CySEC Circular C553 & the Compliance Function Requirements
Salvus Team
The Compliance Function belongs to the higher ranks of the organisational structure of investment firms, with the Compliance Officer reporting directly to the Senior Management and Board of Directors. For that reason, Cyprus Investment Firms (CIF) are required to establish a permanent Compliance Function (CF) that operates effectively and independently.
In this article, the SALVUS Regulatory Compliance team explores the essential insights of Circular C553, released by the Cyprus Securities and Exchange Commission (CySEC). We support CIF, CASP and other CySEC regulated entities in developing effective policies and procedures affected by such circulars, tailored to their business characteristics. The circular concerns certain aspects of the CF and its key takeaways are discussed in the following order:
1. Overview of Circular C553
On the 14th of March 2023, CySEC published Circular C553 to guide CIF and other CySEC regulated entities on the implementation of certain aspects of the CF requirements. Circular C553 is assembled taking into consideration:
- the Investment Services and Activities and Regulated Markets Law of 2017, Law 87(I)/2017. The law transposes the European Market in Financial Instruments Directive (MiFID) II into national legislation.
- the MiFID Delegated Regulation 2017/565, regarding the organisational requirements and operating conditions for investment firms.
- CySEC Circulars C030, C050 and C477, with the first two being repealed and replaced by Circular C553.
Circular C553 outlines twelve guidelines categorised into three main areas: CF responsibilities, CF organisational requirements, and CF review conducted by the competent authority.
2. Responsibilities of the Compliance Function
At a high level, the following guidelines comprise the responsibilities of an investment firm’s compliance function:
- Guideline 1: Compliance risk assessment
- Guideline 2: Monitoring obligations of the compliance function
- Guideline 3: Reporting obligations of the compliance function
- Guideline 4: Advisory and assistance obligations of the compliance function
As discussed in a previous article, the CF shall perform a Compliance Risk Assessment (CRA), which will set the priorities for the establishment of the Compliance Monitoring Program (CMP). The Board of Directors (BoD) shall be informed about the firm’s compliance with the applicable regulatory provisions through the Annual Compliance Report prepared by the CF. The main content of the report shall discuss the function’s findings in implementing the CMP.
The Senior Management is responsible for cultivating and promoting a strong compliance culture across all levels of operations. To this end, the CF is mandated to support the firm’s employees and management on a daily basis in establishing and implementing different policies and procedures. The following diagram presents the key advisory and assistance obligations of the CF.
The Compliance Function shall:
3. Organisational requirements of the Compliance Function
CySEC pays significant attention to the organisational requirements of the CF, by providing the below subset of guidelines:
- Guideline 5: Effectiveness of the compliance function
- Guideline 6: Skills, knowledge, expertise and authority of the compliance function
- Guideline 7: Permanence of the compliance function
- Guideline 8: Independence of the compliance function
- Guideline 9: Proportionality concerning the effectiveness of the compliance function
- Guideline 10: Combining the compliance function with other internal control functions
- Guideline 11: Outsourcing of the compliance function
The establishment of a permanent CF that operates effectively and independently constitutes a critical requirement for investment firms. To this extent, the BoD is responsible for appointing a Compliance Officer with the necessary skills, knowledge and expertise. This will allow the firm to discharge its compliance obligations adequately.
Following the principle of proportionality, investment firms may choose to combine the CF with other internal control functions or outsource it to an external provider. However, in either of these cases, the effectiveness and independence of the CF must not be compromised.
4. Competent authority review of the Compliance Function
The final of the twelve guidelines addresses CySEC’s examination of the implementation and maintenance of the CF requirements:
- Guideline 12: Competent authority review of the compliance function
CySEC evaluates how investment firms have adopted and sustained the CF requirements as described in the previous guidelines. The assessment is conducted for the first time during the authorisation process and afterwards in the context of CySEC’s ongoing and risk-based supervision.
The assessment focuses on the function’s resources, organisation and reporting lines. Moreover, it examines any changes required for the improvement of the firm’s measures regarding the fulfilment of the CF requirements.
At SALVUS, we believe that the Compliance Function plays a crucial role in maintaining a sustainable and thriving business. This is especially true as regulatory demands and expectations from competent authorities continue to grow.
The dedicated Circular C553 issued by CySEC also highlights that investment firms should build a strong and autonomous CF. The function shall be effectively involved in the day-to-day operations and decisions.
To achieve this objective, it is essential that Senior Management, Compliance Officers and Assistants in Cyprus Investment Firms (CIF), Crypto Asset Service Providers (CASP), and other CySEC regulated entities are knowledgeable about the CF requirements that must be met. In addition, members of the Board of Directors remain responsible for overseeing and evaluating the effectiveness of the CF to ensure that the necessary authority and resources are provided.
SALVUS Funds, in cooperation with the Institute for Professional Excellence (IforPE), has prepared a thorough review of CySEC’s Circular C553. This review is available as part of the self-study courses mentioned below:
- Compliance Monitoring Program & Assessment in 2023
- How to prepare the MiFID Compliance Report in 2023
- Review of Regulatory Updates and CySEC Circulars for Q1 2023
The Compliance Monitoring & Assessment course aims to equip professionals with the necessary knowledge regarding the CF and the implementation of the CMP and Risk Assessment. Further to that, the MiFID Compliance Report course guides professionals on how to prepare the annual compliance report, utilising the findings identified through the CMP application.
The Review of Regulatory Updates and CySEC Circulars for Q1 2023 course is part of a series of similarly structured courses released quarterly. The course series helps regulated entities and stakeholders remain informed and take immediate action to achieve regulatory compliance.
The SALVUS Regulatory Compliance team can support CIF, CASP and other CySEC regulated entities in developing effective policies and procedures tailored to their business characteristics. Moreover, we assist our clients in fulfilling their regulatory and reporting obligations through our Compliance Consulting service.
Should you be interested in reading more about the Annual Compliance Report, the Compliance Monitoring Program or Crypto-Asset Service Providers, please visit the selected articles below:
- How to prepare the MiFID Annual Compliance Report in 2023
- Establishing a CASP in Cyprus in 2023
- How to establish an effective Compliance Monitoring Program (CMP)
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.