CySEC: findings on Compliance Officer’s and Internal Audit’s reports
CySEC issued today its findings on the Compliance Officer's and Internal Audit's reports in relation to money-laundering and terrorist financing for 2017 and the respective Board of Directors minutes submitted in 2018. Compared to the 2018, CySEC found an overall improvement to the content of these reports.
Summary of CySEC findings on the Compliance Officer's and Internal Audit's reports:
- Insufficient analysis of the specific method/way of conduct of the inspections and reviews performed by the Compliance Officer;
- Inadequate information provided in the Compliance Officers’ Annual Reports on the systems and procedures applied by the Regulated Entities for the ongoing monitoring of customers’ accounts and transactions
- No or limited information provided in the Compliance Officers’ Annual Reports submitted by the Administrative Services Providers in relation to the country of origin and type of high-risk customers with whom a business relationship
- No or limited reference was made in the Internal Audit Reports submitted by the Administrative Services Providers (ASPs) in relation to prior years’ findings and recommendations and ,sometimes, there was no indication of whether these had been adequately addressed and rectified within the reference year, in order
Full Content of the Report
|: March 28, 2019|
|: C 307|
|Subject||: Findings of the assessment of Compliance Officers’ Annual Reports and the Internal Audit Reports on the prevention of money laundering and terrorist financing|
The Cyprus Securities and Exchange Commission (the ‘CySEC’) wishes, with this circular, to inform the Regulated Entities of the following:
- For the purpose of assessing the compliance of the Regulated Entities with their obligations under the Prevention and Suppression of Money Laundering and Terrorist Financing Law (the ‘Law’) and the Directive DI144-2007-08 on the Prevention of Money Laundering and Terrorist Financing (the ‘Directive’), CySEC conducted its annual risk-based assessment of Compliance Officers’ Annual Reports and Internal Audit Reports (the Reports). This riskbased assessment reviews both Reports for this purpose, for the year 2017 and the relevant minutes of the Board of Directors (the ‘BoD’) submitted to CySEC in 2018. Regulated entities are obliged to submit Compliance Officers’ Annual Reports by end of March and the Internal Audit Reports by end of April to CySEC for the previous calendar year.
- In carrying out these assessments, CySEC found an overall improvement in the content of the Reports. In most cases the findings were in line with the requirements set out in the Law, Directive, and Circular C033 on the Content of the Compliance Officer’s Annual Report on the prevention of money laundering and terrorist financing (‘the Circular’), which are enforced by CySEC.
- From the review of the Compliance Officers’ Annual Reports, CySEC has also identified the following common and recurring weaknesses and/or deficiencies which in addition to the measures taken to ensure full compliance, CySEC calls upon all Regulated Entities to dully consider and immediately implement corrective measures.
- In some instances, there was not sufficient analysis of the specific method/way of conduct of the inspections and reviews performed by the Compliance Officer to determine the degree of compliance of the Regulated Entity in the policy, practices, measures, procedures and controls applied for the prevention of ML/TF. This relates to paragraph 10(4)(b) of the Directive and point 2 of Appendix 1 of the Circular.
- Following an assessment of Compliance Officers’ Annual Reports submitted by the Administrative Services Providers (ASPs), it was identified that occasionally no or limited information was provided in relation to the country of origin and type of high-risk customers with whom a business relationship was established or an occasional transaction had been executed, with little comparative data from the previous year. This refers to paragraph 10(4)(g) of the Directive and point 6 of Appendix 1 of the Circular.
- The information provided in the Compliance Officers’ Annual Reports on the systems and procedures applied by the Regulated Entities for the ongoing monitoring of customers’ accounts and transactions was not always adequate when compared with the data and information kept in the customer’s economic and risk profile. In particular, details on the timing of ongoing monitoring of customers’ accounts and transactions (e.g. in real time or after the completion of an event) and the method used for documenting the ongoing monitoring of customers’ accounts and transactions (e.g. preparing a memo describing all relative actions and recording it in the customer’s file) were not sufficient. This refers to paragraph 10(4)(h) of the Directive and point 7 of Appendix 1 of the Circular.
- As regards to the assessed Internal Audit Reports submitted by the Administrative Services Providers (ASPs), CySEC occasionally found that no or limited reference was made to prior years’ findings and recommendations. There was sometimes no indication of whether these had been adequately addressed and rectified within the reference year, in order to ensure compliance with the provisions of paragraph 6 of the Directive.
