CySEC Policy Statement on the enhancement of the non-face-to-face customer onboarding process with electronic methods
In today’s fast-paced digital landscape, the need for efficient and secure customer onboarding processes has never been more critical. Recognizing this, the Cyprus Securities and Exchange Commission (CySEC) has introduced a groundbreaking Policy Statement (PS-01-2024), designed to revolutionize the way financial institutions onboard non-face-to-face (NFTF) customers.
A. A New Era for Remote Customer Onboarding
The new policy marks a significant step forward in integrating electronic methods and technologies within the customer due diligence (CDD) process. CySEC’s policy is built on the principle of technological neutrality, giving financial institutions the flexibility to choose the most appropriate Remote Customer Onboarding Solutions (RCOS) that suit their operational needs.
This policy is not just a regulatory update; it is a roadmap for the future of digital finance in Cyprus. It aligns with the European Banking Authority (EBA) Guidelines and leverages lessons learned during the COVID-19 pandemic, ensuring that the financial industry remains robust, secure, and resilient in the face of evolving challenges.
B. Key Highlights of the Policy
- Technological Neutrality: CySEC encourages the use of diverse RCOS, whether through video calls, dynamic selfies, or other innovative technologies. The policy does not favor any specific technology, allowing businesses to adapt and innovate as they see fit.
- Mandatory Risk Assessments: Before implementing any RCOS, financial institutions are required to conduct comprehensive risk assessments. This ensures that the chosen technologies are not only compliant with existing regulations but also robust enough to handle potential security threats.
- Supervisory Guidance: CySEC has provided detailed guidelines to help institutions navigate the complex regulatory environment. These guidelines ensure that all remote onboarding processes meet the highest standards of security, reliability, and customer protection.
- Ongoing Compliance and Monitoring: The policy emphasizes the need for continuous monitoring and assessment of RCOS, ensuring that they remain effective and compliant with all relevant laws and regulations.
C. How We Can Help
At Andria Papageorgiou Law Firm, we have over a decade of experience in the fintech industry, specializing in regulatory compliance and innovative financial solutions. Our team of experts is ready to assist your business in implementing these new onboarding requirements seamlessly.
Whether you need help with risk assessments, compliance checks, or choosing the right RCOS for your business, we are here to guide you every step of the way. We understand the complexities of the fintech landscape and are committed to helping you stay ahead in this dynamic industry.
D. Last word
CySEC’s new policy is a significant development for the financial industry, offering both opportunities and challenges. By embracing these changes and leveraging the right expertise, your business can not only comply with the new regulations but also thrive in the digital age.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
CySEC Circular C556 on addressing AML/CFT Compliance – Insights from CySEC’s Recent Inspections
The Cyprus Securities and Exchange Commission (CySEC) has recently issued Circular C656 highlighting the findings from its inspections of various regulated entities over the past two years. These inspections assessed compliance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 and CySEC’s Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing. The circular provides valuable insights into good practices and common deficiencies observed, offering a roadmap for entities to enhance their Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) frameworks.
A. Good Practices Identified
CySEC’s inspections revealed several commendable practices among regulated entities, which can serve as benchmarks for others aiming to strengthen their AML/CFT controls:
- Utilization of Local Knowledge: Supplementing commercially available databases with local knowledge and open-source internet checks proved effective in researching potential high-risk customers, including Politically Exposed Persons (PEPs).
- Clear Escalation Processes: Establishing clear processes for escalating the review and approval of high-risk and PEP customer relationships to senior management.
- Face-to-Face Interactions: Conducting face-to-face meetings with high-risk and PEP prospects before onboarding them as customers.
- Comprehensive Customer Files: Maintaining detailed customer files that cover risk assessment, documentation, verification, expected account activity, and profiles of the customer or business relationship.
- Robust Transaction Monitoring: Ensuring transaction and account monitoring considers up-to-date Customer Due Diligence (CDD) information, including expected activity, source of wealth, and source of funds.
- Active Involvement of Senior Management: Involving senior management and AML/CFT staff in decisions regarding the maintenance or termination of high-risk relationships.
- Updated Policies and Procedures: Keeping AML/CFT policies and procedures current to comply with evolving legal and regulatory obligations.
B. Common Weaknesses and Deficiencies
Despite the good practices, several weaknesses were commonly identified, which need immediate attention to mitigate AML/CFT risks:
- Risk Management and Procedures Manual: Manuals often contained generic descriptions rather than tailored procedures specific to the entity’s risks. In some cases, procedures for identifying and detecting unusual cash transactions were inadequate.
