FINTECH 2024
CYPRUS
Vasilis Charalambous, Antonia Frangou, Marina Theodorou, Marina K Vassiliou, Natasa Aplikiotou
(George Z Georgiou & Associates LLC)
FINTECH LANDSCAPE AND INITIATIVES
General innovation climate
- What is the general state of fintech innovation in your jurisdiction?
Cyprus is experiencing a great wave of fintech advancements. The country boasts an advantageous regulatory framework, a robust banking sector and a highly skilled workforce, all of which have fueled its progress.
As an EU member state, Cyprus benefits from the harmonization of EU financial services rules, which provide the financial services sector with high-quality, cost-effective solutions. Leveraging the passporting principle, businesses can conveniently access the broader European Union market from Cyprus.
Notably, there has been an upsurge of new fintech startups in Cyprus, complemented by established financial institutions channeling investments into innovative fintech solutions. The country has witnessed a notable influx of cutting-edge tech ventures, encompassing pioneering software like software as a service (SaaS) platforms and facilitators of payment infrastructure. In the realm of fintech, Cyprus-based companies have garnered distinct expertise in specialized domains, including payments, artificial intelligence, blockchain technologies and cryptocurrencies.
Cyprus is also a leading hub for digital banking in the European Union. Many of the country’s banks have launched innovative digital banking platforms that offer customers a wide range of features and services, such as online banking, mobile banking and contactless payments.
Government and regulatory support
- Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?
Throughout the years, the Cyprus government has sought to foster innovation within the fintech sector. It actively encourages and supports fintech companies by creating a conducive regulatory environment and offering incentives to spur further advancements. This proactive approach has nurtured a thriving ecosystem, enabling fintech firms to innovate and contribute significantly to the country’s overall economic growth and technological advancement. In particular, Cyprus has:
- established the Deputy Ministry of Research, Innovation and Digital Policy in 2020;
- the Cyprus Securities and Exchange Commission’s plans for establishing a regulatory sandbox; and
- the Central Bank’s investment into an Innovation Hub initiative.
FINANCIAL REGULATION
Regulatory bodies
- Which bodies regulate the provision of fintech products and services?
The provision of fintech products and services is overseen by several regulators, depending on the provided services and their nature.
The Cyprus Securities and Exchange Commission (CySEC) is responsible for regulating the investment services market, transactions in transferable securities carried out in Cyprus, and the collective investments and asset management sector. Additionally, it oversees companies that provide administrative services beyond the purview of the Institute of Certified Public Accountants of Cyprus, the Cyprus Bar Association and cryptoasset services providers.
The Central Bank of Cyprus (CBC), as the country’s central monetary authority, also plays an important role in licensing and supervising the operation of payment institutions and electronic money institutions.
The Commissioner for personal data protection (CPDP) oversees compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation) and the respective Cyprus law on personal data (Law 125(I)/2018). The CPDP examines complaints, conducts inquiries, promotes awareness, drives compliance, offers guidance and cooperates with other authorities.
Regulated activities
- Which activities trigger a licensing requirement in your jurisdiction?
The licensing criteria under Cypriot law are relatively comparable to those of other EU countries because the majority of financial and banking law in Cyprus is drawn from EU directives and regulations. Depending on the nature and scope of the services offered, license requirements may be required.
Any investment services or activities that are listed in section A of Annex I of the MiFID II Directive (2014/65/EU) on markets in financial instruments or Annex I of Directive 2013/36/EU on access to the activities of credit institutions and the prudential supervision of credit institutions and investment firms require a license.
Based on their structuring and activities deployed in Cyprus, various licensing requirements can be triggered for a large number of financial activities. The following providers of financial services are regulated (among others): Cyprus investment firms (CIFs), collective investment schemes, administrative services companies, alternative investment funds, cryptoasset services providers, credit institutions, payment institutions and electronic money institutions.
The provision of electronic money and payment services from Cyprus requires authorization by the CBC for the operation of any of the respective institutions that will be providing the intended services. Electronic money institutions and payment institutions are regulated by the Electronic Money Laws (Law 81(I)/2012 and Law 31(I)/2018) and the Provision and Use of Payment Services and Access to Payment Systems Laws of 2018 to 2022 that implemented the second Payment Services Directive (2015/2366/EU) (PSD2).
Consumer lending
- Is consumer lending regulated in your jurisdiction?
