
Opinion on the product intervention measures on CFDs and other high-risk products proposed by the Spanish CNMV
This article is about the Opinion of the European Securities and Markets Authority (“ESMA”) on the adoption of additional product intervention measures on Financial Contracts for Difference (“CFDs”) and other high-risk products by the Spanish Comisión Nacional del Mercado de Valores (the “CNMV”) issued on the 11th of July 2023 (the “ESMA’s Opinion”).
- Background and Rationale:
After the completion of the consultation process that the CNMV launched in November 2022 with respect to its intention to introduce additional restrictive measures on the trading of CFDs, the CNMV notified ESMA in May 2023 of its decision to ultimately proceed with the adoption of additional restrictive measures on the trading of both CFDs and certain futures and options (the “High-Risk Products”) pursuant to its mandate under Regulation (EU) 600/2014 on markets in financial instruments (the “MiFIR”).
The CNMV’s decision, as summarised in ESMA’s Opinion, has been based on a multi-faceted spectrum of considerations, as outlined below:
- Significant investor protection concerns;
- Degree of complexity, transparency, and the specific features of CFDs and other High-Risk Products;
- Size of potential detrimental consequences and the degree of disparity between the expected return and the risk of loss;
- Selling practices associated with CFDs and other High-Risk Products; and
- Existing EU regulatory requirements did not sufficiently address the risks.
A. Restrictions applying to CFDs:
As far as concerns CFDs, the additional restrictive measures will prohibit their marketing, distribution, sale, and related services by means of advertising communications aimed at retail investors in Spain. More specifically:
I. Prohibition of certain marketing communications, including, inter alia, the following:
- Redirecting to a website that offers CFDs or related services;
- Sending of a contact form, an application download, or any other kind of tool intended to put the client in touch with investment service providers that offer CFDs or related services; and
- Offering of training, technical seminars, courses or sessions whenever such offers are related to CFDs or related services, including training demo accounts or tools for retail investors or which encourage using these, whenever such offers are free or have a token charge, either if they are promoted or held by the regulated entities or by related or affiliated parties.
Exclusions to the prohibition on marketing communications will be applicable when:
- The provision of information related to CFDs is made in response to a request made upon the sole initiative of the client; and
- The provision of the following kind of information:
  - the one required to contract CFDs or related services that are subject to the measures;
  - to perform a transaction regarding CFDs, such as the precontractual and contractual information; and
  - the information or warnings regarding the characteristics and risks of CFDs or related services offered that are provided to investors.
II. Prohibition of any event or organisation sponsorship operation and brand advertising, including:
- the use of public figures, whenever their purpose or effect is to directly or indirectly advertise CFDs or related services; and
- the cases where such sponsorship or brand advertising does not intend to offer such products or services, in particular, when such products or services only account for a small part of the offers on the website of the firm when compared with its general activity.
III. Prohibition of certain marketing practices, including:
- Rewards to customers who provide new retail customers;
- Remuneration to marketing networks or to third parties whose remuneration is determined based on the number of clients acquired, the cash deposits by clients, the deposits by the entity providing the investment service, or the losses by clients and, in general, any type of remuneration that may come into conflict with the interests of the clients;
- The use and remuneration of collaborators to train new potential clients without these clients having accredited knowledge and experience;
- The use of call centers which contact clients or possible clients to promote the provision of investment services regarding the instruments that are subject to the restriction;
- The use of software in which the remuneration of the software providers is determined based on the cash deposits of clients, or deposits of the distributor or losses of clients;
- The acceptance of credit card payments for cash deposits.
C. Restrictions applying to other High-Risk Products:
As far as concerns other High-Risk Products, the additional restrictive measures subject the marketing, distribution and sale to Retail Clients of other High-Risk Products to the following conditions:
- The provider of the instrument provides initial margin protection by requiring the customer to pay the initial margin; and
- The provider of the instrument will provide margin close-out protection to the Retail Client.
D. ESMA’s conclusions:
ESMA concluded that the CNMV’s proposed national measures are justified and proportionate and encourages national competent authorities (the “NCAs”) to monitor the marketing, sale, and distribution of CFDs and the impact of other High-Risk Products in their national markets to assess whether similar risks for retail investors as those identified by the CNMV exist.
