2024-08-07 | C655

The Cyprus Securities and Exchange Commission issued Circular C655 to communicate the results of its 2022 risk-based assessment of Anti-Money Laundering and Terrorist Financing reports submitted by regulated entities. The regulator identified recurring deficiencies in the analytical depth of Compliance Officers' reports, the scope of Internal Audit reviews, and the timeliness of submissions, requiring immediate corrective actions. Entities are mandated to address these weaknesses in future reporting cycles to avoid strict administrative sanctions for non-compliance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law.

To: Regulated Entities:
i. Crypto Asset Service Providers (‘CASPs’)
ii. Cyprus Investment Firms (‘CIFs’)
iii. Administrative Service Providers (‘ASPs’)
iv. UCITS Management Companies (‘UCITS MC’)
v. Self-Managed UCITS (‘SM UCITS’)
vi. Alternative Investment Fund Managers (‘AIFMs’)
vii. Self-Managed Alternative Investment Funds (‘SM AIFs’)
viii. Self-Managed Alternative Investment Funds with Limited Number of Persons (‘SM AIFLNP’)
ix. Companies with sole purpose the management of AIFLNPs
x. Small Alternative Investment Fund Managers (‘Small AIFMs’)

From: Cyprus Securities and Exchange Commission
Date: 6 August 2024
Circular No.: C655
Subject: Findings of the assessment of Compliance Officers’ Annual Reports and Internal Audit Reports on the prevention of money laundering and terrorist financing, for the year 2022

The Cyprus Securities and Exchange Commission (‘CySEC’) wishes, with this circular, to inform the Regulated Entities of the following:

In carrying out these assessment reviews, CySEC evaluated the Regulated Entities’ adherence to the requirements set out in the Law and Directive and to instructions/guidance set out in the following Circulars:

i. Circular C033 on the Content of the Compliance Officer’s Annual Report on the prevention of money laundering and terrorist financing (‘the Circular C033’),
ii. Circular C186 regarding the Executive Summary in the Compliance Officer’s Annual Report and the Internal Audit Report on the prevention of money laundering and terrorist financing (the ‘Circular C186’); and
iii. Circular C191 regarding regulated entities’ compliance with reporting and other obligations (the ‘Circular C191’).

2. CySEC sets out some commonly identified weaknesses and deficiencies, and wishes to remind the Regulated Entities to take immediate corrective actions:

A. In relation to the content of the Compliance Officers’ Annual Reports on the prevention of money laundering and terrorist financing and the relevant BoD minutes submitted by CIFs, ASPs, Internally Managed Investment Funds and External Investment Fund Managers, as well as CASPs, the CySEC found that:

i. In some cases, there was not sufficient analysis of the specific method by which the inspections and reviews were performed by the Compliance Officer, to determine the degree of compliance of the Regulated Entity in the policy, practices, measures, procedures and controls applied for the prevention of ML/TF. Particularly, it was observed that the information provided in the Compliance Officers’ Annual Reports is merely the result of the inspections and reviews performed with no reference to the method of the inspections and reviews that were conducted.
Additionally, in some cases, there was inadequate analytical reference to the inspections and reviews performed by the Compliance Officer in relation to the content and the method/way of conduct of these inspections and reviews for the implementation of the financial sanctions imposed by the United Nations and the European Union. Furthermore, in a number of cases it was noted that the sample of customers selected for inspection from each customer risk category was not proportionate to the total number of customers of each risk category and there was no justification or explanation of the sample size and/or proportionalities per risk category applied. Moreover, the methodology should include the sample specifics of customers tested, the timing of the inspections and reviews performed, specific audit tests and any findings that were identified. (Paragraph 10(4)(b)(i) of the Directive and point 2 of Appendix 1 of the Circular C033).

ii. The results of the inspections and reviews conducted, as per point 2Ai. above, on some occasions, included a general overview rather than a detailed description of the significant deficiencies and weaknesses identified in the measures, procedures and controls being applied by the Regulated Entities for the prevention of ML/TF. On the same note, the seriousness of the deficiencies or weaknesses was not sufficiently noted, as well as the risk implications, the actions taken, and the recommendations made for rectifying the situations and timeframe for implementation. (Paragraph 10(4)(b)(ii) of the Directive and point 2 of Appendix 1 of the Circular C033).

iii. In addition, on some occasions, information about the number, country of origin and type of high-risk customer with whom a business relationship is established, or an occasional transaction executed along with comparative data from the previous year, was not always provided in the reports (Paragraph 10(4)(g) of the Directive and point 6 of Appendix 1 of the Circular C033).

