A Quick Guide to IP Rights for Fintech Companies in Cyprus
A. IP Protection for Software
Under Cyprus law, software or computer programs are considered literary works protected by copyright, specifically under article 7B of the Law on Copyright and Related Rights of 1976 (Law No. 59/1976). The underlying ideas and principles of any component of a computer program, including the system interfaces, are not covered by intellectual property rights (article 7B(2)).
Copyright protection extends to preparatory design materials (if they can be turned into a computer program), source code, object code, and software architecture. Simply replicating an existing program or draft will not qualify for copyright protection.
Cyprus law does not require a formal registration for copyright, as it is automatically granted. Nevertheless, it is advisable to include the author’s name and creation date within the software’s source code.
Business methods and software programs are not eligible for patent protection, which is reserved for innovative inventions, new processes, and novel ways of operating products. However, this exclusion only applies to software as a standalone entity; inventions incorporating software may still qualify for a patent. Additionally, software code can be safeguarded as confidential information if kept secret, and confidentiality agreements should be used when third parties have access to the code.
B. IP Developed by Employees and Contractors
In Cyprus, intellectual property rights are generally owned by the creator or inventor. However, if an employee develops work as part of their employment contract, ownership typically transfers to the employer unless otherwise agreed. This is outlined in article 11(1)b of the Law on Copyright and Related Rights of 1976 (Law No. 59/1976).
Similarly, if an invention is created under an order or work contract, the patent rights usually belong to the person or entity that commissioned the work or the employer, unless a different arrangement is specified in the contract, as per article 11(1) of the Patents Law of 1998 (Law No. 16(I)/1998).
C. Joint Ownership
Joint owners of intellectual property are not restricted by law from using, licensing, charging, or transferring their rights. However, joint owners generally need to reach an agreement on how to exercise their rights. There may be exceptions depending on the type of intellectual property involved.
D. Trade Secrets
Trade secrets in Cyprus are protected under Law 164(I)/2020, which safeguards confidential business information from unauthorized access, use, or disclosure. To qualify as a trade secret, the information must be confidential, valuable, and protected by reasonable efforts to maintain secrecy. Unlawful actions include unauthorized access, misappropriation, or breaching confidentiality agreements. Trade secret holders can seek court remedies, including provisional measures or compensation for damages. Non-disclosure agreements and internal policies are recommended for protection.
Courts in Cyprus can ensure trade secret confidentiality during proceedings. Under Article 9(4) of Law 164(I)/2020, courts may restrict access to sensitive information and issue confidentiality orders, balancing this with the need for a fair trial.
E. Branding
Brand protection in Cyprus can be achieved through registering a Cypriot trademark or an EU trademark, which provides broader protection across the EU. Trademark registration is done through the Cypriot Intellectual Property Office or the EU Intellectual Property Office (EUIPO). A strong brand reputation can also offer protection against exploitation by third parties.
Logos and slogans that are original may qualify for copyright protection. Additionally, brand designs can be protected as industrial designs if they are new and unique. Fintech businesses should consult public trademark databases to ensure they do not infringe on existing trademarks or designs. A thorough trademark and design search is recommended to identify any potential conflicts.
F. Remedies for IP Infringement
Fintech businesses and individuals in Cyprus whose intellectual property rights have been infringed have several legal remedies at their disposal. These remedies are designed to protect their rights and mitigate the damage caused by the infringement:
- Injunctions: Courts can issue injunctions to immediately halt the infringing activities. This may include preliminary or interim injunctions, which are essential to prevent further damage while the case is being resolved, and permanent injunctions once a judgment is made.
- Damages: The aggrieved party may be entitled to monetary compensation for any financial loss or harm suffered as a result of the infringement. Damages can be calculated based on lost profits, a reasonable royalty, or the infringer’s unjust enrichment, ensuring the affected party is fairly compensated.
- Cease and Desist Orders: Courts may issue orders requiring the infringing party to cease all unauthorized use of the intellectual property. This includes removing or destroying infringing materials, discontinuing the production or sale of infringing goods, and taking measures to prevent future violations.
