Central Bank of Cyprus Directive for Compliance with UN Security Council Resolutions and EU Council Decisions

CENTRAL BANK OF CYPRUS EUROSYSTEM DIRECTIVE FOR COMPLIANCE WITH THE PROVISIONS OF UN SECURITY COUNCIL RESOLUTIONS AND THE DECISIONS/REGULATIONS OF THE COUNCIL OF THE EUROPEAN UNION March 2020 First Edition

2 INDEX PAGE

PART I Introductory Provisions 3 PART II General Requirements 4 PART III Formulation and Establishment of a Sanctions Risk Assessment 5 PART IV Development of Policies, Procedures, Systems and Controls 6 PART V Screening of Customers and Transactions 7 PART VI Investigation and Reporting of a Match 9 PART VII Exemptions And Permissible Operations 10 PART VIII Education and Training 10 PART IX Record keeping 11 PART X Internal Audit 11 PART XI Supervision 11 PART XII Enforcement 12

3 PART I INTRODUCTORY PROVISIONS Short title 1. This Directive may be cited as the Directive for Compliance with the Provisions of the UN Security Council Resolutions and the Decisions and Regulations of the Council of the European Union of 2020 (First edition). 2. This Directive is issued by the Central Bank of Cyprus by virtue of the powers vested in it by section 3(2) of the Implementation of the Provisions of the UN Security Council Resolutions (Sanctions) and the Decisions and Regulations of the Council of the European Union (Restrictive Measures) Law 58(I) of 2016, enacted on 25.04.2016. Level of application 3. This Directive shall apply to all persons supervised by the Central Bank of Cyprus, in relation to the activities determined by the Central Bank of Cyprus Law or any other law and for which the Central Bank of Cyprus exercises supervision. Definitions 4. For the purposes of this Directive, the definitions referred to in (i) Law 58 (I)/2016, (ii) UNSC Resolutions and EU Regulations or Decisions and (iii) the Combating of Terrorism and Protection of Victims Law of 2019 , N. (75(I)/2019), as subsequently amended shall apply. Additionally the following definitions are applicable: “AML/CFT –Law” means the Prevention and Suppression of the Money Laundering and Terrorist Financing Lawˑ188(I)/2007 as subsequently amended. “AMLCO” means an Anti- Money Laundering Compliance Officer. “Designated person” means any natural or legal person or other entity against which economic or other sanctions have been instigated by virtue of the provisions of United Nations Security Council Resolutions or Decisions and Regulations of the EU Council.ˑ “EU” means the European Union.ˑ “Institution” means a credit or any other financial institution or any other person supervised by the Central Bank of Cyprusˑ “False positives” are positive matches to listed persons and entities for which, following investigation and assessment, it transpires that they do not relate to a designated person. “MOKAS” means the Unit for Combating Money Laundering and Terrorist Financing.ˑ “Sanctions’ Law” means the Law for the Implementation of the Provisions of the UN Security Council Resolutions (Sanctions) and the Decisions and Regulations of the Council of the European Union (Restrictive Measures) Law 58(I) of 2016ˑas amended from time to time.

4 “Terrorism Law” means the Combating of Terrorism and Protection of Victims Law of 2019 , N. 75(I)/2019 which replaced the Combating of Terrorism Law of 2010 (110(I)/2010) as amended from time to time. “True Match” means a positive match for which, following an investigation, it is assessed that the person or entity concerned is a Designated person ˑ “UN and EU Sanctions or Sanctions” means UN Security Council Resolutions (Sanctions) or Decisions and the Decisions and Regulations of the Council of the European Union (Restrictive Measures)ˑ “Sanctions lists” means relevant lists issued by the United Nations or the European Union pursuant the UNSC Resolutions/Decisions and EU Regulations/Decisions.ˑ “UN” means the United Nations.ˑ “UNSCRs” means United Nations Security Council Resolutions.

