Central Bank of Cyprus AML Directive

Preface

(i) Cyprus enacted the appropriate legislation and has taken effective regulatory and other measures by putting in place suitable mechanisms for the prevention and suppression of money laundering and terrorist financing activities. Moreover, Cyprus is committed to applying all the requirements of international treaties and standards in this area and, specifically, those deriving from the European Union Directives.

(ii) In 1992, Cyprus enacted the first Law by which money laundering deriving from drug trafficking was criminalised. In 1996 Cyprus enacted “The Prevention and Suppression of Money Laundering Activities Law” defining and criminalising money laundering deriving from all serious criminal offences.

The Law recognised the important role of the financial sector in the prevention and forestalling of money laundering activities and contained special provisions for measures and procedures that persons involved in financial business should put in place to that effect. The Law was subsequently amended to adopt new international initiatives and standards in the area of money laundering, including the 2nd European Union Directive for the prevention of the use of the financial system for the purpose of money laundering (Directive 91/308/EEC).

(iii) The Law designated the Central Bank of Cyprus as the competent supervisory authority for persons engaged in banking activities and assigned to it the responsibility of supervising and monitoring the compliance of banks with the provisions of the Law with the aim of preventing the use of the services provided by banks for money laundering.

(iv) On 13/12/2007 the House of Representatives enacted “The Prevention and Suppression of Money Laundering Activities Law” (hereinafter to be referred to as “the Law”) by which the former Laws on the prevention and suppression of money laundering activities of 1996-2004 were consolidated, revised and repealed.

Under the current Law, which came into force on 1 January 2008, the Cyprus legislation was harmonised with the Third European Union Directive on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (Directive 2005/60/EC), hereinafter to be referred to as the “European Union Directive”. The Basic Law and its subsequent amendments (i.e. 58(I)/2010, 80(I)/2012, 192(I)/2012 and 101(I)/2013) are available at the webpage of the Central Bank of Cyprus, http://www.centralbank.gov.cy.

CENTRAL BANK OF CYPRUS EUROSYSTEM
Central Bank of Cyprus’s Directive – December 2013

(v) From 1989 up to 1996, the Central Bank of Cyprus issued several circulars to the banks operating in Cyprus, recommending the introduction of specific measures against the use of the financial system for the purpose of money laundering. As from 1997, the Central Bank of Cyprus, exercising its powers emanating from the Law enacted in 1996, proceeded with the issue of a series of Directives to all banks in Cyprus prescribing the practices and procedures that banks should adopt so as to comply with the requirements of the Law for the implementation of preventive measures against money laundering activities.

(vi) The present Central Bank of Cyprus’ Directive (Fourth Edition) (hereinafter to be referred to as “the Directive”) is issued to all credit institutions in accordance with Article 59(4) of the Prevention and Suppression of Money Laundering Activities Laws of 2007 to 2013, and aims at laying down the specific policy, procedures and control systems that all credit institutions should implement for the effective prevention of money laundering and terrorist financing so as to achieve full compliance with the requirements of the Law.

It is emphasized that the Law explicitly states that Directives are binding and compulsory to all persons to whom they are addressed. Furthermore, the Law assigns to the supervisory authorities, including the Central Bank of Cyprus, the duty of monitoring, evaluating and supervising the implementation of the Law and of the Directives issued to the supervised entities.

1. INTERNAL CONTROL PROCEDURES AND RISK MANAGEMENT

1.1 Obligation to establish procedures

The Law, Article 58

1. Article 58 of the Law requires all persons carrying on financial or other business to establish adequate and appropriate systems and procedures, inter alia, for the following:

(i) internal control, risk assessment and risk management in order to forestall and prevent money laundering and terrorist financing, and

(ii) the detailed examination of any transaction which by nature may be considered to be particularly vulnerable to be associated with money laundering or terrorist financing, and in particular, complex and unusually large transactions and all unusual patterns of transactions which have no apparent economic or clear lawful purpose.

2. The Board of Directors, the credit institution’s Senior Management and, in the cases of branches of foreign banks operating in Cyprus, the Manager of the Cyprus branch, are responsible for ensuring the implementation of the requirements of the Law and this Directive and the introduction of appropriate systems and internal control procedures for the identification, evaluation, monitoring and effective management of the risks emanating from money laundering or terrorist financing activities according to the nature, size and complexity of their operations.

3. Effective procedures for the prevention of money laundering and terrorist financing include appropriate management oversight, systems and controls, segregation of duties, education and other relevant practices.