In addition to these primary remedies, courts may also grant additional relief, such as the seizure or destruction of infringing goods, publication of the judgment to restore reputation, and reimbursement of legal costs incurred by the intellectual property holder.
In case you have any questions or need any assistance, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
New Rules for Crypto-Asset Service Providers (CASPs) in Cyprus: Key Updates
The Cyprus Securities and Exchange Commission (CySEC) has made an important announcement regarding the regulation of Crypto-Asset Service Providers (CASPs). Here’s what you need to know:
- Transition to EU’s MiCA Regulation: As of 30/12/2024, the European Union’s Markets in Crypto-Assets Regulation (MiCA) will come into full effect for CASPs. This regulation aims to create a clear framework across the EU for the operation of crypto-asset services, enhancing investor protection and market integrity.
- What Happens During the Transitional Period? CySEC has set a transitional period for CASPs already operating under current national rules. If a CASP is registered before 30/12/2024, it can continue to offer services until 1/7/2026, or until it receives a decision on its application for authorization under MiCA, whichever comes first.
- No New Applications Under National Rules: Starting from 17/10/2024, CySEC will no longer accept new applications for CASP registration under the existing national framework. All new applications will need to comply with the MiCA requirements once the regulation is fully in place.
- Preparation for MiCA Applications: CySEC is awaiting the finalization of the Regulatory and Implementing Technical Standards (RTS and ITS) by the European Commission. Once these are released, CySEC will publish guidelines on how to apply for authorization under MiCA. In the meantime, interested parties can refer to draft technical standards by the European Securities and Markets Authority (ESMA) to get a head start on their preparations.
- Cross-Border Services: For entities that are already providing crypto-asset services across the European Economic Area (EEA), the deadline to submit notifications to CySEC under the current rules is 30/10/2024. After this date, new cross-border service notifications will not be processed until MiCA is fully in effect.
These changes mark a significant shift in how crypto-asset services are regulated, aiming for more consistent rules across Europe. Entities currently offering these services should make sure they understand the new requirements and prepare for the transition to ensure compliance. For more details, you can refer to CySEC’s official announcement.
These updates represent a key step in aligning Cyprus’s crypto regulations with the broader EU framework, ensuring a smooth transition for CASPs and enhanced protection for users across the region.
The EU’s Digital Operational Resilience Act 2022/2554 (DORA)
Financial regulators have long faced the challenge of ensuring stability in financial markets, especially given the growing reliance on third-party systems, technology, and platforms. The integration of cloud solutions has heightened these complexities, and the potential risk to financial markets increases if a technology provider experiences a cyber incident.
In today’s interconnected financial ecosystem, long chains of IT subcontractors can make it difficult for institutions to fully understand the vulnerabilities in their systems. This is further complicated when key functions are outsourced to entities without direct contractual ties to the financial institution.
The EU introduced the Digital Operational Resilience Act (DORA) with these issues in mind. DORA mandates that financial institutions identify ICT services supporting critical functions and strengthen their contractual protections. It became effective in January 2023, and affected financial entities and ICT providers have until January 2025 to ensure full compliance. After that, regulators will have the power to impose fines and require firms to remedy security vulnerabilities.
DORA has implications beyond the EU, as it also applies to non-EU companies providing ICT services to EU-based financial institutions.
Key stakeholders in the financial industry must prepare for compliance by aligning their contracts with the new standards, as non-compliance can result in severe penalties, including fines, sanctions for board members, reputational damage, and even criminal liability.
Key Dates:
- January 2023: DORA came into force.
- January 2024: Technical standards to be finalized.
- July 2024: Final set of standards published.
- January 2025: Full compliance required.
Who Will Be Affected?
DORA applies to a broad range of financial entities, such as banks, investment firms, and insurance companies, as well as certain ICT service providers who meet specific criteria outlined in the regulation. Some providers will be classified as critical, subjecting them to oversight by EU regulatory authorities.
ICT Services Defined:
ICT services encompass digital and data services provided via IT systems, including hardware, software, and support services. Critical providers are identified based on their impact on the stability and quality of financial services.