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): Entities sometimes failed to construct comprehensive customer economic profiles or verify the identity of beneficial owners adequately. There was also a lack of additional information for high-risk customers.
- AML/CFT Risk Assessments: Risk assessments often did not consider guidelines from the European Banking Authority (EBA) or the Financial Action Task Force (FATF). In some instances, entities did not account for the risks posed by customers with Cypriot citizenship acquired through the Cyprus Investment Program.
- Source of Funds and Transactions Monitoring: Insufficient documentation to support customer transactions and initial source of funds was a recurrent issue. Entities need to gather detailed evidence and maintain updated customer profiles.
- Reporting of Suspicious Transactions: Compliance officers sometimes failed to examine internal reports adequately to determine if there was a suspicion of money laundering or terrorist financing.
- Record Keeping: Entities did not always ensure prompt availability of documents and information required by CySEC for regulatory duties.
CySEC’s circular serves as a crucial reminder for all regulated entities to review and enhance their AML/CFT policies, controls, and procedures. By addressing the identified deficiencies and adopting the highlighted good practices, entities can better align with regulatory expectations and effectively mitigate the risks associated with money laundering and terrorist financing.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
CySEC Circular C655: Findings of the assessment of Compliance Officers’ Annual Reports and Internal Audit Reports on the prevention of money laundering and terrorist financing, for the year 2022
The Cyprus Securities and Exchange Commission (CySEC) has published Circular No. C655, summarizing the findings from its 2023 assessment of Compliance Officers’ Annual Reports and Internal Audit Reports submitted by various regulated entities for the year 2022. The report underscores critical areas of non-compliance and provides detailed recommendations for improvement.
A. Targeted Entities
The circular addresses the following regulated entities:
- Crypto Asset Service Providers (CASPs)
- Cyprus Investment Firms (CIFs)
- Administrative Service Providers (ASPs)
- UCITS Management Companies (UCITS MC)
- Self-Managed UCITS (SM UCITS)
- Alternative Investment Fund Managers (AIFMs)
- Self-Managed Alternative Investment Funds (SM AIFs)
- Self-Managed Alternative Investment Funds with Limited Number of Persons (SM AIFLNP)
- Companies managing AIFLNPs
- Small Alternative Investment Fund Managers (Small AIFMs)
B. Scope of the Assessment
The assessment aimed to evaluate compliance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, and the CySEC Directive for the Prevention of Money Laundering and Terrorist Financing. The evaluation included the review of Compliance Officers’ Annual Reports and Internal Audit Reports submitted in 2023, reflecting the activities of the previous year.
C. Key Findings
CySEC identified several common weaknesses and deficiencies across the reports:
- Lack of Detailed Analysis: Many reports lacked sufficient analysis of the inspection methods used by Compliance Officers. Reports often provided results without explaining the methodologies, sample sizes, and the specifics of the inspections and reviews conducted.
- General Overviews: Some reports offered only general overviews rather than detailed descriptions of identified deficiencies, their seriousness, risk implications, and recommended corrective actions.
- Inadequate Customer Monitoring: Reports frequently did not provide adequate details on ongoing monitoring systems for customer accounts, including methods used and variations in monitoring based on customer risk categories.
- Insufficient Organizational Structure Information: The organizational structure and duties of the Compliance Officer’s department were often not sufficiently detailed.
- Incomplete Training Program Information: Information on recommended training programs for the upcoming year was frequently inadequate.
- Late Submissions: There were late submissions of Compliance Officers’ Annual Reports, Internal Audit Reports, and relevant Board of Directors (BoD) minutes.
D. Recommendations
CySEC has outlined several recommendations to address these deficiencies:
- Enhance Report Preparation: Ensure detailed and methodologically sound preparation of both Compliance Officers’ Annual Reports and Internal Audit Reports, including a thorough analysis of inspection methods and results.
- Improve Monitoring Systems: Establish robust systems for ongoing monitoring of customer accounts and transactions, providing detailed documentation of methods and findings.
- Detail Organizational Structure and Training: Include comprehensive information on the Compliance Department’s structure and staff duties, and clearly outline training programs for the next year.
- Adhere to Submission Deadlines: Comply with the specified timeframes for submitting reports and BoD minutes.
