Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.217.71

CySEC Forex KYC Compliance Handbook 2026 — Cyprus whitepaper cover with Shufti certifications
For AMLCOs & MLROs at Cyprus CIFs

CySEC Forex KYC Compliance Handbook 2026

Audit-ready remote onboarding for Cyprus Investment Firms.

A practitioner handbook for AMLCOs and MLROs at forex and CFD firms. RCOS and liveness rules, multi-script document verification, sanctions and PEP screening, EDD, and the customer evidence a CySEC audit expects.

Schedule a Cyprus KYC Demo

What happens when CySEC asks for evidence?

Since 1 December 2024, the question a CySEC audit asks is no longer whether remote onboarding works. It is whether the firm can produce the evidence on demand.

Liveness records, document verification logs, AML screening trails, EDD files, and annual rescreening records all have to be present, dated, retrievable, and customer-specific. For firms with Russian, MENA, Indian, or Nepali client exposure, those records also have to show that script-aware verification and name-matching controls were in place at the point of capture.

850+CySEC on-site and remote thematic audits in 2024
€2.12MAdministrative fines on Cyprus Investment Firms in 2024
3,870STRs & SARs filed with MOKAS in 2024, up 62% year on year
Compliance officer reviewing records — the €740K fine on Exelcius Prime Ltd
€740K

The fine CySEC imposed on Exelcius Prime Ltd in August 2024 cited failure to provide required records, among other findings. The inability to produce records on demand is an enforcement risk in itself.

What Changed Under PS-01-2024 and RAD 282/2024?

The 1 December 2024 application date did not end the compliance cycle. It started the audit cycle.

RAD 282/2024 replaced the old video-call derogation and removed the deposit ceiling that capped remote onboarding. PS-01-2024 set the evidentiary standard: for unattended journeys with no staff interaction, liveness detection is required, because a static selfie alone does not prove a live person was present at capture.

Control areaBefore · pre-Aug 2024After · post-Dec 2024 RCOS
Remote ID methodVideo call, capped at a €2,000 annual depositAny risk-assessed method, no deposit ceiling
LivenessStatic selfie or no face check acceptedRequired for unattended journeys
CySEC notificationNot requiredAdvance informational notification, retained
Risk assessmentNot requiredDocumented, approved method risk assessment

The notification is informational. CySEC does not approve RCOS methods in advance, so the regulatory risk sits with the firm’s choice of method and its ability to show that choice was properly risk-assessed.

Which Clients Drive Cyprus CIF Onboarding Risk?

Cyprus has one of the EU’s highest shares of foreign residents, which puts multi-script documents and sanctions screening at the centre of daily onboarding.

Foreign nationals made up roughly 24.8% of the resident population as of January 2025, and Russian nationals are about one in five of those foreign residents, the largest single non-EU group. That mix is why customer files routinely span Cyrillic, Arabic, Devanagari, and Latin-script documents in the same workflow.

Resident composition, January 2025 — EU & Cypriot residents ~75.2%, other foreign nationals ~19.8%, Russian nationals ~1 in 5 of foreign residents

Onboarding Risk Map, by Client Segment

Each segment maps to a verification tier, from standard EU CDD (Tier 1) through non-Latin script (Tier 2) and sanctions-adjacent EDD (Tier 3) to PEP and beneficial-owner identification (Tier 4).

SegmentDocumentsScript complexityPrimary screening riskVerification tier
Russian nationals / residentsPassport, residence permitCyrillic + Latin via ICAO transliterationEU sanctions, PEPs, ownership linksTier 2–3Elevated risk
MENA clientsPassport, national IDArabic: no universal standardOFAC, EU, UN list name variantsTier 2–3Elevated risk
Indian / Nepali clientsPassport, national IDDevanagari: no ICAO standardStandard AML, PEP screeningTier 2Medium risk
EU clientsPassport, national IDLatin scriptStandard AML, PEP screeningTier 1Low risk
Corporate / UBO structuresCorporate registration, director IDsVaries by jurisdictionBeneficial ownership, PEP, sanctionsTier 4High risk

What Evidence Does a CySEC Audit Expect to See?

