprus and the EU) outsourcing might be subject to specific requirements. Special regard should also be paid to data protection under GDPR, since the transfer of personal data to third countries is subject to strict requirements. Outsourcing regulated activities of critical operation function to third-country entities might require the authorisation of these entities by their competent home authorities.

The extent of fintech providers’ responsibility as gatekeepers for any activities on their platform depends on the type of platform and activity they enable thereof. In the absence of a fintech regulation, the existing financial rules and regulations apply to fintech providers depending on the type of services they offer and enable.

Despite the lack of a comprehensive fintech regulation resulting in the application of the existing laws and regulations, CySEC has issued a directive on investment-based crowdfunding (see 2.3 Compensation Models) containing specific rules of operation for crowdfunding platform providers and indicating its approach to the supervision and regulation of fintech business models. The issued bespoke directive regulates investment-based crowdfunding and substantiates the applicable investment law. Based on this directive, only Cyprus investment firms (CIF) can act as investment-based crowdfunding providers offering platforms that enable project owners to match with interested investors. CIF must comply with the general investment law requirements and these new bespoke rules.

These rules require the CIF acting as crowdfunding platform providers to abide by transparency obligations and monitor the transparent behaviour of project owners, prevent any conflict of interest, protect investors’ funds, and safeguard the involved financial instruments, monitor the fair pricing of the crowdfunding offers, and conduct due diligence on the project owners. These rules indicate that CIF as crowdfunding fintech providers are deemed to be gatekeepers of these crowdfunding platforms. Crowdfunding providers now have to comply with the EU regulation on investment-based and lending-based crowdfunding. The relevant domestic applications and rules will need to be updated to reflect the new regulation that has come into force.

Current knowledge suggests that no significant enforcement actions have been taken by regulators for any fintech providers or the provision of fintech products. CySEC enforcement actions have largely targeted non-compliant CIF, therefore, the involvement of CIF with fintech activities is an area where enforcement actions might focus on. 

Fintech providers may be subject to other non-financial services regulations. Currently, these frameworks do not differentiate between new fintech providers and legacy players.

Privacy Obligations

Fintech providers are likely to be subject to privacy obligations having to comply with the relevant framework regulating the protection of personal data. The main legislation that subjects a wide range of businesses, including, thus, fintech providers, to data processing obligations is the EU General Data Protection Regulation (2016/679) (known as GDPR) and the respective Cyprus Law 125(I)/2018 that mainly reiterates and substantiates certain aspects of the GDPR. This privacy framework encompasses a very wide scope of processing activities and introduces heightened compliance obligations for transfer to third-country jurisdictions or the processing of sensitive data (such as biometric data that are currently extensively used and explored for fintech and regtech purposes).

Anti-money Laundering Regime

The AML regime might also apply to fintech providers. The AMLD and the relevant domestic, transposing laws apply in Cyprus and require businesses (obliged entities) to carry out checks and assessments of their clients in terms of AML risks. As explained in 1.1 Evolution of the Fintech Market, Cyprus has implemented the fifth AMLD in an encompassing way intended to encourage the safe and confident deployment of various cryptoservices and cryptobusinesses in Cyprus. A CySEC-supervised registry is setup for AML-compliance purposes. Cryptoasset service providers must apply for registration and, upon CySEC approval, register in the registry before conducting their cryptobusiness.

The scope of cryptoservice providers brought within the AML regime is quite wide, including providers of exchange services between crypto-assets and fiat to crypto-assets, custodian wallet providers, and providers of other defined services regarding crypto-assets. The new, updated AML regime opens the door for the rise of cryptoservices.

The more comprehensive and wide approach in Cyprus is consistent with the FATF recommendations and the European Commission’s proposal for a regulation in Markets in Crypto-Assets (MiCA). Cyprus, thus, seeks to impose heightened AML obligations in anticipation of a crypto-encompassing EU-wide and international standard of regulation. 

Cybersecurity Requirements

Cybersecurity requirements are relevant for fintech providers. These security requirements derive from regimes such as the PSD II for payment and open banking services and activities, and other, wider regulations. Cybersecurity requirements in Cyprus are found in various regulations, including the Electronic Commerce Law, the Law Regulating Electronic Communications and Postal Service, the Regulation and respective domestic law on electronic identification and trust services for electronic transactions in the internal market (eIDAS regime) and the privacy framework, including the GDPR. Other cybersecurity-related EU regulations are also applicable to fintech providers. eIDAS is bound to enhance the security of electronic transactions and interactions.

