Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Regulatory issues

Regulatory approach

How would you describe the regulatory policy for fintech products and services in your jurisdiction?

Fintech products and services are currently treated in the same way as traditional financial products and services. In other words, there is no specific regulatory framework in relation to fintech products and services, which are thus subject to the financial laws and regulations currently in existence. Fintech businesses and their products and services therefore fall under the regulatory regime that regulates the provision of financial products and services when conducting certain financial activities as provided for in the relevant legislation.

Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?

Cyprus has no fintech-specific laws or regulations in existence. The Cyprus Securities and Exchange Commission (CySEC) is in the process of assessing draft legislation on the introduction of a crowdfunding mechanism for start-ups. However, the draft legislation does not cover initial coin offerings. Further legislation may be introduced as the fintech sector in Cyprus matures and evolves, most likely in relation to digital currencies, crowdfunding and initial coin offerings.

Regulatory authorities

Which government authorities regulate the provision of fintech products and services?

The provision of fintech products and services is regulated by the same government regulators and authorities which regulate traditional financial services institutions and products, including:

  • the Central Bank, which is responsible for the authorisation, operation and supervision of all payment institutions, including all commercial banks incorporated in Cyprus;
  • the superintendent for insurance control; and
  • CySEC, which is the financial regulatory agency responsible for the supervision and control of the Cyprus Stock Exchange and controls licensed investment services companies, collective investment funds, fund management companies and consultants.

CySEC grants licences to investment firms and brokers and has the authority to impose disciplinary penalties for deviations from stock market legislation.

Financial regulatory framework

Which laws and regulations governing the provision of financial services apply to fintech businesses?

No regulatory framework applies to fintech businesses. Instead, they are subject to Cyprus’s financial and other relevant laws and regulations. Legislation governing the provision of financial services may apply to fintech businesses provided that they:

  • are not covered by an exemption; and
  • engage in or carry out certain activities specified or provided for by the relevant law – including:
    • the Business of Credit Institutions Laws 1997 to 2017;
    • various EU regulations (which have direct effect in Cyprus) dealing with banking regulation, including EU Regulation 575/2013 on prudential requirements for credit institutions and investment firms;
    • the Law on Electronic Money;
    • the Provision and Use of Payments Services and Access to Payment Systems Law 2018;
    • the Securities and Exchange Commission Law;
    • the Transparency Requirements Law;
    • the Investment Services and Activities and Regulated Markets Law;
    • the Takeover Bids Law;
    • the Public Offer and Prospectus Law;
    • the Open-ended Undertakings of Collective Investments in Transferable Securities Law;
    • the Alternative Investment Fund Managers Law;
    • the Alternative Investment Funds Law;
    • the Securities and Stock Exchange Law; and
    • the Prevention and Suppression of Money Laundering and Terrorist Financing Law.

Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?

Whether a licence is required will depend on the proposed activity and whether such activity is regulated. If the activity falls under the regulated activities, the conditions to which the fintech business may be subject depends on the category or type of fintech activity.

For example, different licensing requirements apply depending on whether the fintech business wishes to be authorised and conduct regulated activities as a:

  • banking or credit institution;
  • credit acquiring company;
  • financial leasing company or payment institution;
  • electronic money company;
  • foreign exchange company;
  • alternative investment fund; or
  • insurer.

Further, fintech businesses are subject to different conditions where they wish to set up:

  • a representative office in Cyprus;
  • as a branch or subsidiary of an entity established abroad; or
  • a representative office abroad of a fintech business incorporated and licensed in Cyprus (ie, passporting provisions).

Passporting can occur in one of two ways:

  • establishing branches in other European Economic Area (EEA) countries; or
  • providing services across the EEA on a cross-border basis.

The following entities can passport their single licence across the European Union:

  • alternative investment fund managers;
  • credit intermediaries;
  • credit institutions;
  • electronic money institutions;
  • insurers and reinsurers;
  • insurance intermediaries;
  • investment firms;
  • payment institutions; and
  • Undertakings for Collective Investment in Transferable Securities managers.

