Introduction
Administrative Service Providers (“ASPs”) operating in Cyprus are subject to ongoing reporting obligations that support supervisory oversight, transparency, and anti-money-laundering controls. These obligations are not uniform across all providers. In practice, they depend on how administrative services are provided and under which supervisory framework the activity falls.
In Cyprus, ASP reporting is overseen by three authorities: the Cyprus Securities and Exchange Commission (CySEC), the Cyprus Bar Association (CBA), and the Institute of Certified Public Accountants of Cyprus (ICPAC). Each authority applies a different reporting framework, uses different submission channels, and focuses on different aspects of compliance and governance.
This guide explains how ASP reporting works in practice in Cyprus. It is written for compliance officers, MLCOs, directors, and professional advisers who need clarity on:
- what must be reported,
- to whom,
- when, and
- how that information is reviewed by supervisors.
Orientation for readers
The primary focus of this guide is regulatory reporting to supervisory authorities. Certain obligations—such as trust reporting, beneficial ownership (UBO) updates, and suspicious activity reporting—support and underpin regulatory reporting and are therefore addressed as special reporting obligations later in the guide.
CX Financia regularly supports ASPs across all three supervisory regimes with regulatory reporting frameworks, annual compliance reviews, internal audit coordination, and governance support. The analysis below reflects how these requirements are applied and assessed in practice.
How to use this guide
This guide is structured so that readers can quickly locate what is relevant to them:
- Sections 1–2 explain which activities fall within ASP scope and which supervisor applies
- Sections 3–5 set out core regulatory reporting obligations by authority
- Section 6 explains special reporting obligations (trusts, UBOs, SARs/STRs) that apply across ASPs
- Sections 7–9 explain how regulators review reporting, where firms typically face issues, and how reporting is organised in practice
Licensing is referenced only to provide context, as the same supervisory distinctions apply from authorisation onward.
What activities trigger ASP reporting obligations?
ASP reporting obligations arise when a firm provides administrative services to third parties, irrespective of the firm’s professional background or branding. In practice, administrative services include:
- company formation and ongoing corporate administration;
- provision of directors, company secretaries, or nominee shareholders;
- provision of registered office or correspondence address services;
- trust or fiduciary administration;
- management or administration of companies or trusts on behalf of clients.
In Cyprus, administrative services may be provided by:
- independent corporate or fiduciary services firms,
- law firms, or
- accountancy firms.
Law firms and accountancy firms are licensed and supervised as professionals, rather than as standalone ASP entities. Specifically:
- Law firms are supervised by the Cyprus Bar Association (CBA);
- Accountancy firms are supervised by the Institute of Certified Public Accountants of Cyprus (ICPAC).
Where such professionals provide administrative services, those activities are treated as ASP activities for regulatory and AML purposes. However, the reporting and supervisory obligations are exercised through the relevant professional supervisory authority, rather than through the Cyprus Securities and Exchange Commission (CySEC), which supervises independent ASP firms.
This distinction does not affect whether reporting obligations apply. It determines how and to whom those obligations are discharged.
Which regulator supervises ASP reporting in Cyprus?
A common question when structuring ASP activities is:
“Why do some ASPs report to CySEC, while others report to the Cyprus Bar Association or ICPAC?”
ASP obligations arise because certain activities qualify as administrative services. However, the supervisory authority responsible for those obligations, and the way reporting is made, depends on the regulatory status of the entity providing those services.
ASP reporting supervision in Cyprus (who reports to whom)
Key clarification:
ASP obligations arise because certain activities qualify as administrative services.
The supervisory authority and reporting format depend on the regulatory status of the provider, not on the substance of the service itself.
Core ASP regulatory reporting obligations
Once the competent authority is identified, ASPs must comply with regulator-specific reporting obligations. These obligations form the backbone of supervisory oversight and are reviewed collectively rather than in isolation.