Impact and Compliance:
Financial institutions must ensure robust ICT risk management frameworks, incident reporting protocols, and resilience testing. Contracts with third-party ICT providers must meet DORA’s standards, including pre-contractual due diligence, monitoring service levels, and planning for termination or exit strategies.
While DORA applies to the EU, it has a similar counterpart in the UK, with regulations designed to align with global standards on operational resilience. Firms in both regions should ensure they meet impact tolerances for critical services by March 2025.
With the compliance deadline fast approaching, it is crucial for affected organizations to identify gaps in their processes, update their policies, and negotiate contracts that reflect the new requirements.
EU Financial Services: Key points to watch for the rest of 2024
Last week, Maria Luís Albuquerque from Portugal was appointed as the new EU Commissioner for Financial Services and the Savings and Investment Union. With her appointment, alongside Mario Draghi’s report on European competitiveness, the EU is set to focus on significant developments in the financial services sector in the coming months.
Key priorities include scaling up sustainable finance, with a focus on transition finance and climate resilience. This aligns with the recommendations from the European Supervisory Authorities (ESAs) and the European Securities and Markets Authority (ESMA) to introduce a product categorization system for financial products with sustainability features. Additionally, digital finance will be a major theme, with a push for an open-access framework and the use of AI in financial services.
Other areas of focus include revitalizing securitization markets and addressing macroprudential concerns with non-bank financial institutions (NBFIs). Upcoming consultations, including one on securitization regulations and another on macroprudential policies for NBFIs, are expected to bring significant regulatory changes.
While work will continue by the Commission and the ESAs to prepare Level 2 and Level 3 measures under key financial services mandates over the coming months (in particular MiCA, DORA, the new AML/CFT package and the EU Banking Package), a number of Level 1 measures (directives and regulations) actioned during the term of the last Commission still need to be finalised.
Several important legislative proposals, such as EMIR 3.0, the ESG Ratings Regulation, and amendments to Solvency II, are expected to be published by the end of 2024. Additionally, trilogue negotiations on key regulations like Payment Services Directive 3 (PSD3) and the retail investment package are set to commence soon.
The move towards a T+1 settlement cycle and developments in short-term funding instruments, such as commercial paper, are also worth monitoring, though immediate changes are not expected.
This period marks a transformative time for EU financial services as the region aims to strengthen its competitive edge and regulatory framework.
Q&A: due diligence for tech M&A in Cyprus
As the technology sector thrives in Cyprus, mergers and acquisitions (M&A) involving tech companies have become increasingly common. Conducting thorough due diligence is essential to ensure that intellectual property (IP) and technology assets are accurately evaluated, and potential legal or regulatory risks are addressed before completing a transaction. This process requires specialized knowledge in areas such as IP ownership, licensing, data protection, and cybersecurity.
With over a decade of experience in the fintech industry and extensive expertise in GDPR compliance, intellectual property, and regulatory frameworks, our Law Firm is well-equipped to guide clients through the complexities of tech M&A in Cyprus. We understand the unique challenges that tech companies face during the necessary due diligence phase, and our deep sector knowledge ensures that every aspect—from IP rights to data protection—is carefully reviewed to safeguard our clients’ interests.
In this article, we present the key areas of tech M&A due diligence in Cyprus, outlining the distinct approaches for share acquisitions versus asset purchases, and highlighting the legal and regulatory considerations specific to the local market. With our expertise, both buyers and sellers can confidently handle these transactions, ensuring a seamless and legally sound process.
1. What are the typical areas of due diligence undertaken in tech M&A in Cyprus?
In Cyprus, due diligence for tech M&A focuses on reviewing the target’s technology and intellectual property (IP) assets. This includes confirming the ownership, licensing, and protection of technology and IP rights, assessing IT infrastructure (e.g., cloud-based or on-premises systems), reviewing data protection compliance (especially with GDPR), and evaluating cybersecurity measures. Due diligence also assesses contractual obligations, key third-party relationships, the handling of open-source software, and any regulatory filings triggered by the transaction.