Marketing and Advertising Rules

Any social media content by fintech providers could be subject to the marketing and advertising rules applicable to existing financial and investment firms. In general, social media content containing marketing and advertising material must be clear, fair, and not misleading, and clearly identifiable as such. Other consumer protection laws could also apply to social media content, depending on the recipient of the content (consumer laws protect natural persons in Cyprus). The GDPR applies as well imposing specific requirements for marketing material disseminated through the use of clients’ personal data.

Software

For any software developed for use in the provision of fintech services and products, no specific regulations apply in Cyprus. Software developers should consider the implication of any cybersecurity laws and requirements, and privacy laws as described herein. Legal or economic owners of software in Cyprus may benefit from the intellectual property (IP) box regime for software developed in Cyprus which provides for up to 80% exemption from corporate income tax. 

Industry participants including fintech businesses usually need to appoint auditors to review their financial statements. Further to this, there are no requirements for industry participants to be subject to review, therefore, no other parties review the activities of industry participants, except where industry participants undergo such reviews voluntarily.        

Regulated industry participants may offer unregulated products/services or conduct unregulated activities alongside regulated products/services or activities. However, they usually do so in the same legal entity if such services may be considered as directly connected to their regulated products/services and/or activities.

It is important to note that ancillary operations which may have an adverse impact on the regulated participant, such as an increase in financial or operational risk, may be required by CySEC to be operated in a separate legal entity.

Anti-money laundering (AML) rules are a significant consideration in operating a fintech company. The new Crypto-Asset Service Provider (CASP) regime, regulating providers of crypto-services (see 1.1 Evolution of the Fintech Market) requires fintechs to register with CySEC for AML purposes and comply with all applicable AML obligations.

Fintechs, regardless of the technology they are using, might operate in areas that are regulated under the AML law. Fintechs that operate under, and fall within, the financial services regime within the remit of CySEC supervision must comply with AML obligations. This is because CySEC-regulated providers are obliged entities under the relevant AML law; hence, they must comply with AML rules.

It is good practice for fintechs to comply with AML even if they are unregulated and fall outside the scope of CySEC supervision and regulation (especially for novel business models that are for the time being outside any regulatory scope). 

Regardless of the specific business models using or deployed for robo-advice systems, robo-advisers could fall within the scope of MiFID II as investment services for financial instruments. This will trigger the application of MiFID II meaning that robo-advisers would need to be MiFID authorised. Robo-advisers have not been otherwise or further regulated in Cyprus and there has, generally, been limited guidance on the matter by domestic competent authorities.

Robo-advisers and robo-advice have been the subject of the European Securities and Markets Authority’s (ESMA) Guidelines on certain aspects of the MiFID II suitability requirements. The relevant Guidelines define the “robo-advice”, as the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system used as a client-facing tool, anticipating that investment advice and portfolio management services are mostly connected with robo-advice.

The Guidelines require entities relying on such advice to properly inform their clients of the extent and implications of so relying on robo-advice. ESMA Guidelines seek to include robo-advice to suitability assessment, and address and guard against the risks engendered by the lack of human interaction associated with advice provided using automated or semi-automated robo-advice systems.

Thus far, there has been no implementation of robo-advice solutions by legacy players.

In case robo-advisers fall within the scope of MiFID II, then the rules on customer trading will apply. These rules entail the “best execution” obligations requiring entities to hold an order execution policy, to make orders (proper recordation/execution of those orders) on the most favourable termsfor their investment clients, complying with the handling of client order rules.

The regulation of loans presents differences between individuals on the one hand, and business on the other hand (including small businesses).

Business to business lending is not prohibited or subject to specific restrictions of authorisation in Cyprus, whereas loans to individuals are subject to several consumer regulations, including the Consumer Credit Law 106(I)/2010 that transposes the Directive 2008/48/EC. This law protects consumers that include natural persons and imposes requirements on the provision of credit for up to EUR75,000. Additionally, natural persons also benefit from the protection of Unfair Contract Terms Law 93(I)/1996 that prohibits the imposition of unfair terms by credit providers.

Online lending is not common in Cyprus and has not been the subject of specific regulation.

Industry participants conduct the credit assessment of their clients pursuant to relevant directives issued by CBC. The directives provide details on specific limitations and factors that credit institutions must consider in assessing the suitability and creditworthiness of their clients.

Credit institutions must conduct proper due diligence processes and comply with the anti-money laundering regime before lending funds to any client. These obligations arise from the applicable AML regime as transposed into the domestic framework, including the recent transposition for the fifth AMLD. CBC has issued a directive on the proper risk and impact assessment that banks must conduct before accepting to onboard and grant any loans to potential clients. 

The main sources of funds for loans are deposits or other forms of repayable funds, securitisation, and own funds. Peer-to-peer lending is not particularly developed in Cyprus.

