The Cyprus Securities and Exchange Commission (CySEC) today issued a circular targeted at Cyprus investment firms (CIFs), including CFD and FX brokers, inter alia, as well as management companies.
The document concerns the results of a review of the compliance of the Regulated Entities with the compliance function requirements pursuant to Article 17(2) of the Investment Services and Activities and Regulated Markets Law.
Although the Review covered only a sample of Regulated Entities, it detected common deficiencies and/or omissions that CySEC wishes to highlight to all of them, with the aim of helping them increase the effectiveness of their compliance function.
In general, Regulated Entities took into consideration the severity of risks (i.e. the level of potential impact/damage that could be caused). However, in some cases they did not specify or determine the potential impact (e.g. financial, reputational, regulatory risk, etc.), or even, in some cases, the risk rating was not defined/specified and/or the identification of the risks was vague.
In addition, in some cases the annual compliance monitoring program was not based on the results of the risk analysis.
Furthermore, in some cases the risk assessment analysis did not mention that the types of financial instruments offered and distributed were taken into account by the Regulated Entities when determining their risk assessment.
Additionally, CySEC observed instances where the identification of risks and the monitoring priorities of the compliance function were vaguely determined, without specifying the monitoring methodologies/tools for each compliance risk; the frequency of targeted assessments and monitoring activities was thus not justifiable.
It was also observed that the compliance function failed to ensure that regular written compliance reports are prepared at appropriate intervals (e.g. quarterly reports) and sent to the management board.
In CySEC’s view, the management board should convene regular meetings where the compliance function can properly present material deviations or situations requiring urgent resolution in order to rectify any urgent compliance matters and the compliance function should properly record such meetings.
Some Regulated Entities indicated that the compliance officer only prepares the annual compliance report and that any additional compliance matters are communicated via email to the senior management, without specifying whether these are properly recorded in a log or taking into account the need to produce additional written reports to the senior management.
Even though Regulated Entities stated that compliance officers conduct interviews, thematic and desk-based reviews, the annual compliance report mainly focuses on findings from the evaluation of the Regulated Entities’ written policies and procedures. Specifically, such evaluations mainly focus on determining whether the firms’ policies are up-to-date and in compliance with the regulatory framework rather than including findings on the implementation of those policies by all employees in practice.
Also, the different types of reviews conducted by the compliance function should be more accurately reflected in the Annual Report, CySEC says.
With regard to the product governance monitoring obligation, it is noted that while most CIFs report in the Annual Compliance Report that the CIF’s requirements have been assessed, no further findings or comments were made. In particular, in some cases no positive/negative market findings were made in the report even though, in the target market assessment, the compliance officer states that improvement is needed.
Finally, CySEC noted that in some cases even though the Annual Compliance Report states that staff knowledge assessments are carried out, not enough evidence or details of regular internal and external training is provided such as records of training logs.
The regulator advises CIFs to consider the issues raised in the circular. If, when reviewing the policies and arrangements in place, the firms identify any weaknesses, they must take immediate actions to ensure compliance. CySEC will continue assessing the regulated entities’ policies and arrangements relating to the compliance function requirements and will consider, if necessary, taking further actions (e.g. enforcement actions).