CySEC - Latest Entries: CIRCULAR - CIF C441 - Common deficiencies and good practices identified through desk-based reviews regarding certain aspects of the compliance function requirements of the Investment Services and Activities and Regulated Markets.
Following CySEC’s various desk-based reviews on a sample of Regulated Entities regarding the compliance function requirements, CySEC published good practices implemented and common deficiencies and/or omissions, which aim at helping Regulated Entities to increase the effectiveness of their compliance function.
CySEC's Circular C441 key findings are below and Regulated Entities are invited to consider whether they comply with their obligations and, where appropriate, take corrective measures.
Areas of concern / weakness identified
I. Risk Assessment, Monitoring Activities and Compliance Programme (Article 22 of the Regulation). In some cases, potential risks and/or risk ratings were not specified, or specification of the risks was unclear.
In some cases, the annual compliance monitoring programme was not based on the results of the risk analysis.
In some cases, it was not mentioned that the types of financial instruments offered and distributed were taken into account when determining the risk assessment.
CySEC observed in some instances that the identification of risks and monitoring priorities of the compliance function were vaguely determined without specifying the monitoring methodologies/tools for each compliance risk.
Compliance function omitted to ensure that regular written compliance reports are prepared at appropriate intervals (e.g. quarterly reports) and sent to the management board, concerning higher risks areas, and/or remedial measures undertaken.
Irrespective of the annual compliance reports, any additional compliance matters were only communicated via email to the senior management without specifying if these are properly recorded or considering the need of producing additional written reports to the senior management.
Only results of previous monitoring activities and any relevant findings of internal/external audits formed the basis for the objectives and priorities of the compliance function’s monitoring programme.
II. Reporting Obligation (Article 22 (2)(c) and (3) (b) of the Regulation)
Evaluations of the Regulated Entities’ policies and procedures mainly focused on whether the firms’ policies are up-to-date and in compliance with the regulatory framework, rather than including findings on the implementation of those policies by all employees in practice.
Different types of reviews conducted by the compliance function were not accurately reflected in the Annual Compliance Report.
In regard to the product governance monitoring obligations, no positive/negative market findings were made in the report even though in the target market assessment the compliance officer states that improvement is needed.
In some cases the Annual Compliance Report did not include information on the measures taken or to be taken or the timeframes for the completion of such measures.
III. Advisory obligations of the compliance function (Articles 22(2)(b) and 27(3) of Delegated Regulation)
In respect to the staff knowledge assessments carried out, not enough evidence or details of regular internal/external training was provided in the Annual Reports, such as records of training logs.
Good Practices identified
Formal meetings of the senior management were held on a quarterly basis, with the physical presence of all members and the compliance officer as well as minutes of such quarterly meeting were kept with a brief description of the issues discussed
The preparation of quarterly reports for core compliance areas such as the monitoring of the Regulated Entity’s post trading reporting obligations for the senior management’s attention.
The inclusion of the review conducted on the order of board meetings in the Annual Compliance Report - i.e. the agenda and the right materials are sent to the senior management beforehand
The inclusion of the extent and frequency of training to staff in the Annual Compliance Report and documenting/justifying why trainings should be tailored on each department's needs and activities.
The inclusion of a communication log in the Annual Compliance Report listing the communication with CySEC.
Next Steps
All Regulated Entities should take into consideration the issues raised in the above circular and make sure they have adequate policies and procedures in place to ensure compliance with the compliance function requirements.
If you have any questions, or require any assistance with compliance, do not hesitate to contact us.
Written by Constantinos Constantinides, Director of FAI Comply