2. How does due diligence differ between share acquisitions and asset purchases in Cyprus?
In a share acquisition, the buyer acquires the entire company, including all assets and liabilities, which typically means a more extensive due diligence process. This includes verifying IP ownership and identifying potential third-party disputes over rights. In asset purchases, the focus is on ensuring the transferability of the specific IP and technology assets, as well as contracts, with potential restrictions on transfer. Asset purchases may also require separate approvals for data transfers, particularly where customer data is involved.
3. What public searches are typically conducted during tech M&A due diligence in Cyprus?
Public searches typically involve checking Cypriot IP registers for patents, trademarks, and design rights to verify ownership and status. Searches may also include international IP databases, company registers, and records for liens or security interests on intellectual property. Additionally, searches may be made through the Department of Registrar of Companies for annual reports, charges, and encumbrances on the target’s assets.
4. Can liens or security interests be placed on intellectual property or technology assets in Cyprus?
Yes, intellectual property and technology assets can be pledged as security in Cyprus. Due diligence will involve checking the Department of Registrar of Companies for any registered liens, pledges, or security interests on IP assets. Ensuring that proper documentation for the release of such security is in place is crucial as part of closing the transaction.
5. What is the due diligence process for employee-created intellectual property in Cyprus?
In Cyprus, IP rights created by employees during the course of their employment typically belong to the employer, unless agreed otherwise. Due diligence should review employment contracts to ensure that they include clauses transferring IP rights to the company. Similarly, contractor agreements should be reviewed to confirm that the company holds ownership of any IP or technology developed by external third parties.
6. What due diligence is conducted regarding the target’s use of open-source software?
The buyer will assess whether the target uses open-source software in its proprietary technology and confirm compliance with relevant licenses. Open-source licenses, especially those with “copyleft” provisions, may require that modifications or derivative works be made publicly available. Due diligence will also check if the target has policies to manage the use of open-source software, and, if necessary, the buyer may request code scans to identify potential risks.
7. How is software licensing typically reviewed during tech M&A due diligence in Cyprus?
Software due diligence involves reviewing both licensing in (software the target uses) and licensing out (software the target licenses to others). Key issues include confirming that the software licenses cover the necessary users (especially in group structures) and assessing whether there are any restrictions on transferring licenses to the buyer. Agreements with third-party software providers should be reviewed to ensure continued support and maintenance post-acquisition.
8. What are the data protection considerations in tech M&A in Cyprus?
Compliance with data protection laws, including GDPR, is a significant focus in tech M&A. Due diligence will involve reviewing the target’s data processing activities, internal policies, and any potential data breaches. For transactions involving customer data, especially in asset purchases, it is important to assess whether customer consent is required for transferring personal data, as this may complicate the transaction.
9. Are there specific regulatory concerns for tech companies in Cyprus?
Yes, certain sectors may have additional regulatory requirements in Cyprus. For example, tech companies dealing with sensitive data or operating in sectors like telecommunications or financial services must comply with sector-specific regulations. Due diligence will assess whether the target company has made the necessary regulatory filings or received the appropriate approvals, and whether any filings are triggered by the transaction.
10. How are intellectual property rights (IPR) transferred in tech M&A in Cyprus?
The transfer of intellectual property rights is generally straightforward in Cyprus but may require specific agreements, especially in asset purchases. Transfer of licenses, particularly software licenses, often requires the consent of the licensor. Exclusive and non-exclusive licenses may be treated differently, with exclusive licenses requiring more stringent review. It is essential to ensure that all necessary consents and assignments are obtained before closing the transaction.
Announcement by the Registrar of Companies and Intellectual Property for Cases Where the Beneficial Owner Has Deceased
The Department of the Registrar of Companies and Intellectual Property (DRCIP), following an opinion from the Legal Service of the Republic dated 13/06/2024 on the above matter, provides the following guidance/instructions, as seen in the relevant announcement here.
CASES WHERE THE BENEFICIAL OWNER HAS DECEASED
Answers to specific questions:
- Who is registered as the beneficial owner (BO) when there is no will and, consequently, no executor of the estate?
- What happens if there is a will? Can the executor of the estate be registered as the senior management official until the process is completed?