E. CySEC Circular C602:
Further to all of the above, CySEC issued Circular C602 on the 12th of October 2023, for the purposes of informing Cyprus Investment Firms (the “CIFs”) in relation to the Resolution of the CNMV on product intervention measures relating to CFDs and other leveraged products to retail investors in Spain and the corresponding Press Release that were issued during July 2023.
As already mentioned above, the said Resolution forbids the advertisement of CFDs and other leveraged instruments to retail investors as well as certain remuneration policies and sales techniques and establishes intervention measures for the marketing, sale, and distribution to retailers of other leveraged instruments. It is noted that the relevant measures are applicable from the 3rd of August 2023 to all entities authorized to provide investment services in Spain regardless of the origin of the investment firm marketing and distributing such products, or whether there is not a branch in Spain (i.e. including entities under the freedom to provide services without an establishment).
In view of the above, all CIFs that are marketing, distributing, and selling CFDs and other leveraged products to retail investors in Spain are urged by CySEC to take all the appropriate steps and measures in order to ensure their adherence to the CNMV’s Resolution.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.

Circular C589 – MONEYVAL’s report on money laundering and financing of terrorism risks in the world of virtual assets
We would like to draw your attention to Circular C589 (the “Circular”), issued by the Cyprus Securities and Exchange Commission (the “CySEC”) on the 18th of July 2023, for the purposes of informing Regulated Entities, as these are defined therein, about MONEYVAL’s Report on money laundering and financing of terrorism risk in the world of virtual assets (the “Report”).
A. Purpose:
The Report purports to present in an integrated manner an overview of the money laundering and financing of terrorism risks in the world of virtual assets (the “VAs”) and their service providers in MONEYVAL members. In order to do this, the Report includes the following:
- horizontal analysis of MONEYVAL’s members’ level of compliance with the Financial Action Task Force (the “FATF”) Recommendation 15;
- an overview of the measures taken to regulate and supervise virtual asset service providers (the “VASPs”) sector; and
- features of the identified risks that criminals use VASPs and VAs to launder proceeds of crimes (i.e. exchanges, exchange offices, aggregators, and other cryptocurrency platforms including e-gaming, sports betting, and NFTs).
In particular, the Report integrates and analyses data obtained from MONEYVAL members across multiple issues, relating to (a) how members regulated the activity of issuance of VAs and operation of VASPs; (b) whether the Law Enforcement Authorities (LEAs) have adequate powers and tools to investigate, locate and impose interim measures in respect of VAs; (c) the types of VA platforms used for financial support of criminal activity; (d) examples of cases investigated by the relevant authorities with description of criminal schemes involving the virtual asset elements that have been identified; and (e) other data relevant to the goals of the study.
B. Main Provisions:
In view of the above, the Report has been structured into the following four (4) sections:
1. Horizontal review of compliance with FATF Recommendation 15:
FATF has published documents that are aimed at helping jurisdictions and the private sector to comply with the new AML/CFT requirements for VAs and VASPs (available here and here). Due to the peculiarities of the sector and the relatively recent adoption of the standard, the vast majority of MONEYVAL members have not yet fully implemented these requirements (i.e. of the 23 jurisdictions that have been assessed since June 2021 for their compliance with Recommendation 15, the majority require major or moderate improvements). In particular, further improvements are needed in assessing ML/TF risks, supervision, and the application of AML/CFT preventative measures.
2. Assessment of VA and VASP risks:
As already mentioned above, not all members have assessed the ML/TF risks posed by VAs and VASPs, or if such risk assessment has been conducted in many cases it lacks depth. In the case of Andorra that carried out its second national risk assessment back in 2020, it is noted that the risk assessment at the national level would start with an inventory (i.e. when VASPs must be licensed or registered, leaving the authorities with the tasks of estimating if and to which extent unregistered entities are still servicing clients in the respective jurisdiction) of the registered entities in the jurisdiction and determining the materiality of the VASP sector. However, in practice, jurisdictions experience challenges in identifying unregistered or unlicensed VASP activity in their jurisdiction.
In view of the above and following the first inventory of VASPs, a more in-depth analysis of the sector was undertaken. There is a risk that if the work conducted by Andorra indicates that there are no businesses operating domestically that should be registered, then VAs and VASPs become less of a focus. An assessment must be made about the use of VAs in the country even if there are no registered VASPs (for instance, whether customers in the domestic jurisdiction are obtaining services in another jurisdiction).