ASP reporting under CySEC
Applies to: CySEC-regulated Administrative Service Providers
CySEC-regulated ASPs are subject to a structured reporting framework reflecting the fiduciary nature and scale of their activities.
CySEC ASP reporting obligations
CySEC places particular emphasis on annual governance reporting, notably the MLCO Annual Report and the Internal Audit AML Report. In supervisory reviews, these are assessed alongside procedures, client files, and evidence of remediation.
ASP reporting under professional supervisors
Cyprus Bar Association and ICPAC
Law firms and accountancy firms providing administrative services are supervised under frameworks aligned to their professional regulation.
CBA ASP reporting obligations (law firms)
What law firms are actually expected to produce.
ICPAC ASP reporting obligations (accountancy firms)
How ICPAC supervision works in practice, including monitoring reviews.
Clarification:
ICPAC monitoring reviews are supervisory assessments, not recurring “reports”, but firms are expected to maintain documentation ready for review.
Special reporting obligations supporting ASP regulatory reporting
In addition to supervisory reporting, ASPs are subject to activity-based reporting obligations that regulators expect to be embedded into the compliance framework.
Trust and beneficial ownership (UBO) reporting
Trust and UBO reporting obligations apply across all ASPs, depending on the activities performed.
Who must comply
- Trust reporting: all ASPs acting as trustee or administering trusts
- UBO reporting: all ASPs administering companies or other legal entities
What regulators expect in practice
Regulators do not treat registry filings as standalone formalities. During inspections, they assess whether:
- the ASP understands the structures it administers,
- UBO and trust data are accurate and up to date,
- registry information aligns with client files and risk assessments.
Trust & UBO reporting obligations (full applicability)
To distinguish registry filings from supervisory reporting, while showing how regulators use them.
Key point:
Although filed with registries, non-compliance is routinely raised during CySEC, CBA, or ICPAC supervisory reviews.
Suspicious Activity / Transaction Reports (SARs / STRs)
All ASPs are obliged entities for AML purposes and must submit Suspicious Activity or Transaction Reports where suspicion arises.
- Applies to: all ASPs, regardless of supervisor
- Reported to: MOKAS
- Nature: event-driven, without fixed deadlines
While SARs are not submitted to CySEC, the CBA, or ICPAC, regulators routinely assess:
- whether SAR obligations are understood,
- whether reporting decisions are documented,
- how SAR processes integrate with AML procedures.
Failure to demonstrate effective SAR processes is a frequent inspection finding.
How regulators review ASP reporting in practice
In practice, regulators assess ASP reporting holistically. They:
- cross-check periodic submissions, registry filings, and AML records;
- compare reported risk profiles with actual client portfolios;
- assess whether issues identified in annual reports were remediated;
- review board and senior management oversight.
Consistency across reporting, procedures, and operational practice is therefore critical.
Internal compliance outputs expected by supervisors
Purpose:
These are the first documents requested during inspections, regardless of supervisor.
Common ASP reporting weaknesses observed in practice
Weaknesses identified through supervisory reviews and advisory experience
How CX Financia supports ASP reporting and governance
CX Financia supports ASPs across the full regulatory reporting lifecycle, including:
- designing regulator-specific reporting frameworks and calendars;
- preparing and reviewing MLCO Annual Reports and Internal Audit AML Reports;
- supporting boards and senior management with compliance oversight;
- aligning procedures, risk assessments, and reporting outputs;
- providing ongoing support during supervisory engagement.
CX Financia also assists firms preparing for ASP authorisation, ensuring that reporting and governance frameworks meet supervisory expectations from the outset.
Key takeaways
- ASP reporting in Cyprus depends on regulatory status and activities performed.
- CySEC, the Cyprus Bar Association, and ICPAC apply distinct reporting frameworks.
- Trust, UBO, and SAR obligations support and underpin regulatory reporting.
- Regulators assess reporting in context, not as isolated submissions.