E. CySEC’s Expectations
CySEC expects all regulated entities to consider these findings and recommendations seriously when preparing their reports for 2023 and beyond. The Commission has emphasized that recurring weaknesses will be subject to rigorous compliance checks, and strict administrative sanctions may be imposed for non-compliance with the Law and Directive.
F. Conclusion
CySEC’s 2023 assessment report highlights significant areas for improvement in AML compliance and overall governance among regulated entities. By addressing the identified deficiencies and adhering to CySEC’s recommendations, entities can ensure robust compliance frameworks, thereby enhancing the integrity and trustworthiness of Cyprus’s financial sector.
G. How we can assist you
With ten years of experience in the financial services industry, our law firm is well-equipped to assist you with outsourced legal and compliance services. We provide comprehensive support and guidance for the preparation of annual CySEC reports, ensuring your compliance with all regulatory requirements.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
DORA: Why it is relevant & why is it relevant to you?
The Digital Operational Resilience Act (DORA) is a significant development in EU regulation, compelling financial entities to ensure consistent cybersecurity and operational resilience maturity levels across all their operations within the EU. With a two-year preparatory phase, organizations face a significant task of implementation and demonstration of compliance.
To navigate this transition effectively, financial institutions must conduct comprehensive gap assessments to gauge their readiness vis-à-vis DORA, identifying areas necessitating further investment and prioritization. Proactively addressing these gaps positions businesses to meet more complex requirements such as supply risk management, threat intelligence, and advanced security testing, thus gaining a competitive edge in the market.
DORA marks a substantial shift for entities under ESMA or EIOPA supervision and banks already subject to existing EBA guidelines on banking supervision. Moreover, it extends its scope to encompass previously less regulated stakeholders in the financial sector, including crypto-asset service providers, intermediaries managing alternative investment funds, crowdfunding service providers, cloud-service providers, and ICT third-party service providers.
One of DORA’s key focuses is on third-party risk management, necessitating entities to ensure the resilience of their critical ICT third-party service providers. This requires close collaboration and joint efforts to satisfy regulatory expectations, particularly in supporting the delivery of essential business services.
DORA officially entered into force at the beginning of 2023, initiating a two-year implementation period. Financial entities are thus expected to achieve compliance with the regulation by early 2025. As this deadline approaches, proactive engagement with DORA compliance becomes essential to avoid penalties and maintain operational continuity.
In light of these developments, Andria Papageorgiou Law Firm is committed to assisting organizations in navigating the complexities of DORA compliance. With our outsourced DPO services and regulatory compliance consulting, tailored to address the specific requirements of DORA, we ensure that businesses are well-equipped to meet regulatory obligations and uphold operational resilience in an evolving digital landscape.
Contact us today at info@apapageorgiou.com to learn more about how we can support your journey toward DORA compliance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as financial or investment or legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
CySEC Circular on EBA Guidelines: Enhancing Anti-Money Laundering Measures for Crypto-Asset Service Providers
We would like to draw your attention to Circular C640 (the “Circular”), issued by the Cyprus Securities and Exchange Commission (the “CySEC”) on the 26th of April 2024, for the purposes of informing Regulated Entities, as these are defined therein, about the European Banking Authority’s Guidelines amending Guidelines EBA/2021/02 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions under Articles 17 and 18(4) of Directive (EU) 2015/849 – Guidance to crypto-asset service providers to effectively manage their exposure to ML/TF risks.
On January 16, 2024, the European Banking Authority (EBA) extended its Guidelines on ML/TF risk factors to CASPs, signifying a significant stride in the EU’s efforts to combat financial crime. The new Guidelines (EBA/GL/2024/01) underscore ML/TF risk factors and mitigating measures that CASPs need to adopt, recognizing the potential abuse of CASPs for illicit financial activities.
The risks associated with CASPs are manifold, ranging from the rapidity of crypto-asset transfers to the anonymity features embedded in certain products, heightening the susceptibility to ML/TF activities. Hence, CASPs must grasp these risks comprehensively and implement effective measures to mitigate them.
The amended Guidelines serve to equip CASPs with a framework for identifying these risks, offering a non-exhaustive list of factors indicating exposure to varying levels of ML/TF risk. By leveraging these risk factors, CASPs can gain insights into their customer base and pinpoint areas of vulnerability, thereby fine-tuning their mitigating measures, including the use of blockchain analytics tools.
