CySEC issued Circular C550 to inform regulated entities of the common weaknesses/deficiencies and good practices identified during the onsite inspections performed during 2021 and 2022, in relation to the prevention of money laundering and terrorist financing.
Summary of good practices identified:
- Updating AML/CFT policies and practices to ensure compliance with changing legal and regulatory requirements.
- Immediate retrieval of data and information related to customer identification and transactions.
- Approval of AML/CFT policies by senior management with the necessary expertise and responsibility. Senior management also leads on AML/CFT and sanctions concerns, for instance through daily decision-making and employee interactions.
- The use of automated systems for client due diligence (CDD), risk assessments, transaction/account monitoring to detect suspicious activity, and automated screening systems for gathering and evaluating data regarding their clients’ or beneficial owners’ histories.
- The use of local expertise and open-source internet searches to supplement commercial databases when examining possible high-risk customers, such as PEPs.
List of common weaknesses/deficiencies identified:
- Customer Due Diligence (CDD) Measures
  - Failure to construct and/or update a complete and proper customer economic profile.
  - Failure to verify the reliability of the customer’s source of funds and source of wealth.
  - Weaknesses in verifying the customer data and information collected, leading to inadequate customer economic profile-building.
  - Failure to collect sufficient evidence for the verification of the customer’s main business activities and operations.
  - Reliance on the CDD information collected at the beginning of the business relationship and failure to update that information on an ongoing basis.
- Enhanced Due Diligence (EDD) Measures
  - Despite the classification of specific customers as high risk, there was a lack of evidence that the regulated entities collected additional information for the purpose of applying enhanced customer due diligence.
- AML/CFT Risk Assessments
  - Failure to consider the Risk Factors Guidelines (Circular C276) and Risk-based Approach (RBA) Guidance for Trust and Company Service Providers (Circular C331) when conducting the customer’s AML/CFT risk assessment.
  - Failure to demonstrate an effective and thorough assessment of the ML/FT risks posed by customers related to the Cyprus Investment Program, and consequently failure to implement appropriate CDD measures.
  - Failure to flag and properly assess published adverse information related to customers and/or their UBOs.
- Customers’ Screening and Transactions Monitoring
  - Customers’ background checks were not always recorded and documented.
  - Failure to collect supporting documentation on customers’ transactions for the purpose of ensuring the maintenance of a satisfactory audit trail.
  - In the ASP sector, loan agreements were obtained in some cases without a visible economic purpose.
  - Certain ASPs and fund managers were found to rely on credit institutions for conducting customer transaction monitoring without applying appropriate internal processes.