PART II GENERAL REQUIREMENTS General Requirements 5. Institutions should have a Sanctions’ Policy, outlining the principles to be followed in order to comply with the requirements of the Sanctions’ and Terrorism Laws and also the mitigation of risks arising from the sanctions risk assessment. 6. The Board of Directors and Senior Management should understand their Institution’s obligations in relation to the Sanctions’ and Terrorism Laws and have the ultimate responsibility to ensure that their Institution develops and implements an appropriate and effective sanctions compliance program, by which the risks identified in the Institution’s sanctions risk profile are managed in a manner commensurate with the magnitude and complexity of such risks. 7. An appropriate compliance program must include, as a minimum, (i) an assessment of the risks arising from sanctions vis-à-vis the client base and activities of the Institution, (ii) vulnerability to sanctions’ related risks and (iii) implementation of adequate and effective systems and controls to ensure that designated persons are promptly identified, their funds or economic resources are frozen without delay, payments are not made to or for the benefit of a designated person, financial services are not provided and reporting is undertaken in compliance with applicable regulatory requirements. 8. Adequate and appropriate resources are allocated by Senior Management in dealing with sanctions.

5 9. Senior management receives regular and accurate information of sanctioned cases identified or positive matches which could not be verified. 10. The Institutions should be able to demonstrate to the Central Bank of Cyprus that the sanctions risk assessment, their systems, controls and procedures implemented are commensurate with the risks they face. 11. Institutions’ compliance programme must incorporate the following considerations: a. The formulation and establishment of a risk assessment process b. The development of policies, procedures, systems and controls c. Screening of customers and transactions d. Investigation and reporting of a match e. Obtaining a license f. Education and Training g. Record Keeping h. Audit

PART III FORMULATION AND ESTABLISHMENT OF A SANCTIONS RISK ASSESSMENT Sanctions Risk Assessment 12. Institutions should formulate and establish a Sanctions risk assessment that: a) Identifies which part of their business could possibly be affected by Sanctions or carry a greater likelihood of Sanctions’ breaches, including the countries or geographical areas where the Institutions have a presence, the customer screening processes used as part of the KYC/CDD procedures and the product and services’ distribution channels used. b) In relation to customers, identifies and assesses risks relating to Sanctions considering relevant risk factors including the client base, customers’ activity profile, the countries or geographical areas where customers operate in or have links to, the particular products and services used and the nature of transactions carried out by customers as well as the distribution channels used to conduct business.ˑ

6 c) Adopts a holistic view of the Sanctions risk factors identified which, as a whole, determine the level of Sanctions risk associated with the Institution’s business relationships or occasional transactions. 13. Institutions should implement systems and controls to allow for effective management and mitigation of Sanctions risks, of identification and assessment of emerging Sanctions risks and, where appropriate, incorporation thereof into the Institutions’ overall risk assessment processes in a timely manner. 14. Sanctions risk assessment should be documented and approved by the Board of Directors through Senior Management. The said report should be submitted on an annual basis together with the AMLCO’s Annual Report to the Central Bank of Cyprus.

PART IV DEVELOPMENT OF POLICIES, PROCEDURES, SYSTEMS AND CONTROLS Policies, procedures, systems and controls 15. Institutions should develop appropriate policies, procedures, systems and controls, approved by Senior Management, in order to manage and mitigate Sanctions risks as identified by the Sanctions risk assessment process. 16. Policies, procedures, systems and controls must be appropriate to the Institution’s business, taking into consideration all necessary factors including: a) the nature, scale and complexity of its business; b) the diversity of its operations, including geographical diversity; c) the nature of customers’ transactions; and d) the degree of Sanctions risk associated with its operations. 17. Institutions must ensure that their policies, procedures, systems and controls remain up to date and fit for purpose. 18. Institutions must ensure that policies and procedures are communicated in a timely manner to relevant staff, including any changes thereto. 19. Policies, procedures, systems and controls must be adequately monitored and reviewed to support the Institution’s compliance with the Sanctions requirements, including mechanisms to ensure any new or

7 changes to Sanctions in force are appropriately taken into account. Such policies, procedures, systems and controls must enable Institutions to comply with the specific requirements of each UNSCR or EU Regulation/Decision, as regards their obligations in dealing with Designated persons. 20. Where Institutions maintain operations in other countries, consistent group wide policies relating to Sanctions should be applied. 21. Policies and procedures should provide that information and documentation collected in accordance with the AML/CFT Law and the Central Bank of Cyprus Directives issued for the prevention of money laundering and terrorist financing, in relation to the effective application of customer due diligence measures (“CDD”) will also be used for Sanctions purposes. 22. Copies of the identification documents collected for CDD purposes should always include the passport/ID number, issue date and country, address, as well as the date of birth of the customer allowing Institutions to establish whether a customer is or has become a Designated person. 23. Screening against UN and EU sanctions lists should include not only customers, ultimate beneficial owners, but, where possible, third related parties (i.e. directors, authorised signatories, nominees, trustees, contractors, partners, etc.). 24. Institutions’ policies and procedures should consider their screening breadth depending on the type of service provided to their customers, since Sanctions also apply to both direct and indirect payments to and payments for the benefit of Designated persons, countries, products etc. 25. Institutions’ policies and procedures should include provisions to detect and prohibit attempts to circumvent Sanctions. Circumvention of Sanctions may occur from structuring transactions with the purpose of concealing the involvement of a Designated person or from omitting, deleting or altering information in payment messages for the purpose of avoiding detection of that information by other institutions involved in the payment process.

