CySEC Circular C655: Findings of the assessment of Compliance Officers’ Annual Reports and Internal Audit Reports on the prevention of money laundering and terrorist financing, for the year 2022
The Cyprus Securities and Exchange Commission (CySEC) has published Circular No. C655, summarizing the findings from its 2023 assessment of Compliance Officers’ Annual Reports and Internal Audit Reports submitted by various regulated entities for the year 2022. The report underscores critical areas of non-compliance and provides detailed recommendations for improvement.
A. Targeted Entities
The circular addresses the following regulated entities:
- Crypto Asset Service Providers (CASPs)
- Cyprus Investment Firms (CIFs)
- Administrative Service Providers (ASPs)
- UCITS Management Companies (UCITS MC)
- Self-Managed UCITS (SM UCITS)
- Alternative Investment Fund Managers (AIFMs)
- Self-Managed Alternative Investment Funds (SM AIFs)
- Self-Managed Alternative Investment Funds with Limited Number of Persons (SM AIFLNP)
- Companies managing AIFLNPs
- Small Alternative Investment Fund Managers (Small AIFMs)
B. Scope of the Assessment
The assessment aimed to evaluate compliance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, and the CySEC Directive for the Prevention of Money Laundering and Terrorist Financing. The evaluation included the review of Compliance Officers’ Annual Reports and Internal Audit Reports submitted in 2023, reflecting the activities of the previous year.
C. Key Findings
CySEC identified several common weaknesses and deficiencies across the reports:
- Lack of Detailed Analysis: Many reports lacked sufficient analysis of the inspection methods used by Compliance Officers. Reports often provided results without explaining the methodologies, sample sizes, and the specifics of the inspections and reviews conducted.
- General Overviews: Some reports offered only general overviews rather than detailed descriptions of identified deficiencies, their seriousness, risk implications, and recommended corrective actions.
- Inadequate Customer Monitoring: Reports frequently did not provide adequate details on ongoing monitoring systems for customer accounts, including methods used and variations in monitoring based on customer risk categories.
- Insufficient Organizational Structure Information: The organizational structure and duties of the Compliance Officer’s department were often not sufficiently detailed.
- Incomplete Training Program Information: Information on recommended training programs for the upcoming year was frequently inadequate.
- Late Submissions: There were late submissions of Compliance Officers’ Annual Reports, Internal Audit Reports, and relevant Board of Directors (BoD) minutes.
D. Recommendations
CySEC has outlined several recommendations to address these deficiencies:
- Enhance Report Preparation: Ensure detailed and methodologically sound preparation of both Compliance Officers’ Annual Reports and Internal Audit Reports, including a thorough analysis of inspection methods and results.
- Improve Monitoring Systems: Establish robust systems for ongoing monitoring of customer accounts and transactions, providing detailed documentation of methods and findings.
- Detail Organizational Structure and Training: Include comprehensive information on the Compliance Department’s structure and staff duties, and clearly outline training programs for the next year.
- Adhere to Submission Deadlines: Comply with the specified timeframes for submitting reports and BoD minutes.
E. CySEC’s Expectations
CySEC expects all regulated entities to consider these findings and recommendations seriously when preparing their reports for 2023 and beyond. The Commission has emphasized that recurring weaknesses will be subject to rigorous compliance checks, and strict administrative sanctions may be imposed for non-compliance with the Law and Directive.
F. Conclusion
CySEC’s 2023 assessment report highlights significant areas for improvement in AML compliance and overall governance among regulated entities. By addressing the identified deficiencies and adhering to CySEC’s recommendations, entities can ensure robust compliance frameworks, thereby enhancing the integrity and trustworthiness of Cyprus’s financial sector.
G. How we can assist you
With ten years of experience in the financial services industry, our law firm is well-equipped to assist you with outsourced legal and compliance services. We provide comprehensive support and guidance for the preparation of annual CySEC reports, ensuring your compliance with all regulatory requirements.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
Procedures for the receipt of reports of infringement of Regulation (EU) No. 596/2014 on market abuse
We would like to draw your attention to Circular C488 (the “Circular”) issued by the Cyprus Securities and Exchange Commission (the “CySEC” or the “Commission”) on the 17th of February 2021, under the provisions of Article 2(1) of the Regulation (EU) No 596/2014 as amended (the “Market Abuse Regulation”), in relation to the updated procedures in force regarding the receipt of reports of infringement pursuant to the provisions of Article 32 of the Market Abuse Regulation.