Only credit institutions licensed by the CBC can fund their lending activities by taking deposits. Cyprus banks’ primary source of their lending activities remains the deposit-taking. Online lending has yet to be deployed by any incumbent commercial bank in Cyprus.

Consistent with the limited activity in online lending, syndication of online lending does not take place in Cyprus.

Credit institutions, payment institutions, and e-money institutions can process payment activities in accordance with the respective frameworks regulating their operation. The relevant regulations enable these institutions to operate and implement payment systems, subject to applicable requirements. In practice, the payment processors use the systemic payment infrastructure for payment processing. 

Cyprus regulates payments by reference to PSD II and the domestic, transposing law. The Cyprus payment services law does not make specific provisions for cross-border payments and remittances. This law does, however, require compliance with the EC Regulation 924/2009 which obliges banks to levy the same charges on electronic payment transactions for both national and EU cross-border payments. 

Fund administration services may be provided internally by the regulated entities under the AIFM and the UCITS laws but may be delegated or outsourced to third parties, to fund administrators. Fund administrators need not be authorised by CySEC but the outsourcing arrangement must be notified with CySEC. Fund administration services usually include the provision of administrative accounting and bookkeeping services, the fund’s record keeping, maintenance of shareholder register, calculation of net asset value. While fund administration services are not regulated or licensable, fund administrators will be under the obligation to comply with certain conditions and contractual duties as determined in the applicable laws.

For portfolio management services, any outsourcing may only be carried out by a duly CySEC-authorised entity for both UCITS and AIF. 

Before any outsourcing arrangement is allowed, the outsourcing regulated entity needs to comply with certain conditions, which must and are enforced through a written agreement with the third-party. The precise conditions and requirements depend on the type of fund involved.

The outsourcing entity should ensure that the third-party is qualified or hosts employees with sufficiently good repute and experience to carry out the outsourced activities. The outsourcing entity should make sure that the outsourcing arrangements do not undermine the effective supervision of the fund or its management or activities especially towards the interests of investors. The regulated entity must be able to monitor, instruct and withdraw the outsourcing arrangements at any time, and review the provision of the outsourced services, at all times.

Essentially, the regulated entity cannot outsource such services to a such degree or nature so that it is rendered a letter-box entity. In this sense, the regulated entity’s contract must make relevant provisions to allow it to comply with its obligations and retain control over the outsourced activities. The stipulated legal conditions have a direct effect on the content of the contract.

Additionally, other contractual issues might arise, such as adhering to cybersecurity standards, the provision of services with due care and skill, following best practices, compliance with data protection laws.   

The permissible trading platforms in Cyprus are determined by reference to MiFID II, the applicable EU regime in financial instruments. Cyprus, in accordance with this regime, operates a regulated market, the Cyprus Stock Exchange), and enables trading in authorised multilateral trading facilities (MTF) and organised trading facilities (OTF). The Cyprus Stock Exchange is governed by the Securities and Cyprus Stock Exchange Laws and is supervised, as a regulated market, by CySEC.

MTF and OTF are governed by the investment services law (87(I)/2017). Market operators seeking to operate an MTF or an OTF should obtain the prior authorisation of CySEC after complying with a list of strict requirements, relating to organisational measures, transparency and non-discrimination requirements, management of technical operations, etc. The EU DLT pilot regime currently in the works will provide a controlled and regulated environment for market infrastructures based on distributed ledger technology. These market infrastructures will be DLT MTF or a DLT securities settlement system. Cryptocurrency trading or exchange in secondary venues and exchanges also trigger the application of existing or prospective regulatory regimes and will also be affected by the operation of the DLT pilot regime. 

Crowdfunding platforms also concern the regulatory framework in Cyprus. Investment- and loan-based crowdfunding on financial instruments may be only carried out by authorised providers under the EU regulation on crowdfunding providers. Cyprus had a specific regime in place, providing that only Cyprus investment firms could offer investment-based crowdfunding services, which now needs to be updated to reflect the new EU regime.

Different asset classes falling under the scope of financial instruments are largely subject to the same regulatory regime. Crypto-assets currently seem to follow this approach to the extent that they qualify as financial instruments. For now, the existing financial services laws will apply to such crypto-assets. Also, cryptocurrencies that qualify as e-money may only be issued by licensed electronic money institutions under PSD II and the national transposing law. 

Crypto-assets (falling under the definition of the CASP regime) will fall under the CASP regime. Cryptocurrencies that qualify as payment tokens are subject to this regime. See 1.1 Evolution of the Fintech Market and 2.10 Implications of Additional, Non-financial Services Regulations.

