How to implement a robust Compliance Monitoring Program (CMP)

National and European supervisory authorities require all investment firms to maintain effective internal policies and procedures that keep the firm compliant with all applicable laws and regulations. A strong CMP is crucial for the smooth operation of the firm, since it regulates and monitors the investment and ancillary services it provides. The backbone of monitoring is a business-wide Compliance Risk Assessment (CRA), performed regularly across all departments of the firm and their practices, to ensure soundness. The purpose of the CMP is to establish a reliable method of evaluating the firm’s operations, so that compliance is ensured and monitoring effort is focused where the risk is highest.

In this commentary, the SALVUS Regulatory Compliance team expands on the importance of the Compliance Function, its responsibilities and its organisational requirements, as set out in CySEC Circular C553, in order to build an effective CMP. The article addresses the following areas:

1. What does the Compliance Function do?
2. What are the common inspection areas?
3. Findings and Recommendations.


1. What does the Compliance Function do?

The Compliance Function sits at a senior level of an investment firm’s organisational structure and plays a pivotal role in its corporate governance, as it constitutes the firm’s second line of defence. It consists of the appointed Compliance Officer and, where applicable, assistant Compliance Officers.

Essentially, the Function needs to understand the business operations, be in a position to identify the risks arising from the firm’s activities, suggest improvements and, most importantly, act independently. The Compliance Function shall carry out regular assessments, which require the implementation of an effective risk-based monitoring program comprising:

  • desk-based reviews of the firm’s policies and procedures,
  • onsite inspections at the operational departments,
  • monitoring activities of different frequency,
  • reporting of findings of the monitoring activities to the Board of Directors (BoD), through the Annual Compliance Report prepared by the function.

In more detail, CySEC can scrutinise the organisational arrangements of each Compliance Function against the guidelines below, as set out in Circular C553:

  • Guideline 5 – Effectiveness of the Compliance Function:
    • The firm must ensure that the budget assigned to the Compliance Function is proportionate to the level of compliance risk,
    • The Compliance Officer shall attend meetings of the Senior Management and the Board of Directors, when necessary,
    • Adequate arrangements shall ensure the effective exchange of information between the Compliance Function and other control functions.
  • Guideline 6 – Skills, knowledge, expertise and authority of the Compliance Function:
    For the appointment of a Compliance Officer, the firm shall ensure that the person:
    • Demonstrates the necessary skills, knowledge and expertise to perform the compliance activities of the firm,
    • Is provided with the necessary authority to execute their duties and responsibilities,
    • Possesses high professional ethical standards and personal integrity.
  • Guideline 7 – Permanence of the Compliance Function:
    • Compliance tasks and duties must be performed on a permanent basis, even in the absence of the Compliance Officer,
    • The monitoring program and activities, alongside the other responsibilities of the Function, shall be recorded in the firm’s compliance policy/manual.
  • Guideline 8 – Independence of the Compliance Function:
    • The Compliance Officer and compliance staff must act independently when executing their duties,
    • The Function shall operate independently from any other function, including Senior Management.
  • Guideline 9 – Proportionality with regard to the effectiveness of the Compliance Function:
    Firms must determine the combination of organisational measures and resources that ensures the effectiveness of the Compliance Function, and the criteria to be used in assessing the Function, including:
    • The types of investment and ancillary services provided,
    • Scope and volume of services,
    • Types of financial instruments offered,
    • Client target market, e.g. retail clients, professional clients, eligible counterparties,
    • Number of employees,
    • Whether the firm is part of a group,
    • Employment of tied agents,
    • Establishment of branches,
    • Provision of cross-border activities,
    • Organisation and sophistication of IT systems.
  • Guideline 10 – Combining the Compliance Function with other internal functions:
    • Combination with other control functions is only allowed if effectiveness and independence are not jeopardised,
    • Function combinations shall be documented and justified,
    • The Compliance and Internal Audit Functions cannot be combined,
    • Compliance personnel shall not be involved in the activities they monitor.
  • Guideline 11 – Outsourcing of the Compliance Function:
    • All requirements remain applicable if the Function is outsourced,
    • Responsibility always remains with the firm,
    • Due diligence procedures shall be followed,
    • Senior Management is responsible for the supervision of the outsourced function.

2. What are the common inspection areas?

The inspection focus of the CMP is not fixed, as it depends on the CRA findings of each firm. However, a common inspection area that affects the overall compliance of firms is the organisational structure, where the review ensures that:

  • The electronic record or the CySEC portal is up to date,
  • Any personnel changes such as appointments or replacements are notified to CySEC,
  • The organisational structure itself is functional,
  • Adequate personnel training is delivered and the training policy is implemented, including a targeted AML/CFT training program,
  • The Senior Management and Board of Directors (BoD) perform their duties effectively,
  • Implementation and effectiveness of CRA,
  • Conflicts of interest monitoring,
  • Client complaints reporting,
  • The internal structure of the Risk Management and Internal Audit Functions is communicated to CySEC, along with the details of any tied agents and any intention to provide cross-border services,
  • Efficacy of the compliance function practices.

3. Findings and Recommendations

The significance of the CMP lies in its findings, which may include organisational, control, policy or other internal deficiencies and misstatements. Once the policies and procedures have been reviewed, the findings and recommendations have to be documented, along with the risks identified through the Compliance Function’s monitoring activities.

Furthermore, based on the program’s findings, recommendations ought to be discussed so that effective solutions can be implemented to rectify the non-compliant areas.

Final thoughts

Having in mind all the above, in order to implement a robust Compliance Monitoring Program the firm shall build a strong internal foundation for monitoring and managing the compliance risks it identifies. Relevant stakeholders of CySEC regulated entities shall remain aware of the compliance requirements and regulatory developments through targeted training.

The SALVUS Regulatory Compliance team, alongside the SALVUS Internal Audit team, can assist licensed, or potentially licensed, Cyprus Investment Firms and other CySEC regulated entities to achieve regulatory compliance. Our teams employ a sophisticated project management approach to deliver a high-standard outcome.

In this respect, SALVUS Funds in cooperation with the Institute for Professional Excellence (IforPE) has designed a self-study, self-paced course titled Compliance Monitoring Program & Assessment in 2024. The course can be of considerable value to Compliance Professionals, Board members and Senior Management personnel who wish to cement their understanding of the topic with a sound practical grounding.

This online self-study program constitutes a comprehensive guide and grants 5 Continuous Professional Development (CPD) units counting towards the annual requirements of CySEC Advanced and CySEC Basic certification holders.

Please contact us at info@salvusfunds.com or call us at +357 7000 7898 if you require support with your regulatory compliance obligations or are interested in successfully preparing for the CySEC Advanced or Basic certification exams.



The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.
