With Circular 516, the Cyprus Securities and Exchange Commission (the “CySEC”) wishes to inform the regulated entities about its findings on the assessment of the Compliance Officers’ Annual Reports and Internal Audit Reports (the “Reports”) for the year 2020 and the relevant minutes of the Board of Directors (the “BoD”) submitted to CySEC in 2021.
A. In relation to the content of the Compliance Officers’ Annual Report on the prevention of money laundering and terrorist financing and the relevant BoD minutes submitted by the regulated entities, the CySEC found that:
- In some instances, the Executive Summaries did not contain all references mentioned in point 4 of Circular C186 and especially references to key findings/weaknesses and suggestions.
- In some cases, there was not sufficient analysis of the specific method of the inspections and reviews that were performed by the Compliance Officer to determine the degree of compliance of the regulated entity with the policy, practices, measures, procedures and controls applied for the prevention of ML/TF. The methodology should include the sample of clients tested, the timing of the inspections and reviews, the specific audit tests and any findings that are identified.
- Information about the number, country of origin and type of high-risk customers with whom a business relationship is established or an occasional transaction executed along with comparative data from the previous year was not always provided in the reports.
- Information provided by the Compliance Officers’ Annual Reports about the systems and procedures applied by regulated entities for the ongoing monitoring of customers’ accounts and transactions was not always adequate.
- In some cases, the Compliance Officers’ Annual Reports did not include sufficient reference to the specific method with which the adequacy and effectiveness of staff training had been assessed and reference to the results.
B. In relation to the content of the relevant BoD minutes accompanying the Compliance Officers’ Annual Reports and the Internal Audit Report on the prevention of money laundering and terrorist financing, it was observed that, in some cases, the said minutes did not include specific measures decided for the correction of all the weaknesses and/or deficiencies identified in the said Reports and the implementation timeframe of these measures.
Taking into account the above findings, the regulated entities should ensure the following obligations are upheld in accordance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (L.188(I)/2007) (hereinafter referred to as the Law), the CySEC’s Directive for the Prevention of Money Laundering and Terrorist Financing (hereinafter referred to as the Directive) and the guidance given in the relevant CySEC circulars, i.e. Circular C033, Circular C186 and Circular C191:
- The Compliance Officer’s obligation for the correct preparation of the Annual Report and the sufficient assessment of the level of compliance of the regulated entity in relation to the prevention of money laundering and terrorist financing.
- The Internal Auditor’s obligation for the correct preparation of the Internal Audit Report and a sufficient review and evaluation of the appropriateness, effectiveness and adequacy of the policy, practices, measures, procedures and control mechanisms applied by the regulated entity for the prevention of money laundering and terrorist financing.
- The regulated entity’s BoD obligation for the sufficient assessment and approval of the Annual Report and the Internal Audit Report and taking all appropriate measures for the correction of any weaknesses and/or deficiencies identified, as well as the implementation timeframe of these measures.
- The regulated entity’s BoD obligation to ensure the overall implementation of all requirements of the Law and the Directive, as well as to ensure that appropriate, effective, and sufficient systems and controls are introduced for achieving the abovementioned requirement.
The regulated entities should ensure full compliance with the Law and the Directive and take the above-mentioned findings into account going forward. It is stressed that CySEC may impose strict administrative sanctions in case of non-compliance with the requirements of the Law and the Directive.