Consumer lending in Cyprus is regulated by the Consumer Credit Contracts Law of 2010 (Law 106(I)/2010), which mainly deals with consumer loans, current accounts and credit cards; and the Credit Agreements for Consumers in relation to Residential Immovable Property Law of 2017 (Law 41(I)/2017), which deals with mortgages and housing loans. Furthermore, the Consumer Protection Law of 2021 (Law 112(I)/2021) is relevant as it provides several articles for the protection of consumers when trading with businesses. All three laws stem from European regulations and directives.
These laws provide for, inter alia, the prohibition of unfair practices and terms in the agreements by credit institutions; provision of information concerning the agreement prior to its execution; disclosure of information on costs and charges; credit assessments that aim to prevent consumers’ over-indebtedness, etc.
Secondary market loan trading
- Are there restrictions on trading loans in the secondary market in your jurisdiction?
In relation to secondary market loan trading in Cyprus, the general principles of contract law and freedom of contracting apply, except where The Sale of Credit Facilities and Related Matters Laws of 2015 to 2022 (Law 169/2015) (the Law) applies.
This Law applies to the sale or acquiring of any credit facilities by a creditor who is:
- a credit institution authorized by the CBC;
- a credit institution that is authorized and supervised by the competent authority of another member state that has the right to provide services or to establish a branch in Cyprus;
- a financial institution that is a subsidiary of a credit institution incorporated in a member state that has the right to provide services or to establish a branch in Cyrus;
- a non-credit institution duly licensed under the Credit Agreements for Consumers relating to Residential Property Law of 2017 (Law 41(I)/2017);
- a credit acquiring company; or
- any legal entity other than the ones mentioned above that is duly authorized by the CBC to conduct and provide such services in the jurisdiction.
The Law also applies to the assignment of the management of portfolios of credit facilities to a servicer, by any of the entities described above.
According to the provisions of the Law, only the entities listed above are permitted to engage in the activity of acquiring or servicing of portfolios of credit facilities. Moreover, according to the Law, any entity intending to assume the activity of the acquisition of credit facilities in Cyprus or intending to assume the management of a portfolio of credit facilities in Cyprus, is obliged to obtain the prior approval of the CBC, except for the entities listed in points (1) to (4) above.
Collective investment schemes
- Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.
Collective investment schemes are regulated entities in Cyprus, supervised by CySEC. The exact nature of the business of a fintech company is crucial to ascertain whether the latter falls within this regime. For example, a fintech company managing assets on a pooled basis on behalf of investors should examine whether it is operating a collective investment scheme and must ensure compliance with all the regulatory obligations. On the other hand, fintech companies providing advice or payment services may be less likely to count as a collective investment scheme. Peer-to-peer lenders, marketplace lenders and crowdfunding platforms could potentially fall within the scope of the Alternative Investment Fund Managers Directive (2011/61/EU) (AIFMD), to the extent that they would qualify as (managers of) collective investment schemes.
Alternative investment funds
- Are managers of alternative investment funds regulated?
Yes, the managers of alternative investment funds are regulated under the AIFMD, the requirements of which have been transposed into national law in the Alternative Investment Fund Managers Law 2013 56(I)/2013.
Peer-to-peer and marketplace lending
- Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.
Although there is no specific regulation relating to peer-to-peer or marketplace lending in Cyprus, depending on the exact activity it might count as a regulated activity under the broader financial services industry.
Crowdfunding
- Describe any specific regulation of crowdfunding in your jurisdiction.
Securities laws apply to fintech businesses that use crowdfunding to generate funds. Cyprus has proactively initiated measures aimed at creating a specialized set of laws to govern the activities of crowdfunding service providers operating under its authority.
On 5 October 2020, the European Parliament issued the Regulation (EU) 2020/1503 (the Crowdfunding Regulation), which focuses on crowdfunding services. The Crowdfunding Regulation, which became directly effective in Cyprus, establishes common guidelines for the provision of crowdfunding services across the EU, allowing crowdfunding service providers (CSPs) to apply for an EU passport in accordance with a standardized and improved framework for investor safety. Additionally, the Crowdfunding Regulation imposes certain operational and corporate behavior standards on European CSPs in their dealings with investors.
To comply with the Crowdfunding Regulation, CySEC released Policy Statement PS-01-2023 on 13 March 2023, which, among other things, broadens the eligibility requirements and range of operations for companies looking to serve as crowdfunding service providers.
Invoice trading
- Describe any specific regulation of invoice trading in your jurisdiction.