In brief, please note the following:
A. Reporting Requirements:
- The staff members of the Market Surveillance and Investigations Department of CySEC dedicated to the handling of the reports of infringements (the “Competent Department”) have been assigned specific duties in order to assist and provide information on the procedures for reporting infringements to any interested person.
- The report of infringement can be submitted either by name or anonymously, through the communication channels of the Competent Department as further specified under point A3 of the Circular.
- A person who is accused of having committed an actual or potential infringement of the Market Abuse Regulation (the “Reporting Person”), may proceed with the submission of a written report of infringement by completing the “Whistleblowing External Disclosure Form” (the “Form”) which is available as an Appendix within the Circular.
- In cases when the identity of the Reporting Person has been disclosed, CySEC may request further information.
- Upon the submission of the infringement report, either orally or in writing, CySEC notifies the Reporting Person in writing of the number of days within which he/she will be notified of the results of his/her inquiry, and ensures that the relevant notification is sent within the timeframe set.
B. Record Keeping of the Infringement Reports:
- Unless otherwise requested by the Reporting Person, a confirmation of receipt is sent by CySEC.
- In cases where reporting of infringements has been performed through the use of a telephone line, CySEC has the right to document the oral reporting, except in cases where the Reporting Person’s prior consent is not provided.
- In cases where Reporting Person’s consent is not provided for the reporting of infringements, CySEC has the right to document the conversation in the form of accurate minutes.
- In cases where a person requests a physical meeting with the Competent Department for the purposes of reporting the infringement, CySEC ensures that complete and accurate records of the meeting are kept in a durable and retrievable form.
- In cases where the confidentiality regime is used, CySEC notes that under certain circumstances as those explained in point C of the Circular, confidential information of the Reporting Person may be published.
To this end and as per Article 6(6) of the Market Abuse Law of 2016, a person providing information to CySEC, in accordance with the Market Abuse Regulation, is not considered to be infringing any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, nor will the said person incur liability of any kind related to such disclosure.
Supervisory briefing in relation to firms using tied agents in the MiFID II framework
A. INTRODUCTION
In accordance with Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC, as amended by Regulation (EU) 2019/2175, one of the objectives of the European Securities and Markets Authority (the “ESMA”) is to actively foster supervisory convergence across the Union with the aim of establishing a common supervisory culture.
B. OVERVIEW AND SCOPE
Following the UK withdrawal from the EU, ESMA has been monitoring the behaviour of firms in order to understand whether their interaction with EU-based clients is done in a way that is compliant with the MiFIR and MiFID legislation (including the regimes providing the conditions for third-country firms to provide investment services and activities in the Union). In this context, some practices concerning investment firms using tied agents recently emerged as a potential source of circumvention of the abovementioned legal framework.
Furthermore, ESMA believes that these issues have more general relevance, and it is thereby important to identify the supervisory expectations on firms using tied agents in a convergent manner across the Union. Therefore, this supervisory briefing takes into account all cases where an EU firm uses tied agents; a specific focus is given to cases where tied agents are legal persons that are controlled or have close ties with other entities or third-country entities.
The purpose of the Briefing is to give market participants indications and information on the supervisory expectations of ESMA and National Competent Authorities (the “NCAs”) regarding compliant implementation of the MiFID II provisions relating to tied agents. It aims to contribute to the development of a convergent supervisory culture across the European Union (the “EU”).
The Briefing has been designed to be used in the way that best fits with supervisory methodologies. It is noted that the Briefing covers the aspects mentioned under Points [B] and [C] below.
C. SUPERVISORY EXPECTATIONS WHEN FIRMS APPOINT TIED AGENTS
Before the appointment of a tied agent, it is expected that a firm:
- Has a clear understanding of how the tied agent will contribute to the strategy of the firm, what types of clients the tied agent will be dealing with and how the firm will obtain and deal with these clients.