Currently, cryptocurrency exchanges are not regulated under a single, comprehensive, and tailored crypto-exchanges regime, but are regulated for AML purposes under the CASP regime. Relevant guidance by CySEC seems to suggest that cryptocurrencies falling within the scope of features and functionalities of “traditional” financial instruments would be subject to the applicable financial services regime. Further to this approach, operating a trading platform with cryptocurrencies qualifying as financial instruments could trigger the application of existing financial laws, depending on the type of cryptocurrency. Trading in such cryptocurrencies could thus constitute a regulated activity requiring authorisation or imposing specific requirements. Cryptocurrencies qualifying as e-money would also fall within the e-money regime, requiring the authorisation of an Electronic Money Institution.

Cryptocurrency exchanges are also regulated under the AML law and the CASP regime (see 1.1 Evolution of the Fintech Market and 2.10 Implications of Additional, Non-financial Services Regulations) Cryptocurrencies that qualify as payment tokens would fall under this regime and require registration with CySEC. Again, Cyprus includes both fiat-to-crypto and crypto-to-crypto exchanges in the CASP regime. 

The Emergence of Cryptocurrency

The emergence and rise of cryptocurrency exchanges have been the subject of lengthy and collaborative deliberation between the government, the legislature, and competent authorities. The domestic authorities intend to update the existing framework on cryptocurrency exchanges. For now, exchanges would be regulated if they are crypto-to-crypto or crypto-to-fiat exchanges for crypto-assets under the CASP regime. Exchanges of blockchain-based financial instruments would also be regulated under the financial services law.

The domestic bespoke blockchain law currently in the works will distinguish between payment, security, and utility cryptocurrencies will clarify and provide requirements for entities using these cryptocurrencies, including exchanges and trading platform providers. It is worth noting that the European Commission is currently proposing a Markets in Crypto-assets regulation (MiCA) that intends to cover the operation of cryptocurrency exchanges in the EU crypto-assets market for all types of crypto-assets.

The AML Directive

The fifth AMLD has also regulated aspects of cryptocurrency exchanges since it has brought entities engaging in the exchange of virtual currencies to fiat currencies within the relevant regulatory scope. Cyprus has also transposed Directive (EU) 2018/1673 on combating money-laundering by criminal law. As explained in 1.1 Evolution of the Fintech Market and 2.10 Implications of Additional, Non-financial Services Regulations, Cyprus has transposed the fifth AMLD, expanding the scope of the EU Directive to include further services offered by cryptoproviders (exchanges between crypto-assets and between fiat currencies to crypto-assets, custodian wallet providers, and providers of a set list of services determined by the AML law). 

Listing to the Cyprus Stock Exchange presupposes the publication of a prospectus per the Prospectus Regulation. The listing requirements and standards are provided by the applicable securities laws. Interested companies must abide by general listing requirements and specific-market requirements depending on the kind of regulated market and the securities to be listed (main market, alternative market, corporate bonds market, collective investment schemes markets (tradable and non-tradable)). Trading in MTF or OTF also requires meeting certain legal requirements, which are, however, less strict than the regulated market requirements.

Listing to unregulated exchanges is not subject to specific laws and regulations. It depends on the contractual terms imposed by the unregulated cryptocurrency exchange.

The rules on order handling in Cyprus stem from MiFID II requiring the adoption of such measures that allow the prompt, fair, and expeditious execution of client orders, considering other clients’ orders. 

Investment-based crowdfunding is subject to a specific CySEC-issued directive. For details, see 1.1 Evolution of the Fintech Market. The recent coming into force of the EU regulation on crowdfunding allows crowdfunding providers to offer crowdfunding services across the EU after authorisation on investment-based and loan-based crowdfunding. For other types of peer-to-peer platforms, no specific regulation or guidance has been issued. The type of crowdfunding instruments, the involvement, and the extent of involvement of participants and crowdfunding platform providers are most likely to impact the potential regulation of crowdfunding.

For now, peer-to-peer trading platforms have not been widely used in Cyprus. CySEC has authorised providers who are interested in launching a peer-to-peer trading platform for binary options. Based on the general fintech market trend in Cyprus, peer-to-peer is expected to first impact and encourage adoption by new fintech players. 

Similar to order handling rules, the best execution of customer trade rules derive from MiFID II. These rules are reiterated in the national investment services law. Investment firms shall take measures to ensure that when executing orders for their clients they obtain the best possible result for their clients considering certain factors stipulated in the applicable law. The best execution principle does not apply where the client determines how to carry out the trade order. 

Regulated investment firms in Cyprus are subject to the inducement regime entailed in MiFID II. Specifically, investment firms should not receive any remuneration, discount, or non-monetary benefit for routing client orders to a particular trading venue.

The basic principles of market integrity against market abuse are based on the Market Abuse Regulation, (EU) 596/2014 and the Directive 2014/57/EU on criminal sanctions for market abuse, the Market Abuse Directive. The principles apply to the regulated market, and the entities operating an MTF or OTF.

