The MOKAS 2025 Annual Report: What 24,092 Suspicious Transaction Reports Actually Mean for Cyprus Compliance Operations

The Cyprus Financial Intelligence Unit, MOKAS, has published its 2025 Annual Report. The headline figure is the volume of suspicious transaction and activity reports submitted: 24,092, up from 3,870 in 2024. The figure that matters operationally for compliance teams is what that volume describes. An industrial-scale detection and analysis operation, running daily inside Cyprus-licensed firms.

1. The Headline Volume

MOKAS received 24,092 reports in 2025, up from 3,870 in 2024. A six-fold increase in a single year.

Of the total, 21,857 reports were submitted by Cyprus-licensed entities operating under freedom of services across the EU. The breakdown:

• Crypto-Asset Service Providers: 20,570 reports (up from 760 in 2024)
• Investment Firms: 986 reports (up from 347)
• Electronic Money Institutions: 283 reports (down from 370)
• Payment Institutions operating under freedom of services: 24 reports

A further 1,183 reports came from traditional obliged entities established in Cyprus, principally banking institutions (597 reports),payment institutions (340),and gambling service providers (136).

One observation worth flagging at the outset. In the 2025 MOKAS taxonomy, payment institutions sit in the "traditional" bucket. Alongside banks, gambling operators, lawyers, accountants, and corporate service providers. A few years ago, payment institutions were the fintech disruptors. The wave that redefined what a non-bank financial institution could do. In 2025, the regulator has effectively reclassified them as part of the established financial system. The new frontier is occupied by crypto-asset service providers. The implicit message of the taxonomy is that "innovative" is not a permanent label. Every disruptor eventually becomes an incumbent, and the framework rearranges itself accordingly.

These are the visible figures. They are also the end-product of a much larger upstream process.

2. What Lies Behind a Submitted Report

A suspicious transaction or activity report is the final output of a detection and analysis chain. Industry rule of thumb, drawn from published transaction monitoring effectiveness studies and supervisory feedback in multiple EU jurisdictions, places the conversion rate from triggered alert to filed STR somewhere between five and ten percent.

Applied to the 23,040 reports submitted by Cyprus-licensed obliged entities (the 24,092 total excluding cross-border reports forwarded by other EU FIUs, which are produced by foreign firms' alert systems rather than Cyprus ones),that implies between approximately 230,000 and 460,000 transaction monitoring alerts reviewed, triaged, and either closed off or escalated by compliance analysts during the year. In a single calendar year.

Each of those alerts represents a discrete review event:

• An analyst opening a case
• Pulling transaction history, customer profile, and source-of-funds documentation
• Checking adverse media and sanctions databases
• For CASPs, running blockchain analytics on associated wallets and clusters
• Making a documented decision: close as false positive, escalate to L2, request additional information from the client, or submit an STR
• Recording the rationale in a case management system, with a clear audit trail

This is before considering parallel workstreams: ongoing CDD refresh cycles, EDD reviews triggered by risk-rating changes, sanctions screening, PEP screening, KYC remediation projects, and the periodic business-wide risk assessment exercise required under the EU AML/CFT framework.

3. The Indicators That Triggered the Reports

The MOKAS report sets out the leading suspicion indicators by sector. These are useful, because they tell compliance teams what their transaction monitoring rules and analyst training should actually be optimised for.

For Crypto-Asset Service Providers, the leading indicator was the suspected use of money mules, followed by transactions between unconnected counterparties, multiple transactions within the same day or a short timeframe, fraud (including cyber fraud),and unjustified source of funds. This is consistent with the broader European pattern of fraud-proceeds laundering through layered peer-to-peer crypto transfers.

For Investment Firms, the leading indicators were suspected fraud (including cyber fraud),activities lacking economic rationale, unusual client behaviour, submission of fake documents, and insufficient documentation.

One question worth raising on the investment firms figure. Reports in this sector nearly tripled between 2024 (347) and 2025 (986). The report does not clarify how much of that jump is attributable to traditional MiFID-authorised investment-firm AML activity intensifying, versus CIFs that have added crypto-asset services to their licence under MiCA's transition mechanism, with the resulting STRs categorised under "Investment Firms" rather than under "CASPs." MiCA's simplified-notification route let MiFID-authorised firms add CASP services without a separate authorisation, and a number of Cyprus CIFs have taken that route since the regime took effect on 30 December 2024. If a meaningful share of the IF jump reflects this licence expansion, the IF and CASP figures are partly telling the same story rather than two independent ones. If it does not, then there is a separate story to tell about traditional investment-firm AML activity in 2025. The report does not disaggregate, so neither reading can be confirmed from the published numbers alone.