4. The Central Bank of Cyprus’ “Directive on a Framework of Principles of Operation and Criteria of Assessment of Banks’ Organisational Structure, Internal Governance and Internal Control Systems” issued in May, 2006, and its subsequent amendments requires that credit institutions whose shares are listed on the Stock Exchange or operate branches and/or subsidiaries abroad and whose total off balance sheet and on balance sheet assets exceeds 2 bn EUR set up a Compliance Unit which is administratively independent from other units whose responsibilities include risk management, executive or audit responsibilities, e.g. Risk Management Unit, Internal Audit Unit and Legal Unit of the credit institution. The aforementioned Directive, amongst others, provides that the Compliance Unit of a credit institution or its Risk Management Unit (where no Compliance Unit has been set up) establishes and applies suitable procedures for the purpose of achieving a timely and on-going compliance of the credit institution with the applicable supervisory and regulatory framework relating to the prevention of the use of the financial system for the purposes of money laundering and financing of terrorism. In this respect, the Money Laundering Compliance Officer appointed under Article 69 of the Law should organizationally belong to the Compliance Unit or, where such unit has not been established, to the Risk Management Unit.

5. The Money Laundering Compliance Officer (“MLCO”) should be appointed by the credit institution’s Board, after having obtained the consent of the Central Bank of Cyprus which reserves the right to request his/her substitution if, in its opinion, he/she is not “fit and proper”, as laid down in Article 69(1) of the Law, to discharge his/her duties. It should be noted that the MLCO could be the same person as the Head of Compliance Unit.

6. The MLCO of branches of foreign banks operating in Cyprus report directly to the local manager and the Senior Management of the bank’s Head Office at its country of origin.

The Law, Articles 59(6)(a)(iv) & (v)

7. According to Article 59(6)(a)(iv) and (v) the Central Bank of Cyprus may, inter alia, request the cessation or removal from his position of any director, manager or official, including the MLCO and the Head of Internal Audit and Compliance Units, in the event of infringement due to his own fault, willful omission or negligence. In addition, it may impose an administrative fine as specified in Article 59(6)(ii) of the Law to a director, manager or official or any other person, in the event of infringement due to his own fault, willful omission or negligence.

8. The Central Bank of Cyprus requires credit institutions to apply the following measures and procedures:

(i) The Board of Directors determines, records and approves the general policy principles of the credit institution for the prevention of money laundering and terrorist financing which are subsequently communicated to the Senior Management and the MLCO.

(ii) In the case where a credit institution operates branches or subsidiaries in a third country, it has to put in place a Group policy (See Section 9 of this Directive).

(iii) The credit institution’s Senior Management should be aware of the degree of risk of money laundering and terrorist financing that the credit institution is exposed to and whether all the necessary measures for their management and mitigation have been implemented. Consequently, the MLCO has the responsibility to draft and submit to the Board through the Senior Management a brief report recording and evaluating all money laundering and terrorist financing potential risks (having in mind the areas of operation of the credit institution, the development of new products and services, the customer acceptance policy, expansion to new markets/countries, the complexity of legal persons’ ownership structure, ways to attract customers, etc.), the measures that have been taken for their management and mitigation as well as the monitoring mechanisms for the appropriate and effective operation of internal regulations, procedures and controls (See Section 3 of this Directive).

(iv) The MLCO has the responsibility in cooperation with other departments of the credit institution (e.g. the Organisation and Methods Unit) for the design of the internal practices, procedures and controls, as well as the description and explicit allocation of competence and limits of responsibility of each unit that is involved in the prevention of money laundering and terrorist financing. In this connection, a risk management and procedures manual should be prepared, which after being approved by the credit institution’s Senior Management, should be communicated to the executives and all the employees that manage, monitor or control in any way the customers’ accounts and transactions and have the responsibility for the application of the policy, procedures and controls that have been determined.

The risk management and procedures manual covers, inter alia, the credit institution’s customer acceptance policy, the procedures for establishing a business relationship, executing one-off transactions, opening of accounts and customer due diligence, including the documents and information that is required for the establishment of a business relationship and execution of transactions, the procedures for the on-going monitoring of accounts and transactions, as well as, the procedures and controls for the identification of unusual and suspicious transactions and their internal reporting to the MLCO.

The manual is assessed on a periodic basis and reviewed when deficiencies are found or when the need arises to adapt the credit institution’s procedures for the effective management of the risks emanating from money laundering and terrorist financing. It should be noted that any reviews of the manual should be approved by the Senior Management.

(v) Explicit responsibilities and duties are allocated to the credit institution’s staff so as to secure the effective management of policy, procedures and controls for the prevention of money laundering and terrorist financing and achieving compliance with the requirements of the Central Bank of Cyprus’ Directives and the Law.

