Effective planning ahead of a CySEC inspection
The Cyprus Securities and Exchange Commission (CySEC) is Cyprus’ independent public supervisory authority responsible for overseeing the investment services market since 2001. Its mandate is to protect investors and ensure the healthy development of the securities market by exercising effective supervision.
CySEC aims to safeguard the smooth operation and methodical development of the capital and stock exchange market, creating and maintaining a reputable financial jurisdiction. To achieve that, CySEC shall conduct inspections of its supervised entities to ensure compliance with the national and European regulatory frameworks, and to prevent any illegitimate activities that could jeopardize the financial system of the Republic.
In this article, the SALVUS Regulatory Compliance team shares crucial insights regarding the key areas of a CySEC inspection and the governance and organisational requirements for regulated entities. Last but not least, the article explains the post-inspection communication process. It is divided into the following sections:
1. CySEC powers of inspection
2. Governance and organisational arrangements
3. Key inspection areas
4. What happens post-inspection?
1. CySEC powers of inspection
CySEC is granted the authority to inspect and investigate its supervised entities by requesting and collecting information deemed necessary for the exercise of its responsibilities. In this respect, CySEC maintains wide powers of inspection, including entering the premises of the regulated entities or appointing an investigating officer to act on its behalf.
In instances where an obliged entity refuses access to CySEC, the regulator can order the immediate confiscation of the documents and data required for the investigation. However, CySEC has an obligation to return such confiscated documents to their holder within 45 days of the confiscation date if investigations are not completed earlier.
2. Governance and organisational arrangements
Cypriot Investment Firms (CIF) have an obligation to meet the necessary governance and organisational requirements to obtain and maintain their license. Specifically, the Board of Directors (BoD) is liable for all matters and governance arrangements of the CIF, including:
- having a non-executive director as the Chairman of the BoD, who shall not simultaneously exercise the function of the CEO (unless approved by CySEC),
- approving and overseeing the effective application of strategic objectives, risk prevention strategy and internal governance,
- ensuring the integrity of the accounting and financial reporting systems,
- supervising the disclosure and announcements process and the Senior Management,
- addressing and rectifying any identified issues following an implementation timeline.
In this respect, the BoD is accountable for ensuring that the CIF maintains the established internal information reporting and communication and operates an effective administrative strategy for the avoidance of conflicts of interest. This can only happen by employing appropriate and proportionate systems, resources, and procedures to fulfill the organisational requirements of the investment firm.
3. Key inspection areas
While CySEC can inspect every function of the regulated entity, its main focus is usually on, but not limited to, the following:
- Organisational structure and personnel changes; examining if the electronic record is updated, and if the Chinese Walls along with the documented Employee Replacement Policy are in place,
- Employment Contracts and Remuneration; checking if the remuneration, employee recruitment, staff knowledge and competence policy and practices are established,
- Personnel Training; assessing its adequacy and quality as well as the employee awareness,
- Senior Management & BoD; ensuring the observance of their duties and responsibilities, their suitability and their awareness of the firm’s operations,
- Compliance Function; ascertaining that all required compliance processes are in place, including risk assessment and monitoring procedures,
- Risk Management Function; reviewing the risk management plan, interviewing the key personnel employed, and checking whether they report directly to the BoD,
- Internal Audit Function; analyzing whether its findings were reported to CySEC through the Electronic Record, and communicated to the BoD in a timely manner,
- Shareholders Holdings, Tied Agents, Inducements, Cross-Border, ICF; inspecting if appointment or intention of such services has been communicated to CySEC,
- Internal Operations Manual; checking whether the documented procedures are adequate and sufficient, and reflect the current procedures in practice,
- Conflicts of Interest & Personal Transactions; investigating if a Conflict of Interest policy is implemented and if appropriate measures are taken to prevent or detect such phenomena,
- Client Complaints; assessing the complaints handling policy and procedures and if the annual fee payment has been made to the Financial Ombudsman,
- Outsourcing; analyzing the adequacy and competence of outsourcing arrangements,
- Business Continuity & Disaster Recovery; ensuring that appropriate procedures and policies are in place,
- Product Governance; reviewing whether a Product Governance policy and product approval process is implemented.
4. What happens post-inspection?
Post-inspection communication by CySEC is a crucial next step, since the regulator has the authority to potentially:
- Request compliance evidence for the matters discussed,
- Require further information regarding already provided data that may be insufficient,
- Examine the progress of any immediate actions ordered,
- Apply corrective actions and implementation timeframes for deficiencies that require a lengthier timeframe.
Once the post-inspection communication has ended, the regulator has an obligation to inform the firm:
- of the actions to be taken,
- if there’s a breach of critical conditions of its license,
- of any administrative fines or measures imposed,
- of any imprisonment penalties in case of serious misconduct,
- if the firm’s license shall be suspended or revoked,
- if any follow-up information must be provided.
Final Thoughts
Bearing in mind all of the above, an inspection by CySEC can be extremely challenging for its supervised entities and requires a tremendous amount of preparation and effort. In order to enhance their policies and procedures, regulated entities shall stay up to date with the issues raised in circulars and thematic reviews. Furthermore, it is essential for Board members to have a deep understanding of the firm’s operations and practices to be able to oversee and approve crucial regulatory compliance matters.
The SALVUS Regulatory Compliance team alongside the SALVUS Internal Audit team can support licensed, or potentially licensed, Cyprus Investment Firms and other CySEC regulated entities, to achieve regulatory compliance and ensure adequate interim internal audits. Our teams employ a project management approach to accomplish a high standard outcome.
In this respect, SALVUS Funds, in collaboration with the Institute for Professional Excellence (IforPE), offers an online self-paced course entitled “How to Get Prepared for an Inspection by the Regulator in 2024”. This program aims to provide valuable insights regarding the CySEC inspection process and preparation, sharing essential compliance tips to help your organization meet the regulator’s expectations.
Ultimately, members of the Board and Compliance professionals will consider this course as their regulatory compliance bible since they bear the overall responsibility of the obliged entity’s compliance. Through participation in this course, professionals will acquire the knowledge, expertise and skills required to apply a proactive approach, ensuring a successful inspection.
This online self-study program constitutes a comprehensive guide and grants 5 Continuous Professional Development (CPD) units counting towards the annual requirements of CySEC Advanced and CySEC Basic certification holders.
Contact us at info@salvusfunds.com if you need assistance with a regulator’s inspection, to discuss your internal audit needs, or if you have questions about our “How to get prepared for an inspection by the regulator in 2024” online CPD course with IforPE.
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.