For Electronic Money Institutions, suspected fraud dominated, followed by money mules, adverse media, fake documents, and transactions inconsistent with the client's economic profile.

For Banking Institutions, suspected fraud (including cyber fraud) was the leading indicator, followed by insufficient documentation, adverse media, transactions not matching the client's economic profile, and cash deposits. The report explicitly flags the evolving landscape of cyber-enabled fraud (smishing, vishing, phishing, often in combination) as a driver of submissions.

These indicators describe what compliance teams are detecting in real time, every day, across an EU-wide client base.

4. The Systems Required to Produce This Volume

24,092 STRs is not achievable through manual review. It requires:

• Transaction monitoring platforms with rules and scenarios calibrated to detect the indicators above, tuned to maintain a workable alert-to-STR conversion rate without missing legitimate suspicion;
• KYC and CDD platforms with workflow for periodic refresh, risk-rating recalculation, and EDD triggering;
• Sanctions and adverse media screening solutions running against the full customer base on an ongoing basis;
• For CASPs, blockchain analytics tooling capable of wallet attribution, cluster analysis, and identification of exposure to high-risk counterparties such as mixers, sanctioned addresses, or wallets linked to known illicit activity;
• Case management systems with structured workflows, role-based access controls, and full audit trails;
• Management information layer feeding compliance KPIs, alert backlog metrics, STR submission timeliness, and quality indicators up to the MLRO, the senior management, and the board.

The MOKAS report itself reflects this reality on the regulator's side. The Unit has established a Virtual Assets and Financial Technology sub-department to handle the analytical complexity of crypto-related reports, and is automating its dissemination, triage, and database-check processes to manage the volume of reports it now receives. The supervisory infrastructure is industrialising in parallel with the reporting infrastructure.

5. The People Behind the Numbers

What this means in practice: Behind 24,092 reports sits a community of compliance professionals. AMLCOs, MLROs, transaction monitoring analysts, KYC officers, sanctions specialists, blockchain analysts, and the technology and operations teams that support them. Every report is the product of hundreds of upstream decisions made by people working through alert queues, customer reviews, and case files. Whenever AML is described as "tick-box compliance," the MOKAS 2025 numbers are the answer.

6. Other Notable Figures From the Report

• Disseminations to competent authorities rose approximately 70%, to 572. Of these, 82% went to the Cyprus Police.
• International cooperation: MOKAS sent 319 requests to counterpart FIUs and executed 312 incoming requests. Spontaneous disclosures sent to other FIUs totalled 77; received, 219.
• Cross-border reports forwarded to EU/EEA FIUs exceeded 18,000, reflecting the operational reality of FIUs receiving reports from passporting entities and onward-disseminating them to the FIU of the Member State concerned.
• Freezing orders: Domestic freezing orders secured exceeded €10 million in value. Combined with foreign freezing order registrations, total frozen assets exceeded €27.5 million.
• Capacity: MOKAS staffing in 2025 stood at 23 analysts, 4 Counsels of the Republic, supporting officers and administrative staff, with significant reinforcement planned for 2026.

Know what supervisors are looking for. The MOKAS figures describe what compliance teams are detecting at the output stage. Strengthening the upstream is where most of the practical work sits. Customer risk assessment, business-wide risk assessment, transaction monitoring calibration, and the documentation that makes a file inspection-ready. Two of our seminars cover this directly:

• AML Customer Risk Assessment. How to build, document, and defend a customer risk assessment that holds up in inspection.
• Business-Wide Risk Assessment. How to embed the annual MOKAS report in your company's business-wide risk assessment.

Sources: Cyprus Financial Intelligence Unit (MOKAS),Annual Report 2025; Annual Report 2024. Industry estimates of transaction monitoring alert-to-STR conversion rates drawn from published supervisory feedback and effectiveness studies; actual rates vary materially by sector, system design, and risk appetite.