Invoice trading is not subject to bespoke regulation in Cyprus.
Payment services
- Are payment services regulated in your jurisdiction?
In Cyprus, payment services are regulated by the Provision and Use of Payment Services and Access to Payment Systems Laws of 2018 to 2022 (the Payment Services Laws), which transposed the PSD2 into national law.
The Payment Services Laws have provisions regulating:
- the transparency of conditions and requirements for payment services;
- the rights and obligations of payment service users and payment service providers; and
- the granting of authorization, operation, and supervision of payment institutions.
The CBC is responsible for granting authorizations for the operation of payment institutions and examining applications for registration as an account information service provider.
The CBC maintains a public register that lists the payment institutions to which authorization was granted; the agents and branches acting on their behalf; the EU member states in which they have passported their activities; and the payment institutions that have been authorized by an EU competent authority and have exercised their right of establishment or freedom to provide payment services from within Cyprus.
Open banking
- Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?
The Payment Services Laws open the EU payment market to payment service companies (third-party providers), allowing them to access information on payment accounts, as long as they have obtained the license required by the Payment Services Laws to provide these types of payment-related services.
Consumers can provide their consent to their banks to allow a third-party provider of the consumer’s choice to initiate online payments to beneficiaries, such as merchants and others, directly from their bank account, and to collect and consolidate information on all of their bank accounts, so that consumers to have comprehensive information on all of their financials in a secure and regulated manner.
Robo-advice
- Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.
There is currently no specific regulatory regime in place for robo-advisers that provide retail customers with automated access to investment products in Cyprus.
It is worth noting that the Joint Committee of European Supervisory Authorities defines robo-advisers as ‘automated financial advice tools directly used by the customer’.
As MiFID II covers investor protection, it thus provides protection to customers of robo-advisers since modern robo-advisers offer a combination of investment advice and portfolio management.
The Digital Operational Resilience Act also introduced rules that regulated financial entities should follow to enhance the security of their digital financial infrastructure.
Insurance products
- Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?
Entities engaged in the business of insurance and reinsurance in Cyprus need to obtain an authorization to operate such insurance and reinsurance services, in accordance with the provisions of the Law on Insurance and Reinsurance Business and Other Related Issues of 2016 (38(I)/2016) (the Insurance and Reinsurance Law), which transposed EU Directive 2009/138/EC into national law.
The Insurance and Reinsurance Law regulates matters relating to the taking-up, pursuit and supervision of insurance and reinsurance services and the taking-up, pursuit and supervision of insurance and reinsurance products’ distribution businesses.
Credit references
- Are there any restrictions on providing credit references or credit information services in your jurisdiction?
In accordance with the Business of Credit Institutions Law of 1997 (Law No. 66(I)/1997, as amended) (the Credit Business Law) all credit institutions are obliged to participate and provide data in the exchange of data platform called Artemis. The data provided by the credit institutions (as such are defined in the Credit Business Law) in Artemis are determined by the instructions of the CBC and include data on the customer’s loans, performing or not. Such credit institutions have the right to access the data with the main purpose of evaluating the credit of their customers and more efficiently managing credit risk or other related risks.
CROSS-BORDER REGULATION
Passporting
- Can regulated activities be passported into your jurisdiction?
Yes, since Cyprus is a member state of the European Union, entities that maintain a license to contact regulated activities in any European Economic Area (EEA) country may passport their activities, either by establishing branches in other EEA countries or by providing services across the EEA on a cross-border basis without having a physical presence.
Requirement for a local presence
- Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?
A fintech entity license can be granted to a fintech company with an established presence in Cyprus, however, other fintech entities holding a license in another EEA country can passport their activities in Cyprus either by establishing branches in that other EEA country or by providing services across the EEA on a cross-border basis without having a physical presence, subject to following the applicable procedure.
For example, for the provision of electronic money services in Cyprus, an authorization must be granted by the Central Bank of Cyprus or by any other member state of the European Union pursuant to the right of establishment and the freedom to provide services, in accordance with the provisions of the applicable law.
SALES AND MARKETING
Restrictions
- What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?
There is no one-size-fits-all regulation with respect to the sales and marketing of financial services, and each area has its own requirements with respect to sales and marketing. For example, the Cyprus Securities and Exchange Commission issues sector-specific circulars from time to time, following updates from the European Securities and Markets Authority. For example, circular 473 (13 October 2021) addressed certain regulated entities and provided, inter alia, guidelines on fair, clear and not misleading marketing.