Recognizing the interconnectedness of the financial sector, the Guidelines extend guidance to credit and financial institutions with CASPs as clients or exposure to crypto assets. This risk is exacerbated when institutions engage with unregulated crypto-asset service providers.
In essence, these Guidelines foster a unified understanding of ML/TF risks associated with CASPs and outline the requisite steps for CASPs and other financial institutions to manage these risks effectively. The amended Guidelines will come into effect on December 30, 2024.
In line with its overarching supervisory approach, CySEC urges all Regulated Entities to adhere to the Guidelines and demonstrate the appropriateness of their AML/CFT policies, controls, and procedures in light of identified ML/TF risks, thus ensuring robust measures to combat financial crime.
Should you have any further questions, please do not hesitate to contact us at info@apapageorgiou.com.
How to Register with CySEC as a Crypto Asset Service Provider (CASP)?
The Cyprus Securities and Exchange Commission (CySEC) functions as the autonomous regulatory body overseeing the investment services market, collective investment, asset management sectors, as well as crypto-asset activities within and beyond the Republic of Cyprus. CySEC’s mission is to position the Cyprus securities market as a premier destination for investment, renowned for its security, reliability, and attractiveness.
Acting as the national authority responsible for Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT), CySEC governs Crypto-Asset Services Providers (CASP) offering services within or from Cyprus.
On September 13th, 2021, CySEC released a Policy Statement concerning the Registration and Operations of CASP. This statement details the registration criteria and offers further guidance on the process for becoming a registered CASP.
Submission of an application for registration in the Register of CASP:
For a complete application, the below information will be needed:
- The name, trade name, legal form and legal entity identifier of the CASP;
- the physical address of the CASP;
- the services provided and/or the activities that the CASP may carry out as defined below;
- the website of the CASP;
- the crypto-assets’ addresses of the CASP;
- the crypto-assets in relation to which the CASP provides services or exercises activities;
- the types of clients the CASP services;
- information as to whether the CASP offers payment services in crypto-assets;
- information as to whether the CASP operates crypto-assets ATMs, the number and the exact location thereof;
- the geographic jurisdictions in which the CASP operates; and
- information as to whether the CASP is registered or supervised in any other jurisdiction.
The documents and data are submitted in the official language of the Republic or in English and are originals or, where this is not possible, they are true copies of the originals. In case that the documents and data are produced in a language other than the official language of the Republic or in English, their true translation is also submitted.
List of Forms and Questionnaires for registration:
- Form 188-01: Application for CASP Registration and for Amendment of Registration;
- Form 188-02: Personal Questionnaire for CASP Beneficiaries – Natural Persons;
- Form 188-03: Personal Questionnaire for CASP Beneficiaries who are Legal Persons;
- Form 188-04: Personal Questionnaire for CASP Beneficiaries who are Trusts;
- Form 188-05: Personal Questionnaire for Persons Holding a Management Position;
- Form 188-06: List of Persons Holding a Management Position;
- Form 188-07: Notification Form for EEA CASPs.
Crypto Asset Services:
Crypto Asset Service Providers are able to operate through varying business models due to the different combinations of crypto-asset activities and services that can be generated, based on the company’s business plan and vision. CASP are categorised into three classes according to the crypto-asset services offered:
CASP Class | Crypto Asset Services |
---|---|
Class 1 | • Provision of investment advice |
Class 2 | • Provision of investment advice. And/or any of the below: • Reception and transmission of client orders |
Class 3 | • Provision of investment advice. And/or any of the below: • Reception and transmission of client orders. Plus any of the below: • Administration, transfer of ownership, transfer of site, holding, and/or safekeeping, including custody, of crypto assets or cryptographic keys or means enabling control over crypto assets |
Initial Capital Requirements:
The initial capital requirements differ depending on the various classes of CASPs, as outlined in the table provided below.
CASP Class | Initial Capital Requirements |
---|---|
Class 1 | 50,000 EUR |
Class 2 | 125,000 EUR |
Class 3 | 150,000 EUR |
Board of Directors:
The Board of Directors of the applicant comprises at least 4 persons who meet certain requirements (i.e. good reputation, experience, skills, etc.), 2 of whom must direct the business activities of the CASP and 2 of whom must be independent members.
