Materiality and vulnerability of the banking sector
Cyprus has become an international business centre mainly due to its tax system, its strategic geographical location and its advanced professional services sector. The fact that foreign investors find Cyprus an attractive location for their investments and for the establishment of their business has led to the development of the Cyprus economy, and especially of the banking sector. Nevertheless, it has also exposed the industry to greater money laundering (“ML”) and terrorist financing (“TF”) risks.
Cyprus conducted the National ML/TF Risk Assessment in 2018 (the “NRA”), which will be conducted every four years. The NRA found that the most vulnerable sector, which is primarily exposed to external ML threats, is the banking sector, followed by the administrative service providers (“ASPs”) and the real estate sector. This is primarily attributed to the banks’ involvement with, among others, i) businesses that are not resident in Cyprus, often with complex corporate structures, ii) cross-border wire transfers with counterparties in various jurisdictions, iii) businesses that have been introduced by third parties, e.g. ASPs, and iv) businesses that use nominee shareholders/directors and trusts.
The Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (the “MONEYVAL”), through the Cyprus Fifth Round Mutual Evaluation Report issued in December 2019 (the “MONEYVAL Report”), has commented on the ML/TF risks in conjunction with the materiality of the banking sector. It found that the banking sector is “weighted as being the most important in Cyprus based on its materiality and risks”, given that “the aggregated assets are – even after a considerable reduction following the financial crisis – about two and a half times the GDP of Cyprus” and “the two largest banks are accounting for two thirds of the overall assets”.
Therefore, the size and the international expansion of the sector, along with the favourable Cyprus regimes, render Cyprus an attractive venue for individuals seeking to hide the proceeds of crime among legitimate and sometimes complex business structures, through the variety of services offered by the banks, such as private banking, deposits, loans, cash deposits, wire transfers, credit cards, trade finance, client accounts and correspondent banking accounts.
Policies and supervision
The Central Bank of Cyprus (the “CBC”) is the authority responsible for the supervision of the licensed credit institutions in Cyprus and for the implementation of the anti-money laundering policies.
The CBC issued the fifth edition of the Directive on the Prevention of Money Laundering and Terrorist Financing in February 2019 (the “Directive”), pursuant to section 59(4) of the Prevention and Suppression of Money Laundering Law of 2007 (188(I)/2007), as amended (the “Law”), which transposed into Cyprus law the EU Directive 2015/849 (the “4th EU Directive”) on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. The Law specifically states that the Directive is binding and compulsory for the institutions to which it is addressed, and that the supervisory authority for monitoring the Directive’s implementation is the CBC.
The CBC, for the purpose of its evaluations and assessments, also takes into consideration policies, decisions and recommendations issued by the Financial Action Task Force (“FATF”), which is the intergovernmental organisation responsible for developing policies to combat money laundering and terrorism financing; MONEYVAL; the European Banking Authority; the World Bank and the International Monetary Fund.
It is important to note that further amendments to the Law and the Directive are expected, as the EU Directive 2018/843 (the “5th EU Directive”), which amends the 4th EU Directive, is yet to be transposed into Cyprus law. Cyprus has received a formal notice from the EU for non-compliance, as the deadline for the transposition was in January 2020.
The risk-based approach
The risk-based approach is regarded as an important pillar for a successful strategy against ML and TF.
Through the risk-based approach, the banks are expected to identify and assess the ML and TF risks they are exposed to and take the necessary measures. The focus of banks should be to assess the nature of the risks they are facing and then apply the relevant and necessary preventive measures, having regard to the nature and complexity of the bank’s products and services, their size, business model, corporate governance arrangements, financial and accounting information, delivery channels through which the customers can transact their business, customer profiles, geographic location, volume and size of transactions and countries of operation. Considering the above factors, it is important to note that each bank’s controls might differ depending on their operational complexity.
The due diligence policy of banks
The credit institutions are required to appoint an Anti-Money Laundering Compliance Officer (the “AMLCO”) who will be responsible, among other things, for the preparation of the institution’s policy on how new customers will be accepted and the conditions and the procedures under which a customer relationship will be terminated; for cooperating with the relevant departments of the institution in order to design the necessary policies and procedures in compliance with the Law; and for recording and assessing on an annual basis the institution’s risks for ML and TF, especially before the launch of new products, business practices or new technologies.
The banks, through the AMLCO and based on instructions from the CBC, ought to establish a specific due diligence policy that includes the applicable risk-based approach and the measures to be applied in case the bank is exposed to low or high ML/TF risks.
The initial stages of the customer due diligence (the “CDD”) process should be designed to help banks assess the ML/TF risks associated with a proposed business relationship and determine the level of CDD to be applied. Following the completion of the initial stage of the CDD, depending on its risk exposure, the bank should request the relevant amount of information and proceed with the necessary verification checks (standard or enhanced due diligence). Where banks are not in a position to apply the appropriate level of CDD, due to non-cooperation by the client (e.g. refusal to provide the requested information) or if for any reason the bank cannot verify the information received, then the banks are required to not enter into the business relationship or terminate an existing business relationship.
In addition, if during the business relationship between the client and the bank, or during the CDD process, the bank is suspicious of any ML/TF activities, then the Unit for Combatting Money Laundering (“MOKAS”) should be notified accordingly. The MOKAS is established through section 56 of the Law and is the national centre for, inter alia, receiving and reviewing disclosures of suspicious transaction reports and other relevant information in connection with suspected ML or TF activities; issuing administrative orders for postponement of transactions; and issuing guidance to financial institutions, professionals and others.
The MONEYVAL has reported that the banks file suspicious transaction reports to MOKAS far more frequently than other types of financial institutions and that, in comparison with other sectors, banks have a generally sophisticated understanding of their exposure to ML and TF risks. In essence, it was found that the banking sector has gradually become more effective in addressing and mitigating the ML/TF risks, which is largely the result of the supervision practices of the CBC. However, there is a widespread perception in Cyprus that banks are particularly intense in their collection and evaluation of CDD information and that, due to their rigid CDD processes, they create unnecessary hurdles for clients and service providers.