PART V SCREENING OF CUSTOMERS AND TRANSACTIONS Screening of Customers 26. Institutions should have in place policies, procedures and systems to manage the risk of conducting business with or on behalf of or involving Designated person, including the following:

8 a) Screening prospective/new customers and related third parties (i.e. directors, beneficial owners, authorised signatories, nominees, trustees, contractors, partners, etc.) against Sanctions lists at the time of on-boarding and before providing any service or executing any transaction. b) Ongoing screening and re-screening existing customers when data changes occur (such as changes of beneficial owners, directors etc.). c) Screening the entire customer base without delay when a new UNSCR or EU Decision/Regulation is issued or when there are additions or changes to the existing Sanctions lists. d) Screening payment transactions, products and services entailing Sanctions risks on a real-time basis, to ensure that direct or indirect payments are made to or for the benefit of a Designated person. Transaction screening should involve screening of payment information to identify any potential Sanctions violation. e) Screening the entire customer base for complying with ad-hoc requests by the Central Bank of Cyprus. f) Maintaining an audit trail of screening. 27. Institutions are responsible for ensuring that Sanctions lists against which screening is conducted are up-to-date and robust at all times, irrespective of the use of subscription to electronic services offered by commercial databases. 28. Institutions may rely on manual screening or use automated customer screening system, depending on the nature, size and risk profile of their business. 29. Where an automated electronic screening system is used, Institutions must be in a position to demonstrate thorough understanding of the systems’ capabilities along with its limitations and should be able to show how such systems are effective and appropriate to the Institutions business requirements and Sanctions risk profile. 30. Institutions should keep calibration of automated systems under regular review to ensure their effectiveness at all times and should be satisfied that they have adequate contingency arrangements should the software fail.

9 PART VI INVESTIGATION AND REPORTING OF A MATCH Investigations and Reporting of Matches 31. Institutions should have in place procedures and controls for investigating whether a positive match is a “true match” or “false positive” as defined in this Directive. 32. In case there is a positive match, Institutions must take reasonable and appropriate measures to validate the accuracy of the match and to determine whether the person or entity identified is Designated person, thereby determining whether the positive match is a “true match” or a ‘false positive’. 33. When Institutions are satisfied that the positive match is a “true match”, then, depending on the case, should take appropriate actions such as refraining from entering into a business relationship in the case of a potential customer, or freezing the customer’s funds or economic resources without delay or aborting a financial transaction, or provision of financial assistance or service, as prescribed by the relevant UNSCR/ EU Regulations/Decisions and inform the Central Bank of Cyprus accordingly. 34. Institutions should have clear reporting processes for reporting true matches to the Central Bank of Cyprus, or when a request is initiated by the Central Bank of Cyprus, as soon as practicable. 35. Institutions’ reporting processes should include, inter-alia, the requirement to report to the Central Bank of Cyprus the following information: a. Information on which knowledge or belief is based that a true match was identified. b. Information and data held by the Institution about the designated person identified by a true match. c. The nature and amount of funds or economic resources held in the name of the Designated person. 36. In case there is a true match in relation to terrorism related sanctions and there is a suspicion for terrorism financing, a suspicious report should also be submitted to MOKAS, adhering to all relevant requirements of the AML/CFT Law. 37. Institutions shall report to the Central Bank of Cyprus by 31st January every year all names of persons for whom they maintain funds or other economic resources, who are themselves or are connected with persons designated under the relevant UNSCR or EU Regulation/Decision and the outstanding balances of all frozen accounts/transactions. 38. Institutions shall report to the Central Bank of Cyprus any exceptions/licenses granted by the Advisory Body on Financial Sanctions

10 (SEOK) or the Unit for the Implementation of Sanctions in the Financial Sector (MEK)

PART VII EXEMPTIONS AND PERMISSIBLE OPERATIONS Obtaining a license or exemption 39. In the case of UNSCRs or EU Regulations/Decisions where certain activities involving designated persons are permitted, when Institutions are called to obtain required licenses in order to be engaged in such activities or to rely on an exemption to the application of Sanctions, they should apply to the competent authorities of the Republic. The Central Bank of Cyprus shall communicate the contact details of these competent authorities.