- Assesses, inter alia, the following:
  - The tied agent is suitable to promote or provide activities on behalf of the firm, is of sufficiently good repute, and possesses the necessary knowledge and competence (e.g. the tied agent should be included in the assessment of knowledge and competence of staff in accordance with the ESMA Guidelines);
  - The tied agent has the ability, capacity, sufficient resources and appropriate organisational structure to support the performance of activities on behalf of the firm, and the firm has a good understanding and is satisfied that the tied agent is able to ensure compliance with MiFID II requirements (e.g. assess the organisational structure of the tied agent, assess the existence of appropriate mechanisms that the tied agent will use to report to the firm, assess the good repute and suitability of the persons responsible for the management and internal control of the tied agent, etc.);
  - The tied agent (if a legal person) has anticipated the number of natural persons that will be involved in the provision of activities on behalf of the firm, the place from which those persons will provide services to the firm as well as how they will be monitored;
  - In the case where under the national legislation a tied agent is allowed to hold money and/or financial instruments of clients as per Article 29(2) of MiFID II, then it is expected that the firm will assess the financial situation and the arrangements made with regard to the safeguarding of clients’ funds;
  - The appointment of the tied agent does not prevent the firm from complying with the MiFID II legislative framework (e.g. verification that the organisational settings of tied agents do not prevent their effective supervision by firms).
- Ensures that the tied agent clearly agrees with the respective rights and obligations. Thus instructions and termination rights shall be provided by firms through an agreement between the relevant parties. The aspects that the relevant agreement is expected to cover are available under Point [22] of the Briefing.
- Avoids appointing a tied agent which is a legal person and whose employees involved in the provision of the activities on behalf of the firm (e.g. sales staff) are also at the disposal or under the control of other entities (including third-country entities) as such entities could exercise inappropriate influence over the way in which the tied agent carries out the activities on behalf of the firm or may prevent the firm from effectively monitoring the activities of their tied agent.
D. SUPERVISORY EXPECTATIONS ON FIRMS USING TIED AGENTS IN THEIR ONGOING ACTIVITIES
Pursuant to the provisions of Article 29(2) of MiFID II, firms are required to monitor the activities of their tied agents to ensure that they continue to comply with MiFID II when acting through tied agents. Thus, once a firm appoints a tied agent, it is expected to ensure the following:
- It has in place adequate internal measures and processes to appropriately oversee the activity that the tied agent carries out on its behalf, such as the following:
- The Compliance Function shall advise and assist the persons responsible to carry out investment services and activities to comply with the firm’s obligation under MiFID II.
- With respect to risk management, a firm shall monitor, inter alia:
  - the level of compliance by the firm’s relevant persons with the arrangements, processes and mechanisms adopted by the firm to manage the risks relating to the firm’s activities;
  - the adequacy and effectiveness of measures taken to address any deficiencies in the policies, procedures, arrangements and mechanisms adopted by the firm to manage the risks, including failures by the relevant persons to comply with such arrangements, processes and mechanisms.
- The remuneration policies and procedures are not incentivising relevant persons to favour their own interests to the potential detriment of any client.
- The Conflict of Interest Policy shall include procedures and measures to ensure that relevant persons carry on their activities at an appropriate level of independence.
- Adoption of appropriate and proportionate governance arrangements by firms to monitor the activities carried out by the tied agents, such as for example:
  - The appointment of one or more independent or non-executive directors in charge of monitoring the activities of the tied agents;
  - To carry out an independent (external) review of the internal control framework (and staff) in charge of monitoring the tied agents.
- Consequently, in order to monitor the tied agent’s activity, NCAs should be satisfied that a firm has in place, inter alia, adequate:
- Organisational arrangements in order to monitor the skills and experience of the tied agent;
- Appropriate reporting mechanisms (e.g. firms to engage in face-to-face meeting/discussions with tied agents to avoid excessive reliance when it comes to high-level attestation from the tied agent, receipt of specific information from the tied agent on a regular basis);
- Mechanisms to assess the quality of services provided by the tied agent, as well as the consistency of the tied agent with the relevant EU legislative framework;
- Mechanisms for the identification of conflicts of interest, which may arise from the relationship between the appointed tied agent and other entities or third-country entities with which the tied agent has a close link.
- Regular monitoring of the tied agents’ financial situation through experienced persons (e.g. financial accountants).
- Dealing with the complaints concerning the activities of the appointed tied agents.
- Has the ability to terminate the relationship with a tied agent, where necessary, with immediate effect (e.g. when this is in the interest of clients) without detriment to the continuity and quality of the provision of activities to clients.
- When the relationship between a firm and a tied agent is terminated:
  - Immediate notification of the NCA of the home Member State specifying if the said termination is due to matters having a serious regulatory impact or involving an offence or a breach of MiFID II requirements;
  - Notification of all relevant clients in order to avoid any future interaction with the tied agent; and
  - Completion and fulfilment of all outstanding activities and obligations to clients either by the firm itself or another tied agent.