The applicable regime seeks to protect the markets against insider dealings and the unlawful disclosure of inside information, and market manipulation. At the same time, this regime seeks to protect legitimate market practices to prevent the undue restriction of market practices.   

High-frequency and algorithmic trading are regulated by MiFID II and the investment services law in Cyprus. Consequently, algorithmic trading is regulated in relation to financial instruments, and not asset classes that are outside the scope of these instruments.

Any investment firm engaging in algorithmic trading is under specific requirements connected with this trading technique. These requirements relate to the algorithmic system’s resilience and capacity, appropriate trading thresholds and limits, and the prevention of any order sending or operation of the system that could contribute to a disorderly market. The algorithmic trading-engaging investment firm must also have effective plans to deal with any potential failure of the system, monitor and test the system, and ensure that effective systems and risk controls are in place to prevent the use of algorithmic trading against the market integrity.

These firms must notify CySEC of their participation in any trading venue and, in turn, CySEC may require the regular or ad-hoc provision of details on their use of algorithmic trading. Investment firms engaging in high-frequency algorithmic trading must also keep a full record of the placed, cancelled, and executed orders and trading quotations which they should be able to make available to CySEC upon request.

Regulated markets may impose higher fees to higher-frequency algorithmic trading-using firms and must be able to flag with the market participants any orders made by algorithmic trading.

The investment services law framework regulates the players seeking to implement a market making strategy using algorithmic trading. According to MiFID II and the Cyprus investment services law, after considering a number of factors relating to the liquidity, scale, and nature of the relevant market and the features of the traded instrument, must act as a market maker during a provided portion of the trading venue’s trading hours and enter into a binding written agreement with the trading venue to regulate these trading hours and ensure that effective systems and controls are and remain in place.

The applicable law on algorithmic trading does not distinguish between funds and dealers.

Current knowledge suggests that no specific rules apply to algorithmic trading developers as software programmers/developers. In case the programmers develop software of algorithmic trading that grants them control over the trading practice or extends beyond the scope of mere software development, they could be subject to the provision of investment services as a regulated practice. 

Investment research and financial analysis are ancillary services per MiFID II. Further to this, no specific authorisation is granted by CySEC for the sole provision of ancillary services. Investment firms may be authorised for the provision of core investment services and extend the scope of authorisation to ancillary services, such as the investment research and financial analysis services.

Spreading rumours and other unverified information relating to financial instruments regulated under MiFID II can trigger the application of the market abuse framework (see 7.9 Market Integrity Principles). False, unverified, or rumour-based information circulating could amount to market manipulation or disrupt the market integrity.

Cyprus does not specifically regulate financial research platforms and the posting of any information by third parties. The operators of financial research platforms, to the extent applicable to financial instruments, must abide by the principles of the market abuse regulation preventing the spreading of inside information or the operation of any market manipulative actions in the platform. Any such activity must be reported.

The Law on Insurance and Reinsurance Businesses regulates the activities of insurance companies, and insurance brokers, agents, mediators. In terms of underwriting, the law offers general conditions on underwriting risks for life or non-life insurance products. In this sense, industry participants use various underwriting processes ensuring to comply with the general and wide principles of underwriting provided in the law.

The law on insurance and reinsurance businesses in Cyprus differentiates between life and non-life (general) insurance. Under each of these categories, specific types of insurance apply. Both types of insurance are regulated and require the authorisation of the Superintendent of Insurance. While for the most part, the authorisation remains distinct for the pursuit of either life or non-life insurance activities, entities authorised for life insurance may obtain authorisation for a part of non-life insurance activities and vice versa. 

Regtech providers are not likely to be regulated in Cyprus. Regtech providers usually rely on technology to offer technical support and services that facilitate compliance with applicable regulatory obligations. This means that for the most part, regtech providers will not engage in financial regulated activities.

This is not absolute since where regtech providers offer services that could be covered under any applicable financial regulatory framework, this would render them, regulated providers. In this sense, the precise type of activities carried out by regtech providers might result in the application of specific regulations.

Regtech providers could also be subject to non-financial regulations such as the applicable privacy and GDPR obligations.

Financial services firms seeking to engage technology providers for part of their services need to comply with the applicable outsourcing arrangements. As explained, the type of function outsourced to the regtech/technology provider, meaning if it is critical or important, or not, creates distinct obligations on the financial services firm. As per the EBA Guidelines, the financial services firm may be a credit institution, a payment or e-money institution, and some kinds of investment firms. For more details on outsourcing arrangements see 2.7 Outsourcing of Regulated Functions.