CRYPTOASSETS AND TOKENS
Distributed ledger technology
- Are there rules or regulations governing the use of distributed ledger technology or blockchains?
Cyprus is especially concerned with the disruptive implications of blockchain technology in its public and private sectors, and is laying the groundwork for the widespread use of blockchain technology. Strong private initiatives, an attractive framework and tech-friendly policies have propelled blockchain growth in the country, and this growth must be accompanied by measures that will protect investors and maintain financial stability.
Following an initiative by the Parliament of Cyprus, the implementation of decentralized technology in Cyprus was considered on a national basis for the first time in 2018. In order to support public and private initiatives using blockchain applications, the usage of distributed ledger technology (DLT) and its industrial innovation and development, the Council of Ministers adopted and published the National Strategy on Blockchain and Distributed Ledger Technologies in June 2019.
On 24 September 2020, the European Commission released the digital finance package, encompassing a proposal for a draft regulation that consists, among other things, of a pilot regime concerning distributed ledger market infrastructures. This proposal aims to facilitate experimentation by offering temporary derogations for employing DLT in the trading and post-trading activities of cryptoassets that are categorized as financial instruments, therefore bypassing any existing restrictions on their use. The provision of these temporary derogations will afford regulators an opportunity to accumulate knowledge and expertise regarding the utilization of DLT in market infrastructures. Simultaneously, these measures will guarantee that regulators are equipped to address the potential risks associated with investor protection, market integrity and financial stability. The said Regulation 2022/858 of the European Parliament of the Council on a pilot regime for market infrastructures based on distributed ledger technology was published in June 2022 and applies from 23 March 2023.
Cyprus stands as one of the early adopters of the European Blockchain Services Infrastructure (EBSI), actively engaged in the development of a fully operational national EBSI under the supervision of the Deputy Ministry of Research, Innovation and Digital Policy.
Additionally, the Innovation Hub established by the Cyprus Securities and Exchange Commission (CySEC) in 2018, with a specific focus on fintech, incorporates the application of blockchain and other DLT.
Cryptoassets
- Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?
Before the introduction of the Markets in Crypto-Assets Regulation (MiCA), the EU framework for the regulation of cryptoassets was mostly restricted to anti-money laundering requirements placed on cryptoasset service providers (CASPs) under the 5th Anti-Money Laundering Directive 2018/843, and for Cyprus specifically the Prevention and Suppression of Money Laundering Activities Laws of 2007, the CySEC Directive for the register of CASPs the CySEC Directive for the prevention and suppression of money laundering and terrorist financing, and other requirements emerging from traditional EU financial services legislation (the Markets in Financial Instruments Directive 2014 (MiFID II), the E-Money Directive and the Payment Services Directive (2015/2366/EU)).
The European Commission’s Digital Finance Package, which was announced in September 2020, included a set of policies relating to digital finance in the EU. The package included the following legislative proposals:
- MiCA;
- the Regulation on a pilot regime for market infrastructures based on DLT; and
- the Digital Operational Resilience Act (Regulation (EU) 2022/2554).
MiCA, which was implemented in June 2023 and is projected to be in full effect by 2024, aims to make the financial industry in the EU more innovative and competitive, to make Europe a worldwide standard-setter, and to provide consumer protection for digital finance and modern payments. It covers a wide range of topics, including supervision, consumer protection, the regulation of CASPs, asset-referenced tokens, electronic money tokens, and safeguards against market manipulation and financial crime.
MiCA creates a unified set of regulations for cryptoassets, associated activities and services, as well as the first legal framework for cryptoassets that fall outside the purview of current European financial legislation and regulations. Any cryptoassets falling into categories already regulated, like ‘financial instruments’ as outlined in MiFID II and ‘electronic money’ as defined by the E-Money Directive, will not be within the scope of MiCA, as existing legislation will still apply.
The Transfer of Funds Regulation, which was officially published in the Official Journal of the European Union on 9 June 2023, is also relevant here as it requires CASPs to accompany transfers of cryptoassets with information on the originators and beneficiaries. The Transfer of Funds Regulation will apply from 30 December 2024.
The eighth Directive on administrative cooperation in the field of taxation (DAC8) should also be taken into account as it contains provisions on the reporting and exchange of information on cryptoassets for direct tax purposes. DAC8 establishes guidelines for the reporting of data by CASPs and operators, without regulating organizations in the traditional sense.
