1. What is the Compliance Risk Assessment (CRA)?

The Compliance Risk Assessment (CRA) is a procedure that evaluates the focus of the monitoring, advisory, and assistance activities performed by the Compliance Function. The compliance function undertakes a CRA to ensure that its resources are efficiently allocated for the compliance risk to be comprehensively monitored.

For that purpose, the compliance function’s work program shall be developed and implemented based on the CRA results. The CRA shall be reviewed on a regular basis to ensure that the focus and scope of the function’s activities remain valid and relevant to the risk faced by the business.

2. What is the role of the Compliance Function?

The Compliance Function along with the Risk Management Function act as an Investment Firm’s Second Level of Control missioned to:

• identify risk areas,
• detect situations, activities and operations that require increased monitoring,
• develop policies essential to formalise risk assessment and mitigation,
• monitor the adequacy and effectiveness of the implemented policies, as well as the reporting accuracy.

Organisational requirements of investment firms mandate the establishment of a permanent compliance function that operates effectively and independently. The function belongs to the higher ranks of the firm’s organisational structure, where the Compliance Officer reports directly to the Senior Management and Board of Directors (BoD).

3. The aim and characteristics of the CMP

The CMP must consider all areas of the investment and ancillary services provided by the firm and establish priorities as these are determined by the CRA. The aim of the CMP is to evaluate if the firm’s operations are conducted in compliance with its legal obligations and whether its internal policies remain effective and appropriate.

The CMP-specific characteristics consist of the following:

• is established by the compliance function,
• is risk-based,
• results in the efficient allocation of the available compliance resources,
• reflects any changes that occurred to the firm’s risk profile,
• examines the implementation and effectiveness of any remedial measures taken,
• determines the frequency of monitoring activities performed based on the set priorities.

4. Inspection areas

The CMP inspection areas must cover all the activities performed relating to the investment and ancillary services offered by the firm, as well as the operations and risks associated with the said services. A high-level categorisation of the CMP inspection areas is provided below:

• Policies and Procedures – evaluating the adequacy of the established policies and their implementation by the relevant employees.
• Organisational Requirements – examining whether the firm complies with all the necessary requirements concerning the organisational structure and arrangements.
• Operating Conditions – determining whether all operating conditions are sufficient and in compliance with the applicable legislative provisions.
• Client Accounts opening and closing – verifying whether clear and sufficient information is provided to clients and adequate procedures are followed for the opening and closing of client accounts.
• Departmental inspection areas – concerning the operations, resources, and expertise of the following departments
  • Back Office,
  • Anti-Money Laundering,
  • Accounting and Finance,
  • Provision of Services,
  • Business Development and Marketing,
  • Customer Support,
  • Information Technology.

5. Good practices and common deficiencies of CySEC regulated entities

The Cyprus Securities and Exchange Commission (CySEC) is the authority responsible for the supervision of investment services offered in and from the Republic of Cyprus. Thus, any Cyprus Investment Firm (CIF), Crypto Asset Service Provider (CASP) or other CySEC regulated entity shall be concerned with feedback provided by CySEC.

Such feedback is often based on common deficiencies and good practices identified by the regulator during its onsite and desk-based reviews. In this respect, the following good practices were identified by CySEC during its thematic inspection, as presented under certain aspects of the compliance function requirements:

• Formal senior management meetings were arranged on a quarterly basis, with all members being physically present and the Compliance Officer included.
• Senior management meeting minutes were sufficiently recorded indicating the matters discussed, the suggestions expressed, and the final decisions taken.
• Preparation of quarterly reports concerning core compliance areas, such as the monitoring of the entity’s post-trading reporting obligations and product governance requirements.
• The annual compliance report submitted to the regulator included among others
  • the review conducted on the order of board meetings.
  • references to the extent and frequency of the training provided to the employees.
  • the annual communication log, listing the matters discussed with the regulator.

On the contrary, through the same thematic inspection some of the common deficiencies detected were:

• Several compliance monitoring programs were not designed based on the risk assessment results.
• The risk assessment analysis performed by certain firms did not consider the types of financial instruments offered and distributed by the firm.
• The risks identified and the monitoring priorities set were unjustifiable compared to the monitoring methodologies, tools and frequency employed.
• In particular instances, compliance functions failed to provide the BoD with regular written reports, covering compliance areas which impose higher risk and require daily, weekly or monthly reviews.
• Some of the annual compliance reports submitted, focused mainly on the findings identified through the examination of written policies and procedures rather than the examination of the procedures followed in practice.

Final thoughts

In conclusion, the establishment of an effective Compliance Monitoring Program is critical for the monitoring and management of the compliance risk stemming from each firm’s operations. Relevant stakeholders of CySEC regulated entities shall remain aware of the compliance requirements and regulatory developments through targeted training.

SALVUS Funds in cooperation with the Institute for Professional Excellence (IforPE) has developed a self-study course titled The course is geared towards Compliance Officers and Assistants, as well as professionals employed by CySEC regulated entities and counts for the fulfilment of the annual Continuous Professional Development (CPD) requirements.

In addition, our collaboration with IforPE extends to offer The Most Complete™ CySEC Advanced and The Most Complete™ Basic certification preparation courses for persons interested in acquiring a CySEC Certification.

Lastly, the SALVUS Regulatory Compliance team is able to guide Investment Firms and Funds, as well as Crypto-Asset Services Providers in establishing a CMP as per their business model, the necessary policies, procedures and tools to achieve full compliance with the applicable regulatory obligations.

Please contact us at info@salvusfunds.com or call us at +357 7000 7898 if you require support with your regulatory compliance obligations or are interested in successfully preparing for the CySEC Advanced or Basic certification exams.

#StayAhead

Should you be interested to read more about Product Governance, Cyprus Investment Firms or Crypto-Asset Services Providers, please visit the selected articles below:

• MiCA and the CySEC CASP regime in Cyprus
• Establishing an Investment Firm in 2022 in Cyprus
• MiFID II Product Governance and KIDs for PRIIPs

The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.