CySEC audits are evidence-driven: teams assess whether specific records are present, dated, organised, and retrievable.

The matrix maps each compliance area to the evidence to retain, the severity if it is missing, and the Shufti control that closes the gap. Severity is colour-keyed by audit-exposure risk.

AreaEvidence to retainShufti control
Critical · 3 items
Liveness detection recordsCriticalTimestamped method, outcome, anti-spoofing result, customer IDFace Verification, 3D liveness (iBeta Level 3 conformance)
RCOS risk assessmentCriticalSigned, dated, approved assessment; version historyWorkflow documentation; RCOS configuration evidence
CySEC notification evidenceCriticalNotification form with acknowledgement retainedRCOS implementation record
High · 5 items
HighDocument verification logOCR result, type, country, confidence, decision, dateDocument Verification, per-verification audit log
HighAML screening at onboardingLists checked, date, result, match status, overrideAML Screening across OFAC, EU, UN with override log
HighEDD documentationSource-of-funds, ownership, risk rating, review dateDue Diligence workflow + User Risk Assessment
HighAnnual rescreening recordsDate, lists, result, reviewer, escalation decisionAML Screening, scheduled rescreening
HighSTR / SAR decision trailsgoAML record, rationale, monitoring rule triggeredTransaction Screening and alert log
Medium · 1 item
Medium5-year record retentionIndexed customer file per AML Law 188(I)/2007Workflow logs + API records export

Map your evidence gaps before the next CySEC audit

Walk a Shufti specialist through each row of the matrix against your current onboarding stack, and see where liveness, screening, and EDD records fall short of the standard a CySEC auditor applies.

Schedule a Cyprus KYC demo

Why Do Cyrillic, Arabic, and Devanagari Documents Break Generic KYC?

Multi-script verification is the most persistent KYC vulnerability for Cyprus CIFs, because a system that reads these documents without native script support turns one real person into several valid name variants.

Generic OCR reads the visible printed text instead of applying transliteration logic, so the name it extracts can differ from the one on a sanctions list. The figure below decodes a Russian passport to show where that divergence begins.

Russian passport MRZ decode — the patronymic truncates to the fixed 44-char width under ICAO Doc 9303, so each transliterated form hits a sanctions list differently unless script-aware fuzzy matching is applied

Three scripts, three different problems

ScriptStandardLatin variant riskFailure mode without script-aware OCR
CyrillicICAO Doc 9303 (defined)MRZ abbreviations produce 2–3 valid formsName-match false negatives
ArabicNone; phonetic convention varies5+ valid transliterations per nameManual override on every MENA client
DevanagariNo ICAO equivalentRomanisation varies by office and reissueOne person reads as two records
LatinNot applicableDiacritics dropped inconsistentlyFalse negatives for some CEE nationals

Shufti’s Document Verification supports 10,000+ document types across 240+ countries, with proprietary OCR across 150+ languages, including native Cyrillic, Arabic, and Devanagari processing.

Why a Single Transliteration Misses Sanctions Hits

The same person can sit cleanly on one sanctions list and be missed on another, purely because each list romanises the name differently.

OFAC’s SDN list carries Latin-script entries only. The EU consolidated list holds Latin and original-script entries for many Russian and MENA entities. UN Security Council lists vary by language coverage. Only the overlap, where one normalised form matches all three, catches the entity everywhere it appears.

OFAC SDN (Latin only), EU consolidated (Latin + original), and UN Security Council (varies by language) sanctions lists — only the central overlap where one normalised form matches all three catches an entity everywhere it appears

How Should CIFs Screen Sanctions and PEPs Across Name Variants?

A name has to be normalised before screening, and that pipeline is where most false positives and false negatives originate in multi-script environments.