PART VIII EDUCATION AND TRAINING Education and Training 40. Institutions should establish adequate and appropriate policies and procedures to make their relevant employees aware with regard to a. Sanctions obligations b. related policies and procedures 41. Staff training can be carried out separately or alongside AML/CFT training. 42. Training should be tailored to the working needs of different groups of staff. The time and content of staff training of different units should be adapted to the needs of each Institution. Furthermore, the frequency of education/training may vary depending on factors such as amendments to the legislative requirements or changes to staff duties and staff rotation. 43. Institutions should ensure that the Board of Directors and Senior Management are adequately educated on Sanctions and Sanctions risks. 44. The AMLCO is required to evaluate the adequacy of seminars and training provided to staff members and to maintain detailed records regarding the seminars/programmes offered to staff members, including attendance information, and inform Senior Management in case weaknesses are identified in the implementation of the training programme with a view to rectifying such weaknesses.

11

PART IX RECORD KEEPING Maintenance of records 45. Without prejudice to the AML/CFT Law, Institutions should keep Sanctions related information and documents for a period of 5 years, for the purpose of complying with the Sanctions’ Law, allowing them to produce an audit trail of the actions taken in relation to Sanctions. This should also include documents and information in relation to positive matches, investigations and outcome thereof and final decisions taken.

PART X INTERNAL AUDIT Internal Audit 46. Institutions’ internal audit function should assess the adequacy and effectiveness of the policies, procedures, systems and controls put in place to ensure that Designated persons are promptly identified and UNSCRs and EU Regulations/Decisions are implemented without delay including the freezing of funds or other economic resources, and related reporting undertaken in compliance with applicable regulatory requirements. 47. Internal auditors must ultimately report to the Board of Directors and inform Senior Management about audit findings.

PART XI SUPERVISION Examination and submission of data 48. Any persons supervised by the Central Bank of Cyprus shall make available to, when so requested, the Central Bank of Cyprus any documents, records, files in electronic and paper form as well as any other relevant information for the purposes of assessing the degree of compliance with the Sanctions’ Law and the Central Bank of Cyprus present Directive and relevant Guidelines. In case that any Institution or person under the supervision of the Central Bank of Cyprus refuses to comply with the Central Bank of Cyprus request to provide the said information within a specified deadline or in case that person or Institution refuses to provide the requested information or provide insufficient,

12 deficient, false or forged information, the Central Bank of Cyprus has the power to take all and any of the measures mentioned in article 3(2) of the Sanctions’ Law. 49. In order to verify the compliance of persons under its supervision, the Central Bank of Cyprus may carry out inspections, request and collect information, enter the premises of the supervised persons and inspect documents, records and accounts and any data stored electronically or in paper form and to receive copies or extracts of such data. 50. The Central Bank of Cyprus may request persons under its supervision, whenever deemed necessary, to: (a) check their records in order to identify whether they maintain or have maintained in the past any accounts/balances or hold any funds or other economic resources for Designated persons, (b) freeze such accounts, and other related funds or assets as provided by UNSCRs and EU Regulations/Decisions without delay and (c) provide spontaneously relevant information to the Central Bank of Cyprus in relation to points (a) and (b) above in case they become aware of such relationships.

PART XII ENFORCEMENT Supervisory measures 51. Section 3(2) of the Sanctions’ Law provides, inter-alia, that the Central Bank of Cyprus may take those measures provided for in section 59(6) of the AML/CFT Law where a person subject to its supervision fails to comply with the provisions of the present Directive. 52. Additionally, in accordance with section 6 of the Sanctions’ Law if the Central Bank of Cyprus finds that a person is carrying out any act in breach of any of the provisions of the UNSCRs or the EU Regulations/Decisions, it reports the infringement to the Police for a relevant investigation. 53. Section 24(2) of Law 75(I)/2019 provides that supervisory authorities as recognised by the AML/CFT Law may take all measures listed in section 59(6) of the AML/CFT Law in case that a person under their supervision fails to comply with section 1 of the said Law.