Prepare for an inspection by CySEC
The Cyprus Securities and Exchange Commission (CySEC) is the independent public supervisory authority responsible for overseeing the investment services market. In addition, CySEC monitors transactions involving transferable securities conducted within Cyprus and regulates the collective investment and asset management sector. It also exercises supervision over firms that provide administrative services, as well as Crypto-Asset Services Providers.
CySEC’s vision is to establish the Cyprus securities market as one of the safest, most reliable, and attractive destinations for investment. As part of its responsibilities, CySEC conducts all necessary investigations to fulfil its duties under the law and on behalf of other foreign competent authorities.
Throughout this article, the SALVUS Regulatory Compliance team explores CySEC’s inspection powers and sheds light on the governance and organisational requirements for investment firms. Additionally, the team shares insights from its extensive experience in successfully completing regulatory inspections and the key areas on which a regulated entity should focus. The article covers the following areas:
1. CySEC inspection authority
CySEC possesses the authority to collect information and conduct inspections to verify the compliance of regulated entities with the relevant regulatory framework. Under this authority, CySEC may enter the premises of regulated entities for investigative purposes or appoint an investigating officer to act on its behalf. The investigation’s outcome may lead to CySEC imposing administrative sanctions, levying administrative fines, and either accepting or rejecting corrective actions.
It is noteworthy that if any obliged entity refuses to grant CySEC access, CySEC has the authority to issue an immediate order for the confiscation of all records. This may encompass books, accounts, documents, data in electronic format, and other means of data transfer.
2. Governance and organisational compliance
Investment firms must meet governance and organisational requirements both to obtain their licence and on an ongoing basis after authorisation. The ultimate responsibility for compliance always rests with the firm’s Board of Directors. Thus, to ensure effective and prudent management, the Board shall adopt, among others, the following governance arrangements:
- Adequate segregation of duties.
- Prevention of conflicts of interest.
- Promotion of market integrity.
- Safeguarding clients’ interests.
In addition to governance arrangements, regulated entities must adhere to organisational requirements that pertain to the day-to-day operations of the firm. These requirements involve the allocation of functions and responsibilities, the employment of skilled and knowledgeable personnel, and the delivery of high-quality services to clients.
3. Key inspection areas
At this point, we would like to highlight that all areas and functions related to investment services may undergo regulatory inspection, with key areas of scrutiny being:
- Compliance and Risk Management – determining the level of adherence to regulatory requirements and risk mitigation measures and controls.
- Client Onboarding and Due Diligence – examining processes for client identification and verification, as well as appropriateness and suitability assessments.
- Trading and Execution of client orders – monitoring trade execution practices and adherence to best execution standards.
- Asset Custody and Safekeeping – verifying the application of proper custody and safekeeping of client assets.
- Financial Reporting and Record Keeping – assessing financial reporting accuracy and the maintenance of appropriate records.
- Capital Adequacy and Financial Stability – ensuring compliance with capital adequacy and liquidity requirements.
- Corporate Governance – evaluating the firm’s corporate governance practices and structure.
- Product Governance, Appropriateness and Suitability of Product offering – evaluating the firm’s practices for the product assessment procedures and whether the products offered to clients are suitable for their needs, characteristics, knowledge, expertise and risk tolerance.
- Remuneration – reviewing the internal practices towards remuneration of personnel and outsourced arrangements, to ensure that they are in line with the regulatory framework.
- Internal Controls and Policies – reviewing internal control mechanisms and effectiveness of policies and procedures.
- Market Abuse Prevention – ensuring that appropriate measures are in place to prevent market abuse and insider trading.
- Information Security and Data Protection – assessing the safeguards adopted regarding information security and data protection.
- Complaints Handling and Conflicts of Interest Resolution – evaluating the processes for addressing client complaints and conflicts of interest.
- Anti-Money Laundering and Combating Financing of Terrorism – examining whether robust procedures are established and followed.
- Training and Competence – reviewing employee training and competence to perform their roles effectively.
The regulator is expected to focus on these key areas during an inspection, always applying the principle of proportionality to each firm’s business model and objectives.
4. Compliance tips
Regarding the inspection of different departments, our Regulatory Compliance team at SALVUS would like to share with firms the following compliance tips:
- Ensure that employees in each department understand their duties, responsibilities, and internal policies and procedures.
- Each department should have a physical presence, preferably within the firm’s head office premises, complying with Chinese Walls requirements.
- Notify CySEC about the structure of each department, through the update of the relevant portal.
- Key employees are required to be certified, to be registered in the regulator’s registers, and to meet continuous professional development (CPD) obligations.
- Provide tailored training to personnel in each department based on their roles, expertise, and the systems they use.
- Each department should maintain appropriate records of the reports it submits, both on a regular basis and on an ad-hoc basis.
- Department heads should inform the firm’s Senior Management and the Board of Directors about the department’s compliance status, as well as any additional resources needed.
In our view, regulated entities must proactively ensure compliance with the applicable regulatory framework before a regulator’s inspection. This proactive approach increases the likelihood of a successful inspection at any time. Therefore, stakeholders should familiarise themselves with the firm’s regulatory obligations and promptly establish or enhance the required policies and procedures.
The Regulatory Compliance team at SALVUS stands ready to assist both prospective and authorised CIFs, as well as other CySEC regulated entities, in achieving regulatory compliance. Additionally, the SALVUS Internal Audit team goes beyond the annual regulatory obligation by conducting interim internal audits. This involves monitoring our clients’ progress and focusing on the findings and weaknesses identified in the previous year’s report to ensure proper rectification.
To ensure a successful inspection, professionals in Cyprus Investment Firms (CIFs) and other CySEC regulated entities should be knowledgeable about the aspects subject to review in each area. To aid in this endeavour, the SALVUS Regulatory Compliance team has created a self-study course titled “How to get prepared for an inspection by the regulator in 2023”. The course is available through the Institute for Professional Excellence (IforPE).
This online self-study CPD course serves as a comprehensive guide for stakeholders to conduct a gap analysis between established firm policies and procedures and regulatory requirements and standards. It covers the role and powers of CySEC, critical governance arrangements, organisational requirements, and key inspection areas. Additionally, our team shares valuable inspection and compliance tips, along with post-inspection expectations based on their first-hand experience.
Contact us at firstname.lastname@example.org if you need support for a regulator inspection, to discuss your internal audit needs, or if you have questions about our “How to get prepared for an inspection by the regulator in 2023” online CPD course with IforPE.
Should you be interested in reading more about Organisational & Operational Requirements, AML compliance or the Compliance Function requirements, please visit the selected articles below:
- CIF Organisational & Operational Requirements & the Safeguarding of Client Funds
- CySEC Circular C553 & the Compliance Function Requirements
- AML compliance for CySEC regulated entities
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.