CySEC Circular C533 on the guidelines on certain aspects of the compliance function requirements
Cyprus Securities and Exchange Commission (the “CySEC”) issued the Circular C553 (the “Circular”) on the 14th of March 2023, for the provision of guidance on the application of certain aspects of the compliance function requirements provided in Article 17(2) of the Investment Services and Activities and Regulated Markets Law (the “Law”) and Article 22 of the MiFID II Delegated Regulation 2017/565 (the “Delegated Regulation 565”).
It shall be noted, that Circulars C030 and C050 are repealed and replaced by this Circular, and that this Circular should be read with Circular C447 on the ESMA’s Guidelines (ESMA35-36-1952) on certain aspects of the MiFID II compliance function requirements (the “Compliance Function Guidelines”).
The Circular issued by CySEC provides a summary of the Compliance Function Guidelines, alongside further guidance from the Commission (please refer to the statements in italics), so as to ensure the common, uniform and consistent application of the relevant legal requirements, as these are outlined above. In brief, we would like to note the following:
A. Guidelines on the responsibilities of the Compliance Function:
- Guideline 1 – Compliance risk assessment:
The Compliance Function must conduct a risk assessment, adopting a risk-based monitoring programme to determine its priorities and the focus of its monitoring, advisory and assistance activities. In addition, based on the new provisions of the Guidelines, the following are expected:
- The findings of the compliance risk assessment should be used to set the work programme of the Compliance Function and to allocate the function’s resources efficiently.
- The compliance risk assessment should be reviewed on a regular basis, and, when necessary, updated to ensure that the objectives, focus and the scope of compliance monitoring and advisory activities remain valid.
- Guideline 2 – Monitoring obligations of the Compliance Function:
The aim of the risk-based monitoring programme should be to evaluate whether the firm’s business is conducted in compliance with its obligations under the Law and whether the internal policies and procedures, organisation and control measures remain effective and appropriate to ensure that compliance risk is comprehensively monitored. The risk-based approach to compliance shall form the basis for determining the appropriate tools and methodologies used by the Compliance Function, as well as the extent of the monitoring programme and the frequency of the monitoring activities performed by the Compliance Function. The monitoring programme should also reflect changes to the firm’s risk profile and extend to the implementation and effectiveness of any remedial measures taken by the firm in response to breaches of the Law.
- Guideline 3 – Reporting obligations of the Compliance Function:
The mandatory compliance reports should cover all business units involved in the provision of investment services, activities and ancillary services provided by a firm. The mandatory compliance reports are expected to include general information, the manner of monitoring and reviewing, findings, actions taken and other information. The relevant report should also cover the firm’s product governance arrangements (e.g. the role of the Compliance Function, the monitoring of the firm’s product governance by the Compliance Function, and information about the financial instruments manufactured / distributed, including information on the distribution strategy). Additionally, the Compliance Function and the Complaints Management Function should be properly segregated, subject to the principle of proportionality.
Investment Firms should submit to CySEC the annual reports mentioned in Article 25 of the Delegated Regulation 565 within twenty (20) days from the date the reports are discussed by the Board of Directors and not later than four (4) months from the end of the calendar year. The Board of Directors should also provide CySEC with explanations of the Compliance Function’s findings (e.g. corrective measures in response to the identified deficiencies and timetable for their implementation). It is provided that the annual report is a standalone document and cannot be part of another report that the Investment Firm is obliged to prepare (e.g. anti-money laundering compliance function report).
- Guideline 4 – Advisory and assistance obligations of the Compliance Function:
In general, pursuant to Guideline 4, the Compliance Function is expected to fulfil its advisory and assistance responsibilities, including providing support for staff and management training, providing day-to-day assistance to staff and management, and participating in the establishment of policies and procedures within the firm (e.g. the firm’s remuneration policy or the firm’s product governance policies and procedures).
B. Guidelines on the responsibilities of the Compliance Function:
- Guideline 5 – Effectiveness of the Compliance Function:
The firm should ensure that the Compliance Function is allocated appropriate human and other resources, taking into account the scale and types of investment services, activities and ancillary services undertaken by the firm, as well as any changes to the firm’s compliance risk where its business unit activities are significantly extended (e.g. establishment of branches, use of affiliates, cross-border activities). The said guideline was further enhanced so as to indicate clearly that it is of vital importance for firms to have in place the necessary arrangements to ensure an effective exchange of information between the Compliance Function and other control functions (such as internal audit and risk management), as well as with any internal and external auditors.
- Guideline 6 – Skills, knowledge, expertise and authority of the Compliance Function:
Guideline 6 outlines the requirements related to the skills, knowledge, expertise and authority of the Compliance Function (e.g. sufficiently broad knowledge and experience, sufficiently high level of expertise, etc.). Senior management should assess the prospective Compliance Officer’s qualifications prior to appointment and ensure that he/she has integrity, morals and credibility, as well as that he/she is a holder of the CySEC Advanced Certificate and is registered in the Public Register. CySEC also performs an assessment of the qualifications of the nominated Compliance Officer during the authorisation process and/or in the context of ongoing supervision, which includes an analysis of his/her curriculum vitae as well as an interview.
