
CySEC: findings on Compliance Officer’s and Internal Audit’s reports 2019


CySEC issued today its findings on the Compliance Officer's and Internal Audit's reports in relation to money-laundering and terrorist financing for 2017 and the respective Board of Directors minutes submitted in 2018. Compared to 2018, CySEC found an overall improvement in the content of these reports.

Summary of CySEC findings on the Compliance Officer's and Internal Audit's reports:

  • Insufficient analysis of the specific method/way of conduct of the inspections and reviews performed by the Compliance Officer;
  • Inadequate information provided in the Compliance Officers’ Annual Reports on the systems and procedures applied by the Regulated Entities for the ongoing monitoring of customers’ accounts and transactions
  • No or limited information provided in the Compliance Officers’ Annual Reports submitted by the Administrative Services Providers in relation to the country of origin and type of high-risk customers with whom a business relationship
  • No or limited reference was made in the Internal Audit Reports submitted by the Administrative Services Providers (ASPs) in relation to prior years’ findings and recommendations and, sometimes, there was no indication of whether these had been adequately addressed and rectified within the reference year, in order

 


Full Content of the Report

Date: March 28, 2019

Circular No.: C 307

Subject: Findings of the assessment of Compliance Officers’ Annual Reports and the Internal Audit Reports on the prevention of money laundering and terrorist financing

The Cyprus Securities and Exchange Commission (the ‘CySEC’) wishes, with this circular, to inform the Regulated Entities of the following:   

  1. For the purpose of assessing the compliance of the Regulated Entities with their obligations under the Prevention and Suppression of Money Laundering and Terrorist Financing Law (the ‘Law’) and the Directive DI144-2007-08 on the Prevention of Money Laundering and Terrorist Financing (the ‘Directive’), CySEC conducted its annual risk-based assessment of Compliance Officers’ Annual Reports and Internal Audit Reports (the Reports). This risk-based assessment reviews both Reports for this purpose for the year 2017 and the relevant minutes of the Board of Directors (the ‘BoD’) submitted to CySEC in 2018. Regulated entities are obliged to submit Compliance Officers’ Annual Reports by end of March and the Internal Audit Reports by end of April to CySEC for the previous calendar year.
  2. In carrying out these assessments, CySEC found an overall improvement in the content of the Reports. In most cases the findings were in line with the requirements set out in the Law, Directive, and Circular C033 on the Content of the Compliance Officer’s Annual Report on the prevention of money laundering and terrorist financing (‘the Circular’), which are enforced by CySEC.    
  3. From the review of the Compliance Officers’ Annual Reports, CySEC has also identified the following common and recurring weaknesses and/or deficiencies which, in addition to the measures taken to ensure full compliance, CySEC calls upon all Regulated Entities to duly consider and immediately implement corrective measures.
    • In some instances, there was not sufficient analysis of the specific method/way of conduct of the inspections and reviews performed by the Compliance Officer to determine the degree of compliance of the Regulated Entity in the policy, practices, measures, procedures and controls applied for the prevention of ML/TF. This relates to paragraph 10(4)(b) of the Directive and point 2 of Appendix 1 of the Circular.
    • Following an assessment of Compliance Officers’ Annual Reports submitted by the Administrative Services Providers (ASPs), it was identified that occasionally no or limited information was provided in relation to the country of origin and type of high-risk customers with whom a business relationship was established or an occasional transaction had been executed, with little comparative data from the previous year. This refers to paragraph 10(4)(g) of the Directive and point 6 of Appendix 1 of the Circular.     
    • The information provided in the Compliance Officers’ Annual Reports on the systems and procedures applied by the Regulated Entities for the ongoing monitoring of customers’ accounts and transactions was not always adequate when compared with the data and information kept in the customer’s economic and risk profile. In particular, details on the timing of ongoing monitoring of customers’ accounts and transactions (e.g. in real time or after the completion of an event) and the method used for documenting the ongoing monitoring of customers’ accounts and transactions (e.g. preparing a memo describing all relative actions and recording it in the customer’s file) were not sufficient. This refers to paragraph 10(4)(h) of the Directive and point 7 of Appendix 1 of the Circular.
  4. As regards the assessed Internal Audit Reports submitted by the Administrative Services Providers (ASPs), CySEC occasionally found that no or limited reference was made to prior years’ findings and recommendations. There was sometimes no indication of whether these had been adequately addressed and rectified within the reference year, in order to ensure compliance with the provisions of paragraph 6 of the Directive.
  5. Under the Law and the Directive, Regulated Entities must ensure and adhere to:   
    • The Compliance Officer’s obligation for the correct preparation of the Annual Report and the sufficient assessment of the level of compliance of the Regulated Entity in relation to the prevention of ML/TF.  
    • The Internal Auditor’s obligation for the correct preparation of the Internal Audit Report and the sufficient review and evaluation of the appropriateness, effectiveness and adequacy of the policy, practices, measures, procedures and control mechanisms applied by the regulated entity for the prevention of ML/TF.  
    • The obligation of the Regulated Entity’s senior management officials to approve the policies, procedures and controls applied in relation to ML/TF, as well as monitor, and where appropriate, enhance the measures adopted – in reference to section 58C of the Law.  
    • The responsibility of a designated member of the BoD, to implement the provisions of the Law and Directives, circulars and regulations issued pursuant thereto including any relevant acts of the European Union – in reference to section 58D of the Law.   
    • The Regulated Entity’s BoD obligation for the sufficient assessment and approval of the Annual Report and the Internal Audit Report. The BoD must take all appropriate measures for the correction of any weaknesses and/or deficiencies identified, as well as the implementation timeframe of these measures.  
  6. CySEC expects that all Regulated Entities take into account the above-mentioned findings when preparing the Reports for the year 2018 and onwards, in order to ensure full compliance with the Law and the Directive. It is stressed that the Law provides strict administrative sanctions in case of non-compliance with the requirements of the Law and the Directive, which CySEC will not hesitate to use.  

 

Source: CySEC