CySEC Circular C655: Findings of the assessment of Compliance Officers’ Annual Reports and Internal Audit Reports on the prevention of money laundering and terrorist financing, for the year 2022
The Cyprus Securities and Exchange Commission (CySEC) has published Circular No. C655, summarizing the findings from its 2023 assessment of Compliance Officers’ Annual Reports and Internal Audit Reports submitted by various regulated entities for the year 2022. The report underscores critical areas of non-compliance and provides detailed recommendations for improvement.
A. Targeted Entities
The circular addresses the following regulated entities:
- Crypto Asset Service Providers (CASPs)
- Cyprus Investment Firms (CIFs)
- Administrative Service Providers (ASPs)
- UCITS Management Companies (UCITS MC)
- Self-Managed UCITS (SM UCITS)
- Alternative Investment Fund Managers (AIFMs)
- Self-Managed Alternative Investment Funds (SM AIFs)
- Self-Managed Alternative Investment Funds with Limited Number of Persons (SM AIFLNP)
- Companies managing AIFLNPs
- Small Alternative Investment Fund Managers (Small AIFMs)
B. Scope of the Assessment
The assessment aimed to evaluate compliance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, and the CySEC Directive for the Prevention of Money Laundering and Terrorist Financing. The evaluation included the review of Compliance Officers’ Annual Reports and Internal Audit Reports submitted in 2023, reflecting the activities of the previous year.
C. Key Findings
CySEC identified several common weaknesses and deficiencies across the reports:
- Lack of Detailed Analysis: Many reports lacked sufficient analysis of the inspection methods used by Compliance Officers. Reports often provided results without explaining the methodologies, sample sizes, and the specifics of the inspections and reviews conducted.
- General Overviews: Some reports offered only general overviews rather than detailed descriptions of identified deficiencies, their seriousness, risk implications, and recommended corrective actions.
- Inadequate Customer Monitoring: Reports frequently did not provide adequate details on ongoing monitoring systems for customer accounts, including methods used and variations in monitoring based on customer risk categories.
- Insufficient Organizational Structure Information: The organizational structure and duties of the Compliance Officer’s department were often not sufficiently detailed.
- Incomplete Training Program Information: Information on recommended training programs for the upcoming year was frequently inadequate.
- Late Submissions: There were late submissions of Compliance Officers’ Annual Reports, Internal Audit Reports, and relevant Board of Directors (BoD) minutes.
D. Recommendations
CySEC has outlined several recommendations to address these deficiencies:
- Enhance Report Preparation: Ensure detailed and methodologically sound preparation of both Compliance Officers’ Annual Reports and Internal Audit Reports, including a thorough analysis of inspection methods and results.
- Improve Monitoring Systems: Establish robust systems for ongoing monitoring of customer accounts and transactions, providing detailed documentation of methods and findings.
- Detail Organizational Structure and Training: Include comprehensive information on the Compliance Department’s structure and staff duties, and clearly outline training programs for the next year.
- Adhere to Submission Deadlines: Comply with the specified timeframes for submitting reports and BoD minutes.
E. CySEC’s Expectations
CySEC expects all regulated entities to consider these findings and recommendations seriously when preparing their reports for 2023 and beyond. The Commission has emphasized that recurring weaknesses will be subject to rigorous compliance checks, and strict administrative sanctions may be imposed for non-compliance with the Law and Directive.
D. Conclusion
CySEC’s 2023 assessment report highlights significant areas for improvement in AML compliance and overall governance among regulated entities. By addressing the identified deficiencies and adhering to CySEC’s recommendations, entities can ensure robust compliance frameworks, thereby enhancing the integrity and trustworthiness of Cyprus’s financial sector.
E. How we can assist you
With ten years of experience in the financial services industry, our law firm is well-equipped to assist you with outsourced legal and compliance services. We provide comprehensive support and guidance for the preparation of annual CySEC reports, ensuring your compliance with all regulatory requirements.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
Procedures for the receipt of reports of infringement of Regulation (EU) No. 596/2014 on market abuse
We would like to draw your attention to the Circular C488 (the “Circular”) issued by the Cyprus Securities and Exchange Commission (the “CySEC” of the “Commission”) on the 17th of February 2021, under the provisions of Article 2(1) of the Regulation (EU) No 596/2014 as amended (the “Market Abuse Regulation”), in relation to the updated procedures in force regarding the receipt of reports of infringement pursuant to the provisions of Article 32 of the Market Abuse Regulation.
In brief, please note the following:
A. Reporting Requirements:
- The staff members of the Market Surveillance and Investigations Department of CySEC dedicated to the handling of the reports of infringements (the “Competent Department”) have been assigned with specific duties in order to assist and provide information on the procedures for reporting infringements to any interested person.
- The report of infringement can be submitted either by name or anonymously, through the communication channels of the Competent Department as further specified under point A3 of the Circular.
- A person who is accused of having committed an actual or potential infringement of the Market Abuse Regulation (the “Reporting Person”), may proceed with the submission of a written report of infringement by completing the “Whistleblowing External Disclosure Form” (the “Form”) which is available as an Appendix within the Circular.
- In cases when the identity of the Reporting Person has been disclosed, CySEC may request further information.
- Upon the submission of the infringement report, either orally or written, CySEC notifies the Reporting Person in writing within how many days will be notified about the results of his/her inquiry and ensures that the relevant notification will be sent within the timeframe set.
B. Record Keeping of the Infringement Reports:
- Unless otherwise requested by the Reporting Person, a receipt of a confirmation is sent by CySEC.
- In cases where reporting of infringements has been performed through the use of a telephone line, CySEC has the right to document the oral reporting, except the cases where Reporting Person’s prion consent is not provided.
- In cases where Reporting Person’s consent is not provided for the reporting of infringements, CySEC has the right to document the conversation in the form of accurate minutes.
- In cases where a person requests a physical meeting with the Competent Department for the purposes of reporting the infringement, CySEC ensures that complete and accurate records of the meeting are kept in a durable and retrievable form.
- In cases where the confidentiality regime is used, CySEC notes that under certain circumstances as those explained in point C of the Circular, confidential information of the Reporting Person may be published.
To this end and as per Article 6(6) of the Market Abuse Law of 2016, a person providing information to CySEC, in accordance with the Market Abuse Regulation, is not considered to be infringing any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, nor will the said person have the liability of any kind related to such disclosure.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.