CySEC Forex KYC Compliance Handbook 2026
Audit-ready remote onboarding for Cyprus Investment Firms.
A practitioner handbook for AMLCOs and MLROs at forex and CFD firms. RCOS and liveness rules, multi-script document verification, sanctions and PEP screening, EDD, and the customer evidence a CySEC audit expects.
What happens when CySEC asks for evidence?
Since 1 December 2024, the question a CySEC audit asks is no longer whether remote onboarding works. It is whether the firm can produce the evidence on demand.
Liveness records, document verification logs, AML screening trails, EDD files, and annual rescreening records all have to be present, dated, retrievable, and customer-specific. For firms with Russian, MENA, Indian, or Nepali client exposure, those records also have to show that script-aware verification and name-matching controls were in place at the point of capture.
The fine CySEC imposed on Exelcius Prime Ltd in August 2024 cited failure to provide required records, among other findings. The inability to produce records on demand is an enforcement risk in itself.
What Changed Under PS-01-2024 and RAD 282/2024?
The 1 December 2024 application date did not end the compliance cycle. It started the audit cycle.
RAD 282/2024 replaced the old video-call derogation and removed the deposit ceiling that capped remote onboarding. PS-01-2024 set the evidentiary standard: for unattended journeys with no staff interaction, liveness detection is required, because a static selfie alone does not prove a live person was present at capture.
| Control area | Before · pre-Aug 2024 | After · post-Dec 2024 RCOS |
|---|---|---|
| Remote ID method | Video call, capped at a €2,000 annual deposit | Any risk-assessed method, no deposit ceiling |
| Liveness | Static selfie or no face check accepted | Required for unattended journeys |
| CySEC notification | Not required | Advance informational notification, retained |
| Risk assessment | Not required | Documented, approved method risk assessment |
The notification is informational. CySEC does not approve RCOS methods in advance, so the regulatory risk sits with the firm’s choice of method and its ability to show that choice was properly risk-assessed.
Which Clients Drive Cyprus CIF Onboarding Risk?
Cyprus has one of the EU’s highest shares of foreign residents, which puts multi-script documents and sanctions screening at the centre of daily onboarding.
Foreign nationals made up roughly 24.8% of the resident population as of January 2025, and Russian nationals are about one in five of those foreign residents, the largest single non-EU group. That mix is why customer files routinely span Cyrillic, Arabic, Devanagari, and Latin-script documents in the same workflow.

Onboarding Risk Map, by Client Segment
Each segment maps to a verification tier, from standard EU CDD (Tier 1) through non-Latin script (Tier 2) and sanctions-adjacent EDD (Tier 3) to PEP and beneficial-owner identification (Tier 4).
| Segment | Documents | Script complexity | Primary screening risk | Verification tier |
|---|---|---|---|---|
Russian nationals / residents | Passport, residence permit | Cyrillic + Latin via ICAO transliteration | EU sanctions, PEPs, ownership links | Tier 2–3Elevated risk |
MENA clients | Passport, national ID | Arabic: no universal standard | OFAC, EU, UN list name variants | Tier 2–3Elevated risk |
Indian / Nepali clients | Passport, national ID | Devanagari: no ICAO standard | Standard AML, PEP screening | Tier 2Medium risk |
EU clients | Passport, national ID | Latin script | Standard AML, PEP screening | Tier 1Low risk |
Corporate / UBO structures | Corporate registration, director IDs | Varies by jurisdiction | Beneficial ownership, PEP, sanctions | Tier 4High risk |
What Evidence Does a CySEC Audit Expect to See?
CySEC audits are evidence-driven: teams assess whether specific records are present, dated, organised, and retrievable.