Required Policies:
- Business Plan;
- Anti-Money Laundering Manual;
- Internal Operations Manual (IOM);
- Travel Rule Book;
- Remuneration Policy;
- Corporate Governance (if not included in the IOM);
- Business Continuity Plan and Disaster Recovery Policy;
- Outsourcing Policy (if not included in the IOM);
- Accounting Procedures (if not included in the IOM);
- Risk Management Policy;
- IT and Security Policies;
- Complaints’ Handling Policy;
- Legal Documents which will be accessible and available at all times on the website of the CASP licensed entity (i.e. Terms and Conditions).
Application Fees:
Fees payable to the Cyprus Securities and Exchange Commission for the examination of the registration application are standard and independent of the services intended to be offered. The fee is 10,000 EUR. Where the application for the CASP registration is approved the CASP is not required to pay any additional fees to CySEC for the first year of its registration.
Annual Fees:
Annual fees payable to the Cyprus Securities and Exchange Commission for the renewal of the CASP registration for one year, are standard and independent of the services offered by the CASP. The applicable fee is 5,000 EUR from year 2 onwards.
Licensing Timeframe:
Although the relevant regulatory framework specified that CySEC shall inform the applicant within 6 months from the submission of a fully completed application, in our experience, the CASP registration procedure can be concluded in 12 months, in anticipation of CySEC’s varying workload and the applicant’s preparedness in reverting with the information and documents requested.
Andria Papageorgiou Law Firm:
Our Firm comprises top-tier professionals dedicated to assisting both new and established CASPs offering crypto asset services in or from Cyprus with their registration process. Our team handles everything from gathering the necessary information to preparing and submitting a complete application package to CySEC, ensuring a smooth and efficient registration process on your behalf.
Once your registration is completed, our Firm stands ready to collaborate closely with you to ensure compliance with all regulatory obligations. We offer a wide array of post-registration services tailored to your specific needs.
Furthermore, for EEA-established CASPs already registered with their national competent authority, we assist in submitting the requisite notification form to CySEC, along with the necessary evidence regarding crypto asset services conducted or intended to be conducted in Cyprus.
It’s worth noting that our Law Firm has extensive experience in CASP registration, having successfully achieved the registration of a CASP-licensed entity, placing among the first 10 entities with a CASP license.
Should you have any further questions, please do not hesitate to contact us at info@apapageorgiou.com.
Supervisory priorities for 2024, targets CIFs providing services on a cross border basis
In a recent announcement, the Cyprus Securities and Exchange Commission (CySEC) has outlined its focus areas for 2024, intending to guide and support regulated entities amidst evolving regulatory landscapes. As trusted advisors, we aim to elucidate these priorities for our esteemed clients, including Cyprus Investment Firms (CIFs) and asset managers, providing clear guidance and actionable insights.
CySEC’s objectives for 2024 revolve around preserving market integrity and safeguarding investor interests. Informed by ongoing market evaluations and regulatory updates, these priorities serve as a compass for regulated entities, steering them towards excellence in compliance amid shifting regulatory dynamics.
A. Key Highlights:
Enhanced Supervision: CySEC stresses the significance of vigilant oversight, particularly for firms involved in cross-border activities with intricate financial products such as Contracts for Difference (CFDs). This heightened scrutiny is designed to mitigate risks and uphold market stability.
Promoting Compliance Culture: Nurturing a culture of compliance is imperative. CySEC urges firms to reinforce governance structures and control functions, fostering a sustainable approach to regulatory adherence.
Proactive Risk Management: Prompt identification and mitigation of risks are paramount. Regulated entities are encouraged to proactively address emerging threats, ensuring business resilience and investor protection.
B. Focus Areas for Regulated Entities:
Investment Services: CIFs are required to adhere to professional conduct rules, enhance organizational arrangements, and embrace technological advancements. Additionally, robust governance frameworks and proactive risk management are emphasized.
Asset Management: Asset managers should prioritize compliance with regulatory mandates, including sustainability requirements and effective asset valuation procedures. Thorough data analysis and oversight of derivative contracts are vital for maintaining financial stability.
C. What Firms Need To Do:
- Review policies, procedures and internal controls arrangements put in place to ensure compliance with the regulatory requirements.
- Implement effective and prudent management practices, with active oversight from the management body.
- Evaluate the adequacy of governance structures and the effectiveness of control functions such as compliance, internal audit and risk management.
- Improve monitoring of marketing communications.
- Implement measures to address risks in the field of ICT and prepare for compliance with DORA.
- Consider investing in technology solutions/tools that complement firms’ efforts to ensure business resilience and regulatory compliance.
