Financial certification used to work on a one-and-done basis. Pass the exam, you’re qualified for life. However, that model is gone in Cyprus, and it isn’t coming back. Training and continuous professional development (CPD) is now more important than ever — a mandatory yearly requirement for certified professionals. This is where FM Academy comes in, and why your next CPD checklist may be the easiest decision you make in 2026.

All Cyprus Securities and Exchange Commission (CySEC) certified persons — anyone holding a Basic, Advanced, or AML certification — must now log Continuous Professional Development hours every year to keep their registration valid. That means 10 hours for Basic, 15 for Advanced, 10 for AML, and up to 20 for combined certifications. If an individual misses the December 31 deadline, they are deregistered automatically. Re-registering costs an extra €280 on top of the standard renewal fee, with no appeal process available.

This isn’t paperwork for its own sake. It is CySEC acknowledging what regulators across Europe have quietly concluded: a certificate from five years ago tells you nothing about whether someone understands today’s rulebook.

FM Academy

The Regulatory Rulebook Doesn’t Sit Still

Anyone spending more than five minutes looking at the regulatory space would be hard-pressed to disagree, especially given the pace of change. Look at what has landed on Cypriot compliance desks in the last two renewal cycles alone. MiCA reshaped supervision of crypto-asset service providers from the ground up. CySEC has issued fresh AML circulars on beneficial ownership and transaction monitoring annually.

DORA brought operational resilience obligations to compliance officers who never had to think about ICT risk before. Someone who studied for their exam in 2020 isn’t slightly out of date — they are from a different era entirely, missing entire regulatory regimes that didn’t exist when they sat the test.

That’s the real case for CPD, separate from the compliance-checkbox version people default to. Regulators aren’t requiring hours because they like paperwork. They’re requiring it because knowledge decay is a genuine source of risk. AML failures and mis-selling cases rarely come from bad actors. They come from people who didn’t know the rule had changed.

CPD Doesn’t Stop at the Three Exams

CPD obligations in Cyprus extend well past CySEC’s headline certifications. Employees at CySEC-supervised firms need regular AML/CFT training regardless of whether they hold a certificate, and new hires need it before they touch client work. ICPAC accountants and Cyprus Bar Association lawyers working inside regulated firms carry their own parallel hour requirements. The perimeter keeps expanding, and nobody is shrinking the list of people who need to keep training.

For firms, that changes what training looks like on a balance sheet. It used to sit in the discretionary column — useful, but the first thing cut when budgets tighten. Under a CPD regime it is closer to a licensing cost. Let your AML compliance officer’s hours lapse and you’re not looking at a knowledge gap. You’re looking at deregistration, which is a business continuity problem, not an HR one.

Not Every Hour Counts the Same

The content matters as much as the count. CySEC’s requirement isn’t satisfied by any 10 or 15 hours of vaguely finance-adjacent training. The material must map to the legislative framework tied to the certification: AML-focused content for the AML certification, broader coverage of investment services law and the CIF regulatory regime for Basic and Advanced.

A compliance officer who spends their CPD hours on generic soft-skills training and shows up at renewal with certificates that don’t reference the relevant framework risks having that training rejected outright, putting them back to square one with the clock already running.

That’s why a market for accredited CPD providers has grown up around the requirement, offering courses built specifically to CySEC’s categories and producing the documentation certified persons need at renewal.

What You Need to Do in 2026

Plan it — don’t improvise it. Certified staff need to know exactly how many hours they owe, by when, and whether the training they’re doing counts. Individuals or firms that leave this until December end up with a compliance officer who is technically deregistered in January, scrambling to source last-minute accredited content that may not even be available on short notice. The full list of CPD courses and credits available at FM Academy is a useful starting point.

There’s a counterparty-risk angle too. Banking partners and institutional counterparties doing due diligence on Cyprus-regulated firms now routinely ask whether the compliance team’s certifications are current. A lapsed certification, even briefly, is exactly the kind of finding that turns up in a correspondent bank’s risk review.

None of this is about ticking a box once a year. It reflects a regulator’s position that competence has a shelf life — and that keeping people current is now as much a part of running a licensed financial business as the license itself.