The matrix maps each compliance area to the evidence to retain, the severity if it is missing, and the Shufti control that closes the gap. Severity is colour-keyed by audit-exposure risk.
| Area | Evidence to retain | Shufti control |
|---|---|---|
| Critical · 3 items | ||
| Liveness detection recordsCritical | Timestamped method, outcome, anti-spoofing result, customer ID | Face Verification, 3D liveness (iBeta Level 3 conformance) |
| RCOS risk assessmentCritical | Signed, dated, approved assessment; version history | Workflow documentation; RCOS configuration evidence |
| CySEC notification evidenceCritical | Notification form with acknowledgement retained | RCOS implementation record |
| High · 5 items | ||
| HighDocument verification log | OCR result, type, country, confidence, decision, date | Document Verification, per-verification audit log |
| HighAML screening at onboarding | Lists checked, date, result, match status, override | AML Screening across OFAC, EU, UN with override log |
| HighEDD documentation | Source-of-funds, ownership, risk rating, review date | Due Diligence workflow + User Risk Assessment |
| HighAnnual rescreening records | Date, lists, result, reviewer, escalation decision | AML Screening, scheduled rescreening |
| HighSTR / SAR decision trails | goAML record, rationale, monitoring rule triggered | Transaction Screening and alert log |
| Medium · 1 item | ||
| Medium5-year record retention | Indexed customer file per AML Law 188(I)/2007 | Workflow logs + API records export |
Map your evidence gaps before the next CySEC audit
Walk a Shufti specialist through each row of the matrix against your current onboarding stack, and see where liveness, screening, and EDD records fall short of the standard a CySEC auditor applies.
Schedule a Cyprus KYC demoWhy Do Cyrillic, Arabic, and Devanagari Documents Break Generic KYC?
Multi-script verification is the most persistent KYC vulnerability for Cyprus CIFs, because a system that reads these documents without native script support turns one real person into several valid name variants.
Generic OCR reads the visible printed text instead of applying transliteration logic, so the name it extracts can differ from the one on a sanctions list. The figure below decodes a Russian passport to show where that divergence begins.

Three scripts, three different problems
| Script | Standard | Latin variant risk | Failure mode without script-aware OCR |
|---|---|---|---|
| Cyrillic | ICAO Doc 9303 (defined) | MRZ abbreviations produce 2–3 valid forms | Name-match false negatives |
| Arabic | None; phonetic convention varies | 5+ valid transliterations per name | Manual override on every MENA client |
| Devanagari | No ICAO equivalent | Romanisation varies by office and reissue | One person reads as two records |
| Latin | Not applicable | Diacritics dropped inconsistently | False negatives for some CEE nationals |
Shufti’s Document Verification supports 10,000+ document types across 240+ countries, with proprietary OCR across 150+ languages, including native Cyrillic, Arabic, and Devanagari processing.
Why a Single Transliteration Misses Sanctions Hits
The same person can sit cleanly on one sanctions list and be missed on another, purely because each list romanises the name differently.
OFAC’s SDN list carries Latin-script entries only. The EU consolidated list holds Latin and original-script entries for many Russian and MENA entities. UN Security Council lists vary by language coverage. Only the overlap, where one normalised form matches all three, catches the entity everywhere it appears.

How Should CIFs Screen Sanctions and PEPs Across Name Variants?
A name has to be normalised before screening, and that pipeline is where most false positives and false negatives originate in multi-script environments.
Normalisation removes diacritics, standardises spacing, and converts Cyrillic, Arabic, or Devanagari into Latin. Fuzzy matching then measures the edits between two name strings. A single global threshold does not hold across scripts, so firms calibrate by script and list source and keep QA evidence for grey-zone overrides.

Illustrative thresholds: Latin 95%+, Cyrillic 85–90%, Arabic 80–85%. Firms document their own calibration.
Shufti’s AML Screening queries 3500+ watchlist sources across OFAC, EU consolidated lists, and UN Security Council designations, logs override decisions per customer, and schedules rescreening across the portfolio with per-customer records on each cycle.
What Must a CySEC-Ready Liveness Record Contain?
The post-implementation audit question is not whether liveness was deployed, but whether the record for each customer evidences it.
A static selfie compares a still image to a reference. It does not confirm a live person was present, and presentation attacks (printed photos, video replay, deepfakes, masks) can defeat it. A file holding only a static selfie evidences no liveness method, no timestamped outcome, and no presentation-attack detection, which is the gap a CySEC auditor looks for.