In cases where an administrator has been appointed but the administration of the estate has not been completed, the following may be registered for a period until the process is completed:
i. The estate administrator as the senior management official of the company if they exercise control over the company through other means; or
ii. The legal heir as the beneficial owner or as the senior management official.
When a person dies without a will, the Court authorizes one or more persons as administrators of the deceased’s estate, granting them letters of administration following a petition by these persons, which is called an application for administration without a will attached. Similarly, when a person dies leaving a will, this will is probated (see Article 14 of the Administration of Estates Law (CAP. 189)), following an application by the persons named as executors of the will or by other persons entitled to the grant of probate or the receipt of letters of administration with the will annexed.
With the granting of letters of administration or the issuance of probate, as referred to above, the administrator or executor becomes the deceased’s personal representative and is considered a trustee of the deceased’s movable and immovable property. As such, they constitute the natural person who “has ultimate control” according to the definition of “beneficial owner” in Article 2 of Law 188(I)/2007 (it should be noted that the situation where the ultimate ownership or control of the legal person is held through a trust at a percentage exceeding 25% of the shares or voting rights or ownership rights of the said legal person is different).
Therefore, when there is no will, and an administrator has been appointed, or when there is a will, and an executor of the deceased’s estate has been appointed, they constitute the beneficial owners as the natural persons who have the ultimate control of the company as long as they retain this capacity concerning the specific assets of the company (i.e., the shares).
The above is subject to the provisions of Article 27 of CAP. 189, which provides for the direct inheritance to the heirs, in special cases (even though no letters of administration of the estate have been granted), in which the beneficial owners become the heirs of the deceased who inherit, as the natural persons who have the ultimate ownership status (it should be noted that in practice, the procedure of Article 27 of CAP. 189 is applied only in cases where the value of the estate does not exceed 6000 pounds).
Who is registered as BO when there is no appointed estate administrator and no heirs?
According to Article 47 of CAP. 195, “if there is no person alive who is related to the deceased up to the sixth degree of kinship at the time of death, the deceased is deemed to have died intestate,” and “subject to the share of any surviving spouse, the intestate part of the estate and the undistributed part of the estate become the property of the Republic.”
Nevertheless, in response to the query, the non-filing of an application and non-issuance of letters of administration, and therefore the non-appointment of a personal representative (and non-transfer of the estate to the Republic) imply that “no natural person with ultimate ownership or control of the legal entity” can be identified. Therefore, the beneficial owner in this case is “the natural person holding a position of senior management official,” according to the definition of “beneficial owner” in Article 2 of Law 188(I)/2007, unless Article 27 of CAP. 189 applies (see point 3 above).
Who is registered as BO when no estate administrator has been appointed, there are no heirs, but the deceased has minor children and a spouse?
Without the issuance of letters of administration and the appointment of a personal representative when the deceased left behind heirs (i.e., a spouse and children), the beneficial owner is “the natural person holding a position of senior management official,” according to the definition of “beneficial owner” in Article 2 of Law 188(I)/2007, since no natural person can be identified as a beneficial owner under paragraph (a)(i) of the definition, unless Article 27 of CAP. 189 applies.
Who is registered as BO in an entity when the sole officer (director, secretary) and beneficial owner has died, and there is no will or estate administrator?
In the event of the death of the sole shareholder and officer of a company, and if no letters of administration have been granted, and there is no “natural person holding a position of senior management official” as this can be interpreted under the provisions of Law 188(I)/2007, there is, in fact, no natural person within the meaning of “beneficial owner” in Article 2 of Law 188(I)/2007, and it follows that the company is not conducting business or operating.
Note:
In every case, any relevant provision in the company’s Memorandum and Articles of Association or the application of other legislation depending on the particular facts should be considered.
ASIC Wins Landmark Case Against Kraken Crypto Exchange Operator for Compliance Failures
In a landmark decision, the Australian Securities and Investments Commission (ASIC) successfully sued Bit Trade Pty Ltd, the operator of the Kraken cryptocurrency exchange in Australia, for failing to meet its design and distribution obligations under the Corporations Act 2001. This court ruling sends a clear message to the cryptocurrency industry about the importance of regulatory compliance and the need to protect consumers from potentially risky financial products.