3. Risk-Based Approach Supervision of the VASP Sector:
The relevant section of the Report outlines the different approaches taken by members to license or register domestic VASPs and to implement a risk-based supervisory framework for the VASP sector. In brief, the following are noted:
- VAs are defined as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes, and do not include digital representations of FIAT currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations.
- VASP is any natural or legal person that provides as a business activity one or more of the following activities or operations for or on behalf of another natural or legal person: (i) exchange between virtual assets and FIAT currencies; (ii) exchange between one or more forms of virtual assets; (iii) transfer of virtual assets; (iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and (v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
- The analysis shows that not all members included natural persons in the definition of VASPs.
- A risk-mitigating measure for VASP activity is the application of market entry controls and of adequate risk-based supervision for AML/CFT purposes in the sector.
- Recommendation 15 allows countries to choose between licensing or registration of VASPs, providing that at a minimum, VASPs would be required to be licensed or registered in the jurisdiction(s) where they were created.
- MONEYVAL members have implemented different approaches to supervision (i.e. licensing or registration authority is not always the same authority that conducts the AML/CFT supervision of VASPs).
- In supervising the VASP sector most of the MONEYVAL members are at the beginning of implementation. Not all supervisors are comprehensively resourced in terms of staffing and knowledge, and the risk-based approach is rarely tailored to a sector-specific risk assessment.
- The volume and flow of cross-border transactions is one important element that supervisors should consider when determining the risk of the VASP sector and conducting supervision activities.
- The availability of sanctions for VASP supervisors in MONEYVAL members differs in the scope and amounts of the sanctions that can be applied.
4. Law Enforcement and Operational Issues:
The capabilities and approaches of authorities in MONEYVAL countries to investigate ML/TF cases involving the use of VAs and to impose interim measures are examined in the relevant section of the Report. In particular, a number of case studies from the MONEYVAL region, which shed light on the use of VAs for money laundering purposes, such as the types of underlying crimes that are normally associated with such ML cases, as well as the modus operandi and typologies as to how such money laundering cases are perpetrated, are outlined within the Report. VAs are being used and can probably be used interchangeably with FIAT currencies when looking at typologies, as per the following investigated cases:
- Theft of VAs through “typosquatting” – Isle of Man (in cooperation with UK and Netherlands);
- Sale of fake VAs – Azerbaijan;
- Use of money mules – Latvia;
- Drug and arms dealing – Slovak Republic; and
- Laundering of drug trafficking proceeds – Malta.
C. Next Steps:
CySEC considers the Report to be of assistance to the Regulated Entities engaging or seeking to engage in VA activities, in understanding their AML/CFT risks and obligations and how they can effectively comply with these obligations.
To this end, it is expected by CySEC that all Regulated Entities will study the Report and take its content into account when assessing AML/CFT risks, thereby improving the effectiveness of the measures and procedures applied.
Should you have any further questions, please do not hesitate to contact us at info@apapageorgiou.com.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as financial or investment or legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.

ESAs public consultation on DORA
We would like to draw your attention to the fact that the European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) launched yesterday, 19th of June 2023, a public consultation on the first batch of policy products under the DORA.
This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). These technical standards aim to ensure a consistent and harmonized legal framework in the areas of ICT risk management, major ICT-related incident reporting, and ICT third-party risk management.
DORA entered into force on the 16th of January 2023 and will apply from the 17th of January 2025 aiming to enhance the digital operational resilience of entities across the EU sector and to further harmonize key digital operational resilience requirements for all EU financial entities.
This regulatory framework covers key areas such as:
- ICT risk management,
- ICT-related incident management and reporting,
- digital operational resilience testing and
- management of ICT third-party risk.
DORA has mandated the ESAs to jointly develop altogether 13 policy instruments in two batches. The first batch of technical standards are the following:
- RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
- RTS on criteria for the classification of ICT-related incidents;
- ITS to establish the templates for the register of information;
- RTS to specify the policy on ICT services performed by ICT third-party providers.
The ESAs expect to submit these draft technical standards to the European Commission by 17 January 2024.
Comments to this consultation can be sent to the ESAs by the 11th of September 2023.

