Compliance Monitoring Program & Assessment
To achieve regulatory compliance with national and European supervisory authorities, all investment firms must incorporate and maintain an effective Compliance Monitoring Program (CMP). A CMP is responsible for monitoring the firm’s operations and ensuring ongoing adherence to applicable legal and regulatory requirements.
A well-established Compliance Risk Assessment (CRA) forms the foundation of the monitoring program. Without a properly structured CRA, the CMP cannot be risk-based, proportionate, or effective. Together, the CRA and CMP function as strategic tools that enable firms to identify, assess, monitor, and mitigate compliance risks across all departments.
In this article, the SALVUS Regulatory Compliance team outlines the key responsibilities and organisational requirements of the Compliance Functions defined in CySEC Circular C553 and explains how these elements contribute to building an effective Compliance Monitoring Program (CMP). It concludes by addressing the following core areas of compliance oversight.
1. What is Compliance Monitoring & Assessment?
2. Purpose and Objectives of the Compliance Risk Assessment
3. What does the Compliance and Risk Management Function do?
4. CySEC Circular C553 – Organisational Requirements of the Compliance Function
5. Departmental Inspection Areas
6. CySEC Circular C441 – CySEC Desk-based review
We regularly share bite-sized insights on LinkedIn such as those found in this article
1. What is Compliance Monitoring & Assessment?
Compliance monitoring is a structured process used by regulated firms to ensure ongoing adherence to legal and regulatory requirements. It involves identifying compliance risks through a Compliance Risk Assessment (CRA), developing a Compliance Monitoring Program (CMP), and regularly reviewing operations to detect and prevent violations. The Compliance Function (CF) must operate independently, report findings to senior management, and provide annual reports and advisory support. This ensures transparency, accountability, and regulatory integrity within the firm.
2. Purpose and Objectives of the Compliance Risk Assessment (CRA)
The purpose of Compliance Risk Assessment is to ensure the efficient allocation of the Compliance Function’s resources and to guarantee that all areas of compliance risk are comprehensively identified, prioritized, and monitored.
The CRA evaluates compliance risk considering:
- the firm’s obligations under the applicable legal framework
- the policies and procedures implemented
- the systems and controls utilised within the area of investment services
- the results of any monitoring activities
- the findings of any internal and external audits
A properly documented CRA allows the Compliance Function to design a proportionate and risk-based CMP, determining the type, frequency, and scope of monitoring activities.
3. What does the Compliance and Risk Management Function do?
Within an investment firm’s governance framework, the Compliance and Risk Management Functions constitute the second line of defence.
The Compliance Function, led by the appointed Compliance Officer and supported by assistants where applicable, plays a critical role in safeguarding regulatory integrity. From a corporate governance perspective, the Compliance Function acts as the firm’s regulatory gatekeeper and is actively involved in:
- The development and review of policies and procedures relating to investment and ancillary services
- Providing compliance expertise and advice on strategic decisions, new business models, and marketing strategies
- Participating in organisational changes, new product approvals, and remuneration policy discussions
- Being involved in product approval processes for manufacturers and distributors
- Handling material and non-material correspondence with CySEC and other competent authorities
To fulfil its obligations, the Compliance Function implements a risk-based monitoring program that includes:
- Reviewing internal policies and procedures,
- Performing onsite inspections of operational departments,
- Carrying out monitoring activities at appropriate intervals,
- Reporting findings to the Board of Directors via the Annual Compliance Report.
4. CySEC Circular C553 – Organisational Requirements of the Compliance Function
Circular C553 outlines specific guidelines to help investment firms implement key aspects of the compliance function requirements. These include the following:
Guidelines 1–4: Responsibilities of the Compliance Function
These guidelines define the core duties of the Compliance Function within a Cyprus Investment Firm (CIF):
- Compliance Risk Assessment – The Compliance Function must identify and evaluate regulatory risks across the firm’s operations to guide its monitoring priorities.
- Monitoring Obligations – A risk-based monitoring programme must be established to ensure the firm’s activities comply with legal and internal requirements.
- Reporting Obligations – The Compliance Function must prepare and submit an annual compliance report to the Board of Directors, covering all relevant business units.