A. Background of the Case
The case revolves around the “margin extension” product offered by Bit Trade Pty Ltd to Australian customers on the Kraken platform. This product, which allowed users to extend their margin for trading digital assets or national currencies, was offered without a proper target market determination—a requirement under Australian law since October 2021. By failing to comply with these design and distribution obligations (DDO), Bit Trade was found to have breached Section 994B(2) of the Corporations Act each time the product was made available.
B. Court’s Findings
Justice Nicholas of the Federal Court highlighted that the failure to establish a target market determination was a significant violation. Although Bit Trade argued that the obligations related to margin extensions did not constitute a “deferred debt” or a credit facility, the court ruled otherwise. It was determined that when margin extensions were provided in a national currency like US dollars, they indeed created a deferred debt, making the product a credit facility under the law.
The court further clarified that while digital assets might not be considered money, margin extensions involving national currencies fall under the definition of a financial product that requires a target market determination. As a result, the court concluded that Bit Trade had breached its obligations under the Corporations Act, and the company now faces potential financial penalties pending further court orders.
You can read the full Judgement here.
C. Implications for the Crypto Industry
This ruling is a wake-up call for all entities operating within the crypto space. ASIC Deputy Chair Sarah Court emphasized the importance of compliance with legal requirements to protect consumers. She stated, “Today’s outcome sends a salient reminder to the crypto industry about the importance of compliance with the design and distribution obligations.”
The decision underlines that financial products, including those involving digital assets, must be distributed appropriately to consumers who understand the risks involved. It also reaffirms ASIC’s commitment to scrutinizing the design and distribution of financial products in the crypto sector to ensure they meet regulatory standards.
D. What’s Next for Bit Trade and Kraken?
Following the court’s decision, ASIC and Bit Trade have been given seven days to agree on declarations and injunctions. ASIC has also indicated its intent to seek financial penalties against Bit Trade, with the details of these penalties to be determined at a later date.
For Kraken and its operator, Bit Trade, this ruling could lead to significant operational changes, especially regarding how they offer products to Australian customers. The company may need to reassess its product offerings and ensure full compliance with Australian financial regulations.
E. Conclusion
This case is a significant victory for ASIC and a crucial moment for the crypto industry in Australia. It highlights the importance of compliance with financial regulations and the need for transparent and responsible distribution of financial products. As the crypto market continues to evolve, regulatory bodies like ASIC will undoubtedly continue to play a pivotal role in shaping the future of the industry, ensuring it operates in a manner that is fair and safe for all participants.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
CySEC Policy Statement on the enhancement of the non-face-to-face customer onboarding process with electronic methods
In today’s fast-paced digital landscape, the need for efficient and secure customer onboarding processes has never been more critical. Recognizing this, the Cyprus Securities and Exchange Commission (CySEC) has introduced a groundbreaking Policy Statement (PS-01-2024), designed to revolutionize the way financial institutions onboard non-face-to-face (NFTF) customers.
A. A New Era for Remote Customer Onboarding
The new policy marks a significant step forward in integrating electronic methods and technologies within the customer due diligence (CDD) process. CySEC’s policy is built on the principle of technological neutrality, giving financial institutions the flexibility to choose the most appropriate Remote Customer Onboarding Solutions (RCOS) that suit their operational needs.
This policy is not just a regulatory update; it is a roadmap for the future of digital finance in Cyprus. It aligns with the European Banking Authority (EBA) Guidelines and leverages lessons learned during the COVID-19 pandemic, ensuring that the financial industry remains robust, secure, and resilient in the face of evolving challenges.
B. Key Highlights of the Policy
- Technological Neutrality: CySEC encourages the use of diverse RCOS, whether through video calls, dynamic selfies, or other innovative technologies. The policy does not favor any specific technology, allowing businesses to adapt and innovate as they see fit.
- Mandatory Risk Assessments: Before implementing any RCOS, financial institutions are required to conduct comprehensive risk assessments. This ensures that the chosen technologies are not only compliant with existing regulations but also robust enough to handle potential security threats.
