Investment Firms Licensing & Regulatory Compliance

Currently there are more than 200 investment firms regulated by the Cyprus Securities and Exchange Commission (“CySEC”). For all organisations engaged in activities that come under the supervision of the CySEC, a proactive rather than a reactive approach to regulation saves time and effort at a later stage. In an ever-changing regulatory environment, investment firms in Cyprus are faced with the challenge of adapting to new regulations which enforce demanding requirements, whilst also managing compliance costs. PwC Cyprus has a dedicated team of experts specialising in the various regulations governing the sector, assisting many clients, through a broad range of services, to comply with their regulatory obligations.
We help Cyprus Investment Firms to confidently navigate regulatory changes, addressing their needs for integrated and practical solutions that cover the entire regulatory agenda and beyond. These changes need to deliver real and significant benefits to their business as a whole.
Our dedicated experts recognise that every business is different. We can help you to assess the impact of regulation on your business as well as develop and implement a strategic response that empowers you to take control of the regulatory agenda.

Explore our Capabilities


If you aim to operate a regulated Investment Firm in Cyprus, you need to apply to CySEC and obtain the relevant license. In a continuously changing regulatory environment, you need to identify whether a license is needed and to set up your operations in the best possible way, thus saving time and money in the process of obtaining the relevant license. 

We can help you:

  • Prepare or review the full application package that needs to be submitted to CySEC
  • For already licensed investment firms, prepare or review your application to the regulator to set up a branch abroad or offer services cross border
  • In the case of licensed investment firms, prepare or review your application to CySEC in order to obtain a license for the provision of additional investment services
  • Implement the conditions that may be attached to your license to operate as a regulated Investment Firm in Cyprus


Markets in Financial Instruments Directive II (“MiFID II”) and Markets in Financial Instruments Regulation (“MiFIR”)

The Markets in Financial Instruments Directive (“MiFID” or the “Directive”) officially took effect on 1 November 2007. The Directive’s aim was to integrate the European Union’s financial markets and to increase the amount of cross-border investment activity. The financial crisis of 2008 highlighted existing problems and led the European Commission to revise MiFID. As a result, MiFID II/MiFIR entered into force on 3 January 2018, and are expected to significantly affect entities providing investment services.

We can help you:

  • Undertake a gap analysis between your current way of operation and the MiFID II/MiFIR provisions
  • Implement the MiFID II/MiFIR requirements
  • Identify interdependencies with other key regulations
  • Assess the impact of the rules on your strategic priorities and your operations
  • Capture the strategic opportunities and minimize any resultant threats
  • Enhance your business processes, technological systems and infrastructure
  • Answer day-to-day queries in relation to MiFID II/MiFIR
  • Prepare or update your policies and procedures (e.g. Procedures Manual, Conflicts of Interest Policy, Best Execution Policy, etc.)
  • Deliver tailor-made training on MiFID II/MiFIR related subjects


Capital Requirements Directive IV (“CRD IV”) Package 

The successful creation of a single rule book for European credit institutions and investment firms resulted in the CRD IV package, which consists of the Capital Requirements Regulation (“CRR”), which is adopted directly by the EU Member States, and the Capital Requirements Directive (“CRD”), which has been transposed into national law by credit institutions and investment firms regulators across Europe. 

The CRD IV rules promote a robust capital and liquidity framework through strict requirements. These pose challenges for credit institutions and investment firms alike and raise questions on the efficient use of capital and liquidity resources. CRD IV also focuses on rules relating to corporate governance, including remuneration, as well as specifications regarding standardised EU regulatory reporting. 

Since the introduction of CRD IV, the Basel Committee on Banking Supervision has been working on a new set of requirements, commonly referred to as “Basel IV”, which may have a significant impact on the way that investment firms operate as well as on the size of their Risk Weighted Assets. 

