Compliance & Regulatory Advisory for Licensed Financial Firms

Comprehensive Anti-Money Laundering and Know Your Customer policies, procedures, and controls tailored to your license type, jurisdiction, and business model.

• •AML/CFT manual — full policy document aligned with applicable regulation (6AMLD, FATF, local AML law)
• •Business Risk Assessment (BRA) — firm-level risk assessment covering products, clients, geographies, and channels
• •Customer Risk Assessment (CRA) — client-level risk scoring methodology and tiering
• •KYC onboarding procedures — standard CDD, enhanced EDD, simplified due diligence frameworks
• •Source of Funds (SOF) and Source of Wealth (SOW) verification protocols
• •PEP and sanctions screening procedures
• •Transaction monitoring calibration — alert thresholds, typologies, and escalation procedures
• •Suspicious Activity Report (SAR / STR) drafting guidelines and submission procedures
• •AML audit framework — internal review schedule and methodology

All AML/KYC frameworks are designed to satisfy the specific requirements of the relevant regulator — CySEC, FSC Mauritius, FSA Seychelles, FCA, ASIC, LFSA, or other applicable authority.

Many licensed financial firms — particularly smaller CIFs, offshore broker-dealers, EMIs, and VASPs — are required by their regulator to appoint a qualified Compliance Officer and/or MLRO but cannot justify the cost of a full-time hire.

• •CySEC CIF compliance officer obligations under MiFID II and CySEC circulars
• •FSA Seychelles Securities Dealer compliance officer requirements (resident compliance function)
• •FSC Mauritius Investment Dealer MLRO and compliance officer obligations
• •LFSA Labuan compliance officer requirements
• •EMI and Payment Institution compliance officer under PSD2 and CBC/Bank of Lithuania requirements

• •Regulatory correspondence management
• •Regulatory reporting preparation and filing
• •Internal compliance monitoring and review
• •Staff training coordination
• •Board compliance reporting
• •Regulator examination preparation
• •Policy and procedure updates as regulations change

Note: The CBC (Central Bank of Cyprus) 2025 AML Directive prohibits full outsourcing of the compliance function for CySEC-licensed firms — our Cyprus CO engagements are structured as a supported in-house function, not full outsourcing, to comply with this requirement.

The Digital Operational Resilience Act (DORA) became fully applicable to EU financial entities on 17 January 2025. All CySEC-licensed CIFs, CBC-regulated Payment Institutions, and other EU-regulated financial entities are now subject to DORA obligations.

• •ICT risk management framework — policies, procedures, and governance aligned with DORA Articles 5–16
• •Third-party ICT provider risk assessment — DORA requires formal assessment and contractual provisions for all critical ICT third-party providers
• •ICT-related incident reporting — classification, internal escalation, and regulatory notification procedures
• •Digital operational resilience testing — threat-led penetration testing (TLPT) and vulnerability assessments
• •DORA gap analysis — review of existing ICT governance against DORA requirements with prioritised remediation roadmap

DORA applies to: CySEC CIFs, CBC Payment Institutions, EMIs, and other EU financial sector entities as defined in Article 2 of DORA.

MiCA is fully in force for Crypto-Asset Service Providers (CASPs) operating in the EU from December 2024.

• •Whitepaper review and maintenance — ensuring crypto-asset whitepapers meet MiCA Article 19+ requirements and are updated when material changes occur
• •Market abuse prevention — market manipulation detection, insider dealing controls under MiCA Title VI
• •Custody and client asset protection — segregation requirements and custody policy documentation
• •Complaints handling — MiCA-compliant client complaints procedures and regulatory reporting
• •Travel rule compliance — Transfer of Funds Regulation (TFR) implementation for CASPs
• •Ongoing regulatory reporting to CySEC as MiCA competent authority

Ongoing MiFID II compliance for CySEC-licensed CIFs and other EU MiFID II entities.

• •Product governance framework — target market definition, distribution strategy, and product approval and review (PAR)
• •Best execution policy — execution quality monitoring, RTS 27/28 reporting obligations
• •Conflicts of interest management — identification, documentation, and escalation procedures
• •Inducements and research — MiFID II inducement rules and unbundling requirements
• •Client categorisation — retail, professional, and eligible counterparty classification procedures
• •Client reporting — periodic statements, cost and charges disclosures, transaction reports
• •EMIR and MiFIR reporting — trade reporting obligations

The 6th AML Directive and the Cyprus AML Amendment Law of 2025 have materially updated AML obligations for all licensed financial entities operating in or from Cyprus.

• •Cyprus AML Directive (ΚΔΠ 120/2025) — effective June 2025, extending customer due diligence obligations, new governance mandates for boards and compliance officers, prohibiting full outsourcing of the compliance function
• •CASPs as financial institutions — crypto asset service providers captured as 'financial institutions' under Cyprus AML law, triggering full AML/CFT obligations including Travel Rule
• •6AMLD criminal liability expansion — extended criminal liability for AML offences including for compliance officers personally
• •FATF grey list monitoring — impact on correspondent banking and counterparty due diligence requirements

Zitadelle AG conducts AML gap analysis against 2026 requirements and updates AML manuals, training programmes, and risk assessments to reflect current regulatory expectations.

Preparation and submission of mandatory regulatory reports.

• •Capital adequacy returns (CAR, ICAAP, ILAAP)
• •Large exposure and concentration reports
• •Liquidity coverage ratio (LCR) reporting
• •Transaction reporting (EMIR, MiFIR, SFTR)
• •CRS/AEOI reporting for qualifying entities
• •AML annual compliance reports
• •Regulatory statistical returns

All reports prepared with review by jurisdiction-specific advisors before submission.

Zitadelle AG's inspection readiness service prepares firms for regulatory visits.

• •Pre-inspection compliance review — simulating regulator document requests and identifying gaps before the official visit
• •Policy and procedure audit — confirming all required documentation is current, complete, and accessible
• •Staff preparation — compliance function briefing on regulator expectations and interview readiness
• •File review — sample review of client files, transaction monitoring records, and KYC documentation
• •Findings remediation — post-inspection support to address regulator findings within required timelines

We prepare firms for CySEC on-site inspections, FSC Mauritius regulatory reviews, FSA Seychelles examinations, and LFSA Labuan supervisory visits.

Representation before regulators and management of regulatory correspondence.

• •Response drafting for regulator information requests
• •Voluntary disclosure management
• •Licence condition compliance monitoring
• •Regulatory relationship management
• •Change of business model notifications
• •Material change pre-approval applications
• •Ongoing dialogue management with CySEC, FSC, FSA, LFSA, and other applicable regulators

Independent compliance reviews and gap analysis.

• •Full AML/CFT audit against applicable regulatory requirements
• •MiFID II compliance audit for CySEC CIFs
• •DORA ICT risk management gap analysis
• •MiCA compliance readiness review
• •Pre-licensing compliance framework review
• •Annual compliance health check

Delivered as a written report with prioritised findings and a remediation roadmap.

AML, compliance, and regulatory training for board, management, and operational staff.

• •AML/CFT awareness training — annual requirement for all staff under most jurisdictions
• •Board-level regulatory governance training
• •Compliance officer CPD support
• •New joiner compliance induction
• •Specific training on MiCA, DORA, 6AMLD, MiFID II as relevant to the firm's licence type
• •Training records maintained for regulatory audit