D. Next Steps: Firms should expect ongoing engagement from supervisory teams on the areas mentioned above as well as specific feedback, including communication with the board of directors. CySEC aims to take timely action commensurate with the problems and shortcomings identified, to effectively prevent, mitigate or bring them to an end, considering repetition or continuation over time as aggravating factors.
Andria Papageorgiou Law Firm is a reputable Firm specializing in regulatory compliance and risk management solutions. With a dedication to empowering clients through tailored strategies and innovative tools, we are poised to support our clients’ journey toward compliance excellence.
Should you have any further questions, please do not hesitate to contact us at info@apapageorgiou.com.
Opinion on the product intervention measures on CFDs and other high-risk products proposed by the Spanish CNMV
This article is about the Opinion of the European Securities and Markets Authority (“ESMA”) on the adoption of additional product intervention measures on Financial Contracts for Difference (“CFDs”) and other high-risk products by the Spanish Comisión Nacional del Mercado de Valores (the “CNMV”) issued on the 11th of July 2023 (the “ESMA’s Opinion”).
Background and Rationale:
After the completion of the consultation process that the CNMV launched in November 2022 with respect to its intention to introduce additional restrictive measures on the trading of CFDs, the CNMV notified ESMA in May 2023 of its decision to ultimately proceed with the adoption of additional restrictive measures on the trading of both CFDs and certain futures and options (the “High-Risk Products”) pursuant to its mandate under the Regulation (EU) 600/2014 on markets in financial instruments (the “MiFIR”).
The CNMV’s decision, as summarised in ESMA’s Opinion, has been based on a multi-faceted spectrum of considerations, as outlined below:
- Significant investor protection concerns;
- Degree of complexity, transparency, and the specific features of CFDs and other High-Risk Products;
- Size of potential detrimental consequences and the degree of disparity between the expected return and the risk of loss;
- Selling practices associated with CFDs and other High-Risk Products; and
- Existing EU regulatory requirements did not sufficiently address the risks.
A. Restrictions applying to CFDs:
As far as CFDs are concerned, the additional restrictive measures will prohibit their marketing, distribution, sale, and related services by means of advertising communications aimed at retail investors in Spain. More specifically:
I. Prohibition of certain marketing communications, including, inter alia, the following:
- Redirecting to a website that offers CFDs or related services;
- Sending of a contact form, an application download, or any other kind of tool intended to put the client in touch with investment service providers that offer CFDs or related services; and
- Offering of training, technical seminars, courses or sessions whenever such offers are related to CFDs or related services, including training demo accounts or tools for retail investors or which encourage using these, whenever such offers are free or have a token charge, either if they are promoted or held by the regulated entities or by related or affiliated parties.
Exclusions to the prohibition on marketing communications will be applicable when:
- The provision of information related to CFDs is made in response to a request made upon the sole initiative of the client; and
- The provision of the following kind of information:
  - the one required to contract CFDs or related services that are subject to the measures;
  - to perform a transaction regarding CFDs, such as the precontractual and contractual information; and
  - the information or warnings regarding the characteristics and risks of CFDs or related services offered that are provided to investors.
II. Prohibition of any event or organisation sponsorship operation and brand advertising, including:
- the use of public figures, whenever their purpose or effect is to directly or indirectly advertise CFDs or related services; and
- the cases where such sponsorship or brand advertising does not intend to offer such products or services, in particular, when such products or services only account for a small part of the offers on the website of the firm when compared with its general activity.
III. Prohibition of certain marketing practices, including:
- Rewards to customers who provide new retail customers;
- Remuneration to marketing networks or to third parties whose remuneration is determined based on the number of clients acquired, the cash deposits by clients, the deposits by the entity providing the investment service, or the losses by clients and, in general, any type of remuneration that may come into conflict with the interests of the clients;
- The use and remuneration of collaborators to train new potential clients without these clients having accredited knowledge and experience;
- The use of call centers which contact clients or possible clients to promote the provision of investment services regarding the instruments that are subject to the restriction;
- The use of software in which the remuneration of the software providers is determined based on the cash deposits of clients, or deposits of the distributor or losses of clients;
- The acceptance of credit card payments for cash deposits.
C. Restrictions applying to other High-Risk Products:
As far as other High-Risk Products are concerned, the additional restrictive measures subject the marketing, distribution and sale to Retail Clients of other High-Risk Products to the following conditions:
- The provider of the instrument provides initial margin protection by requiring the customer to pay the initial margin; and
- The provider of the instrument will provide margin close-out protection to the Retail Client.