Token issuance
- Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?
MiCA establishes the first legal framework for cryptoassets that are exempt from existing European financial legislation and regulations. Any cryptoassets that come under currently regulated categories, such as financial instruments as defined by MiFID II or electronic money as described by the E-Money Directive, are not covered by MiCA.
Security tokens are considered financial instruments. Any entity that offers security tokens will be governed by one of the following laws, depending on the type of financial instrument it represents:
- Law 87(I)/2017 regarding the provision of investment services, the exercise of investment activities and the operation of regulated markets;
- Regulation (EU) 2020/1503;
- Regulation (EU) 2017/1129; and
- the Alternative Investments Funds Law of 2018.
ARTIFICIAL INTELLIGENCE
Artificial intelligence
- Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?
Currently, there are no specific regulations relating to artificial intelligence in Cyprus.
In January 2020, the Council of Ministers launched the National Artificial Intelligence Strategy of Cyprus. Cyprus has outlined its priorities, which involve developing human talent and lifelong learning, and boosting business competitiveness through research, innovation and networking opportunities. Cyprus also seeks to enhance public services using digital and AI applications, establish national data areas, and promote the responsible and reliable development of AI.
Furthermore, on 21 April 2021, the European Commission proposed the first EU regulatory framework for artificial intelligence. The recently introduced AI framework in the European Union aims to establish a definition of AI systems that is not limited to specific technologies. It also adopts a risk-based approach, which sets out distinct requirements and responsibilities for the development, market entry and usage of AI systems within the EU.
The General Data Protection Regulation (GDPR) and other laws aiming at the protection of individuals with regard to the processing of their personal data include rules that govern the use of artificial intelligence. AI systems often rely on vast amounts of data to function, and this data may include personal information. The GDPR sets guidelines and requirements for organizations using artificial intelligence to ensure that individuals’ privacy rights are protected.
CHANGE OF CONTROL
Notification and consent
- Describe any rules relating to notification or consent requirements if a regulated business changes control.
In general, if a regulated business changes control, this triggers a notification or a consent requirement. The specific notification and consent requirements will vary depending on the type of regulated business and the relevant regulator.
In the case of an acquisition of a qualifying holding in an authorized credit institution (ACI) incorporated in Cyprus, any proposed acquirer who has taken a decision to acquire or to increase, directly or indirectly, a qualifying holding in an ACI should submit all the necessary information for the assessment of the notification in accordance with the Business of Credit Institutions Law of 1997.
In a similar manner, any natural or legal person that proposes to acquire, directly or indirectly, a qualifying holding in a Cyprus investment firm, or to further increase, directly or indirectly, such a qualifying holding, as a result of which the proportion of the voting rights or of the share capital held would reach or exceed specific minimum limits, should file a notification to the Cyprus Securities and Exchange Commission (CySEC) in accordance with Law 87(I)/2017 regarding the provision of investment services, the exercise of investment activities and the operation of regulated markets.
Notification to CySEC should also be filed in the case of changes to the membership of the management body of a Cyprus investment firm, in accordance with Commission Implementing Regulation (EU) 2017/1945 laying down implementing technical standards with regard to notification by and to applicant and authorized investment firms according to Directive 2014/65/EU of the European Parliament and of the Council.
FINANCIAL CRIME
Anti-bribery and anti-money laundering procedures
- Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?
The Prevention and Suppression of Money Laundering and Terrorist Financing Law (Law 188 (I)/2007) as amended, is the primary legislation in Cyprus in relation to money laundering and terrorism financing. It introduced the fifth Anti-Money Laundering Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 into the Cypriot legal system. It provides for the establishment of specific supervisory authorities in Cyprus, some of which are responsible for the overseeing of fintech companies, and further imposes obligations on several obliged entities, some of which are fintech companies, regarding the prevention of money laundering and terrorism financing.
The legislation provides for several procedures to be followed that aim to combat money laundering, such as conducting ‘know-your-client’ identification, ongoing monitoring and screening, internal and external reporting of suspicious actions or transactions (Suspicious Activity Reports and Suspicious Transaction Reports), application of anti-money laundering and countering the financing of terrorism policies and procedures, implementation of a risk-based approach, annual reporting of the obliged entities to their supervisory authority, etc.
In addition to the above, secondary legislation issued by each supervisory authority (e.g, guidelines, notes, circulars) applies to each obliged entity, providing in this way for specific procedures and steps to be followed for combating both money laundering and bribery.