- Advisory and Assistance – The function must support staff and management through training, policy development, and day-to-day regulatory guidance.
Guidelines 5–11: Organisational Requirements of the Compliance Function
These guidelines outline how the Compliance Function should be structured and resourced:
- Effectiveness – The function must operate effectively and be capable of fulfilling its responsibilities.
- Skills and Authority – Staff must have the necessary expertise, knowledge, and authority to carry out compliance duties.
- Permanence – The Compliance Function must be a permanent part of the firm’s structure.
- Independence – It must act independently, free from conflicts of interest.
- Proportionality – Its structure and resources should be proportionate to the firm’s size, complexity, and risk profile.
- Combination with Other Functions – If combined with other control functions, safeguards must be in place to maintain independence and effectiveness.
- Outsourcing – Outsourced compliance tasks must meet regulatory standards and not compromise the function’s responsibilities.
Guideline 12: Competent Authority Review
- CySEC, as the competent authority, is responsible for reviewing the implementation and effectiveness of the Compliance Function. This includes assessing its structure, resources, reporting lines, and ability to meet regulatory obligations during both the licensing process and ongoing supervision.
5. Departmental Inspection Areas
A properly structured CMP requires periodic inspection of all operational departments. While the scope of inspections depends on the firm’s business model and risk assessment, certain areas consistently attract supervisory focus.
Departmental inspection commonly covers the Back Office function, AML/CFT compliance, Accounting and Finance, Provision of Services, Business Development and Marketing, Customer Support, and Information Technology. The Compliance Function assesses whether internal policies and procedures are properly implemented and whether staff adhere to regulatory obligations in their day-to-day activities.
Key inspection areas typically include the accuracy and timeliness of updates submitted through the CySEC portal, notification of changes in key personnel, effectiveness of the organisational structure, adequacy of staff training programmes (including AML/CFT training), conflicts of interest monitoring, complaints handling procedures, and the documentation and application of the Compliance Risk Assessment.
Additional focus is placed on the effectiveness of governance arrangements, including oversight exercised by Senior Management and the Board of Directors, as well as the coordination between Compliance, Risk Management, and Internal Audit functions.
Through structured departmental inspections, firms can identify deficiencies early, implement corrective actions, and strengthen their overall control environment.
6. CySEC Circular C441 – CySEC Desk-based review
CySEC Circular C441 introduced the supervisory practice of desk-based reviews, whereby the regulator conducts thematic and targeted assessments based on documentation and information submitted by regulated entities.
Desk-based reviews typically focus on specific regulatory topics and aim to identify common deficiencies, inconsistencies, or weaknesses in firms’ compliance frameworks. These reviews often examine the effectiveness of the Compliance Monitoring Program, the adequacy of the Compliance Risk Assessment, governance arrangements, conflicts of interest management, and client protection measures.
Circular C441 has highlighted recurring findings across the industry, including insufficient documentation of risk assessments, inadequate monitoring methodologies, weaknesses in internal reporting lines, and failure to implement corrective actions within reasonable timeframes. At the same time, it has also identified examples of good practices, encouraging firms to adopt more structured, risk-based, and well-documented compliance processes.
For firms, understanding the outcomes of CySEC’s desk-based reviews is essential. Incorporating these supervisory observations into the design and enhancement of their Compliance Monitoring Program allows entities to proactively address regulatory expectations and reduce the likelihood of adverse findings during inspections.
In this respect, SALVUS Funds, in cooperation with the Institute for Professional Excellence (IforPE), has designed a self-study CPD course titled “Compliance Monitoring Program & Assessment.” The course discusses the key features, inspection areas and methodology of the CMP and provides valuable compliance tips on their application, taking into consideration the desk-based review of Circular C441 and the guidelines in Circular C553 on certain aspects of the compliance function requirements.
This online self-study program constitutes a comprehensive guide and grants 5 Continuous Professional Development (CPD) units counting towards the annual requirements of CySEC Advanced and Basic certification holders.
Contact us at compliance@salvusfunds.com if you require support with your regulatory compliance obligations or are interested in successfully preparing the CySEC Advanced or Basic Certification exams with IforPE.
#StayAhead
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.