For tailored assistance with ASP reporting, governance, or licensing, contact CX Financia.
Email: inquire@cxfinancia.com
Website: www.cxfinancia.com
Definitions
Administrative Service Provider (ASP):
An Administrative Service Provider (ASP) is an entity or professional practice that, by way of business, provides corporate, fiduciary, or trust-related administrative services to third parties.
Beneficial Owner (UBO):
A Beneficial Owner (UBO) is the natural person who ultimately owns or controls a legal entity or legal arrangement, whether through direct or indirect ownership, control, or other means.
For AML and transparency purposes, beneficial ownership extends beyond formal shareholding and includes persons exercising effective control, as reflected in UBO registry and supervisory requirements.
Trust:
A trust is a legal arrangement under which a trustee holds and administers assets for the benefit of one or more beneficiaries, or for a specified purpose, in accordance with a trust deed or equivalent instrument.
For ASP and AML purposes, trust administration includes the identification and ongoing monitoring of settlors, trustees, protectors (if any), beneficiaries, and other controlling persons, as well as compliance with applicable trust registration obligations.
MLCO:
The Money Laundering Compliance Officer (MLCO) is the individual appointed by an obliged entity, including ASPs, with overall responsibility for the design, implementation, and oversight of the AML/CFT framework.
The MLCO is responsible for risk assessment, monitoring, internal reporting, suspicious activity escalation, and AML reporting to senior management and supervisors, as applicable.
Business Risk Assessment (BRA):
The Business Risk Assessment (BRA) is the firm-wide assessment through which an ASP identifies and documents its exposure to money laundering and terrorist financing risks, considering factors such as clients, services, jurisdictions, delivery channels, and transactions.
The BRA underpins the risk-based approach and informs client risk classification, due diligence, monitoring, and regulatory reporting.
Suspicious Activity / Transaction Report (SAR / STR):
A Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) is an event-driven AML intelligence report submitted where knowledge, suspicion, or reasonable grounds for suspicion of money laundering or terrorist financing arise.
SARs/STRs are distinct from periodic regulatory reporting, but supervisors assess the quality of decision-making and documentation around SARs during inspections.
Compliance note
This material is for general information only and does not constitute legal, tax, or regulatory advice.
Frequently Asked Questions (FAQs)
1. Who supervises ASP reporting obligations in Cyprus?
ASP reporting in Cyprus is supervised by different authorities depending on the regulatory status of the provider. Independent ASP firms are supervised by CySEC, while law firms and accountancy firms providing administrative services are supervised by the Cyprus Bar Association and ICPAC, respectively. The underlying AML and governance expectations are broadly aligned, but reporting formats and processes differ.
2. Do law firms and accountancy firms have ASP reporting obligations?
Yes. Where law firms or accountancy firms provide administrative services, those activities give rise to ASP-related reporting obligations. These obligations are discharged through the firm’s professional supervisory authority, rather than through CySEC, but they are assessed to similar AML and governance standards.
3. Are trust and UBO filings considered regulatory reporting?
Trust and UBO filings are registry submissions, not supervisory returns. However, CySEC, the Cyprus Bar Association, and ICPAC routinely review compliance with trust and UBO obligations as part of AML inspections and supervisory assessments, making them a critical component of ASP compliance.
4. Are AML reports the same across CySEC, CBA, and ICPAC?
In substance, yes. Core AML reports—such as MLCO annual assessments and firm-wide risk evaluations—address similar requirements across all regimes. Differences arise mainly in format, submission channel, and timing, rather than in the underlying compliance expectations.
5. What are the most common reporting weaknesses identified for ASPs?
Supervisory reviews frequently identify issues such as late or incomplete submissions, weak or generic MLCO reports, inconsistencies between registry data and client files, and insufficient evidence of remediation. Regulators increasingly focus on the quality, consistency, and governance oversight of reporting rather than on form alone.