Shufti’s Face Verification uses 3D liveness detection with iBeta Level 3 conformance (ISO/IEC 30107-3), the highest presentation-attack-detection level, recording the timestamp, method, outcome, anti-spoofing result, and face-match score that a CySEC-ready liveness pack needs.
When Does a Cyprus CIF Client Trigger Enhanced Due Diligence?
As exposure rises, so does the evidence the file has to carry. A generic risk-rating label is not an EDD record.
EU Russia sanctions under Regulation 833/2014 restrict specific transactions, entities, and securities; they do not ban servicing all Russian-national clients. A CIF documents client-specific indicators (nationality, residence, beneficial ownership, source of funds, payment route, product exposure) rather than a nationality-only decision.
EU national, low-risk jurisdiction, no PEP or sanctions match. Identity document, CDD assessment, onboarding screening result. Annual review.
Non-EU national, non-Latin script, no direct sanctions exposure. Standard CDD plus source-of-funds rationale. Annual review.
Russian national, MENA high-risk jurisdiction, FATF designation. Ownership structure, source-of-funds analysis, documented sanctions-risk assessment. Annual minimum, interim on trigger.
PEP, close associate, or family member. EDD plus source-of-wealth documentation and senior-management approval. Annual review.
MOKAS received 3,870 STRs and SARs in 2024, up 62% year on year, reflecting sharper detection of sanctions evasion, ownership masking, and third-party payment routing. Each submission needs a decision trail referencing a specific monitoring rule.
A 30-Day CySEC KYC Readiness Plan
A structured path from gap identification to documented controls, built around the four areas CySEC audits examine most closely.
Evidence inventory
- Inventory every area against the matrix
- Confirm each record exists, is dated and retrievable
- Assign an owner and deadline to each gap
Liveness & RCOS
- Confirm liveness produces per-customer records
- Check the RCOS risk assessment is current
- Spot-check 20 recent files
Multi-script & screening
- Sample non-Latin files for OCR logging
- Confirm OFAC, EU, UN queried together
- Audit overrides for case-specific rationale
EDD & rescreening
- Review Russia-linked files for risk indicators
- Run rescreening past cadence
- Compile the remediation report
How to Evaluate a KYC Vendor for CySEC Readiness
Before a CIF can build a CySEC-ready evidence layer, it has to confirm the vendor can support the standard. Score each area from 0 to 3 and total across vendors.
Scoring: 0 = not supported · 1 = partial or manual · 2 = supported, partial audit evidence · 3 = fully supported, exportable per-customer evidence.
| Evaluation area | Assessment question | Max | Scoring |
|---|---|---|---|
| Multi-script OCR | Processes Cyrillic, Arabic, Devanagari natively without manual escalation? | 3 | |
| Liveness detection | Independently tested anti-spoofing (iBeta Level 3 conformance)? | 3 | |
| Liveness record format | Timestamp, method, outcome, anti-spoofing, match score per record? | 3 | |
| AML screening coverage | OFAC + EU + UN with script-specific normalisation? | 3 | |
| Override documentation | Per-customer rationale linked to a documented methodology? | 3 | |
| Annual rescreening | Scheduled rescreening with per-customer records? | 3 | |
| KYC file export | Complete customer file as a single audit package? | 3 | |
| Certifications & deployment | ISO 27001, SOC 2, GDPR, on-premise option? | 3 |
Build and price your CySEC stack without a sales call
Configure document verification, liveness, and AML screening for your onboarding volume and see the plan that fits, at your own pace.