(vi) The MLCO, the Alternate MLCO, the Assistant Money Laundering Compliance Officers and other members of staff who have been assigned with the duty of implementing the adopted procedures for the prevention of money laundering and terrorist financing, have full and timely access to all information concerning customers’ identity, transactions’ records and other relevant files and information maintained by the credit institution so as to be fully facilitated in the effective discharge of their duties.

(vii) All employees are made aware of the person appointed as MLCO (as well as his alternate) to whom they should report any information concerning transactions and activities for which they have knowledge or suspicion that might be related to money laundering and terrorist financing activities.

(viii) There is a clear and concise reporting chain, explicitly prescribed in the risk management and procedures manual by which information regarding suspicious transactions is passed without delay to the MLCO, either directly or through his Assistants;

(ix) Explicit policy and procedures are applied and measures are taken for preventing the abuse of new technologies and systems of providing banking services and effecting banking transactions for the purpose of money laundering and terrorist financing (e.g. services and transactions via the internet, telephone or via the Automatic Teller Machines or other modern telecommunication devices).

(x) Appropriate measures are applied so that the risk of money laundering and terrorist financing is appropriately considered and managed in the course of daily activities of the credit institution with regard to the development of new products and possible changes in the credit institution’s business profile (i.e. penetration of new markets with the opening of branches/subsidiaries in new countries/regions).

It is noted that the Central Bank of Cyprus’s Directive on the “Framework of principles of operation and criteria of assessment of banks’ organisational structure, internal governance and internal control systems” issued to banks in May 2006 and as subsequently amended, requires the participation, in an advisory capacity, of the Compliance Unit in the planning of new products and procedures, in matters that call for an operational decision, as well as for the assessment of operational risk which may result from a major development (merger, acquisition, etc.), so that the necessary control and risk management mechanisms which will ensure compatibility with the existing rules are established and pursued.

(xi) The Senior Management of the credit institution ensures that the MLCO has sufficient resources, including competent staff and technological equipment, for the effective discharge of his/her duties.

(xii) The Internal Audit Unit reviews and evaluates, on an annual basis, the effectiveness and adequacy of the policy, procedures and controls applied by the credit institution for preventing money laundering and terrorist financing and verifies the level of compliance with the provisions of the Central Bank of Cyprus’ Directive and the Law. Findings and observations of the internal auditor are submitted to the Board of Directors’ Audit Committee and are notified to the Senior Management and the MLCO of the credit institution who take the necessary measures to ensure the rectification of any weaknesses and omissions which have been detected by the internal auditor.

The internal auditor monitors, on an ongoing basis, through progress reports or other means, the implementation of his recommendations.

(xiii) Credit institutions apply explicit procedures and standards of recruitment and evaluation of new employees’ integrity.

1.2 Customer Acceptance Policy

9. Credit institutions should develop and establish a clear policy and procedures for accepting new customers, fully in line with the provisions of the Law and the requirements of this Directive. The said policy should be prepared after detailed assessment of the risks faced by each credit institution from its customers and/or their transactions and/or their countries of origin or operations (See Section 3 of this Directive).

10. The MLCO prepares the customer acceptance policy and submits it through the credit institution’s Senior Management to the Board of Directors for consideration and approval. Once it has been approved, the said policy is communicated to all staff members.

11. The said policy should set in an explicit manner the criteria for accepting new customers, the types of customers who do not meet the said criteria and are not, therefore, acceptable for entering into a business relationship and should prescribe the categories of customers that should be designated as being of high risk. Due consideration should be given to complex business structures, and the risks that such entities may accumulate, in determining the credit institution’s risk appetite and customer acceptance policy and enhanced measures should be required to effectively monitor and mitigate such risks.

The said policy should also determine the conditions and related procedures under which a customer relationship should be terminated. The description of the types of customers that are not acceptable for entering into a business relationship and the categories of high risk customers should take into account factors such as their background, type and nature of their business activities, their country of origin, anticipated level and nature of business transactions as well as the expected source and origin of funds. The customer acceptance policy and related procedures should provide for enhanced due diligence for the categories of high risk customers as prescribed in the Law, this Directive (see Section 4.14.2) as well as those customers that the credit institution itself has classified as high risk on the basis of its adopted policy.

