MONTHLY REGULATORY UPDATES
C507 - EBA Guidelines on sound remuneration policies under Directive (EU) 2019/2034 (EBA/GL/2021/13) (link)
Through Circular C507, CySEC wishes to remind the Regulated Entities that the European Banking Authority (EBA) has published the Guidelines on sound remuneration policies (the "Guidelines") under Directive (EU) 2019/2034 (the "IFD") which was fully incorporated and transposed into the Prudential Supervision of Investment Firms Law of 2021 (the "Law").
The Guidelines specify:
- how the provisions under the Law on remuneration policies and variable remuneration to identified staff should be applied
- the sound and gender-neutral remuneration policies that CIFs should have in place for all staff and for identified staff. In particular for identified staff, the alignment of the variable remuneration with the risk profile of the CIFs or the assets they manage is crucial.
CySEC has incorporated the Guidelines into its supervisory practices and regulatory approach and calls on CIFs to which the Guidelines apply to take all necessary actions to ensure their compliance with them by implementing any adjustments to their remuneration policies and updating the required documentation accordingly.
Finally, the Guidelines will be applicable as of 30 April 2022 and the remuneration policies should be applied in line with the Guidelines for the performance year starting after 31 December 2021.
C508 - EBA Guidelines on internal governance under Directive (EU) 2019/2034 (EBA/GL/2021/14) (link)
Through Circular C508, CySEC wishes to remind Cyprus Investment Firms (CIFs) that the European Banking Authority (EBA) has published the revised Guidelines on internal governance (the "Guidelines") under Directive (EU) 2019/2034 (the "IFD"), which was fully incorporated and transposed into the Prudential Supervision of Investment Firms Law of 2021 (the "Law").
The Guidelines provide further details on:
- how the IFD governance provisions should be applied
- the tasks, responsibilities and organization of the management body and the organization of CIFs
- the requirements needed to ensure the sound management of risks across all three lines of defence, particularly the compliance function and independent risk management (second line of defence), where applicable, and the internal audit function (third line of defence), where applicable
CySEC has incorporated the Guidelines into its supervisory practices and regulatory approach and calls on CIFs to which these Guidelines apply to take all necessary actions to ensure their compliance with the Guidelines.
C512 - Reporting of cyber-attack incidents (link)
On 17 May 2022, CySEC announced in Circular C512 its interest in collecting more information on cybersecurity incidents in order to evaluate cybersecurity risks and take the relevant required actions.
This will be done by collecting the information submitted by the Regulated Entities, which is exchanged anonymously with other EU National Competent Authorities and the European Securities and Markets Authority (ESMA). The Regulated Entities must report to CySEC any successful and unsuccessful attacks.
The Regulated Entities can use a template provided by CySEC, which must be completed and sent to firstname.lastname@example.org as soon as they become aware of such incidents.
C513 - CIFs' on-going monitoring of their prudential requirements (link)
Through Circular C513, CySEC reminds all Regulated Entities of the necessary steps they must take when they no longer meet their own funds requirements and/or concentration limits, as well as their obligation to have sound administrative and accounting procedures and robust internal control mechanisms.
The key points from C513 are as follows:
- Class 2 and Class 3 CIFs should notify CySEC as soon as they become aware that their own funds fall below their own funds requirement, pursuant to Article 11(4) of Regulation (EU) 2019/2033 (IFR).
- Class 2 CIFs should notify CySEC without delay when they exceed the concentration limits of Article 37 of IFR, as required by Article 38 of IFR.
- All CIFs should have sound administrative and accounting procedures to enable them to monitor their own funds, own funds requirements, concentration limits and all other obligations pursuant to Article 35(1) of the IFR and Section 20(1)(c) of the Prudential Supervision of Investment Firms Law of 2001 (the 'L.165(I)/2021').
- A number of CIFs that have not met the own funds requirements and concentration limits in accordance with Articles 11 and 37 of the IFR have notified CySEC through the normal submission of the Prudential Forms 165-01 or 165-02, which takes place 40 days following the reporting reference date.
Finally, CySEC reminds all CIFs of the following:
- Apply sound administration and accounting procedures and sufficient internal control mechanisms.
- Notify CySEC without undue delay.
- Demonstrate that their internal control framework (i.e., compliance, risk management and internal audit functions, where established) always ensures compliance with laws, regulations, and supervisory requirements.
Investment Services & Regulated Markets
MiFIR & MiFID
New Q&As available (link)
On 20 May 2022, the European Securities and Markets Authority (ESMA) updated the following Questions and Answers (Q&As):
- on the application of the AIFMD
- on the application of the UCITS Directive
- on the Central Securities Depositories Regulation
- on the European crowdfunding service providers for business Regulation
- on MiFID II and MiFIR transparency topics
Review of the MiFID II framework on best execution reports by investment firms (link)
On 25 May 2022, the European Securities and Markets Authority (ESMA) published a final report, dated 16 May 2022, on a review of the MiFID II framework on best execution reports by investment firms.
The final report follows a Consultation Paper that ESMA published on 24 September 2022 to seek stakeholders' technical input on proposals for possible improvements to the regime, which could be adopted in the future to ensure an effective and consistent level of regulation and supervision and to increase investor protection in this area.
The final report contains several proposals, including the following:
- enhancing the RTS 28 reports' quality of information (inter alia, by proposing to delete a specific reporting obligation for firms on the features of executed orders which has not proven effective under the current reporting framework);
- facilitating the use of RTS 28 reports (e.g. via the suggestion that firms are required to publish the reports' quantitative information in the simple CSV format to facilitate end-users' access and comparison of this data); and
- potential changes in the legislation (Article 27(6) of MiFID II - level 1) and, as a consequence, potential changes to RTS 28.
Anti Money Laundering (AML) & Financial Crime
Joint ESAs Report on the withdrawal of authorisation for serious breaches of AML/CFT rules (link)
On 1 June 2022, the European Supervisory Authorities (ESAs) published a joint Report which provides a complete analysis of the applicable laws on the withdrawal of licence for serious breaches of the rules on AML and CFT. The report is based on the following four actions from Objective 5 of the AML Council Action Plan:
1. Clarify the degree of cautiousness of the prudential supervisors and outline the criteria for the withdrawal of the authorisation once a serious breach of AML/CFT rules has occurred, while taking into consideration the various practices and legal frameworks in Member States.
2. Ensure a uniform interpretation of the language referring to serious breaches of AML/CFT rules in the Capital Requirements Directive.
3. Have a consistent consideration of the consequences of licence withdrawal and be involved with the resolution authorities.
4. Recognize measures available to prudential authorities to address prudential concerns stemming from ML/TF risks and breaches of AML/CFT rules.