iv. In a number of cases, the information provided in the Compliance Officers’ Annual Reports about the systems and procedures applied by Regulated Entities for the ongoing monitoring of customers’ accounts, particularly how transactions are compared to data and information kept in their economic profile, was not always adequate. Analysis of the methods (automated or non-automated) used for the ongoing monitoring of customers’ accounts and transactions, details for any variation of the ongoing monitoring of customers’ accounts and transactions according to the customer’s categorization on a risk based approach, details of the timing of the ongoing monitoring of customers’ accounts and transactions (e.g. in real time or after the completion of an event) and the method used for documenting the ongoing monitoring of customers’ accounts and transactions (e.g. preparing a memo describing all relative actions and recording it in the customer’s file) were not sufficient. (Paragraph 10(4)(h) of the Directive and point 7 of Appendix 1 of the Circular C033).

v. Some Compliance Officers’ Annual Reports that were submitted by external Investment fund managers provide only consolidated information for all funds under management in relation to points iii and iv above, instead of a detailed analysis that is required for each fund under management (AIF and RAIF).

vi. Some Compliance Officers’ Annual Reports did not include sufficient information on the next year’s training program which is recommended to be attended by the Regulated Entity’s Compliance Officer and the rest of the staff (Paragraph 10(4)(k) of the Directive and point 9(iv) of Appendix 1 of the Circular C033).

vii. In some cases, Compliance Officers’ Annual Reports submitted by internally managed Investment Funds and external Investment Fund Managers stated that since they were not operational during the assessed period, no information was provided in the said reports. However, it should be reminded that according to point 4 of Circular C191, ‘the CySEC expects that the reports, even if they relate to a period during which the Regulated Entities were not operational, will contain the minimum required information requested by the CySEC and/or the European Regulation.’

viii. In some instances, the Compliance Officers’ Annual Reports did not include sufficient information on the organisational structure of the Compliance Officer’s Department and the duties of its staff. (Paragraph 10(4)(n) of the Directive and point 10(iii), (iv) of Appendix 1 of the Circular C033).

ix. On some occasions, the BoD minutes accompanying the Compliance Officers’ Annual Reports did not include the implementation timeframe of the measures decided for the correction of any weaknesses and/or deficiencies identified in the relevant reports while the submission of the Compliance Officers’ Annual Reports and the relevant BoD minutes was not within the timeframes provided in paragraph 10(3) of the Directive.

B. In relation to the assessment of the Internal Audit Reports on the prevention of money laundering and terrorist financing and the relevant BoD minutes submitted by CIFs, ASPs, Internally Managed Investment Funds and External Investment Fund Managers, the CySEC found that:

i. In some cases, the Internal Audit Reports submitted by ASPs which have branches and subsidiaries established in countries outside the EEA, did not include findings and observations from the reviews and evaluations performed in relation to the appropriateness, effectiveness and adequacy of the policy, practices, measures, procedures and control mechanisms applied by their branches and subsidiaries, for the prevention of money laundering and terrorist financing.

ii. On some occasions, the submission of the Internal Audit Reports and the relevant BoD minutes by CIFs, ASPs, Internally Managed Investment Funds and External Investment Fund Managers was not within the timeframes provided in paragraph 6 of the Directive.

3. Considering the above findings, Regulated Entities should ensure the following obligations are upheld in accordance with the Law and the Directive and the relevant guidance given in the abovementioned CySEC’s circulars:

• The Compliance Officer’s obligation for the correct preparation of the Annual Report and the sufficient assessment of the level of compliance of the regulated entity in relation to the prevention of money laundering and terrorist financing.
• The Internal Auditor’s obligation for the correct preparation of the Internal Audit Report and a sufficient review and evaluation of the appropriateness, effectiveness and adequacy of the policy, practices, measures, procedures and control mechanisms applied by the regulated entity for the prevention of money laundering and terrorist financing.
• The regulated entity’s BoD obligation for the sufficient assessment and approval of the Annual Report and the Internal Audit Report and taking all appropriate measures for the correction of any weaknesses and/or deficiencies identified as well as the implementation timeframe of these measures.
• The regulated entity’s BoD obligation to ensure the overall implementation of all requirements of the Law and the Directive as well as to ensure that appropriate, effective and sufficient systems and controls are introduced for achieving the abovementioned requirement.

4. Regulated entities should be aware that common and recurring weaknesses and deficiencies will be the subject of rigorous compliance checks by the CySEC.

5. CySEC expects that all Regulated Entities consider the above-mentioned findings when preparing the Reports for the calendar year 2023 and onwards, to ensure full compliance with the Law and the Directive. It is stressed that the Law provides strict administrative sanctions in case of non-compliance with the requirements of the Law and the Directive, which CySEC will not hesitate to use.

Sincerely,
Panikkos Vakkou
Vice Chairman, Cyprus Securities and Exchange Commission