CySEC Circular C638: Electronic Submission of 2023 RBS-F Information for ASPs

TO : Administrative Services Providers (‘ASPs’) FROM : Cyprus Securities and Exchange Commission DATE : April 23, 2024 CIRCULAR No : C638 FILE No : E.K. 02.03.001, E.K. 01.03.004 and E.K. 01.13.001.002.002 SUBJECT : Risk Based Supervision Framework (‘The RBS-F’) – Electronic submission of information for the year 2023 (Form RBSF-ASP).

The present Circular is issued pursuant to section 25(1)(c)(ii) & (iii) of the Cyprus Securities and Exchange Commission Law of 2009, as amended (‘the CySEC Law’). The Cyprus Securities and Exchange Commission ('the CySEC') wishes to inform the Administrative Service Providers (‘the ASPs’) about the following:

1. Information requested by CySEC 1.1. A new version of the Form RBSF-ASP (‘the Form’), Version 7, found in the Appendix, is now issued and its scope is the collection of various statistical information. This Form is issued on an annual basis. CySEC will use this information, for the purposes of conducting statistical analyses, risk management and other purposes. 1.2. The Form must be completed and successfully submitted to CySEC, by all ASPs that were authorised by December 31, 2023. In this respect, ASPs that were authorised by December 31, 2023, but have not made use of their authorisation must also submit the Form. 1.3. The Form must be successfully submitted electronically via the CySEC’s Transaction Reporting System (‘TRS’) by Friday, May 31, 2024, the latest. 1.4. The steps that ASPs will have to follow, for the successful submission of the Form to the TRS, can be found here. Upon submission, the ASPs are responsible to ensure that they have received a feedback file, i.e. an official submission confirmation, dispatched by the TRS in the Outgoing directory. 1.5. The feedback file will either contain a NO ERROR indication or, in case that an error(s) has occurred during submission, the description of that error(s). In case of any errors detected during submission of the Form, the ASPs must review the Form and ensure

2 that all errors are addressed and corrected before they digitally sign (only applicable for the Excel Files) and re-submit the Form. The Form is regarded as being successfully submitted to CySEC only when a NO ERROR indication feedback file is received, within the deadlines set in point 1.3. above. 1.6. CySEC emphasises the importance of meeting the deadline of Friday, May 31, 2024. 1.7. Failure to comply with the above promptly and duly will bear the administrative penalties of section 37(5) of the CySEC Law. 2. Additional Information Requested In the Sections of the Form listed below, various additional or entirely new information is requested/amended, as follows: 2.1. Section G – Governance and Ownership (new point added) One question has been added, as follows: Question 1.3.: Does any of the entity's shareholders and/or BOs belong to any of the following groups? 2.2. Section M – Customers subject to International Sanctions (new Section) The Law that provides for the Implementation of the Provisions of the United Nations Security Council Resolutions or Decisions (Sanctions) and the European Union Council’s Decisions and Regulations (Restrictive Measures) is Law 58(I)/2016. According to this Law, the Cyprus Securities and Exchange Commission (‘CySEC’) is responsible for the compliance of its supervised entities with the Sanctions/Restrictive Measures which are decided and imposed by the United Nations Security Council and the European Union. In addition, paragraph 36 of the CySEC’s Directive on the Prevention and Suppression of Money Laundering and Terrorist Financing of 2020, as amended ('CySEC Directive'), states the obligations of the supervised entities to detect actions that are in breach of Sanctions and Restrictive Measures. Any definitions that the supervised entities should be aware of, to complete the relevant information/elements of the form correctly, are included in Law 58(I)/2016 and in the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, as amended (Law 188(Ι)/2007). Useful sources of information are also listed in the 3 relevant sections of CySEC’s website regarding Sanctions/Restrictive Measures (Related Material and Useful Links). Relevant useful links/help are also included in the corresponding fields of the RBSF form, as well as in the CySEC’s Circulars C489 and C622.

3 The specific information that will be collected is intended to provide an indication to CySEC regarding the exposure of supervised entities to business relationships with persons subject to Sanctions/Restrictive Measures, as well as international sanctions imposed by third countries. The analysis of the said information may reveal relevant risks, both on an entity level as well as collectively. Those risks may be examined in relevant thematic inspections for compliance with the provisions of Sanctions/Restrictive Measures. In addition, this information, as well as its ongoing feedback, may be used for any reporting obligations of CySEC to other competent authorities on issues regarding Sanctions/Restrictive Measures, e.g. European Commission. 3. General Comments for the Form 3.1. The Form will be available only in the English language. 3.2. Reporting entities are required to report data in Euro, rounded to the nearest unit. 3.3. Please always ensure that you have the latest version of the Form, i.e. Version 7. 3.4. Instructions on the completion of the Form can be found in the ‘Instructions’ Worksheet of the Form. 3.5. Before submitting the Form, please ensure that all validation tests that are contained in the Form (Sections A, B, C, D, E, F, G, H, I, J, K, L, M) at the bottom of the page and Validation Tests Worksheet are TRUE (Green Colour). 4. Method of creating, signing, and submitting the Form to the CySEC After populating the required Excel fields in the Form, ASPs should name their Excel file in accordance with the following naming convention: Username_yyyymmdd_RBSF-ASP The information below explains the naming convention: (1) Username – is the username of the TRS credentials, which should already be in the possession of the ASPs that have previously submitted any electronic file to the TRS system. This codification should be entered in capital letters. For ASPs that have not previously requested the TRS credentials they can do so by referring here where further information are provided about the TRS. (2) yyyymmdd – this denotes the end of the reporting period of the Form. In this case, the Form should have a 20231231 format. Future forms will have different reporting periods. (3) RBSF-ASP – this is the coding of the Form RBSF-ASP that it remains unchanged and should be inserted exactly as it appears.

4 (4) The Excel® must be of 2007 version and onwards. Excel will add the extension .xlsx as soon as it is saved. This extension should not under any circumstances be inserted manually. 5. Support 5.1. Queries on how to complete the fields on the Form Should you have any queries on the completion of Form RBSF-ASP, please submit them only in writing, any day PRIOR to Friday, May 17, 2024, by sending an email to the address riskstatistics.asps@cysec.gov.cy . 5.2. Technical Queries on digitally signing and submitting the Form For technical matters on digitally signing and submitting the Form, the ASPs are advised to frequently visit the CySEC’s specified section. For further clarifications, the ASPs are asked to use the electronic address information.technology@cysec.gov.cy . All email communication with CySEC should include, in the subject, the ASPs full name and the TRS coding. Yours sincerely, Dr George Theocharides Chairman, Cyprus Securities and Exchange Commission