- Under the Law and the Directive, Regulated Entities must ensure and adhere to:
- The Compliance Officer’s obligation for the correct preparation of the Annual Report and the sufficient assessment of the level of compliance of the Regulated Entity in relation to the prevention of ML/TF.
- The Internal Auditor’s obligation for the correct preparation of the Internal Audit Report and the sufficient review and evaluation of the appropriateness, effectiveness and adequacy of the policy, practices, measures, procedures and control mechanisms applied by the regulated entity for the prevention of ML/TF.
- The obligation of the Regulated Entity’s senior management officials to approve the policies, procedures and controls applied in relation to ML/TF, as well as monitor, and where appropriate, enhance the measures adopted – in reference to section 58C of the Law.
- The responsibility of a designated member of the BoD, to implement the provisions of the Law and Directives, circulars and regulations issued pursuant thereto including any relevant acts of the European Union – in reference to section 58D of the Law.
- The Regulated Entity’s BoD obligation for the sufficient assessment and approval of the Annual Report and the Internal Audit Report. The BoD must take all appropriate measures for the correction of any weaknesses and/or deficiencies identified, as well as the implementation timeframe of these measures.
- CySEC expects that all Regulated Entities take into account the above-mentioned findings when preparing the Reports for the year 2018 and onwards, in order to ensure full compliance with the Law and the Directive. It is stressed that the Law provides strict administrative sanctions in case of non-compliance with the requirements of the Law and the Directive, which CySEC will not hesitate to use.
A considerable number of CIFs (Cyprus Investments Firms) - more than 50% - offer CFDs (Contracts for Differences) to their retail and professional clients. Due to their complexity and higher risk, CIFs offering CFDs are required to have adequate procedures to ensure their clients' interests are maintained and treated fairly.
An area of regulatory focus
The provision of CFD instrument to retail clients is a key area of focus for regulators. In particular, the European Securities and Markets Authority (ESMA) has made an announcement on 15 December 2017 on its work in relation to the provision of CFDs, including rolling spot forex, and binary options to retail clients. ESMA remains concerned that the risks to investor protection are not sufficiently controlled or reduced.
ESMA is considering the possible use of its product intervention powers under Article 40 of the Markets in Financial Instruments Regulation (MiFIR) to address risks to investor protection. In particular, ESMA is considering measures to:
- Prohibit the marketing, distribution or sale of binary options to retail clients.
- Restrict the marketing, distribution or sale to retail clients of CFDs, including rolling spot forex.
The FCA review of the CFD market
FCA issued on 10 January 2018 their "Dear CEO" letter which listed the findings from their recently completed review of the CFD market (the Review). CIFs offering CFD instruments could use the FCA's findings and recommendations to improve their own procedures, policies and controls when providing or distributing CFD instrument to their retail clients.
The review focused on firms offering CFDs to retail customers on either an advisory or discretionary (including limited power of attorney) portfolio management basis. The review assessed both the conduct of firms which provide the CFD service (the providers) and the organisations that distribute the product and deal with the end consumer (the distributors).
The objectives of this review were to to ensure that firms:
- deliver CFD products to the intended target market; and
- pay due regard to the interests of customers and treat them fairly.
Summary of observations from the CFD review
- Most providers and distributors in the review were unable to offer a satisfactory definition of their target market or to explain how they align the needs of this group to the CFD product they offered.
- Given the level of risk of these products, it is important firms comply with the relevant rules. FCA noted that the majority (76%) of retail customers who bought CFD products on either an advisory or discretionary basis lost money over the 12 month period under review (July 2015 to June 2016).
- FCA saw a wide range of communication, monitoring and challenge practices by providers over their distributors, many of which were ineffective and did not meet their expectations.
- Most sample providers had flawed due diligence processes for taking on new distributors.
- FCA identified weaknesses in the conflict of interest management arrangements at all the distributors they assessed.
- Most firms had management information ("MI") and monitoring structures in place. However, flaws in these tools meant firms did not have the effective oversight they needed to robustly challenge poor conduct or control failings. Some firms were unable to offer any evidence of MI or KPIs.
- The quality of remuneration arrangements at CFD distributors was mixed. While some demonstrated good practice, many firms had significant room for improvement.
- Several distributor firms had problems with their processes and the criteria they consider acceptable when categorising clients as elective professionals.
The provision and distribution of CFD products and the delivery of good customer outcomes will remain key areas of focus for the regulators and ,therefore, further work will be undertaken on these topics to assess how firms have complied with the respective regulatory requirements.
In addition, following the implementation of MiFID II on 3 January 2018, firms should pay particular attention to the product governance requirements for firms manufacturing (ie. providing) and/or distributing financial instruments.
