CySEC Circular C643 on Electronic Submission of Risk-Based Supervision Framework Form RBSF-MC Version 7

TO : Regulated Entities: i. Alternative Investment Fund Managers (‘AIFMs’) ii. Internally Managed Alternative Investment Funds iii. UCITS Management Companies iv. Internally Managed UCITS v. Internally Managed Alternative Investment Funds with Limited Number of Persons (‘AIFLNP’) vi. Companies with sole purpose the management of AIFLNPs vii. Small AIFMs FROM : Cyprus Securities and Exchange Commission DATE : May 22, 2024 CIRCULAR No : C643 FILE No : 01.13.001.002.002 SUBJECT : Risk-Based Supervision Framework – Electronic submission of information for the year 2023 (Form RBSF-MC) The present Circular is issued pursuant to section 25(1)(c)(ii) & (iii) of the Cyprus Securities and Exchange Commission Law (‘the CySEC Law’). The Cyprus Securities and Exchange Commission ('the CySEC') wishes to inform Regulated Entities about the following:

1. Information Requested by CySEC 1.1. A new version of the form, RBSF-MC Version 7 (‘the Form’) has been issued, which can be found in the Appendix. This Form is issued on an annual basis and aims to collect various statistical information. CySEC will use this information, for the purposes of statistical analysis and risk management, among other things. 1.2. The Form must be completed and successfully submitted to CySEC, by all Regulated Entities that were authorised, appointed or approved to act as External Fund Managers (in case no authorisation is required by the relevant legislation), by December 31, 2023. In this respect, Regulated Entities that were authorised, appointed or approved to act as External Fund Managers by December 31 2023, but have not made use of their authorisation or appointment, must also submit the Form.

Page 2 of 4 1.3. The Form must be successfully submitted electronically via CySEC’s Transaction Reporting System (‘TRS’) by Friday, June 21 2024 at the latest. 1.4. The steps that the Regulated Entities will have to follow, for the successful submission of the Form to the TRS, can be found here. Upon submission, the Regulated Entities are responsible to ensure that they have received a feedback file, i.e., an official submission confirmation dispatched by the TRS in the Outgoing directory. 1.5. The feedback file will either contain a NO ERROR indication or, in the case that any error(s) has/have occurred during submission, it will contain a description of that/those error (s). In case of any errors detected during submission of the Form, the Regulated Entities must review the Form and ensure that all errors are addressed and corrected, before they digitally sign (only applicable for Excel files) and re-submit the Form. The Form is regarded as being successfully submitted to CySEC only when a NO ERROR indication feedback file is received, within the deadlines set out in point 1.3 above. 1.6. CySEC emphasises the importance of meeting the deadline of Friday, June 21 2024. Failure to promptly and duly comply with the above, may bear the administrative penalties of section 37(5) of the CySEC Law. It is further noted that CySEC will not send any reminders to those Regulated Entities, which fail to promptly and duly comply. 2. Additional Information and Amendments In the Sections of the Form listed below, various additional or entirely new information is requested/amended, as follows: 2.1. Section B - Clientele Question 7 has been entirely deleted, as a new section has been added (Section R) in order to include further questions on the topic area. 2.2. Section R - Customers subject to international Sanctions (New Section) In this new section, the following are requested: • a further breakdown in regards to the Customers in the EU and UN sanctions list, • information in relation to the Customers included in the U.S. OFAC’s Specially Designated Nationals And Blocked Persons List (the ‘SDN List’), and • information in relation to the Customers included in the U.K. Designated Persons Sanctions List. The Law 58(I)/2016 provides for the Implementation of the Provisions of the United Nations Security Council Resolutions or Decisions (Sanctions) and the European Union Council’s Decisions and Regulations (Restrictive Measures). According to this law, CySEC is responsible for the compliance of its supervised entities with the Sanctions/Restrictive Measures which are decided and imposed by the United Nations Security Council and the European Union.

Page 3 of 4 In addition, paragraph 36 of the CySEC’s Directive on the Prevention and Suppression of Money Laundering and Terrorist Financing of 2020, as amended, states the obligations of the supervised entities to detect actions that are in breach of Sanctions and Restrictive Measures. Any definitions that the supervised entities should be aware of, in order to complete the relevant information/elements of the form correctly, are included in Law 58(I)/2016 and in the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, as amended. Useful sources of information are also listed in the relevant section of CySEC’s website regarding Sanctions/Restrictive Measures (Related Material and Useful Links). Relevant useful links/help are also included in the corresponding fields of the RBSF form, as well as in the CySEC’s Circulars C489 and C622. The specific information that will be collected is intended to provide an indication to CySEC regarding the exposure of supervised entities to business relationships with persons subject to Sanctions/Restrictive Measures, as well as international sanctions imposed by third countries. The analysis of the said information may reveal relevant risks, both on an entity level as well as collectively. Those risks may be examined in relevant thematic inspections for compliance with the provisions of Sanctions/Restrictive Measures. In addition, this information, as well as its ongoing feedback, may be used for any reporting obligations of CySEC to other competent authorities on issues regarding Sanctions/Restrictive Measures, e.g. European Commission. 2.3. Section F - Governance & Ownership Question 5.4 has been entirely deleted. 3. General Comments for the completion of the Form 3.1. The Form will be available only in English. 3.2. Regulated Entities are required to report data in EUR, rounded to the nearest unit. 3.3. Please always ensure that you have the latest version of the Form, i.e. Version 7. 3.4. Instructions on the completion of the Form can be found in the Form’s ‘instructions’ worksheet. 3.5. Before submitting the Form, please ensure that all validation tests that are contained in the Form (Sections A, B, C1, C2, D, E, F, G, H, I, K, L, M, N, O, P, Q, R and Validation Tests Worksheet) are TRUE (Green Colour).

Page 4 of 4 4. How to create, sign and submit the Form to CySEC: After populating the required Excel fields in the Form, the Regulated Entities should name their Excel file in accordance with the following naming convention: Username_yyyymmdd_RBSF-MC The information below explains the naming convention: (1) Username – is the username of the TRS credentials, which should already be in the possession of the Regulated Entities, which have previously submitted any electronic file to the TRS system. This codification should be entered in capital letters. Regulated Entities, that have not previously requested their TRS credentials, can do so by following the instructions available at our website here, which provides further information about the TRS. (2) yyyymmdd – this denotes the end of the reporting period of the Form. In this case, the Form should have a 20231231 format. Future forms will have different reporting periods. (3) RBSF-MC – this is the coding of the Form RBSF-MC, that remains unchanged and should be inserted, exactly as it appears. (4) The Excel® must be of 2007 version and onwards. Excel will add the extension .xlsx as soon as it is saved. This extension should not be inserted manually, under any circumstances. 5. Support 5.1. Queries on how to complete the fields of the Form Should you have any queries on the completion of Form RBSF-MC, please submit them only in writing, any day PRIOR to Friday, June 14, 2024, by sending an email to riskstatistics.fundmgrs@cysec.gov.cy. All email communication should have the Regulated Entity’s full name and the TRS coding, in the subject line. 5.2. Technical Queries on digitally signing and submitting the Form For technical matters on digitally signing and submitting the Form, REs are advised to frequently visit the CySEC website at the specified section. For further clarifications, REs can send an email to information.technology@cysec.gov.cy. All email communication with CySEC should include the REs full name and the TRS coding, in the subject line. Yours sincerely, George Karatzias Vice Chairman, Cyprus Securities and Exchange Commission