- Supervisory Guidance: CySEC has provided detailed guidelines to help institutions navigate the complex regulatory environment. These guidelines ensure that all remote onboarding processes meet the highest standards of security, reliability, and customer protection.
- Ongoing Compliance and Monitoring: The policy emphasizes the need for continuous monitoring and assessment of RCOS, ensuring that they remain effective and compliant with all relevant laws and regulations.
C. How We Can Help
At Andria Papageorgiou Law Firm, we have over a decade of experience in the fintech industry, specializing in regulatory compliance and innovative financial solutions. Our team of experts is ready to assist your business in implementing these new onboarding requirements seamlessly.
Whether you need help with risk assessments, compliance checks, or choosing the right RCOS for your business, we are here to guide you every step of the way. We understand the complexities of the fintech landscape and are committed to helping you stay ahead in this dynamic industry.
D. Last word
CySEC’s new policy is a significant development for the financial industry, offering both opportunities and challenges. By embracing these changes and leveraging the right expertise, your business can not only comply with the new regulations but also thrive in the digital age.
CySEC Circular C656 on addressing AML/CFT Compliance – Insights from CySEC’s Recent Inspections
The Cyprus Securities and Exchange Commission (CySEC) has recently issued Circular C656, highlighting the findings from its inspections of various regulated entities over the past two years. These inspections assessed compliance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 and CySEC’s Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing. The circular provides valuable insights into good practices and common deficiencies observed, offering a roadmap for entities to enhance their Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) frameworks.
A. Good Practices Identified
CySEC’s inspections revealed several commendable practices among regulated entities, which can serve as benchmarks for others aiming to strengthen their AML/CFT controls:
- Utilization of Local Knowledge: Supplementing commercially available databases with local knowledge and open-source internet checks proved effective in researching potential high-risk customers, including Politically Exposed Persons (PEPs).
- Clear Escalation Processes: Establishing clear processes for escalating the review and approval of high-risk and PEP customer relationships to senior management.
- Face-to-Face Interactions: Conducting face-to-face meetings with high-risk and PEP prospects before onboarding them as customers.
- Comprehensive Customer Files: Maintaining detailed customer files that cover risk assessment, documentation, verification, expected account activity, and profiles of the customer or business relationship.
- Robust Transaction Monitoring: Ensuring transaction and account monitoring considers up-to-date Customer Due Diligence (CDD) information, including expected activity, source of wealth, and source of funds.
- Active Involvement of Senior Management: Involving senior management and AML/CFT staff in decisions regarding the maintenance or termination of high-risk relationships.
- Updated Policies and Procedures: Keeping AML/CFT policies and procedures current to comply with evolving legal and regulatory obligations.
B. Common Weaknesses and Deficiencies
Despite the good practices, several weaknesses were commonly identified, which need immediate attention to mitigate AML/CFT risks:
- Risk Management and Procedures Manual: Manuals often contained generic descriptions rather than tailored procedures specific to the entity’s risks. In some cases, procedures for identifying and detecting unusual cash transactions were inadequate.
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): Entities sometimes failed to construct comprehensive customer economic profiles or verify the identity of beneficial owners adequately. There was also a lack of additional information for high-risk customers.
- AML/CFT Risk Assessments: Risk assessments often did not consider guidelines from the European Banking Authority (EBA) or the Financial Action Task Force (FATF). In some instances, entities did not account for the risks posed by customers with Cypriot citizenship acquired through the Cyprus Investment Program.
- Source of Funds and Transactions Monitoring: Insufficient documentation to support customer transactions and initial source of funds was a recurrent issue. Entities need to gather detailed evidence and maintain updated customer profiles.
- Reporting of Suspicious Transactions: Compliance officers sometimes failed to examine internal reports adequately to determine if there was a suspicion of money laundering or terrorist financing.
- Record Keeping: Entities did not always ensure prompt availability of documents and information required by CySEC for regulatory duties.