CySEC Circular C576 – Adoption of the European Banking Authority Guidelines
We would like to draw your attention to Circular C576 (the “Circular”) issued by the Cyprus Securities and Exchange Commission (the “CySEC”) on the 2nd of June 2023, for the purposes of informing the Cyprus Investment Firms (the “CIFs”) about its decision to adopt the following European Banking Authority’s (the “EBA”) guidelines, that have been previously published within 2022, by incorporating them into its supervisory practices and regulatory approach:
- (a) Guidelines on the benchmarking exercises on remuneration practices and the gender pay gap under the Directive (EU) 2019/2034 (the “Guidelines on benchmarking”). Our previous notification email is attached herein; and
- (b) Guidelines on data collection exercises regarding high earners under Directive 2013/36/EU and under Directive (EU) 2019/2034 (the “Guidelines on high earners”). Our previous notification email is attached herein.
In brief, kindly note the below:
1. Guidelines on benchmarking:
The relevant guidelines specify how competent authorities shall collect from investment firms the remuneration and the gender pay gap data and how they will then submit them to EBA. It is noted that the said data shall be collected and submitted at the individual level whereas where Article 7 of IFR applies, this data shall be collected and submitted only at the level of consolidation set out therein. Please note that the Guidelines on benchmarking should be read in conjunction with the EBA Guidelines on sound remuneration policies under IFD.
In view of the above and pursuant to Section 28(1) of the Prudential Supervision of Investment Services Law of 2021 (the “Prudential Supervision Law”), CySEC shall collect the information disclosed in accordance with Article 51(1)(c) and (d) of IFR as well as the information provided by CIFs on the gender pay gap and use that information to benchmark remuneration trends and practices. Pursuant to Section 28(4) of the Prudential Supervision Law, CySEC shall provide the collected information to EBA in order to benchmark remuneration trends and practices at the Union level.
Therefore, the following actions should be taken by CIFs in regard to the topics presented below:
| Related Topic | Information to be submitted | Deadline |
|---|---|---|
| Remuneration Data | Information on the remuneration of all staff, as set out in Annex I of Guidelines on benchmarking | 15th of June of each calendar year* |
| | Additional information on remuneration for identified staff, as set out in Annex II and Annex III of Guidelines on benchmarking | |
| | Information on derogation as specified in Annex IV of Guidelines on benchmarking | |
| Gender Pay Gap | Information set out in Annex V of Guidelines on benchmarking regarding the financial year 2023 | 15th of June every three years, starting from 2024 |
*It is clarified that the remuneration data outlined above should be submitted by the 31st of August 2023 at the latest, regarding the financial year 2022.
2. Guidelines on high earners:
The objective of the data collected on high earners is to analyse and publish year-to-year developments in the number of individuals in institutions and investment firms earning at least EUR 1 million within the European Union (the “EU”) and the European Economic Area (the “EEA”), and within the different Member States, and to assess the major components of remuneration awarded to high earners in different business areas. The said information can be used together with other remuneration benchmarking data to analyse the application of remuneration policies within the EU and EEA and the trends in remuneration practices so as to improve the relevant legal framework.
In view of the above, CIFs should submit to CySEC data regarding high earners (i.e. staff member(s) earning a remuneration of at least EUR 1 million in the reported financial year) so as for the latter to submit such information to EBA.
Please note that high earners data should be reported, as applicable, at the level of consolidation set out in Article 7 of IFR and should concern all the high earners’ data for all entities and branches within the highest level of prudential consolidation. In the case of standalone investment firms, high earner’s data should be reported on an individual basis. The data submitted should also include data relevant to EU/EEA branches.
In this respect, please note the following:
- Where CIFs do not have high earners to report, it is not necessary to submit this information, unless explicitly requested by the CySEC.
- High earners data should be submitted to CySEC each year for any given financial year by the 15th of June of the next calendar year.
- It is clarified that high earners’ data should be submitted by the 31st of August 2023 at the latest, regarding the financial year 2022.
3. Method of submission:
The information outlined in points 1 and 2 above should be submitted through CySEC’s XBRL Portal only, which is expected to be updated by the 30th of June 2023.
CIFs are urged to consider the Guidelines on benchmarking & Guidelines on high earners and where necessary, take actions to ensure compliance with their provisions.

