ICPAC's Updated Practice Guide for Administrative Service Providers: What Changed in March 2026

In March 2026, the Institute of Certified Public Accountants of Cyprus (ICPAC) published the second amendment to its Suggested Practice Guide for Administrative Service Providers. The first version was issued in August 2014. The first amendment followed in May 2019. This is the first update in seven years.

The guide sets out best practice procedures for firms providing administrative services as defined in the Law Regulating Companies Providing Administrative Services and Other Related Matters of 2012 (Law 196(I)/2012). While ICPAC published the guide for its own regulated members, administrative services in Cyprus are also provided by law firms regulated by the Cyprus Bar Association and by firms regulated by CySEC. The practical content of this guide is relevant to all three categories.

This article walks through the key changes introduced in the March 2026 amendment and highlights the sections that carry the most practical weight for compliance teams and directors at firms providing administrative services.

1. New Sanctions Legislation References

The most prominent addition to the guide is the incorporation of two new pieces of legislation into the client acceptance framework. Section 2.1 (Due Diligence Requirements) now explicitly references the Criminalisation of Violation of Restrictive Measures Law of 2025 (Law 149(I)/2025) and the Establishment of the National Sanctions Implementation Unit and the Implementation of Restrictive Measures and National Sanctions in the Republic Law of 2025 (Law 150(I)/2025).

The guide states that ASPs must take these laws into consideration alongside ICPAC's Sanctions Directive to ensure that the services provided do not violate any provisions of the said law.

What this means in practice: Sanctions screening is no longer a background check at onboarding. It is a continuous obligation with criminal liability attached. The new Law 149(I)/2025 criminalises sanctions violations, and Law 150(I)/2025 creates a dedicated National Sanctions Implementation Unit (NSIU). ASPs must ensure their internal procedures reflect both of these.

2. Director Liability Now Covers Crypto and Electronic Wallets

Section 4.1 (Directors) has been expanded to address a reality that many ASPs already face but that had not previously appeared in ICPAC's guidance. The guide now states that a director is liable for the company's electronic or crypto wallets as a signatory or private key holder. It further states that this responsibility is not discharged in case the bank management function is delegated to a person other than the director, and that transaction monitoring must be performed by the director irrespective of the nature of the account or wallet.

What this means in practice: If you are a director of a company administered by an ASP and that company holds crypto assets, you carry the same monitoring and oversight obligations as you do for traditional bank accounts. Delegation does not remove liability. This is a direct response to the growing number of Cyprus-administered companies that operate with digital asset wallets.

3. Beneficial Owner Register: Obligations and Penalties

Section 12 of the guide consolidates the current BO register obligations under Articles 61A and 61C of the Prevention and Suppression of Money Laundering Activities and Terrorist Financing Laws 2007 (Law 188(I)/2007). The guide sets out three core obligations for directors and secretaries of Cyprus companies:

Initial submission: BO details must be filed electronically within 90 days of incorporation via the BO Register portal.

Updates: The BO register must be updated within 45 days of any change in BO details, including ownership percentage, address, or termination. For investment funds, changes must be notified within 45 days of NAV calculation.

Annual confirmation: BO details must be confirmed between 1 October and 31 December each calendar year.

The penalty framework is specific. For missed deadlines, the guide notes an initial fine of €100 plus €50 per day of delay, capped at €5,000. For false or misleading declarations, the penalties escalate to criminal liability with up to 1 year imprisonment or a €100,000 fine, or both. Directors are jointly and severally liable unless they can prove due diligence was applied.

What this means in practice: The penalty regime is not theoretical. Directors who miss filing deadlines face daily accumulating fines, and those who file inaccurate information face criminal exposure. The guide explicitly notes that joint and several liability applies, which means every director on the board is personally exposed unless they can demonstrate they took reasonable steps.

4. Trust BO Register (CYTBOR): Tighter Deadlines

Section 12.3 addresses the Trust BO Register (CYTBOR) under Article 61C of the AML/CFT Law. The deadlines for trusts are significantly shorter than for companies. Initial filing must take place within 15 days of establishment of the trust (compared to 90 days for companies). Updates to the CYTBOR must also be made within 15 days of any change.