Build and price your stackPre-Audit KYC Readiness Checklist
A self-assessment across four areas. Three or more gaps in any combination signal exposure a CySEC audit is likely to find.
| Area | Check item | Severity |
|---|---|---|
| Document verification | ICAO Cyrillic-to-Latin transliteration for Russian passports | Critical |
| Arabic documents matched without defaulting to manual override | Critical | |
| Devanagari handled without manual escalation | High | |
| OCR results and decisions logged with timestamps | High | |
| Sanctions & PEP screening | OFAC, EU, and UN lists queried simultaneously | Critical |
| Override decisions documented with case-based rationale | High | |
| All customers rescreened on a documented schedule | High | |
| Fuzzy-match calibration documented by script | Medium | |
| RCOS & liveness | Unattended RCOS includes genuine liveness, not static selfie | Critical |
| Liveness records timestamped and stored per customer | Critical | |
| CySEC notification evidence retained | High | |
| RCOS risk assessment reviewed since 1 December 2024 | High | |
| EDD & record retention | High-risk files carry a documented sanctions-risk assessment | Critical |
| UBO identification at the 25% threshold | High | |
| Complete customer file exportable as a single package | High | |
| Records retained five years and indexed per customer | Medium |
Shufti for CySEC-Regulated Onboarding
For Cyprus CIFs, the goal is not only faster onboarding. It is a defensible KYC evidence layer that supports cross-border growth while cutting manual review and audit-preparation time.
Shufti combines document verification, face verification, AML screening, and workflow management in one platform. It processes Russian passports using ICAO Document 9303 transliteration, Arabic IDs with script-normalised matching, and Indian and Nepali passports in Devanagari without manual escalation. Zero-shot AI recognises new document variants without manual template configuration, and every verification record carries the OCR output, document type, country, confidence score, decision, and timestamp a customer file needs.
Frequently Asked Questions
RCOS (Remote Customer Onboarding Solutions) lets Cyprus Investment Firms onboard customers remotely using risk-assessed digital verification. Under Policy Statement PS-01-2024 and Directive RAD 282/2024, unattended journeys must include liveness detection and produce retrievable audit evidence. The framework entered application on 1 December 2024.
Yes. For unattended RCOS journeys with no human staff interaction, liveness detection is required. A static selfie alone does not evidence that a live person was present at capture, which is the standard CySEC audit teams apply when they examine the verification record.
Cyprus forex and CFD firms regularly onboard customers presenting Cyrillic, Arabic, and Devanagari identity documents. Without script-aware OCR and name normalisation, the same person can produce several valid name variants, which raises false positives, false negatives, and manual review volume during sanctions screening.
Firms should retain timestamped liveness records, OCR extraction logs, AML screening results, override rationales, EDD documentation, rescreening history, and customer-level audit trails, all in retrievable formats and held for at least five years under Cyprus AML Law 188(I)/2007.
Rescreening cadence depends on customer risk rating, sanctions exposure, and the firm’s documented AML policy. Higher-risk, sanctions-adjacent, and PEP clients generally need more frequent screening, with each cycle recording the date, lists checked, result, reviewer, and escalation decision per customer.
No. EU Russia sanctions under Regulation 833/2014 and later amendments restrict specific transaction types, entities, and securities; they do not create a blanket ban on servicing all Russian-national clients. CIFs should document client-specific risk indicators (nationality, residence, beneficial ownership, source of funds, payment route, and product exposure) rather than a nationality-only determination.
A customer-level pack that lets an auditor reconstruct every decision: customer identifier, document type and country, verification timestamp, OCR result, authenticity decision, liveness method and outcome, anti-spoofing result, AML screening result, override rationale where applicable, EDD status, rescreening date, final decision and reviewer, and single-package export status.
1 December 2024, the application date for the RCOS framework introduced by PS-01-2024 and RAD 282/2024. Firms that implemented liveness, filed RCOS notifications, and updated risk assessments must now show those controls are documented, consistent, and auditable.
Form submitted successfully!
Thank you for your interest — your report is loading now.
Put Audit-Ready Onboarding in Place for Cyprus CIFs
Since 1 December 2024, CySEC’s RCOS requirements have been in active application. Explore how Shufti handles liveness, multi-script documents, AML screening, EDD, and customer-file export for Cyprus forex and CFD operator workflows.

Back
Russian nationals / residents
MENA clients
Indian / Nepali clients
EU clients
Corporate / UBO structures