Normalisation removes diacritics, standardises spacing, and converts Cyrillic, Arabic, or Devanagari into Latin. Fuzzy matching then measures the edits between two name strings. A single global threshold does not hold across scripts, so firms calibrate by script and list source and keep QA evidence for grey-zone overrides.

Primary flow, steps 1–5: OCR extract, Script detect (Cyrillic/Arabic/Devanagari/Latin), Normalise to Latin, Query lists (OFAC + EU + UN simultaneously), Threshold (script-specific fuzzy-match score)
Step 6a · No matchPass & logRecorded in the customer file
Step 6b · Potential matchDocumented overrideCase-specific rationale, not a generic note
Step 7 · TerminusAudit log
Stored in the customer file, retrievable on demand

Illustrative thresholds: Latin 95%+, Cyrillic 85–90%, Arabic 80–85%. Firms document their own calibration.

Shufti’s AML Screening queries 3500+ watchlist sources across OFAC, EU consolidated lists, and UN Security Council designations, logs override decisions per customer, and schedules rescreening across the portfolio with per-customer records on each cycle.

What Must a CySEC-Ready Liveness Record Contain?

The post-implementation audit question is not whether liveness was deployed, but whether the record for each customer evidences it.

A static selfie compares a still image to a reference. It does not confirm a live person was present, and presentation attacks (printed photos, video replay, deepfakes, masks) can defeat it. A file holding only a static selfie evidences no liveness method, no timestamped outcome, and no presentation-attack detection, which is the gap a CySEC auditor looks for.

Shufti’s Face Verification uses 3D liveness detection with iBeta Level 3 conformance (ISO/IEC 30107-3), the highest presentation-attack-detection level, recording the timestamp, method, outcome, anti-spoofing result, and face-match score that a CySEC-ready liveness pack needs.

When Does a Cyprus CIF Client Trigger Enhanced Due Diligence?

As exposure rises, so does the evidence the file has to carry. A generic risk-rating label is not an EDD record.

EU Russia sanctions under Regulation 833/2014 restrict specific transactions, entities, and securities; they do not ban servicing all Russian-national clients. A CIF documents client-specific indicators (nationality, residence, beneficial ownership, source of funds, payment route, product exposure) rather than a nationality-only decision.

Standard CDD

EU national, low-risk jurisdiction, no PEP or sanctions match. Identity document, CDD assessment, onboarding screening result. Annual review.

Elevated CDD

Non-EU national, non-Latin script, no direct sanctions exposure. Standard CDD plus source-of-funds rationale. Annual review.

EDD · sanctions-adjacent

Russian national, MENA high-risk jurisdiction, FATF designation. Ownership structure, source-of-funds analysis, documented sanctions-risk assessment. Annual minimum, interim on trigger.

EDD · PEP

PEP, close associate, or family member. EDD plus source-of-wealth documentation and senior-management approval. Annual review.

MOKAS received 3,870 STRs and SARs in 2024, up 62% year on year, reflecting sharper detection of sanctions evasion, ownership masking, and third-party payment routing. Each submission needs a decision trail referencing a specific monitoring rule.

A 30-Day CySEC KYC Readiness Plan

A structured path from gap identification to documented controls, built around the four areas CySEC audits examine most closely.

1
Week 1Days 1–7

Evidence inventory

  • Inventory every area against the matrix
  • Confirm each record exists, is dated and retrievable
  • Assign an owner and deadline to each gap
2
Week 2Days 8–14

Liveness & RCOS

  • Confirm liveness produces per-customer records
  • Check the RCOS risk assessment is current
  • Spot-check 20 recent files
3
Week 3Days 15–21

Multi-script & screening

  • Sample non-Latin files for OCR logging
  • Confirm OFAC, EU, UN queried together
  • Audit overrides for case-specific rationale
4
Week 4Days 22–30

EDD & rescreening

  • Review Russia-linked files for risk indicators
  • Run rescreening past cadence
  • Compile the remediation report

How to Evaluate a KYC Vendor for CySEC Readiness

Before a CIF can build a CySEC-ready evidence layer, it has to confirm the vendor can support the standard. Score each area from 0 to 3 and total across vendors.