The guide notes that each trustee must maintain an active CYTBOR account, for which an annual fee is payable to CySEC. The required information includes details on the settlor, trustees, protector (if any),beneficiaries, any natural person exercising ultimate control, and activities in Cyprus.

5. AML/CFT and Sanctions Considerations in Document Execution

Section 7.4 is a new addition to the guide. It states that whenever an ASP is requested to execute a transaction through the signing of documents, the ASP must consider AML/CFT and sanctions implications. This means assessing the business rationale of the transaction, assessing the validity of the transactions and the counterparties involved, and considering whether the transaction breaches any sanctions regulations or is structured to hide illicit funds or circumvent sanctions.

The guide directs ASPs to apply the transaction monitoring requirements set by ICPAC's AML/CFT Directive and ICPAC's Sanctions Directive, and to take into consideration the Guidance Notes on Transaction Monitoring and the Guidance Notes on Suspicious Transactions/Activities.

What this means in practice: Signing a document on behalf of a client company is not an administrative act. It is a compliance decision. The guide makes clear that every transaction executed by an ASP must be assessed for AML/CFT and sanctions risk before the signature is applied, not after.

6. Powers of Attorney: Clear Restrictions

Section 7.3 sets out explicit best practices for powers of attorney. The guide states that general powers of attorney should not be provided. Powers of attorney should only be issued for the execution of specific decisions taken by the Board of Directors, the authorities of the attorney must be clearly defined, and the duration should not exceed one year.

The guide also requires that due diligence documentation be obtained on the attorney, that a background check confirming good character and clean criminal record be carried out, and that all documentation executed under the power of attorney be maintained at the company's registered office.

7. Voluntary Liquidation: Insolvency Practitioner Requirement

Section 11 covers company closure procedures. A notable addition is the explicit statement that the execution of voluntary liquidations falls within the scope of the Insolvency Practitioners Law and the liquidator has to be a Licensed Insolvency Practitioner.

The guide also sets out the full voluntary liquidation procedure under Sections 203(1)(b) and 261 of the Companies Law Cap 113, including the requirement for a Declaration of Solvency to be made within five weeks before the winding-up resolution, and the 12-month timeframe within which directors must believe the company can settle its debts.

8. Contractual Requirements: Expanded Scope

Section 2.2 now includes an expanded list of minimum requirements for service agreements between ASPs and their clients. In addition to the previously expected items (service type, BO details, fees, indemnities),the guide now explicitly lists GDPR compliance including valid consents for data sharing and processing, FATCA and CRS provisions, DAC6 assessment and reporting obligations depending on the role and involvement of other intermediaries, and succession provisions.

9. Banking Administration: Segregation and Monitoring

Section 6.2 sets out detailed requirements for maintaining bank accounts. The guide recommends that the process of executing a payment be segregated so that individuals who input payments are not the same individuals who authorise and release them. It also states that bank accounts should be monitored at frequent intervals and that transactions outside the normal scope of the client's business should be investigated.

The guide requires ASPs to maintain incoming transfer checklists, outgoing transfer checklists, and payment registers.

10. Records Retention Periods

Section 3.12 confirms the current records retention framework. Under the AML/CFT Law, obliged entities must keep client records for five years after the end of a business relationship or after the date of an occasional transaction. Under the VAT Law, the retention period is six years after the end of the business relationship or after the date of the individual transaction, unless otherwise notified by the relevant authorities.

11. Best Practices for BO Register Compliance

Section 12.4 provides a practical checklist of best practices for BO register compliance. These include early identification of BOs by reviewing changes in shareholding structures, maintaining updated registers and supporting documents, implementing internal alert mechanisms for ownership changes and NAV updates, documenting due diligence efforts, regularly training staff on AML obligations and BO reporting requirements, and ensuring only authorised officers update BO data.

Source: ICPAC Suggested Practice Guide for Administrative Service Providers (ASPs),2nd amendment, March 2026. Published by the Institute of Certified Public Accountants of Cyprus (ICPAC). 1st issue: August 2014. 1st amendment: May 2019.

This article is based entirely on the published ICPAC guide. It does not constitute legal advice. Firms should review the full guide and consult with their legal advisors as appropriate.

Know what supervisors expect before they ask. Our AML and compliance seminars are built around what regulators and supervisory bodies actually look for, not just what the law says on paper.

Explore seminars at cpds.academy