- Guideline 7 – Permanence of the Compliance Function:
The firm should establish adequate arrangements for ensuring that the Compliance Function performs its tasks and responsibilities on a permanent basis and that these are fulfilled when the Compliance Officer is absent. The responsibilities, competences and authority of the Compliance Function should be set out in a “compliance policy” or in other general policies or internal rules that consider the scope and nature of the firm’s services and activities, and which should include information on the monitoring programme, the reporting duties of the Compliance Function and its risk-based approach to monitoring activities.
- Guideline 8 – Independence of the Compliance Function:
Guideline 8 highlights that the Compliance Function should hold a position in the firm’s organisational structure that ensures that the Compliance Officer and other compliance staff act independently when performing their tasks. The tasks performed by the Compliance Function should be carried out independently from senior management and the other units of the firm. Where senior management deviates from important recommendations or assessments issued by the Compliance Function, the Compliance Officer should document this accordingly and present it in the compliance reports and, if deemed necessary, inform CySEC as soon as possible.
- Guideline 9 – Proportionality with regard to the effectiveness of the Compliance Function:
The firm should decide which measures, including organisational measures and the level of resources, are best suited for ensuring the effectiveness of the Compliance Function in the firm’s particular circumstances. The firm may fall under the proportionality exemption if the performance of the necessary compliance tasks does not require a full-time position due to the nature, scale and complexity of the firm’s business and the nature and range of the investment/ancillary services and activities, but it should ensure that any conflicts of interest are minimised. Where a firm makes use of the proportionality exemption, it should record how this is justified, so that CySEC is able to assess this.
The Compliance Function should also ensure that all employees that fall under the Directive regarding the Certification of Persons and the Certification Registers of 2019 to 2021 hold the relevant certificate and are registered in the public register, as well as that the content of the CIF Electronic Record is complete and accurate and where amendments are required, that these are done immediately.
- Guideline 10 – Combining the Compliance Function with other internal control functions:
Generally, firms should ensure that the control functions are properly segregated (e.g. compliance staff shall not be involved in the activities they monitor). Nevertheless, combining the Compliance Function with other control units at the same level (such as money laundering prevention) may be acceptable if this does not generate conflicts of interest or compromise its effectiveness. Any such combination should be documented, including the rationale behind it, so that CySEC is able to assess whether the combination is appropriate. Based on the provisions of Guideline 10, the following should be noted:
- Where an internal audit function has been established and is maintained, such function may not be combined with other control functions such as the Compliance Function;
- Where the Compliance Officer is not appointed as the Single Officer (referred to in Article 9 of the Directive DI87-01), both the Single Officer and the Compliance Officer should act independently and the Compliance Officer should not supervise and/or issue any instruction to the Single Officer; and
- Where the Compliance Function is combined with other control functions or where it is also responsible for other tasks (for example anti-money laundering), the firm should ensure that it allocates enough resources for MiFID II compliance at all times.
- Guideline 11 – Outsourcing of the Compliance Function:
In accordance with Guideline 11, which outlines the requirements related to the outsourcing of tasks undertaken by the Compliance Officer (and not the outsourcing of the relevant responsibilities), the following shall be noted:
- In all cases, outsourcing the Compliance Function should not undermine its quality and independence, create undue additional operational risks, impair the activities of internal controls or impair the ability of the firm and the relevant competent authority to supervise compliance with the applicable requirements;
- The outsourcing to non-EU entities may potentially make oversight and supervision of the Compliance Function more difficult and should therefore be subject to a closer monitoring; and
- Upon the termination of an outsourcing arrangement related to the Compliance Function, firms should ensure continuity by transferring the Compliance Function back to the firm or outsourcing it to another provider.
C. Guidelines on the competent authority review of the Compliance Function:
- Guideline 12 – Review of the Compliance Function by the competent authority:
Generally, the competent authorities should assess whether a firm’s Compliance Function is adequately resourced and organised and whether adequate reporting lines have been established. With respect to the CySEC’s expectations and clarifications provided:
- It is required, as a condition for authorisation, that any necessary amendments to the Compliance Function are notified to CySEC.
- Also, as part of the ongoing supervisory process, CySEC assesses whether the measures implemented by the firm for the Compliance Function are adequate, and whether it fulfils its responsibilities appropriately.
- The Compliance Function must immediately disclose to CySEC every important development that may substantially affect its ability to effectively perform the Compliance Function and to fulfil its responsibilities appropriately.
Finally, without prejudice to the provisions of Guideline 6, a person may be nominated as Compliance Officer even if not registered in the Public Register, provided that, following an assessment of his/her qualifications, CySEC is satisfied that the person has the relevant knowledge and expertise and will pass the Advanced Examination and be registered in the Public Register within a time period determined by CySEC. The firm should notify CySEC of both the appointment and the replacement of the Compliance Officer, and the latter may require a detailed statement of the grounds for the replacement.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.