Blockchain has yet to be implemented by traditional players in the financial industry, but traditional industry participants have demonstrated interest in exploring the potential use of blockchain. The incumbents’ interest has increased in anticipation of the DLT-focused legislation that the government and the house of representatives have proposed to implement in their collaborative National Strategy. The relevant legislation is currently in the drafting process, has concluded its consultation period, and is expected in the near future.

The academic sector in Cyprus has been particularly active in implementing or promoting the use of blockchain. The University of Nicosia became the first university in the world to offer a Master’s degree in digital currency and has established the Institute of Future, aimed at exploring the use of blockchain together with other emerging technologies, such as artificial intelligence and the internet of things.   

Financial services providers use blockchain and blockchain-based assets (cryptocurrencies) for their services. Trading activities have increased in this respect. Start-up projects are also using blockchain to provide innovative services. NFTs are becoming increasingly popular within the domestic blockchain sector.

Local regulators hold diverse views and take varying actions in response to blockchain. For the time being, blockchain used in financial services is not subject to comprehensive or bespoke regulations other than the CASP regime that regulates crypto-assets for AML purposes. In the area of blockchain assets that qualify as financial instruments or e-money, our understanding of local regulators’ views on blockchain is informed by reference to various warnings, circulars, piecemeal rules, and strategy plans.

Blockchain-Enabled Activities

As a starting point, blockchain-enabled activities, services, and products, including cryptocurrencies, initial coin offerings, decentralised finance, non-fungible tokens and activities in the Metaverse are not prohibited, or restricted by any specific law but depending on the nature of the activity, service and products, may or may not trigger certain regulatory frameworks. The most obvious, positive reception of blockchain by regulators is the Strategy issued for Distributed Ledger Technologies including Blockchain. There, the national executive and legislative branches lay down a national plan on promoting the use of blockchain across the public and private sector, describing specific use cases and delineating their future actions. The Strategy prioritises the improvement of the provision of financial services using blockchain as demonstrated by the set-up of an ad-hoc committee that is explicitly empowered to assess the use of blockchain in the financial industry, and since the Strategy contemplates the adoption of legislation that will govern the use of cryptocurrencies. The said legislation has completed the consultation process and will regulate wider DLT and blockchain relevant matters, thereby facilitating the use of blockchain.

Initial coin offerings may be offerings of a security, utility, payment or hybrid token. Providers must carefully assess the nature, function, and characteristics of the type of token they offer to determine which, if any, regime applies. For security token offerings the traditional financial services law apply, while for crypto-assets, as defined in the domestic AML law (see 12.7 Virtual Currencies), the relevant CASP regime applies. This basically brings payment tokens and, potentially hybrid tokens, within scope. Utility tokens seem to fall outside the CASP regime, thereby keeping offerings of utility tokens, for the time being, outside the regulatory perimeter.

Regulatory Interest

Local financial regulators have focused their regulatory interest in blockchain uses that involve cryptocurrencies. Both CySEC and CBC have issued warnings, recommendations, and clarifications for blockchain-enabled cryptocurrencies.

CBC holds a cautious approach against cryptocurrencies and does not authorise any activities involving cryptocurrencies even if they apparently fall within CBC’s competence. CBC has repeatedly issued warnings to the public for the risks involved in using cryptocurrencies. Their volatility, the lack of relevant protections to their users, and money-laundering risks constitute the main cryptocurrency risks highlighted by CBC. As explained, the recent transposition of the fifth AMLD to the domestic framework is expected to change CBC’s cautious approach to a more receptive stance. The reserved stance was possibly because the lack of regulation, especially in terms of AML protection, posed considerable risks; these risks are now mitigated by the operation of the CySEC-supervised crypto-asset service providers’ registry and the AML obligations imposed on these providers.

CySEC has issued similar warnings to potential investors stressing the uncertain framework around cryptocurrencies. Still, CySEC has acknowledged the beneficial prospect of blockchain-using products and services by establishing the Innovation Hub to help with the regulatory and compliance matter arising by the use of innovative business models, including blockchain models. The Hub will soon transform to a regulatory sandbox. Again, the fifth AMLD is bound to influence the approach of CySEC towards crypto-activities in a positive way. CySEC is now responsible to consider and register CASPs that provide crypto-services, per the AML law. 

Regulations

In terms of regulation, CySEC has clarified that initial coin offerings could be regulated per the EU and national capital markets laws in case their structure falls within the scope of the existing regulations. Initial coin offerings for crypto-assets as defined in the AML law would be regulated under the CASP regime (1.1 Evolution of the Fintech Market and 2.10 Implications of Additional, Non-financial Services Regulations).

For derivatives on cryptocurrencies, CySEC, consistent with the relevant European Securities and Markets Authority (ESMA) decision, has issued a circular clarifying that they may constitute financial instruments under the applicable investment services law.

