CySEC does not ask for a Sectoral Risk Assessment across every regulated sector unless it intends to use the answers. The release of the new SRA Form under CySEC Circular C763 (23 March 2026) is a supervisory instrument: a standardised, scored self-assessment that will let CySEC compare AML/CFT control effectiveness within and across sectors — CIFs, CASPs, Management Companies, ASPs, and Crowdfunding Service Providers — using data firms themselves provided, under deadline, through TRS.
For compliance officers who have already submitted, the Form is closed but its implications are not. For those assessing what CySEC is now reading in those answers, the Form's structure tells the story.
Legal Basis and Scope
CySEC Circular C763 is issued pursuant to section 25(1)(c)(ii) & (iii) of the Cyprus Securities and Exchange Commission Law of 2009 (the 'CySEC Law'), as amended. That provision gives CySEC the authority to issue circulars to regulated entities as part of its supervisory mandate. The Form is not a voluntary questionnaire.
The scope is wider than it first appears. Dormant authorisations do not create an exemption. An entity that held a CIF or CASP authorisation as at 31 December 2025, regardless of whether it conducted a single regulated transaction, was required to submit.
The reporting period is 01/01/2025 – 31/12/2025, reference date 31/12/2025, per CySEC Circular C763, section 1.1. All responses in the Form are anchored to that calendar year and that closing reference date.
The sectors covered by the Form are set out in Table 1 of C763:
→ Cyprus Investment Firms and EU Investment Firms Branches in Cyprus (CIFs & CBRs) → Crypto-Asset Service Providers (CASPs) → Management Companies (MCs) — comprising AIFMs, Internally Managed AIFs, AIFLNPs, Small AIFMs, UCITS Management Companies, and Internally Managed UCITS → Administrative Service Providers (ASPs) → Crowdfunding Service Providers (CSPs)
Each sector has its own Form track. The sector a firm selects in Section A, Cell D21, determines which set of Section B questions applies.
The Dual-Authorisation Rule
The dual-authorisation rule is operationally significant and easy to overlook. CySEC Circular C763, section 1.2 states that entities holding more than one authorisation must complete a separate Form for each authorisation held.
The Circular gives a specific example: if a Regulated Entity holds both a CIF authorisation and a CASP authorisation, it must submit two separate Forms — one for the "CIFs and CBRs" sector and one for the "CASPs" sector.
There is one carve-out. A CIF that is also authorised by CySEC to perform AIF management functions is required to submit only one Form, for the "CIFs and CBRs" sector. CySEC Circular C763, section 1.2 That carve-out is narrow. It covers the specific case of a CIF with AIF management permissions — not a firm holding separate CIF and AIFM licences.
The operational implication: compliance teams at dual-authorised entities needed to run two separate Section B assessments, reflecting the distinct risk profiles of their CIF business and their CASP business, and submit each under the correct file naming convention. A CIF that also holds a CASP licence cannot average its AML/CFT control effectiveness across both activities into a single score set.
Section B: What 14 Questions at 1–10 Tell Us About CySEC's Risk Framework
Section B is the substantive core of the Form. CySEC Circular C763, section 2.2 requires Regulated Entities to assess the current AML/CFT control environment of their sector by responding to Questions 1 through 14. For each question, firms must select one score from 1 to 10, where 10 represents the highest level of effectiveness. If a question is not applicable, "N/A" must be selected.
The 14-question, 1–10 scoring format is a deliberate supervisory design choice. It produces ordinal, comparable data. CySEC can rank entities within a sector, identify outliers at either end, track sector-wide scores across time, and calibrate its thematic inspection priorities accordingly. A firm that scored its customer due diligence controls at 3 has handed CySEC a supervisory lead.
The questions themselves are not reproduced in the circular text, but the instruction that each question reflects the firm's "assessment, experience, or view" of control effectiveness signals that CySEC is not asking for a binary pass/fail. It is asking for a calibrated, professional judgment. A compliance officer completing Section B was being asked to commit, in writing, to a score that CySEC will read as a representation of the firm's AML/CFT maturity.
The primary objective stated in C763 is to gain a sector-wide understanding of the current AML/CFT control environment for the purpose of conducting a Sectoral Risk Assessment. CySEC Circular C763 That language confirms the Form is input data for a structured CySEC analysis, not a standalone filing requirement.
Submission Mechanics: TRS, File Naming, Feedback File, Deadlines
The Form had to be submitted electronically via CySEC's Transaction Reporting System (TRS) by Friday, 17 April 2026, per CySEC Circular C763, section 1.4.