Guidance
- Is there regulatory or industry anti-financial crime guidance for fintech companies?
There is a plethora of general guidance for all regulated entities that operate in different sectors, including fintech companies, issued by the Cypriot supervisory authorities (e.g, the Cyprus Securities and Exchange Commission, the Central Bank of Cyprus, the Superintendent of Insurance). The guidance provides for best practices and steps to be followed by companies in order to achieve high levels of compliance in many different areas.
DATA PROTECTION AND CYBERSECURITY
Data protection
- What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
The EU General Data Protection Regulation (GDPR) came into effect across the entire EU on 25 May 2018. The GDPR regulates how corporations may gather, store, access, utilize and otherwise handle data pertaining to a living individual.
On 31 July 2018, the national law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data (Law 125(I)/2018), was published in the official gazette of Cyprus. Oversight of compliance with the GDPR and national legislation is carried out by the Office of the Commissioner for Personal Data Protection.
Cybersecurity
- What cybersecurity regulations or standards apply to fintech businesses?
Cyprus has an information and communication technology regulatory framework that addresses cybersecurity. The relevant legislation includes the Electronic Commerce Law (156(I)/2004) to safeguard consumers from online business malpractice, the Law for the Protection of the Confidentiality of Private Communications (92( )/1996), the Law Regulating Electronic Communications and Postal Services (112(I)/2004) as amended by Law 76(I)/2017, Law 55(I)/2018 transposing Regulation 910/2014/EC on electronic identification and trust services for electronic transactions, and the Data Protection Framework encompassing GDPR and domestic law (Law 125(I)/2018).
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) also introduced rules that regulated financial entities should follow to enhance security for their digital financial infrastructure.
Cyprus also implemented the Directive on security of network and information systems (NIS Directive) through the Digital Security Authority. To enhance cybersecurity capabilities, Cyprus established the Digital Security Authority and the National Computer Security Incident Response Team for Cyprus. Incident notification requirements are imposed on relevant entities.
Additionally, Cyprus follows the Council of Europe Convention on Cybercrime through Law (22(III)/2004), which addresses various cyber offenses, such as illegal access, data interference, forgery or fraud, and offenses related to child pornography and copyright infringement. Fintech businesses operating in Cyprus must comply with these cybersecurity laws and regulations to ensure the protection of sensitive information and prevent cybercrimes.
OUTSOURCING AND CLOUD COMPUTING
Outsourcing
- Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?
The Cyprus Securities and Exchange Commission (CySEC) issued a circular on 29 November 2022, addressed to various regulated entities, regarding the publication by the European Banking Authority (the EBA) on 14 June 2022 of Guidelines (EBA/GL/2022/05) on policies and procedures in relation to compliance management and the role and responsibilities of anti-money laundering and countering the financing of terrorism (AML/CFT) compliance officers under article 8 and Chapter VI of Directive (EU) 2015/849 (the Guidelines). The Guidelines complement and interact with, but do not replace, very relevant guidelines issued by the European Supervisory Authorities on wider governance arrangements and suitability checks, such as, inter alia, the EBA guidelines on outsourcing arrangements (EBA/GL/2019/02), the European Insurance and Occupational Pensions Authority guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002) and the European Securities and Markets Authority guidelines on outsourcing to cloud service providers (ESMA50-157-2403). The Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA) also introduced rules that regulated financial entities should follow.
The Guidelines set clear expectations of the role, tasks, and responsibilities of the AML/CFT compliance officer and the management body and describe the tasks and functions of the management body as well as their roles and responsibilities, including but not limited to provisions on outsourcing.
Cloud computing
- Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?
The Cyprus Securities and Exchange Commission (CySEC) has adopted the ESMA Guidelines on outsourcing to cloud services providers. These Guidelines aim to establish consistent and effective supervisory practices within the European System of Financial Supervision (ESFS) for firms outsourcing to cloud services providers. There are a total of nine sets of guidelines that help firms and competent authorities identify, address and monitor risks associated with cloud outsourcing arrangements.
The requirements are more stringent for critical or important functions. ESMA will consider these guidelines when assessing compliance by third-country central counterparties with the European Market Infrastructure Regulation requirements. Credit institutions in Cyprus should consult the Central Bank of Cyprus for investment services supervision, as CySEC lacks authority over this area. The Guidelines apply from 31 July 2021 to all new or amended cloud outsourcing arrangements. Firms must review and amend existing arrangements by 31 December 2022, and if the critical functions review is not completed by then, the competent authority should be informed, and also informed of any planned measures or exit strategies.
