CySEC detects deficiencies in firms’ compliance with AML regulations
The Cyprus Securities and Exchange Commission (CySEC) today published a circular concerning its assessment of the compliance of regulated firms, including Cyprus investment firms, with the Prevention and Suppression of Money Laundering and Terrorist Financing Law (the ‘Law’) and the CySEC’s Directive for the Prevention of Money Laundering and Terrorist Financing (the ‘Directive’).
CySEC explains that it conducted its annual assessment of all the Compliance Officers’ Annual Reports and Internal Audit Reports. The assessment review covers all the Reports for the year 2019 and the relevant minutes of the Boards of Directors submitted to CySEC in 2020. It is noted that this is an annual exercise where regulated entities are obliged to submit the Compliance Officers’ Annual Reports (by end of March) and the Internal Audit Reports (by end of April) to CySEC for the previous calendar.
In relation to the content of the Compliance Officers’ Annual Reports on the prevention of money laundering and terrorist financing and the relevant BoD minutes submitted by CIFs, ASPs, Internally Managed Investment Funds and External Investment Fund Managers, the CySEC found a number of deficiencies.
In some cases, there was insufficient analysis of the specific method/way of conduct of the inspections and reviews performed by the Compliance Officer to determine the degree of compliance of the Regulated Entity in the policy, practices, measures, procedures and controls applied for the prevention of ML/TF. Particularly, it was observed that the information provided in the Compliance Officers’ Annual Reports is merely the results of the inspections and reviews performed with no reference to the method/way of conducting these inspections and reviews.
In addition, it was observed that in a number of cases, the Compliance Officers did not make sufficient reference to information on the policy, measures, practices, procedures and controls applied in relation to high risk customers (e.g. specific enhanced due diligence measures and details of ongoing monitoring of accounts and transactions for PEPs). Moreover, it has been observed that information about the number, country of origin and type of the high risk customers with whom a business relationship is established or an occasional transaction has been executed as well as comparative data with the previous year was not always mentioned in the said Reports.
Also, the information provided in the Compliance Officers’ Annual Reports about the systems and procedures applied by the Regulated Entities for the ongoing monitoring of customers’ accounts and transactions that are compared with the data and information kept in their economic profile, was not always adequate.
In particular, reference to the analysis of the way/method (automated or non-automated) of the ongoing monitoring of customers’ accounts and transactions, details for any variation of the ongoing monitoring of customers’ accounts and transactions according to the customer’s categorization on a risk based approach, details of the timing of the ongoing monitoring of customers’ accounts and transactions (e.g. in real time or after the completion of an event) and the method used for documenting the ongoing monitoring of customers’ accounts and transactions (e.g. preparing a memo describing all relative actions and recording it in the customer’s file) were not sufficient.
In relation to the content of the relevant BoD minutes accompanying the Compliance Officers’ Annual Reports, it was observed that the said minutes did not always include specific measures decided for the correction of all the weaknesses and/or deficiencies identified in the said Reports and the implementation timeframe of these measures as per paragraph 10(3) of the Directive.
Moreover, it has been observed that the Compliance Officers’ Annual Reports submitted by a number of Internally Managed Investment Funds and External Investment Fund Manager did not always include comparative data with the previous year of Internal Suspicion Reports and Compliance Officer’s Reports to MOKAS.
Furthermore, it has been observed that the Compliance Officers’ Annual Reports submitted by a number of Internally Managed Investment Funds and External Investment Fund Managers stated that due to the fact that they were not operational during the assessed period, no information was provided in the said reports. However, it should be reminded that according to point 4 of Circular C191, ‘the CySEC expects that the reports, even if they relate to a period during which the Regulated Entities were not operational, will contain the minimum required information requested by the CySEC and/or the European Regulation.’
In relation to the assessment of the Internal Audit Reports on the prevention of money laundering and terrorist financing and the relevant BoD minutes submitted by CIFs, ASPs, Internally Managed Investment Funds and External Investment Fund Managers, the CySEC found that the relevant BoD minutes did not always include specific measures decided for the correction of all the weaknesses and/or deficiencies identified in the Internal Audit Reports and the implementation timeframe of these measures, as per paragraph 6 of the Directive Regulated entities must note that the most common and recurring weaknesses and deficiencies identified will be the subject of subsequent compliance checks by CySEC.
CySEC expects that all Regulated Entities take into account the above-mentioned findings when preparing the Reports for the year 2021 and onwards, in order to ensure full compliance with the Law and the Directive.