Consequently, investment firms interested to offer services relating to derivatives on cryptocurrencies must be properly authorised by CySEC, obliging to the general investment law requirements and the bespoke restrictions and rules issued on cryptoderivatives by ESMA, as assumed and extended by CySEC. Lately, in November 2020, and following a relevant EBA report on crypto-assets, CySEC has issued a circular dealing with the prudential treatment of crypto-assets and financial instruments relating to crypto-assets and the applicable, enhanced risk management procedures imposed on Cyprus investment firms.

As explained in 12.2 Local Regulators’ Approach to Blockchain, blockchain assets are not specifically regulated in Cyprus, other than crypto-assets under the AML law.  Blockchain assets qualifying as financial instruments, or e-money would fall under the respective financial services laws and e-money regimes. Crypto-assets defined in the AML law would also be subject to regulation; providers of such crypto-assets must be registered as CASPs. As stated in 12.2 Local Regulators’ Approach to Blockchain, derivatives on cryptocurrencies may qualify as financial instruments and trigger the applicable investment services legal framework.

Offerings of cryptocurrencies could be subject to the existing financial services laws and regulations where their structure meets the conditions of such laws and regulations. In this sense, not all blockchain assets are a form of regulated financial instruments. Only to the extent that they present financial instrument features and functionalities would the Cyprus authorities regard them as financial instruments. Offerings of crypto-assets would similarly fall under the CASP regime. Providers must carefully analyse their crypto-assets since utility tokens probably fall outside the scope of the CASP regime.

The DLT-focused law described in the Strategy anticipates a formal distinction between crypto-assets. These will be separated into security and non-security tokens (which consist of utility and payment tokens). Security tokens will present security features and qualify as transferable securities per the applicable investment services law. Utility tokens will constitute a promise for the provision of a service/product that is paid in advance with the said token, while the payment token will constitute a means of payment for acquiring services/products.

This formal distinction maintained in the Strategy seems to offer the grounds for certainty and predictability in the crypto-area, even though the precise scope and details on these tokens would need to be clarified. At the same time, the increasing use of stable coins gives rise to further questions on the formal distinction between various types of tokens, and whether the anticipated distinction would be adequate. These matters will be addressed in the adopted, blockchain-centred law pursued by the government and the MiCA Regulation. 

Issuers of blockchain assets and initial sales of blockchain assets are regulated in Cyprus in accordance with the classification of the blockchain assets. Initial coin offerings in Cyprus could trigger the application of existing financial services laws where the coins are structured in such a way that falls within the scope of the said laws. Consequently, firms involved in initial coin offerings could be subject to, among others, the Prospectus Directive, MiFID II, the Alternative Investment Fund Managers Directive, and the AMLD.

Initial sales of blockchain assets qualifying as crypto-assets under the CASP regime would need to be carried out by providers that are registered with CySEC. Therefore, issuers of such assets who offer them for sale can only do so if they are registered with CySEC. Other firms involved in the provision of services specifically listed in the AML law for CASP purposes must also register with CySEC.

CySEC has raised the risks of initial coin offerings stressing the potential risk of investors losing their whole investment capital and lacking any regulatory protection. The Strategy also raises the significant risks associated with initial coin offerings, as indicated in ESMA’s guidance on Initial Offerings and Crypto-assets, which include the risk of fraud, cyber-attacks, money laundering, and market manipulation. The Strategy recognises that once these risks are addressed, possibly through regulation, initial coin offerings could be useful and more extensively used as alternative fundraising means.   

Should the blockchain assets fall within the scope of the existing financial and investment services regime, regulators would impose the existing framework’s regulatory requirements on the trading platforms.. The provisions of the law transposing the fifth AMLD apply to entities engaging in the exchange of crypto to fiat and crypto to crypto currency services and custodian wallet providers, as well as providers of crypto-related services defined in the transposing law. These providers must apply for registration and register with CySEC before offering crypto-asset services.

The Strategy and the proposed legislation therein suggest the regulation of crypto-asset trading and exchange platforms. In this sense, crypto-asset trading platforms could be subject to bespoke provisions soon. 

Regulated funds are authorised as UCITS or Alternative Investment Funds. Funds seeking to invest in crypto assets must ensure that such assets are permitted by applicable law (for example, UCITS must only invest in transferable securities and/or other liquid financial instruments, the “permitted investments” under Section 40 of the domestic UCITS law). Funds must carefully consider the liquidity and valuation of crypto assets to ensure they qualify as permitted investments. The UCITS and AIFM Directives would apply. This is where crypto-assets do not meet the definition of a financial instrument and fall under the category of other assets under the relevant directives. In this case, depositaries must safekeep the assets. The operation of blockchain in these crypto-assets might pose difficulties in effectively safekeeping and complying with the applicable law.