CySEC Circular C533 on the guidelines on certain aspects of the compliance function requirements
Cyprus Securities and Exchange Commission (the “CySEC”) issued the Circular C553 (the “Circular”) on the 14th of March 2023, for the provision of guidance on the application of certain aspects of the compliance function requirements provided in Article 17(2) of the Investment Services and Activities and Regulated Markets Law (the “Law”) and Article 22 of the MiFID II Delegated Regulation 2017/565 (the “Delegated Regulation 565”).
It should be noted that Circulars C030 and C050 are repealed and replaced by this Circular, and that this Circular should be read with Circular C447 on the ESMA’s Guidelines (ESMA35-36-1952) on certain aspects of the MiFID II compliance function requirements (the “Compliance Function Guidelines”).
The Circular issued by CySEC provides a summary of the Compliance Function Guidelines, alongside further guidance from the Commission (please refer to statements in italics) so as to ensure the common, uniform and consistent application of the relevant legal requirements, as these are outlined above. In brief, we would like to note the following:
A. Guidelines on the responsibilities of the Compliance Function:
- Guideline 1 – Compliance risk assessment:
A risk assessment must be conducted by adopting a risk-based monitoring program to determine its priorities and the focus on monitoring, advisory, and assistance activities. In addition, based on the new provisions of the Guidelines, the following are expected:
- The findings of the compliance risk assessment should be used to set the work programme of the Compliance Function and to allocate the function’s resources efficiently.
- The compliance risk assessment should be reviewed on a regular basis, and, when necessary, updated to ensure that the objectives, focus and the scope of compliance monitoring and advisory activities remain valid.
- Guideline 2 – Monitoring obligations of the Compliance Function:
The aim of the risk-based monitoring program should be to evaluate whether the firm’s business is conducted in compliance with its obligations under the Law and that the internal policies and procedures, organization, and control measures remain effective and appropriate to ensure that compliance risk is comprehensively monitored. The risk-based approach to compliance shall form the basis for determining the appropriate tools and methodologies used by the Compliance Function, as well as the extent of the monitoring program and the frequency of monitoring activities performed by the Compliance Function. Also, the monitoring program should reflect changes to the firm’s risk profile as well as, extend to the implementation and effectiveness of any remedial measures taken by the firm in response to breaches of the Law.
- Guideline 3 – Reporting obligations of the Compliance Function:
The mandatory compliance reports should cover all business units involved in the provision of investment services, activities and ancillary services provided by a firm. The mandatory compliance reports are expected to include general information, manner of monitoring and reviewing, findings, actions taken and other information. The relevant report should also cover the firm’s product governance arrangement (e.g. role of Compliance Function, monitoring of the firm’s product governance by the Compliance Function, information about the financial instruments manufactured / distributed, including information on the distribution strategy). Additionally, the Compliance Function and the Complaints Management Function should be properly segregated, subject to the principle of proportionality.
Investment Firms should submit to CySEC the annual reports mentioned in Article 25 of the Delegated Regulation 565 within twenty (20) days from the date the reports are discussed by the Board of Directors and not later than four (4) months from the end of the calendar year. The Board of Directors should also provide CySEC with explanations of the Compliance Function’s findings (e.g. corrective measures in response to the identified deficiencies and timetable for their implementation). It is provided that the annual report is a standalone document and cannot be part of another report that the Investment Firm is obliged to prepare (e.g. anti-money laundering compliance function report).
- Guideline 4 – Advisory and assistance obligations of the Compliance Function:
In general, pursuant to Guideline 4, the Compliance Function is expected to fulfil its advisory and assistance responsibility, including providing support for staff and management training, providing day-to-day assistance for staff and management and participating in the establishment of policies and procedures within the firm (e.g. the firm’s remuneration policy or the firm’s product governance policies and procedures).
B. Guidelines on the responsibilities of the Compliance Function:
- Guideline 5 – Effectiveness of the Compliance Function:
The firm should ensure that the Compliance Function is allocated with the appropriate human and other resources by taking into account the scale and types of investment services, activities and ancillary services undertaken by the firm, as well as any changes to the firm’s compliance risk in case its business unit activities are significantly extended (e.g. establishment of branches, use of affiliates, cross border activities). The said guideline was further enhanced so as to be clearly indicated that it is of vital importance for the firms to have in place the necessary arrangements to ensure an effective exchange of information between the Compliance Function and other control functions (such as the internal audit and risk management) as well as with any internal and external auditors.
