Despite a clear strengthening of the supervisory framework to combat money laundering, Cyprus continues to face substantial challenges in operational effectiveness. This is the core finding of the new Audit Office report evaluating the functional efficiency of anti‑money laundering (AML) supervision in the banking sector, with a focus on the Central Bank of Cyprus (CBC) and Cyprus’ Unit for Combating Money Laundering and Financial Intelligence (MOKAS).
The audit was conducted jointly with the Supreme Audit Institutions of Germany, Spain, the Netherlands and Poland, based on a common audit framework aimed at comparability of results and the identification of systemic weaknesses in the European banking system. The report on the operational efficiency of AML supervision is published as Cyprus prepares for its next Moneyval evaluation in 2028.
In his foreword, Auditor‑General Andreas Papaconstantinou notes that both the Central Bank and MOKAS operate within an adequate institutional framework aligned with international standards, supported by risk‑based tools and methodologies. However, he stresses that weaknesses in staffing, internal organisation and the management of the volume of information undermine the full and timely implementation of supervisory strategy and, ultimately, the overall effectiveness of the AML system.
Cooperation issues during audit
The report also records problems in the cooperation of both authorities with the Audit Office during the audit process.
The Central Bank cited limitations, arguing that part of the requested data fell outside the Auditor‑General’s mandate. Following a meeting between the CBC Governor and the Auditor‑General, it was agreed that access to supervisory files would be granted only in the presence of a CBC officer. However, the report notes that it was not possible to fully address all questions at the required assurance level.
The Audit Office also encountered reservations regarding access to information from MOKAS, mainly due to personal data contained in suspicious transaction reports. Nevertheless, through alternative arrangements, sufficient evidence was secured to assess the quality of the reports.
Central Bank of Cyprus
In terms of outcomes, the audit notes that between 2020 and 2024 the Central Bank imposed fines of approximately €2 million on two credit institutions for three AML violations.
The CBC’s AML Service is described as operationally autonomous but suffering from staffing “constraints” relative to supervisory needs. These constraints are assessed as having affected the full application of the risk‑based approach, especially in relation to the nature, frequency, scope and intensity of inspections. The same limitations, alongside other organisational issues, appear to have affected the volume of supervisory work, implementation of annual planning and the time required to complete supervisory actions.
The Audit Office highlights particularly long intervals between on‑site inspections and the issuance of final decisions on administrative measures or sanctions. It attributes these delays mainly to lengthy internal procedures within the CBC and the multiple stages at which credit institutions have the right to present their positions. The recent organisational restructuring and the establishment of an AML Directorate in February 2025 are viewed as steps in the right direction, though their effectiveness must be assessed over time.
On governance, the report acknowledges that the AML Service was organisationally separate from other supervisory functions, but points to risks of diluted supervisory focus, noting that the head of the AML Service also held prudential supervision responsibilities over other types of institutions, while the department head simultaneously oversaw financial conduct issues.
At the same time, international assessments and supervisory findings indicate a “significant reduction” in money laundering risks in the Cypriot banking sector and improvements in due diligence practices, partly attributed to the practical impact of CBC guidance to credit institutions. However, the Audit Office warns of “de‑risking” practices that may lead to unjustified exclusion of customers, such as the non‑execution of incoming transfers for Russian nationals with residence permits who are not subject to sanctions, or obstacles faced by NGOs in accessing banking services without individualised risk assessments.
While the CBC has basic transparency mechanisms – publication of AML directives and circulars, disclosure of administrative sanctions, reporting to Parliament – the Audit Office notes that public information on supervisory effectiveness remains limited, as quantitative and qualitative indicators of AML performance are not systematically published.
MOKAS
Regarding the Unit for Combating Money Laundering (MOKAS), the Auditor‑General reports that it operates within a generally adequate institutional framework aligned with international standards, supported by defined processes, supervisory mechanisms and specialised information systems for managing and analysing suspicious transaction reports.
Between 2020 and 2024, MOKAS significantly strengthened both its human and technological resources, especially in its Analysis Division, adopting specialised tools and systems for more targeted use of information.
However, according to the report, in the 2020-2024 period, only an average of 5.5% of suspicious transaction reports submitted to MOKAS were forwarded to law enforcement authorities for further investigation, although this percentage rose gradually in 2023 and 2024. This figure excludes referrals linked to already ongoing police investigations or referrals made for purposes of additional information. Nonetheless, the data underscores the need to improve the quality and relevance of reports submitted by banks.
Despite the reinforcements, the report states that the increasing volume and evolving nature of suspicious transaction reports – particularly those involving crypto‑assets – place rising operational demands on MOKAS. A growing proportion of reports remain pending for long periods. This does not necessarily mean no analytical work has been done, but it highlights the need for continuous reassessment of resource allocation and specialisation.
Advisory Authority
The report also identifies weaknesses in the role of the Advisory Authority, which is responsible for coordinating the relevant agencies and preparing the National Risk Assessment (NRA). Despite its institutional significance, the Authority did not fully fulfil this role, with the most notable example being the failure to update the NRA since 2017. This limits the authorities’ ability to apply a coherent and evidence‑based risk‑based approach and points to underperformance in the system’s strategic coordination mechanism.
The process to update the NRA began in 2025, in view of Cyprus’s next Moneyval assessment in 2028.
Responses from supervised authorities
In a letter to the Audit Office, MOKAS responded that many reports concern low‑risk transactions, which explains the relatively low rate of cases forwarded for further investigation. MOKAS added that it applies a filtering process so that only reports with sufficient indicators move forward. It also noted that it has strengthened its staffing and technological tools, while new prioritisation mechanisms have improved the handling of high‑risk cases. The Unit acknowledged, however, the need to further improve report quality and enhance cooperation with other authorities.
The Central Bank, responding to the findings concerning its own operations, stated that it has already undertaken an organisational restructuring, including the creation of a new AML Directorate and the reinforcement of staffing with specialised personnel. Its goal, it said, is to strengthen supervisory effectiveness and improve implementation of the risk‑based approach. It added that actions are under way to improve internal processes, reduce delays and further enhance supervisory tools.