Scoring: 0 = not supported · 1 = partial or manual · 2 = supported, partial audit evidence · 3 = fully supported, exportable per-customer evidence.

Evaluation areaAssessment questionMaxScoring
Multi-script OCRProcesses Cyrillic, Arabic, Devanagari natively without manual escalation?3
Liveness detectionIndependently tested anti-spoofing (iBeta Level 3 conformance)?3
Liveness record formatTimestamp, method, outcome, anti-spoofing, match score per record?3
AML screening coverageOFAC + EU + UN with script-specific normalisation?3
Override documentationPer-customer rationale linked to a documented methodology?3
Annual rescreeningScheduled rescreening with per-customer records?3
KYC file exportComplete customer file as a single audit package?3
Certifications & deploymentISO 27001, SOC 2, GDPR, on-premise option?3
Readiness gauge from 0 to 24 with scoring bands: 0–16 significant gaps, 17–20 partial readiness, 21–24 positioned to support a CySEC-ready evidence layer

Build and price your CySEC stack without a sales call

Configure document verification, liveness, and AML screening for your onboarding volume and see the plan that fits, at your own pace.

Build and price your stack

Pre-Audit KYC Readiness Checklist

A self-assessment across four areas. Three or more gaps in any combination signal exposure a CySEC audit is likely to find.

Critical Immediate remediationHigh Audit exposureMedium Control weakness
AreaCheck itemSeverity
Document verificationICAO Cyrillic-to-Latin transliteration for Russian passportsCritical
Arabic documents matched without defaulting to manual overrideCritical
Devanagari handled without manual escalationHigh
OCR results and decisions logged with timestampsHigh
Sanctions & PEP screeningOFAC, EU, and UN lists queried simultaneouslyCritical
Override decisions documented with case-based rationaleHigh
All customers rescreened on a documented scheduleHigh
Fuzzy-match calibration documented by scriptMedium
RCOS & livenessUnattended RCOS includes genuine liveness, not static selfieCritical
Liveness records timestamped and stored per customerCritical
CySEC notification evidence retainedHigh
RCOS risk assessment reviewed since 1 December 2024High
EDD & record retentionHigh-risk files carry a documented sanctions-risk assessmentCritical
UBO identification at the 25% thresholdHigh
Complete customer file exportable as a single packageHigh
Records retained five years and indexed per customerMedium

Shufti for CySEC-Regulated Onboarding

For Cyprus CIFs, the goal is not only faster onboarding. It is a defensible KYC evidence layer that supports cross-border growth while cutting manual review and audit-preparation time.

Shufti combines document verification, face verification, AML screening, and workflow management in one platform. It processes Russian passports using ICAO Document 9303 transliteration, Arabic IDs with script-normalised matching, and Indian and Nepali passports in Devanagari without manual escalation. Zero-shot AI recognises new document variants without manual template configuration, and every verification record carries the OCR output, document type, country, confidence score, decision, and timestamp a customer file needs.

10,000+Actively Processed Documents Types
240+Countries and territories covered
150+Languages & scripts - Cyrillic, Arabic, Devanagari
3500+Watchlist sources for AML screening
CySEC Forex KYC Compliance Handbook 2026 — cover CySEC Forex KYC Handbook — guide page CySEC Forex KYC Handbook — guide page CySEC Forex KYC Handbook — guide page
Previous
01 - 04
Next

Certifications

Independently audited and certified for enterprise-grade security and data protection.