- Guideline 6 – Skills, knowledge, expertise and authority of the Compliance Function:
Guideline 6 outlines the requirements related to the skills, knowledge, expertise and authority of the Compliance Function (e.g. sufficiently broad knowledge and experience, sufficiently high level of expertise etc.). The senior management should assess the prospective Compliance Officer’s qualifications prior to appointment and ensure that he/she has integrity, morals and credibility, as well as that he/she is a holder of the CySEC’s Advanced Certificate and registered in the Public Register. CySEC also performs an assessment of the qualification of the nominated Compliance Officer during the authorisation process and/or in the context of ongoing supervision, which includes the analysis of his/her curriculum vitae, as well as an interview.
- Guideline 7 – Permanence of the Compliance Function:
The firm should establish adequate arrangements for ensuring that the tasks and responsibilities of the Compliance Function are performed on a permanent basis and are fulfilled when the Compliance Officer is absent. The responsibilities, competences and the authority of the Compliance Function should be set out in a “compliance policy” or other general policies or internal rules that consider the scope and nature of the firm’s services and activities, which should include information on the monitoring programme, the reporting duties of the Compliance Function and its risk-based approach to monitoring activities.
- Guideline 8 – Independence of the Compliance Function:
Guideline 8 highlights that the Compliance Function holds a position in the firm’s organisational structure that ensures that the Compliance Officer and other compliance staff act independently when performing their tasks. The tasks performed by the Compliance Function should be carried out independently from the senior management and other units of the firm. Where the senior management deviates from important recommendations or assessments issued by the Compliance Function, the Compliance Officer should document this accordingly and present it in the compliance reports, and if deemed necessary, inform CySEC as soon as possible.
- Guideline 9 – Proportionality with regard to the effectiveness of the Compliance Function:
The firm should decide which measures, including organisational measures and the level of resources, are best suited for ensuring the effectiveness of the Compliance Function in the firm’s particular circumstances. The firm may fall under the proportionality exemption if the performance of the necessary compliance tasks does not require a full-time position due to the nature, scale and complexity of the firm’s business, and the nature and range of the investment/ancillary services and activities, but should ensure that any conflicts of interest are minimised. Where a firm makes use of the proportionality exemption, it should record how this is justified, so that CySEC is able to assess this.
The Compliance Function should also ensure that all employees that fall under the Directive regarding the Certification of Persons and the Certification Registers of 2019 to 2021 hold the relevant certificate and are registered in the public register, as well as that the content of the CIF Electronic Record is complete and accurate and where amendments are required, that these are done immediately.
- Guideline 10 – Combining the Compliance Function with other internal control functions:
Generally, firms should ensure that the control functions are properly segregated (e.g. the compliance staff shall not be involved in the activities they monitor). Nevertheless, a combination of the Compliance Function with other control units at the same level (such as money laundering prevention) may be acceptable if this does not generate conflicts of interest or compromise its effectiveness. Any such combination should be documented, including the rationale behind it, so that CySEC is able to assess whether such a combination is appropriate. Based on the provisions of Guideline 10, the following should be noted:
- Where an internal audit function has been established and is maintained, such function may not be combined with other control functions such as the Compliance Function;
- Where the Compliance Officer is not appointed as the Single Officer (referred to in Article 9 of the Directive DI87-01), both the Single Officer and the Compliance Officer should act independently and the Compliance Officer should not supervise and/or issue any instruction to the Single Officer; and
- Where the Compliance Function is combined with other control functions or where it is also responsible for other tasks (for example anti-money laundering), the firm should ensure that it allocates enough resources for MiFID II compliance at all times.
- Guideline 11 – Outsourcing of the Compliance Function:
In accordance with Guideline 11, which outlines the requirements relating to the outsourcing of tasks undertaken by the Compliance Officer and not the outsourcing of the relevant responsibilities, the following shall be noted:
- In all cases, outsourcing the Compliance Function should not undermine its quality and independence, create undue additional operational risks, impair the activities of internal controls or impair the ability of the firm and the relevant competent authority to supervise compliance with the applicable requirements;
- The outsourcing to non-EU entities may potentially make oversight and supervision of the Compliance Function more difficult and should therefore be subject to a closer monitoring; and
- Upon the termination of the outsourcing arrangement relating to the Compliance Function, firms should ensure continuity by transferring the Compliance Function back to the firm or outsourcing it to another provider.