D. ESMA’s conclusions:
ESMA concluded that the CNMV’s proposed national measures are justified and proportionate and encourages national competent authorities (the “NCAs”) to monitor the marketing, sale, and distribution of CFDs and the impact of other High-Risk Products in their national markets to assess whether similar risks for retail investors as those identified by the CNMV exist.
E. CySEC Circular C602:
Further to all of the above, CySEC issued Circular C602 on the 12th of October 2023, for the purposes of informing Cyprus Investment Firms (the “CIFs”) in relation to the Resolution of the CNMV on product intervention measures relating to CFDs and other leveraged products to retail investors in Spain and the corresponding Press Release that were issued during July 2023.
As already mentioned above, the said Resolution forbids the advertisement of CFDs and other leveraged instruments to retail investors as well as certain remuneration policies and sales techniques and establishes intervention measures for the marketing, sale, and distribution to retailers of other leveraged instruments. It is noted that the relevant measures are applicable from the 3rd of August 2023 to all entities authorized to provide investment services in Spain, regardless of the origin of the investment firm marketing and distributing such products and even where the firm has no branch in Spain (i.e. including entities under the freedom to provide services without an establishment).
In view of the above, all CIFs that are marketing, distributing, and selling CFDs and other leveraged products to retail investors in Spain are urged by CySEC to take all the appropriate steps and measures in order to ensure their adherence to the CNMV’s Resolution.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
Circular C589 – MONEYVAL’s report on money laundering and financing of terrorism risks in the world of virtual assets
We would like to draw your attention to Circular C589 (the “Circular”), issued by the Cyprus Securities and Exchange Commission (the “CySEC”) on the 18th of July 2023, for the purposes of informing Regulated Entities, as these are defined therein, about MONEYVAL’s Report on money laundering and financing of terrorism risk in the world of virtual assets (the “Report”).
A. Purpose:
The Report purports to present in an integrated manner an overview of the money laundering and financing of terrorism risks in the world of virtual assets (the “VAs”) and their service providers in MONEYVAL members. In order to do this, the Report includes the following:
- horizontal analysis of MONEYVAL’s members’ level of compliance with the Financial Action Task Force (the “FATF”) Recommendation 15;
- an overview of the measures taken to regulate and supervise virtual asset service providers (the “VASPs”) sector; and
- features of the identified risks that criminals use VASPs and VAs to launder proceeds of crimes (i.e. exchanges, exchange offices, aggregators, and other cryptocurrency platforms including e-gaming, sports betting, and NFTs).
In particular, the Report integrates and analyses data obtained from MONEYVAL members across multiple issues, relating to (a) how members regulated the activity of issuance of VAs and operation of VASPs; (b) whether the Law Enforcement Authorities (LEAs) have adequate powers and tools to investigate, locate and impose interim measures in respect of VAs; (c) the types of VA platforms used for financial support of criminal activity; (d) examples of cases investigated by the relevant authorities with description of criminal schemes involving the virtual asset elements that have been identified; and (e) other data relevant to the goals of the study.
B. Main Provisions:
In view of the above, the Report has been structured into the following four (4) sections:
1. Horizontal review of compliance with FATF Recommendation 15:
FATF has published documents that are aimed at helping jurisdictions and the private sector to comply with the new AML/CFT requirements for VAs and VASPs. Due to the peculiarities of the sector and the relatively recent adoption of the standard, the vast majority of MONEYVAL members have not yet fully implemented these requirements (i.e. of the 23 jurisdictions that have been assessed since June 2021 for their compliance with Recommendation 15, the majority require major or moderate improvements). In particular, further improvements are needed in assessing ML/TF risks, supervision, and the application of AML/CFT preventative measures.
2. Assessment of VA and VASP risks:
As already mentioned above, not all members have assessed the ML/TF risks posed by VAs and VASPs, or, where such a risk assessment has been conducted, in many cases it lacks depth. In the case of Andorra, which carried out its second national risk assessment back in 2020, it is noted that the risk assessment at the national level would start with an inventory (i.e. when VASPs must be licensed or registered, leaving the authorities with the tasks of estimating if and to which extent unregistered entities are still servicing clients in the respective jurisdiction) of the registered entities in the jurisdiction and determining the materiality of the VASP sector. However, in practice, jurisdictions experience challenges in identifying unregistered or unlicensed VASP activity in their jurisdiction.