2. THE ROLE OF THE MONEY LAUNDERING COMPLIANCE OFFICER

2.1 Appointment of a Money Laundering Compliance Officer (“MLCO”)

The Law, Article 69(1)

12. Article 69(1) of the Law requires persons carrying out financial and other business activities to apply the following internal reporting procedures:

(i) appoint a senior staff member who has the skills, knowledge and expertise in financial or other activities, as the case may be, known as the MLCO to whom a report is to be made about any information or other matter which comes to the attention of the person handling financial or other business and which, in the opinion of the person handling that business, proves or creates suspicions that another person is engaged in money laundering or terrorist financing;

(ii) require that any such report be considered in the light of all other relevant information by the MLCO, for the purpose of determining whether or not the information or other matter set out in the report proves this fact or creates such suspicion;

(iii) allow the MLCO to have access to any information, records and details which may be of assistance to him/her and which is available to the person carrying out financial or other business activities; and

(iv) ensure that the information or other matter contained in the report is transmitted to the Unit for Combating Money Laundering (“MOKAS”) where the person who has considered the report under the above procedures ascertains or has reasonable suspicions that another person is engaged in a money laundering offence or terrorist financing or the transaction might be related to such activities.

Furthermore, the Law explicitly provides that the obligation to report to MOKAS includes also the attempt to execute such suspicious transactions.

13. The MLCO should be appointed by the Board, after having obtained the consent of the Central Bank of Cyprus which reserves the right to request his/her substitution if, in its opinion, he/she is no longer “fit and proper”, as laid down in Article 69(1) of the Law, to discharge his/her duties. In this connection, the person who has been nominated for appointment to the position of the MLCO should complete the Individual Questionnaire, found in Appendix 1, which includes information regarding the person’s career, including the qualifications held and work experience, as well as details of any sanctions or criminal convictions against the person. The said person should act independently and autonomously to perform the above duties, and depending on the organizational structure of the credit institution, should possess the appropriate seniority so as to command the necessary authority.

14. Additionally, the credit institution should also appoint an Alternate MLCO who should replace the MLCO in case of absence. Where it is deemed necessary due to the volume and/or the geographic spread of the credit institution’s operations, credit institutions may appoint Assistant MLCOs by division, district or otherwise for the purpose of assisting the MLCO and immediately forwarding internal suspicion reports to the MLCO. In light of the aforesaid, credit institutions should communicate to the Central Bank of Cyprus, within ten days from the date of the appointment of the Alternate MLCO, his name, position and contact details.

The Law, Article 68d(1)

15. Article 68d(1) of the Law requires that every financial group (as specified in Article 68d(2)(a)) appoints a manager from the company of the group which has been incorporated in the Republic and holds the biggest amount of total assets among the companies of the group which have been incorporated in the Republic, as a coordinator, for ensuring the implementation by all the companies of the financial group, including their branches abroad, which are engaged in financial activities, of adequate and appropriate systems and procedures for the effective prevention of money laundering and terrorist financing offenses.

2.2 Duties of the Money Laundering Compliance Officer

16. The role and responsibilities of the MLCO, the Alternate MLCO, as well as those of his Assistants, should be clearly specified by credit institutions and documented in the risk management and procedures manual for the prevention of money laundering and terrorist financing.

17. Furthermore, the Compliance Unit or, where it does not exist, the MLCO should maintain a procedures manual for all his tasks/responsibilities.

18. As a minimum, the duties of the MLCO should include the following:

(i) The MLCO has the responsibility to record and assess on an annual basis all risks arising from existing and new customers, products and services as well as the measures or changes to the systems and procedures implemented by the credit institution for the effective management of the aforesaid risks.

The said report should be submitted to the Board of Directors through the Senior Management for consideration and approval. A copy of the said report should be submitted to the Central Bank of Cyprus together with the MLCO’s annual report. In addition to the aforementioned annual briefing of the Senior Management by the MLCO on the risks facing the credit institution, the MLCO is obliged to keep the Senior Management informed of any differentiation of those risks on an on-going basis.

(ii) The MLCO prepares the Customer Acceptance Policy which is submitted through the Senior Management of the credit institution to the Board of Directors for consideration and approval.

(iii) The MLCO has the primary responsibility for the preparation of the credit institution’s risk management and procedures manual for the prevention of money laundering and terrorist financing.

The manual is assessed on a periodic basis and reviewed when deficiencies are found or when the need arises to adapt the credit institution’s procedures for the effective management of the risks emanating from money laundering and terrorist financing.

(iv) Without prejudice to the obligations of the Compliance Unit, as set out in paragraph 3 above, the MLCO monitors and assesses whether the policy, procedures and controls that have been introduced for the prevention of money laundering and terrorist financing are correctly and effectively applied. In this regard, the MLCO should apply appropriate monitoring mechanisms (e.g. on-site visits to units/branches) which will provide him/her with all necessary information for assessing the level of compliance of the units/branches of the credit institution with the procedures and controls currently in force. In the event that the MLCO identifies shortcomings and/or weaknesses in the application of the requisite procedures and controls, he/she should give appropriate guidance for corrective measures.