  • GDPR
  • GDPR Fundamentals
  • ISO 27001 Certified
  • CCPA
  • iBeta Level 1 — ISO 30107-3 Compliant
  • iBeta Level 2 — ISO 30107-3 Compliant
  • PCI DSS Compliant
  • Shufti SOC 2 Type 2 Compliant

Frequently Asked Questions

RCOS (Remote Customer Onboarding Solutions) lets Cyprus Investment Firms onboard customers remotely using risk-assessed digital verification. Under Policy Statement PS-01-2024 and Directive RAD 282/2024, unattended journeys must include liveness detection and produce retrievable audit evidence. The framework entered application on 1 December 2024.

Was This Content Helpful ?

Yes. For unattended RCOS journeys with no human staff interaction, liveness detection is required. A static selfie alone does not evidence that a live person was present at capture, which is the standard CySEC audit teams apply when they examine the verification record.

Was This Content Helpful ?

Cyprus forex and CFD firms regularly onboard customers presenting Cyrillic, Arabic, and Devanagari identity documents. Without script-aware OCR and name normalisation, the same person can produce several valid name variants, which raises false positives, false negatives, and manual review volume during sanctions screening.

Was This Content Helpful ?

Firms should retain timestamped liveness records, OCR extraction logs, AML screening results, override rationales, EDD documentation, rescreening history, and customer-level audit trails, all in retrievable formats and held for at least five years under Cyprus AML Law 188(I)/2007.

Was This Content Helpful ?

Rescreening cadence depends on customer risk rating, sanctions exposure, and the firm’s documented AML policy. Higher-risk, sanctions-adjacent, and PEP clients generally need more frequent screening, with each cycle recording the date, lists checked, result, reviewer, and escalation decision per customer.

Was This Content Helpful ?

No. EU Russia sanctions under Regulation 833/2014 and later amendments restrict specific transaction types, entities, and securities; they do not create a blanket ban on servicing all Russian-national clients. CIFs should document client-specific risk indicators (nationality, residence, beneficial ownership, source of funds, payment route, and product exposure) rather than a nationality-only determination.

Was This Content Helpful ?

A customer-level pack that lets an auditor reconstruct every decision: customer identifier, document type and country, verification timestamp, OCR result, authenticity decision, liveness method and outcome, anti-spoofing result, AML screening result, override rationale where applicable, EDD status, rescreening date, final decision and reviewer, and single-package export status.

Was This Content Helpful ?

1 December 2024, the application date for the RCOS framework introduced by PS-01-2024 and RAD 282/2024. Firms that implemented liveness, filed RCOS notifications, and updated risk assessments must now show those controls are documented, consistent, and auditable.

Was This Content Helpful ?

    search_cross_mobile

    Please complete the information below 
to download the whitepaper

    By clicking the "Submit" button, you are agreeing 
to the Terms & Conditions and Privacy Policy

    n-img-roi-cross

    Form submitted successfully!

    Thank you for your interest — your report is loading now.

    Put Audit-Ready Onboarding in Place for Cyprus CIFs

    Since 1 December 2024, CySEC’s RCOS requirements have been in active application. Explore how Shufti handles liveness, multi-script documents, AML screening, EDD, and customer-file export for Cyprus forex and CFD operator workflows.

      Let’s Tailor Your Journey

      Which products would you like to check out?

      VideoIdent

      Address Verification

      eIDV (Docless)

      KYB

      AML Screening

      Deepfake Detection

      Face and ID Verification

      Age Verification

      Others

      What is your expected yearly verification volume?

      1 to 1,000

      1,001 to 5,000

      5,001 to 20,000

      20,001 to 50,000

      50,001 to 100,000

      100,001 to 1,000,000

      1,000,000+

      Valid Invalid number

      By clicking Submit, you accept our Privacy Policy and consent to marketing communications.