The EU recognises the difficulties in safekeeping and custody requirements in its digital package proposal. In this context it seeks to introduce legislation (MiCA and the DLT pilot regime on market infrastructures) to properly classify all crypto-assets (that are not financial instruments or e-money) and regulate the custody and safekeeping to ensure that providers are able to comply with these obligations where they are dealing with blockchain assets.

CySEC has issued a circular whereby Cyprus investment firms that invest in crypto-assets need to follow the applicable prudential framework, including the obligations under the CRR Regulation (EU) 575/2013.

Any regulatory treatment of virtual currencies or blockchain assets is determined by their function, features, and structure.

The domestic fifth AML law defines a crypto-asset as “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by persons as a means of exchange or investment and which can be transferred, stored and traded electronically and it is not:

• fiat currency, or
• electronic money, or
• financial instruments as defined in Part III of Schedule 1 of the Law regarding the provision of investment services, the exercise of investment activities and the operation of regulated markets.” 

In 12.2 Local Regulators’ Approach to Blockchain and in 12.3 Classification of Blockchain Assets, it is clarified that providers of crypto-asset services must carefully assess and examine their blockchain asset. This is because utility tokens probably fall outside the scope of this definition and would therefore fall outside the scope of the AML law and the corresponding CASP regime.

The Strategy discusses virtual/crypto-assets and refers to tokens, cryptocurrencies, without delineating the precise scope of any of these terms. The adoption of formal legislation will clarify the limits and nature of all relevant terminologies, probably considering the definition of crypto-assets in the AML law. 

The Cyprus regulatory framework neither defines nor specifically regulates DeFi (Decentralised Finance). There is limited guidance on the regulation of DeFi platforms in Cyprus by competent authorities.

While DeFi is not defined in the regulation, in practice it is usually understood to refer to blockchain-based, decentralized financial services/products based on digital assets, making use of smart-contracts or decentralised applications. The unique feature of DeFi platforms and the greatest regulatory hurdles are associated with the lack of oversight or monitoring by a central authority, and the reliance on decentralised processes to operate the relevant platforms. Financial services and transactions carried out in decentralised finance platforms include the making of deposits, lending, and borrowing, receiving/charging interest, and transferring, staking, trading, and exchanging value.

Based on the kind of transactions operating in the DeFi platforms different regulatory frameworks could apply (taking deposits, for example, is a CBC-regulated activity). Other regulatory regimes that might be triggered include the anti-money laundering regime, the privacy framework, the consumer protection framework, the securities and investment services laws. DeFi-specific issues, connected with the use of a decentralised system, such as the application, and the validity and enforceability of smart contracts per the Cyprus contract law, and the attribution of liability in a decentralised network are also not clear from a legal and regulatory perspective in Cyprus.

Although there is no regulation or guidance on the way DeFi platforms are governed, many legal and regulatory issues, some raised here, will need to be analysed and addressed by the competent authorities. Such endeavour will probably require a case-by-case analysis to determine the regulatory categorisation of the activities involved as well as the applicable law and jurisdiction.

There is no official regulation on, or formal acknowledgment in a law or official guidance of, NFTs and NFT platforms in Cyprus. Yet, as with other tokens, NFTs could fall in the regulatory perimeter to the extent they present characteristics and functions of regulated instruments.

NFTs could be security or payment or insurance instruments or products, if they meet the criteria set in the existing regulation. NFT issuers and providers of services relating to NFTs would need to consider various factors around NFTs. Some of these include whether NFTs give rise to any passive proceeds/profit, how they are tradable, whether they represent insurance products, and other relevant considerations that determine the nature of NFTs. If NFTs qualify for regulated products, the existing laws and regulations will apply.

NFTs might also trigger the AML rules, even if they are not regulated under any financial services regime. NFTs might represent art, which could bring them within AML scope.        

Open banking in Cyprus is largely regulated by the EU Payment Services Directive (PSD2) and the transposing national Payment Services Law. The domestic laws do not pose specific restrictions or requirements in terms of open banking not least beyond what is contemplated by the relevant EU directive. Essentially, the relevant regulatory framework obliges credit institutions, mainly banks, in Cyprus to grant authorised third-party providers access to their clients’ data via Application Programming Interfaces (APIs).

Open banking is currently expanding in Cyprus.

Open banking is still not quite developed in Cyprus. Commercial banks, including the Bank of Cyprus and the Hellenic Bank, the two largest domestic commercial banks, have opened their APIs to developers alongside sandbox initiatives (to encourage testing and address any privacy and security concerns). There is expected to be progress in the banks opening their APIs and data to developers, since this is relatively recent.