In order to strengthen the security of their digital financial infrastructure, regulated financial companies are also required to abide by requirements that were implemented by DORA.
INTELLECTUAL PROPERTY RIGHTS
IP protection for software
- Which intellectual property rights are available to protect software, and how do you obtain those rights?
Under Cyprus law, computer programs or software are literary works protected by copyright and are subject to article 7B of the Law on Copyright and Related Rights of 1976 (Law No. 59/1976). The ideas and principles underlying any computer program component, including those underlying its interconnection systems, are not protected by intellectual property rights (article 7B(2)).
Copyright protection within the meaning of Law No. 59/1976 includes preparatory design materials (given they can result in a computer program), the source code, object code and software architecture. The copying of an existing program or draft program would not suffice for copyright protection.
Cyprus law does not provide a formal registration procedure for copyright, and copyright owners benefit from automatic protection. However, it is beneficial to include the author’s name and the creation date in the software’s source code.
Business practices and computer programs are not eligible to benefit from patent protection. Patents protect innovative inventions, new processes and new modes of product operation. Nonetheless, the exclusion from patentability is only applicable to the program in its whole, therefore an invention that uses or incorporates a piece of software may still be eligible for a patent.
Software code may be protected as confidential information if it has been kept secret. Confidentiality agreements are advised if third parties have access to it.
IP developed by employees and contractors
- Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?
According to Cyprus law, the original owner of any intellectual property right in a work is often the creator or inventor of it. The only situation where this is not true is when an employee completes the work as part of their employment contract or commission work, unless the contrary was agreed.
The right of ownership is deemed to have been transferred to the person or organization that commissioned the work or to the developer’s employer, subject to any agreement between the parties excluding or limiting such transfer, pursuant to article 11(1)b of the Law on Copyright and Related Rights of 1976 (Law No. 59/1976).
Similarly, where an invention is invented in the execution of an order or contract for work, the right to a patent for that invention shall belong to the person who ordered the work or to the employer, unless there are contractual provisions to the contrary between the parties concerned, in accordance with article 11 (1) of the Patents Law of 1998 (Law No. 16(I)/1998).
Joint ownership
- Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?
The exercise of intellectual property rights by a joint owner is not constrained by the law. To utilize their different intellectual property rights, however, the joint owners must generally come to an agreement; otherwise, the rights must be exercised jointly. Of course, depending on the kind of IP, there may be several exceptions to this rule.
Trade secrets
- How are trade secrets protected? Are trade secrets kept confidential during court proceedings?
To protect undisclosed know-how and business information from unauthorized acquisition, use and disclosure, the Law on the protection of undisclosed know-how and business information (trade secrets) against unlawful acquisition, use and disclosure (Law 164(I)/2020) offers robust measures for individuals and companies to safeguard their proprietary information. The law defines a trade secret as confidential information with limited access, commercial value and reasonable efforts made to maintain secrecy. Unlawful acquisition includes unauthorized access, misappropriation, or copying of controlled documents or materials, while unlawful use or disclosure encompasses breaches of confidentiality agreements or contractual obligations. In such cases, the trade secret holder can seek redress through the court, which may grant provisional measures or order compensation for damages. Proper safeguards, such as non-disclosure agreements and internal policies, are recommended to ensure trade secret protection.
Trade secrets can be kept confidential during court proceedings in Cyprus. According to article 9(4) of Law (164(I)/2020), the court may take measures to ensure the protection of trade secrets during legal proceedings. The court may restrict access to sensitive information and issue confidentiality orders, although in certain cases, confidentiality may be balanced with the principles of justice and a fair trial. It is essential to note that the court’s ability to maintain absolute confidentiality during court proceedings may be subject to the nature and requirements of the case.
Branding
- What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?
In Cyprus, brand protection can be achieved through either a Cypriot trademark, which is limited to Cyprus, or an EU trademark, offering broader coverage across the EU. To obtain trademark rights, registration is essential, and this process can be completed through either the Cypriot Intellectual Property Office in the Department of Registrar of Companies and Intellectual Property, or the European Union Intellectual Property Office (EUIPO) for EU-wide safeguarding. Alternatively, brands can be safeguarded through market practices if they have established a strong reputation in the market, and if any other entity attempts to exploit the brand’s reputation or market position.