C. Guidelines on the competent authority review of the Compliance Function:
- Guideline 12 – Review of the Compliance Function by the competent authority:
Generally, the competent authorities should assess whether a firm’s Compliance Function is adequately resourced and organised and whether adequate reporting lines have been established. With respect to the CySEC’s expectations and clarifications provided:
- It is required, as a condition for authorisation, that any necessary amendments to the Compliance Function are notified to CySEC.
- Also, as part of the ongoing supervisory process, CySEC assesses whether the measures implemented by the firm for the Compliance Function are adequate, and whether it fulfils its responsibilities appropriately.
- The Compliance Function must immediately disclose to CySEC every important development that may substantially affect its ability to effectively perform the Compliance Function and to fulfil its responsibilities appropriately.
Finally, without prejudice to the provisions of Guideline 6, a person may be nominated as Compliance Officer, even if not registered in the Public Register, provided that, following an assessment of his/her qualifications, CySEC is satisfied that the person has the relevant knowledge and expertise and will succeed in the Advanced Examination and be registered in the Public Register within a determined time period decided by CySEC. The firm should notify CySEC of both the appointment and replacement of the Compliance Officer and the latter may require a detailed statement on the grounds for the replacement.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.

Financial Action Task Force Statement Publications – February 2023
Paris, 24 February 2023 – The second Plenary of the FATF under the Presidency of T. Raja Kumar of Singapore concluded on 24/2/2023. Delegates from over 200 jurisdictions of the Global Network participated in these discussions at the FATF headquarters in Paris.
Following the statements issued since March 2022, the FATF reiterates that all jurisdictions should be vigilant to current and emerging risks from the circumvention of measures taken against the Russian Federation in order to protect the international financial system. The outcomes of the FATF Plenary, 22-23 February 2023 relate among others to the following matters:
FATF Statement on High-Risk Jurisdictions subject to a Call for Action:
Following FATF’s statement of October 2022 on the list of “High-Risk Jurisdictions subject to a Call for Action – October 2022”, the latter proceeded with the issuance of a Publication on the 24th of February 2023, through which it urges all jurisdictions to apply enhanced due diligence, and, in the most serious cases, countries are called upon to apply counter-measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing (the “ML/TF/PF”) risks emanating from the country. In particular, the FATF’s call for action on the following high-risk jurisdictions remains in effect:
A. Jurisdictions subject to a FATF call on its members and other jurisdictions to apply countermeasures.
- Democratic People’s Republic of Korea (DPRK)
- Iran
B. Jurisdiction subject to a FATF call on its members and other jurisdictions to apply enhanced due diligence measures proportionate to the risks arising from the jurisdiction.
- Myanmar
FATF Statement on Jurisdictions under Increased Monitoring:
On the 24th of February 2023, the FATF issued a Publication in relation to the results of the progress review to identify new countries with strategic AML/CFT deficiencies, despite the challenges posed by Covid-19, based on which:
A. Jurisdictions no longer subject to increased monitoring:
- Cambodia
- Morocco
B. Jurisdictions with strategic deficiencies:
- Albania
- Barbados
- Burkina Faso
- The Cayman Islands
- (*) Democratic Republic of the Congo
- Gibraltar
- Haiti
- Jamaica
- Jordan
- Mali
- (*) Mozambique
- Nigeria (new)
- Panama
- Philippines
- Senegal
- South Africa (new)
- South Sudan
- Syria
- (*) Tanzania
- Turkey
- Uganda
- United Arab Emirates
- Yemen
* Chose to defer reporting; thus, the relevant Statements available, issued in October 2022, may not necessarily reflect the most recent status of the jurisdictions’ AML/CFT regimes.
FATF Statement on the Russian Federation:
On the 24th of February 2023, the FATF issued a Statement in relation to its decision to suspend the membership of the Russian Federation, as the latter’s continuing and intensifying war of aggression against Ukraine runs counter to FATF’s core principles aiming to promote security, safety and the integrity of the global financial system. In particular, the Russian Federation can no longer hold any leadership or advisory roles or take part in decision-making on standard-setting, FATF peer review processes, governance, and membership matters.