The file naming convention in Cell D22 of Section A is mandatory and sector-specific. CySEC Circular C763, section 2.1 sets the convention as:
TRS username_yyyymmdd_SRA-[TYPE]
Where yyyymmdd equals the reference date — 20251231 for the 31 December 2025 reference date. The sector-specific suffixes are:
→ CIFs: TRS username_20251231_SRA-CIF
→ CBRs: TRS username_20251231_SRA-CBR
→ CASPs: TRS username_20251231_SRA-CASP
→ MCs: TRS username_20251231_SRA-MC
→ ASPs: TRS username_20251231_SRA-ASP
→ CSPs: TRS username_20251231_SRA-CSP
The naming convention is not cosmetic. A file submitted under an incorrect name will generate errors in the TRS feedback file.
The feedback file mechanism is the critical confirmation step. CySEC Circular C763, section 1.5 requires that upon submission, the Regulated Entity must confirm receipt of a feedback file dispatched by TRS to the Outgoing directory. A Form is only regarded as successfully submitted when a NO ERROR indication feedback file is received, within the deadline. CySEC Circular C763, section 1.6
If the feedback file contains error descriptions, the firm must correct all errors and resubmit — including re-applying the digital signature for Excel files — before the 17 April 2026 deadline. The feedback file is dispatched only during CySEC regular hours, which is a practical constraint for submissions made close to the deadline.
The Form was available in the English language only. CySEC Circular C763, section 3.1 Before submission, firms were required to ensure that the validation test at the bottom of the form page and the Validation Tests Worksheet returned TRUE (Green Colour). CySEC Circular C763, section 3.3 The Excel file must be version 2007 or later (.xlsx format). CySEC Circular C763, section 4
The query window closed on 8 April 2026. CySEC Circular C763, section 5 stated that queries on how to complete the Form's fields had to be submitted in writing prior to Wednesday, 8 April 2026, to risk.statistics@cysec.gov.cy. Technical queries on digital signing and submission were directed to information.technology@cysec.gov.cy. After 8 April, the query channel was closed.
What Firms Should Take Away for the Next Cycle
The SRA Form is a baseline. The scores submitted for the 01/01/2025 – 31/12/2025 period are now CySEC's reference point for each regulated entity in each sector.
Several operational conclusions follow.
→ Document the basis for every Section B score submitted. If CySEC's next thematic inspection focuses on a control area where a firm scored high, the firm will need to demonstrate that its controls actually operate at the level represented. The score creates a performance benchmark CySEC can test against.
→ Where a firm scored low or selected N/A, consider whether a remediation plan is already in place or should be. A low score submitted honestly is defensible. A low score with no remediation trajectory, discovered at inspection, is a different conversation.
→ For dual-authorised entities, verify that both Forms were submitted and that both received NO ERROR feedback files. A missed submission for one authorisation is a non-submission for that sector.
→ Build the SRA Form cycle into the AML/CFT compliance calendar. The 2026 submission covered 2025 data. The next cycle will likely cover 2026 data on a similar timeline. The preparation — collating the control effectiveness evidence needed to score 14 questions with confidence — takes longer than the submission itself.
→ Retain the submitted Form, the feedback file with the NO ERROR confirmation, and the internal working papers supporting each score. These records are the audit trail if CySEC queries a submission or conducts an on-site review.
FAQ
Which entities were required to submit the SRA Form under C763?
All Regulated Entities authorised by 31 December 2025, across five sectors: CIFs and CBRs, CASPs, Management Companies, ASPs, and Crowdfunding Service Providers. Entities that held authorisation but did not use it during the reporting period were also required to submit. CySEC Circular C763, section 1.2
What does Section B of the Form actually require?
Section B requires the Regulated Entity to assess its current AML/CFT control environment by scoring 14 questions on a scale of 1 to 10, where 10 represents the highest level of effectiveness. If a question is not applicable, "N/A" must be selected. There is one score per question; the scoring reflects the firm's assessment, experience, or view of control effectiveness in that area. CySEC Circular C763, section 2.2
How does a firm know its submission was accepted?
A submission is successfully completed only when the TRS dispatches a feedback file to the Outgoing directory containing a NO ERROR indication, within the 17 April 2026 deadline. A feedback file containing error descriptions requires the firm to correct the errors and resubmit before the deadline. The feedback file is dispatched only during CySEC regular hours. CySEC Circular C763, sections 1.5–1.6
An entity holds both a CIF and a CASP authorisation. How many Forms did it need to submit?
Two separate Forms: one for the "CIFs and CBRs" sector and one for the "CASPs" sector, each with the appropriate file naming suffix (SRA-CIF and SRA-CASP respectively). The only exception to the dual-submission rule is a CIF also authorised to perform AIF management functions, which submits only one Form for the CIFs and CBRs sector. CySEC Circular C763, section 1.2
Primary sources, not summaries. The SRA Form's structure, the dual-authorisation rule, the feedback file mechanics, and the query deadline all turn on precise reading of C763. Every answer carries its citation. Verify the obligations and cross-reference the Form requirements against the source text at omnilaw.ai.
