top of page

Summary of CySEC Circular C655

People sitting at a desk with paperwork and laptops writing reports

Further to the requirements set out in the AML/ TF Law of 2007 to 2021 as amended, the CySEC AML/TF Directive and the guidance set out in Circulars C033, C186 and of C191 CySEC sets out some commonly identified weaknesses and deficiencies found in the Compliance Officers’ Annual Reports and Internal Audit Reports for the year 2022.



In relation to the Compliance Officers' Annual Reports and the relevant BoD minutes submitted by CIFs, ASPs, Internally Managed Investment Funds and External Investment Fund Managers, as well as CASPs, the CySEC found that:


  • There was not a sufficient analysis of the method used by the Compliance Officer to conduct the inspections and reviews and the specifics of customers tested.  The timing of the reviews and specific audit tests performed, should also be included in the methodology.  The sample of clients selected for inspection from each Risk category must be proportional to the total number of clients of each risk category.


  • There was no detailed description of the significant deficiencies and weaknesses identified in the measures, procedures and controls being applied by the Regulated Entities for the prevention of ML/TF.


  • Information about the number, country of origin and type of high-risk customer with whom a business relationship is established, along with comparative data from the previous year, was not always provided in the reports.


  • Adequate information was not provided about the systems and procedures applied by Regulated Entities for the ongoing monitoring of customers’ accounts, particularly how transactions are compared to data and information kept in their economic profile. Analysis of the methods (automated or non-automated) used for the ongoing monitoring of customers’ accounts and transactions according to the customer’s categorization based on a RBA, was not sufficient.


  • Some Annual Reports did not include enough information on the next year’s training program which is recommended to be attended by the staff and the Compliance Officer.


  • Annual Reports  of Regulated Entities which were not operational during the assessed period, must still contain the minimum required information requested by the CySEC and/or the European Regulation.


  • Some BoD minutes accompanying the Annual Reports did not include the implementation timeframe of the measures decided for the correction of any weaknesses and/or deficiencies identified.


In relation to the Internal Audit Reports and the relevant BoD minutes submitted, the CySEC found that:


  • In some cases, the Internal Audit Reports submitted by ASPs which have branches and subsidiaries established in countries outside the EEA, did not include findings and observations from the reviews and evaluations performed on the AML/TF measures, procedures and control mechanisms applied by their branches and subsidiaries.


  • On some occasions, the submission of the Internal Audit Reports and the relevant BoD minutes, was not within the timeframes provided in paragraph 6 of the Directive.


Considering the above findings, CySEC stresses:


  • The Compliance Officers' obligation for the correct preparation of the Annual Report and the sufficient assessment of the level of compliance of the regulated entities in relation to the prevention of money laundering and terrorist financing.


  • The Internal Auditors' obligation for the correct preparation of the Internal Audit Report and a sufficient review and evaluation of the measures, procedures and control mechanisms applied by the regulated entities for the prevention of money laundering and terrorist financing.


  • The regulated entities' BoD obligation for the sufficient assessment and approval of the Annual Report and the Internal Audit Report, as well as taking all appropriate measures for the correction of any weaknesses and/or deficiencies identified.


Regulated entities should be aware that common and recurring weaknesses and deficiencies will be the subject of rigorous compliance checks by the CySEC.


CySEC expects all regulated entities to consider the above-mentioned findings when preparing the Reports for the calendar year 2023 and onwards, to ensure full compliance with the Law and the Directive.


Written by Sophie Papacosta, Compliance Associate, FAI Comply


 

In case you have any questions please do not hesitate to contact us for further professional assistance.

Comentarios


Los comentarios se han desactivado.
bottom of page