Other matters:
- Mutual Evaluation Reports: FATF has adopted a mutual evaluation report of Indonesia and Qatar that will be published by May 2023 following the completion of its quality and consistency review.
- Beneficial Ownership of Legal Persons: FATF Plenary has finalised a guidance document which will help countries implement the revised requirements of Recommendation 24 which requires countries to ensure that beneficial ownership information is held by a public authority or body functioning as a beneficial ownership registry or an alternative mechanism they will use to enable efficient access. The guidance will be published in March 2023.
- Beneficial Ownership of Legal Arrangements: FATF Plenary also agreed on enhancements to Recommendation 25 on legal arrangements to bring its requirements broadly in line with those for Recommendation 24 on legal persons to ensure a balanced and coherent set of FATF standards on beneficial ownership.
- Disrupting the financial flows from ransomware: FATF completed research that analyses the methods that criminals use to carry out their ransomware attacks and how they launder ransom payments. Relevant research will be published in March 2023 and will include a list of risk indicators that can help public and private sector entities identify suspicious activities related to ransomware.
- Improving implementation of FATF requirements for virtual assets and virtual asset service providers: Plenary agreed on a roadmap to strengthen the implementation of FATF Standards on virtual assets and virtual asset service providers, which will include a stocktake of current levels of implementation across the global network. In the first half of 2024, the FATF will report on steps FATF members and FSRB countries with materially important virtual asset activity have taken to regulate and supervise virtual asset service providers.
- Money Laundering and Terrorist Financing in the Art and Antiquities Markets: FATF has also finalised a report that explores the link between money laundering and art and antiquities which was published on the 27th of February 2023.

Procedures for the receipt of reports of infringement of Regulation (EU) No. 596/2014 on market abuse
We would like to draw your attention to the Circular C488 (the “Circular”) issued by the Cyprus Securities and Exchange Commission (the “CySEC” or the “Commission”) on the 17th of February 2021, under the provisions of Article 2(1) of the Regulation (EU) No 596/2014 as amended (the “Market Abuse Regulation”), in relation to the updated procedures in force regarding the receipt of reports of infringement pursuant to the provisions of Article 32 of the Market Abuse Regulation.
In brief, please note the following:
A. Reporting Requirements:
- The staff members of the Market Surveillance and Investigations Department of CySEC dedicated to the handling of the reports of infringements (the “Competent Department”) have been assigned with specific duties in order to assist and provide information on the procedures for reporting infringements to any interested person.
- The report of infringement can be submitted either by name or anonymously, through the communication channels of the Competent Department as further specified under point A3 of the Circular.
- A person who is accused of having committed an actual or potential infringement of the Market Abuse Regulation (the “Reporting Person”), may proceed with the submission of a written report of infringement by completing the “Whistleblowing External Disclosure Form” (the “Form”) which is available as an Appendix within the Circular.
- In cases when the identity of the Reporting Person has been disclosed, CySEC may request further information.
- Upon the submission of the infringement report, either orally or in writing, CySEC notifies the Reporting Person in writing of the number of days within which he/she will be notified about the results of his/her inquiry and ensures that the relevant notification will be sent within the timeframe set.
B. Record Keeping of the Infringement Reports:
- Unless otherwise requested by the Reporting Person, a confirmation of receipt is sent by CySEC.
- In cases where reporting of infringements has been performed through the use of a telephone line, CySEC has the right to document the oral reporting, except in cases where the Reporting Person’s prior consent is not provided.
- In cases where the Reporting Person’s consent is not provided for the reporting of infringements, CySEC has the right to document the conversation in the form of accurate minutes.
- In cases where a person requests a physical meeting with the Competent Department for the purposes of reporting the infringement, CySEC ensures that complete and accurate records of the meeting are kept in a durable and retrievable form.
- In cases where the confidentiality regime is used, CySEC notes that under certain circumstances as those explained in point C of the Circular, confidential information of the Reporting Person may be published.
To this end and as per Article 6(6) of the Market Abuse Law of 2016, a person providing information to CySEC, in accordance with the Market Abuse Regulation, is not considered to be infringing any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, nor will the said person have liability of any kind related to such disclosure.