      Product Guide

      Cyprus 2026 KYC Operators Guide to Improve First Pass Rate

      Product Guide

      Philippines KYC & Account-Owner Verification Playbook | Shufti

      philippines-account-owner-verification-ftr-image
      Product Guide

      Digital Lending KYC Guide for Mexico: INE/IFE, CURP, RFC, Liveness and AML Controls

      Product Guide

      Singapore KYC & AML Compliance Guide 2026 | Shufti

      Product Guide

      Mexico 2026 KYC Handbook to Improve First Pass Rate

      Product Guide

      Where Can Identity Data Legally Live? 2026 Guide | Shufti

      Product Guide

      Deepfake-Powered Identity Fraud Is Surging in 2026: Shufti’s Identity Fraud Index Report Reveals

      Product Guide

      KYC Compliance and Identity Fraud Challenge Across APAC

      Product Guide

      Brazil Bets KYC Playbook for .bet.br Operators 2026 | Shufti

      Product Guide

      Malta iGaming KYC & AML Readiness Guide 2026| Shufti

      Product Guide

      Brazil 2026 KYC Playbook to Improve First Pass Rate

      Product Guide

      Malta 2026 KYC Playbook to Improve First Pass Rate

      Product Guide

      The Deepfake Detection Gap

      Product Guide

      Choosing the Right Identity Verification Vendor for the Forex Sector

      Product Guide

      A Comprehensive Guide to Address Verification in Complex Markets

      Whitepaper

      Beyond Benchmark Accuracy: Making Deepfake Detection Work for IDV Systems

      Beyond Benchmark Accuracy: Making Deepfake Detection Work for IDV Systems
      Product Guide

      Human – Assisted Video KYC for Regulated Businesses:

      Video KYC Guide
      Whitepaper

      Re-Thinking RegTech for KYC Compliance

      KYC WhitePaper
      Product Guide

      Enterprise Guide to Choose Right Identity Verification Solution

      report

      Global Age-Verification Laws 2025 Snapshot

      report

      The Backbone of Global Trust

      report

      State of Global AML Compliance 2025

      Product Guide

      Strategic ID Verification Vendor for Crypto Industry

      report

      Market Positioning and Commercial Assessment Results Presentation

      Whitepaper

      Preventing Account Takeover Fraud with Multilayered Defense

      n-img-whitepaper-thumbnail
      Whitepaper

      The Critical 1% Closing Systemic Gaps In Global Identity Verification

      report

      Outsmarting the Deepfake Threat to Identity Trust

      n-img-outstand
      Product Guide

      Scale Without Borders

      n-img-scale-without
      report

      Streamlining Identity Verification: How Shufti Secure Capture Enhances Accuracy and Trust

      new report feature iamge
      report

      Top 10 Most Difficult Countries for Identity Verification

      n-img-report-top-10
      Whitepaper

      KYC & AML IN THE MENA Region White Paper 2023

      Frame 976
      Whitepaper

      Shufti Pro’s iGaming White Paper 2023

      Frame 995
      report

      Shufti Pro Identity Fraud Report 2022

      Frame 953
      report

      Shufti Pro Fraud Report 2021

      Frame 953 (1)
      report

      Holiday Season – The Prime Time for ID Thieves and Financial Criminals

      Frame 996
      report

      Shufti Pro Completes 4 Years of Fighting ID Fraud

      Frame 997
      report

      On-premises Identity Verification for the Banking Sector

      Frame 998
      report

      Shrinking the Space for Travel Industry Scams with Biometric Verification

      Frame 999
      Whitepaper

      Global Gambling Compliance: Regulations, Age Checks & Financial Safety

      Frame 1000
      report

      A comprehensive guide to KYC and AML compliance in Canada

      Frame 1001
      n-img-roi-cross

      Form submitted successfully!

      Thank you for your interest — your report is loading now.

      Take the next steps to better security.

      Contact us

      Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

      Contact us

      Get the Shufti newsletter

      Stay ahead of the curve with fresh takes on the latest identity innovations.

        Take the next steps to better security.

        Contact us

        Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

        Contact us

        Request demo

        Get free access to our platform and try our products today.

        Get started