The procedure to be followed and the time required to obtain a licence or permit for the grant of a required licence therefore depends on what the proposed activity is, the relevant laws governing the same and the requirements of the relevant regulatory authority.

Are any fintech products or services prohibited in your jurisdiction?

No fintech products or services are prohibited in Cyprus. However, the majority of fintech products and services are currently unregulated and ,depending on the activities carried out or to be carried out by a fintech business, such products or services may be considered to fall under the existing regulatory framework. Thus, in such case the fintech business will need to comply with certain conditions or be licensed to conduct such activities (unless it is exempt).

Data protection and cybersecurity

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The processing and transfer of data relating to fintech products and services is governed by the EU General Data Protection Regulation (GDPR) (2016/679). The GDPR applies from 25 May 2018.

The GDPR applies to controllers or processors established in the European Union. It also contains express extra-territorial provisions and applies to controllers or processors based outside the European Union that:

  • offer goods or services to individuals in the European Union; or
  • monitor individuals within the European Union.

Controllers and processors covered by these provisions will need to appoint an EU representative, subject to certain limited exemptions.

What cybersecurity regulations or standards apply to fintech businesses?

Cyprus has implemented comprehensive provisions on cybersecurity through its information and communications technology legislative and regulatory frameworks, which also apply to fintech businesses.

Specific legislation and regulations concerning cybersecurity have been enacted through the following laws:

  • the Electronic Commerce Law (156(I)/2004);
  • the Law for the Protection of Confidentiality of Private Communications (92(Ι)/1996);
  • the Law Regulating Electronic Communications and Postal Services (112(I)/2004), last amended by Law 76(I)/2017;
  • the Legal Framework for Electronic Signatures and for Relevant Matters Law (188(I)/2004); and
  • the Processing of Personal Data Law (138(I)/2001).

Cyprus is also party to the Council of Europe Convention on Cybercrime, which was incorporated into domestic law through Law 22(III)/2004. The law deals with, among other things:

  • illegal access;
  • illegal interception;
  • data interference;
  • system interference;
  • the misuse of devices;
  • computer-related forgery;
  • computer-related fraud;
  • offences relating to child pornography;
  • offences relating to copyright infringement and related rights; and
  • penalties and measures.

Financial crime

What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?

Cyprus has put in place all of the necessary mechanisms for the prevention and suppression of money laundering and terrorist financing activities.

The provisions of the EU Fourth Anti-money Laundering Directive (2015/849/EC) regarding the prevention of the legalisation of proceeds from illegal activities or terrorist financing have been transposed into national legislation through the 3 April 2018 amendment to the Prevention and Suppression of Money Laundering Activities Law 2007 to 2016.

What precautions should fintech businesses take to ensure compliance with these provisions?

Fintech businesses and generally all physical and legal persons that conduct financial services activities must establish adequate procedures and mechanisms to protect themselves, their companies and Cyprus’s financial system from money laundering. The necessary procedures and mechanisms include:

  • measures to identify and report suspicious transactions; and
  • the know-your-client principle, which requires the industry to adhere to and apply strict procedures for maintaining accurate and up-to-date records.

Consumer protection

What consumer protection laws and regulations apply to the provision of fintech products and services?

Cyprus has a wide range of consumer protection laws, which apply to fintech products and are in line with EU consumer protection legislation, including:

  • the Sale of Goods Law;
  • the Consumer Rights Law;
  • the Unfair Commercial Practices from Businesses to Consumers Law;
  • the Consumer Credit Laws of 2010 to 2017; and
  • the Law on Credit Agreements for Consumers Relating to Residential Immovable Property.

Competition

Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?

The provision of fintech products or services raises no particular competition regulatory concerns, provided that the businesses providing such products or services respect the relevant national and EU laws and regulations.

Cross-border regulation

Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (e.g. operating jurisdiction rules and currency controls)?

No particular regulatory issues concern the provision of fintech products and services other than those which would normally apply to other businesses (eg, anti-money laundering and data protection). Exchange control limitations have been abolished in Cyprus.

Click here to view the full article.