In view of the above and following the first inventory of VASPs, a more in-depth analysis of the sector was undertaken. There is a risk that if the work conducted by Andorra indicates that there are no businesses operating domestically that should be registered, then VAs and VASPs become less of a focus. An assessment must be made about the use of VAs in the country even if there are no registered VASPs (for instance, whether customers in the domestic jurisdiction are obtaining services in another jurisdiction).
3. Risk-Based Approach Supervision of the VASP Sector:
The relevant section of the Report outlines the different approaches taken by members to license or register domestic VASPs and to implement a risk-based supervisory framework for the VASP sector. In brief, the following are noted:
- A VA is defined as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes and does not include digital representations of FIAT currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations.
- A VASP is any natural or legal person that provides as a business activity one or more of the following activities or operations for or on behalf of another natural or legal person: (i) exchange between virtual assets and FIAT currencies; (ii) exchange between one or more forms of virtual assets; (iii) transfer of virtual assets; (iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and (v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
- The analysis shows that not all members included natural persons in the definition of VASPs.
- A risk-mitigating measure for VASP activity is the application of market entry controls and of adequate risk-based supervision for AML/CFT purposes in the sector.
- Recommendation 15 allows countries to choose between licensing or registration of VASPs, providing that at a minimum, VASPs would be required to be licensed or registered in the jurisdiction(s) where they were created.
- MONEYVAL members have implemented different approaches to supervision (i.e. licensing or registration authority is not always the same authority that conducts the AML/CFT supervision of VASPs).
- In supervising the VASP sector most of the MONEYVAL members are at the beginning of implementation. Not all supervisors are comprehensively resourced in terms of staffing and knowledge, and the risk-based approach is rarely tailored to a sector-specific risk assessment.
- The volume and flow of cross-border transactions is one important element that supervisors should consider when determining the risk of the VASP sector and conducting supervision activities.
- The availability of sanctions for VASP supervisors in MONEYVAL members differs in the scope and amounts of the sanctions that can be applied.
4. Law Enforcement and Operational Issues:
The capabilities and approaches of authorities in MONEYVAL countries to investigate ML/TF cases involving the use of VAs and to impose interim measures are examined in the relevant section of the Report. In particular, a number of case studies from the MONEYVAL region that shed light on the use of VAs for money laundering purposes, such as the types of underlying crimes that are normally associated with such ML cases, as well as the modus operandi and typologies as to how such money laundering cases are perpetrated, are outlined within the Report. VAs are being used and can probably be used interchangeably with FIAT currencies when looking at typologies, as per the following investigated cases:
- Theft of VAs through “typosquatting” – Isle of Man (in cooperation with UK and Netherlands);
- Sale of fake VAs – Azerbaijan;
- Use of money mules – Latvia;
- Drug and arms dealing – Slovak Republic; and
- Laundering of drug trafficking proceeds – Malta.
C. Next Steps:
CySEC considers the Report to be of assistance to the Regulated Entities engaging or seeking to engage in VA activities, in understanding their AML/CFT risks and obligations and how they can effectively comply with these obligations.
To this end, it is expected by CySEC that all Regulated Entities will study the Report and take its content into account when assessing AML/CFT risks, thereby improving the effectiveness of the measures and procedures applied.
ESAs public consultation on DORA
We would like to draw your attention to the fact that the European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) launched yesterday, 19th of June 2023, a public consultation on the first batch of policy products under the DORA.
This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). These technical standards aim to ensure a consistent and harmonized legal framework in the areas of ICT risk management, major ICT-related incident reporting, and ICT third-party risk management.
DORA entered into force on the 16th of January 2023 and will apply from the 17th of January 2025, aiming to enhance the digital operational resilience of entities across the EU sector and to further harmonize key digital operational resilience requirements for all EU financial entities.
This regulatory framework covers key areas such as:
- ICT risk management,
- ICT-related incident management and reporting,
- digital operational resilience testing and
- management of ICT third-party risk.
DORA has mandated the ESAs to jointly develop altogether 13 policy instruments in two batches. The first batch of technical standards is the following:
- RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
- RTS on criteria for the classification of ICT-related incidents;
- ITS to establish the templates for the register of information;
- RTS to specify the policy on ICT services performed by ICT third-party providers.
The ESAs expect to submit these draft technical standards to the European Commission by 17 January 2024.
Comments on this consultation can be sent to the ESAs by the 11th of September 2023.