CySEC’s circular serves as a crucial reminder for all regulated entities to review and enhance their AML/CFT policies, controls, and procedures. By addressing the identified deficiencies and adopting the highlighted good practices, entities can better align with regulatory expectations and effectively mitigate the risks associated with money laundering and terrorist financing.
CySEC Circular C655: Findings of the assessment of Compliance Officers’ Annual Reports and Internal Audit Reports on the prevention of money laundering and terrorist financing, for the year 2022
The Cyprus Securities and Exchange Commission (CySEC) has published Circular No. C655, summarizing the findings from its 2023 assessment of Compliance Officers’ Annual Reports and Internal Audit Reports submitted by various regulated entities for the year 2022. The report underscores critical areas of non-compliance and provides detailed recommendations for improvement.
A. Targeted Entities
The circular addresses the following regulated entities:
- Crypto Asset Service Providers (CASPs)
- Cyprus Investment Firms (CIFs)
- Administrative Service Providers (ASPs)
- UCITS Management Companies (UCITS MC)
- Self-Managed UCITS (SM UCITS)
- Alternative Investment Fund Managers (AIFMs)
- Self-Managed Alternative Investment Funds (SM AIFs)
- Self-Managed Alternative Investment Funds with Limited Number of Persons (SM AIFLNP)
- Companies managing AIFLNPs
- Small Alternative Investment Fund Managers (Small AIFMs)
B. Scope of the Assessment
The assessment aimed to evaluate compliance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, and the CySEC Directive for the Prevention of Money Laundering and Terrorist Financing. The evaluation included the review of Compliance Officers’ Annual Reports and Internal Audit Reports submitted in 2023, reflecting the activities of the previous year.
C. Key Findings
CySEC identified several common weaknesses and deficiencies across the reports:
- Lack of Detailed Analysis: Many reports lacked sufficient analysis of the inspection methods used by Compliance Officers. Reports often provided results without explaining the methodologies, sample sizes, and the specifics of the inspections and reviews conducted.
- General Overviews: Some reports offered only general overviews rather than detailed descriptions of identified deficiencies, their seriousness, risk implications, and recommended corrective actions.
- Inadequate Customer Monitoring: Reports frequently did not provide adequate details on ongoing monitoring systems for customer accounts, including methods used and variations in monitoring based on customer risk categories.
- Insufficient Organizational Structure Information: The organizational structure and duties of the Compliance Officer’s department were often not sufficiently detailed.
- Incomplete Training Program Information: Information on recommended training programs for the upcoming year was frequently inadequate.
- Late Submissions: There were late submissions of Compliance Officers’ Annual Reports, Internal Audit Reports, and relevant Board of Directors (BoD) minutes.
D. Recommendations
CySEC has outlined several recommendations to address these deficiencies:
- Enhance Report Preparation: Ensure detailed and methodologically sound preparation of both Compliance Officers’ Annual Reports and Internal Audit Reports, including a thorough analysis of inspection methods and results.
- Improve Monitoring Systems: Establish robust systems for ongoing monitoring of customer accounts and transactions, providing detailed documentation of methods and findings.
- Detail Organizational Structure and Training: Include comprehensive information on the Compliance Department’s structure and staff duties, and clearly outline training programs for the next year.
- Adhere to Submission Deadlines: Comply with the specified timeframes for submitting reports and BoD minutes.
E. CySEC’s Expectations
CySEC expects all regulated entities to consider these findings and recommendations seriously when preparing their reports for 2023 and beyond. The Commission has emphasized that recurring weaknesses will be subject to rigorous compliance checks, and strict administrative sanctions may be imposed for non-compliance with the Law and Directive.
F. Conclusion
CySEC’s 2023 assessment report highlights significant areas for improvement in AML compliance and overall governance among regulated entities. By addressing the identified deficiencies and adhering to CySEC’s recommendations, entities can ensure robust compliance frameworks, thereby enhancing the integrity and trustworthiness of Cyprus’s financial sector.
G. How we can assist you
With ten years of experience in the financial services industry, our law firm is well-equipped to assist you with outsourced legal and compliance services. We provide comprehensive support and guidance for the preparation of annual CySEC reports, ensuring your compliance with all regulatory requirements.