(v) The MLCO receives any information from the credit institution’s employees which is considered by the latter to be knowledge or suspicion of money laundering or terrorist financing activities or might be related with such activities in the form of an internal report. A specimen of such an internal report (hereinafter to be referred to as “Internal Money Laundering Suspicion Report”) is attached, as Appendix 2, to this Directive. All such reports should be registered and kept on a separate file.

(vi) The MLCO evaluates and investigates the information received as per paragraph (v), citing other available sources of information, the discussion of the case with the reporting employee and, where appropriate, with the employee’s superior(s). The evaluation of the information reported to the MLCO should be made on a separate form which should be registered and retained on file.

A specimen of such a report (hereinafter to be referred to as “Money Laundering Compliance Officer’s Internal Evaluation Report”) is attached, as Appendix 3, to this Directive.

(vii) If, following the evaluation described in paragraph (vi) above, the MLCO decides to notify the Unit for Combating Money Laundering (MOKAS), then he/she should complete a written report and submit it to MOKAS as soon as possible. A specimen of such a report (hereinafter to be referred to as “Money Laundering Compliance Officer’s Report to the Unit for Combating Money Laundering”) is attached, as Appendix 4, to this Directive. All such reports should be registered and kept on a separate file.

(viii) After the submission of the MLCO’s report to MOKAS, the transactions of the customer(s) involved are monitored by the MLCO.

(ix) If, following the evaluation described in paragraph (vi) above, the MLCO decides not to notify MOKAS, then he/she should fully explain the reasons for such a decision on the “Money Laundering Compliance Officer’s Internal Evaluation Report” which should, as already stated, be registered and retained on file.

(x) The MLCO maintains a registry with statistical information (e.g. district and branch/unit maintaining the customer(s) account(s), date of submission of the internal report, date of assessment, date of reporting to MOKAS) in relation to the Internal Money Laundering Suspicious Reports and the MLCO’s reports to MOKAS.

(xi) The MLCO acts as a first point of contact with MOKAS, upon commencement of and during an investigation as a result of filing a report to MOKAS under (vii) above.

(xii) The MLCO responds to requests from MOKAS and provides all the supplementary information requested and fully co-operates with MOKAS.

(xiii) The MLCO ensures that all branches and subsidiaries of the credit institution in non-EU countries have taken all necessary measures for achieving full compliance with the provisions of this Directive in relation to customer identification, due diligence and record keeping procedures.

(xiv) The MLCO must cooperate, coordinate and exchange information with the other MLCOs of the group.

(xv) The MLCO is generally responsible for the timely and correct submission to the Central Bank of Cyprus of the prudential reports referred to in Section 10 of this Directive and for providing the necessary explanations to the employees responsible for the preparation of the aforesaid returns.

The MLCO responds promptly to any queries or clarifications requested by the Central Bank of Cyprus in relation to information contained in the aforesaid returns.

(xvi) The MLCO is responsible for examining and deciding on the applications for accepting cash deposits in foreign currency notes (referred to in Section 5.2 of this Directive) submitted in writing by the responsible officials of the branches/units of the credit institution where the related customers’ accounts are maintained.

Copies of the applications submitted together with his/her decision must be kept by the MLCO on a separate file as well as the file of the customer concerned.

(xvii) The MLCO keeps records with the full details of customers or group of connected customers (name, address, account number(s), branch(es) maintaining the account(s)) for which he/she has given his/her written approval for a one-off cash deposit or a series of cash deposits in foreign currency notes on a continuous and regular basis.

In this respect, the MLCO must keep separate records for customers who are involved in: (i) one-off cash deposits, and (ii) cash deposits on a continuous and regular basis.

(xviii) The MLCO maintains a register of all cases of persons (prospective customers) for which the credit institution declined the establishment of business relationship.

(xix) The MLCO responds to all requests and queries from the Central Bank of Cyprus and provides all requested information and co-operates fully with the Central Bank of Cyprus.

(xx) The MLCO, the Alternate MLCO and the Assistant MLCOs acquire the requisite knowledge and skills for the implementation of appropriate internal procedures for recognising, preventing and reporting transactions/activities suspected to be associated with money laundering or terrorist financing.

(xxi) The MLCO provides advice and guidance to the employees of the credit institution on the correct implementation of procedures and controls to prevent money laundering and terrorist financing.

(xxii) The MLCO determines which of the credit institution’s