For brands represented by logos or slogans, copyright protection applies, provided that these creative works are original. Additionally, they can be protected under Cypriot or EU industrial design or model rights, as long as they are considered new and unique (and do not conflict with law or morality).
Fintech businesses and entrepreneurs are advised to refer to public databases maintained by the Cypriot Intellectual Property Office and the EUIPO to check the availability of specific trademarks or designs. It is highly recommended that new businesses conduct comprehensive trademark and design searches to identify potential conflicts with existing registrations or unregistered trademarks that have gained significant recognition in the market.
Remedies for infringement of IP
- What remedies are available to individuals or companies whose intellectual property rights have been infringed?
The following remedies and proceedings may be available:
- injunctions to prevent the infringing party from continuing to use the IP;
- damages to compensate the IP owner for losses resulting from the infringement; and
- an order or request to cease actions.
COMPETITION
Sector-specific issues
- Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?
There are no competition issues with respect to fintech companies, provided that the businesses offering such products or services comply with the relevant national and EU laws and regulations.
TAX
Incentives
- Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?
Fintech companies benefit from the overall low corporate tax of 12.5 percent as well as the widely developed network of double tax treaties, which facilitate cross-border investments.
Cyprus offers an IP box regime, providing favorable tax treatment for income generated from qualifying IP rights with an 80 percent exemption of qualified profit from exploitation of IP assets, which could be advantageous for fintech companies involved in software development, licensing, etc. There is also no withholding tax on outgoing payments (dividends, interest, royalties) and any income from dividends is exempt (subject to certain conditions).
There are also start-up incentives available in Cyprus, such as reduced social insurance contributions for employees and grants for research and development.
Increased tax burden
- Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?
Although for the time being there are no specifically targeted tax laws proposed, the transposition of EU Directive 2021/514 (DAC7) into national law is pending and currently in the consultation stage, so it remains to be seen whether this would affect fintech companies and if there will be any domestic taxation or relating administrative costs. DAC7 requires digital platform operators to report certain information about the sellers that use their platforms, so that authorities of member states will get the information they need to ensure that taxes are paid on gains made in trading or investing in cryptoassets.
IMMIGRATION
Sector-specific schemes
- What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?
Overall, there are a few schemes that aim to attract skilled staff from abroad and business from the technology and financial sectors, including the following:
- immigration permits for investors (recently, new fast-track procedures were applied), including for investment in units of a Cyprus Investment Organization of Collective Investments, and that should be held in Cyprus;
- full package schemes for companies of foreign interests:
- the Business Facilitation Unit (BFU) is Cyprus’ single point of contact for businesses, offering services for company establishment, licensing and registration under the new government policy, to attract investment and talent; and
- the Cyprus Startup Visa Scheme enables third-country entrepreneurs to establish high-growth start-ups for economic development;
- highly-qualified personnel in eligible Cypriot companies with high turnover are exempt from the four-year duration limit;
- tailored intra-corporate transfer applications; and
- flexible temporary residence permits, for example, the Cyprus Digital Nomad Visa Scheme.
UPDATE AND TRENDS IN FINTECH IN CYPRUS
Current developments
- Are there any other current developments or emerging trends to note?
The convergence of innovative projects inside Cyprus’s financial sector demonstrates the country’s dedication to promoting innovation and elevating its fintech ecosystem to new heights. The Cypriot government is also supportive of the fintech industry and has introduced a number of initiatives to attract and support fintech start-ups. A regulated environment for further development is provided by the Cyprus Securities and Exchange Commission sandbox and the Central Bank of Cyprus’s Innovation Hub. These institutions act as pillars of support, enabling swift adaptation while keeping a close eye on consumer protection. With these elements interacting harmoniously, Cyprus is emerging as a dynamic playground for pioneers, where transformative ideas in fintech and AI can take root, grow and redefine the future of finance.
* The authors wish to thank Polina Christodoulou, Stelios Christophides and George Englezakis for their assistance in the preparation of this chapter.
* The information in this chapter was accurate as of October 2023.
If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)
You can also download the .docx version here.
“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”
LEGAL CONSULTING SERVICES
090.252.4567NT INTERNATIONAL LAW FIRM
- Email: info@ntpartnerlawfirm.com – luatsu.toannguyen@gmail.com
- Phone: 090 252 4567
- Address: B23 Nam Long Residential Area, Phu Thuan Ward, District 7, Ho Chi Minh City, Vietnam