CIFs should ensure they maintain adequate oversight and control arrangements to reach the relevant regulatory standards. The three line of defence (1. functions that own and manage risks, 2. functions that oversee or who specialise in compliance or the management of risk, and 3. functions that provide independent assurance i.e. Internal Audit) should be kept abreast of the latest regulatory requirements and take an active role in identifying, recommending and following up on instances where regulatory compliance is not achieved.
Nearly one-in-four internal auditors say they've been pressured to suppress or change valid audit findings
Just about every internal auditor will face an ethical dilemma or difficult situation at some point in their career. Among the toughest scenarios is when the CEO or other senior executive exerts pressures to suppress or change the results of an audit finding because it reflects poorly on management or some other aspect of the business. A new report indicates, however, that it's an all-too-common occurrence.
The latest CBOK study from the Internal Audit Foundation, the research unit of the Institute of Internal Auditors, finds that 25 percent of the internal auditors at North American organizations surveyed said they have been pressured to "suppress or significantly modify a valid internal audit finding or report" during their career. Another 6 percent indicated that they would rather not answer the question.
"In an ideal environment, internal auditors should always be able to present findings without the threat of personal recrimination," the report's author, Larry Rittenberg, writes in the report. "Unfortunately, internal auditors do not always operate in such environments."
Internal auditors faced different levels of pressure across geographic regions of the globe. For example, 31 percent of respondents in Sub-Saharan Africa reported facing pressure to change audit findings, the highest in the report, while 27 percent of Latin America & Caribbean respondents said they faced such pressure. The lowest result came from internal auditors in the East Asia & Pacific region (15 percent), although 19 percent of respondents from that region also declined to answer the question. Rittenberg surmises in the report that they may have faced a different kinds of pressure. "One interpretation is that when participants stated that they preferred not to answer, that response often may have indicated that pressure existed not to respond, either from an internal or external source," he states. The average across all regions was 23 percent who said they faced pressure to change findings, and 11 percent who declined to answer.
On a Regular Basis
Of those that did face pressure to suppress or modify audit findings, many reported that it happens on a regular basis, with 24 percent indicating that it happens on an occasional or frequent basis. Chief audit executives were the most likely to face pressure (29 percent), while 20 percent of staff internal auditors reported pressure to change findings.
"The pervasiveness of pressure suggests that there is a need to improve two related factors: (1) governance and overall support for internal auditing, and (2) a mindset of always improving the quality and value of internal audit work," writes Rittenberg. "It is also important to recognize that pressure will never go away. It may exist because of legitimate disagreements about audit findings, or it may exist simply because human nature is such that individuals do not like to see negative results."
Source of Pressure
The source of the pressure to suppress or change findings, when it occurred, was surprisingly varied and depended on largely on the rank of the internal auditor reporting the pressure. CAEs, for example, faced pressure most often from the CEO (38 percent), operations management (25 percent), and the CFO (24 percent). Staff internal auditors, however, more often faced pressure from operations management (21 percent) and from the internal audit department itself (44 percent), presumably the chief audit executive. Perhaps the most troubling results of the survey are that CAEs even face pressure from the board. Of those who reported being pressured, 12 percent said it came from the board and 6 percent said it came directly from the audit committee.
The overwhelming reason for the pressure to change results, said respondents, was that "the operational audit would reflect badly on key operational management." At large internal audit departments, that was the case in 77 percent of instances where there was pressure to change findings and in 70 percent of cases for small-to-medium-sized internal audit functions. Other reasons for large department auditors who faced pressure were executive misuse of corporate funds (9 percent), financial reporting issue at odds with the external auditor or the CFO (4 percent), and other (11 percent).
Stand Your Ground
When internal auditors stood up to the pressure to suppress or change findings, they often faced consequences, the survey finds. Indeed, 33 percent of internal auditors said they were excluded from meetings for standing their ground on an audit issue. Another 18 percent said they lost out on job opportunities, and 4 percent said they faced budget cuts as a result of resisting pressure. In some rare instances, internal auditors said they faced job elimination, pay cuts, or hostile work conditions after resisting pressure.
A common refrain at the recent SuperStrategies internal audit conference, held in Las Vegas in September, was that internal auditors not only need to have integrity, but they also need courage to stand up to forces that could try to undermine that integrity. As the CBOK survey results indicate, internal auditors do face significant pressure to act unethically and also that they face consequences when they resist such pressures. Writes Rittenberg: "The survey results demonstrate that the ethical environment can be improved."
Source: Misti Trianing Institute