We can help you: 

  • Establish policies and procedures in order to adhere to the CRD IV package
  • Quantify your capital ratios, liquidity ratios and leverage according to the CRD IV specifications
  • Prepare or review the prudential forms prior to their submission to CySEC
  • Become equipped with the necessary skills and knowledge through tailor-made training and workshops
  • Prepare or review the Internal Capital Adequacy Assessment Process (“ICAAP”) document and manual
  • Prepare or review your Remuneration Policy and/or provide assistance in understanding the European Banking Authority’s (“EBA”) requirements
  • Design scenarios for stress testing analysis
  • Prepare or review the Pillar 3 Disclosures report
  • Address ad-hoc queries relating to the CRD IV provisions
  • Optimise your capital consumption and capital allocation framework


Foreign Account Tax Compliance Act (“FATCA”) 

The Foreign Account Tax Compliance Act (“FATCA”) is US tax legislation which was enacted as part of the Hiring Incentives to Restore Employment (“HIRE”) Act in March 2010 to prevent and detect US tax evasion and improve taxpayer compliance. FATCA is focused on strengthening information reporting and withholding compliance with respect to US persons that invest through, or in, non-US entities, such as Cyprus resident financial institutions.

All investment firms in Cyprus are affected by FATCA, irrespective of whether they have US clients. The penalties for non-compliance are significant and include a 30% withholding tax on any incoming payments relating to US-sourced income. In addition, failure to comply with FATCA may involve legal and reputational issues which could disrupt business relationships with other financial institutions which are FATCA compliant (e.g. counterparties) and lead to loss of business.

We can help you:

  • Understand FATCA and its impact in the context of your specific business needs
  • Conduct a gap analysis against the FATCA requirements
  • Strategically refocus your business in the context of the FATCA provisions
  • Implement FATCA by adapting your business systems and processes accordingly
  • Define the FATCA related specification requirements for your individual IT platform
  • Reinforce your implementation efforts with our support
  • Work through the testing and go-live phase of your FATCA implementation with our guidance


OECD Common Reporting Standard (“CRS”)

In February 2014, the Organisation for Economic Co-operation and Development (“OECD”) released a global standard for the automatic exchange of financial account information, which involves the systematic and periodic transmission of ‘bulk’ taxpayer information.

Similar to the provisions of FATCA, the OECD Common Reporting Standard imposes obligations on financial institutions (“FIs”) to review and collect information in an effort to identify an account holder’s country of residence and then in turn, to provide certain specified account information to the home country’s tax administration. 

Most financial institutions in Cyprus, including Cyprus Investment Firms, are affected by CRS, which involves significant complexity compared to FATCA and which fundamentally changes an FI’s way of doing international business both from a strategic and an operational point of view. Therefore, designing effective due diligence through smart and strategic alignment with AML/KYC processes is key for a successful CRS project. 

CRS enforcement is achieved through the imposition of penalties under local legislation as well as compliance activities carried out by the relevant local authorities. Non-compliance may also result in indirect costs from disruption of business relationships and reputational risk. 

We can help you:

  • Understand the regulatory requirements under CRS and their impact on your business
  • Conduct a gap analysis against the CRS requirements and ascertain how work done in relation to FATCA can be leveraged in the context of CRS
  • Assess and analyse your current policies and procedures against the key CRS provisions
  • Understand and document the CRS requirements across different jurisdictions
  • Define the CRS related specification requirements for your individual IT platform


European Market Infrastructure Regulation (“EMIR”) 

In 2009, the G20 group of nations agreed on a set of Over the Counter (“OTC”) market reforms designed to reduce systemic risk and to improve market transparency. The European Market Infrastructure Regulation, Regulation (EU) No 648/2012, which came into force on 16 August 2012, brought a number of reforms in the regulation of the global OTC derivatives market. Derivative contracts are traded on exchanges or electronic platforms, cleared through central counterparties (“CCPs”), reported to trade repositories (“TRs”) and are subject to capital or other requirements to reflect the risk of transactions. As such, all Investment Firms engaging in derivative transactions are affected by EMIR.

More specifically, EMIR introduced clearing, transaction reporting and significant risk management procedures for firms that are subject to EMIR requirements (“firms”), as well as a pan-European regulatory regime for CCPs and TRs. Risk management requirements were phased in from 15 March 2013, whereas reporting requirements, which have affected a significant number of firms, came into force on 12 February 2014. Clearing obligations for specific asset classes have also come into force and further obligations will be phased in depending on a firm’s clearing classification category.

We can help you:

  • Understand the EMIR obligations and their impact on your business, through an initial impact assessment
  • Select a TR(s) and/or a CCP(s) in order to meet reporting and clearing obligations
  • Gather business requirements for data interface and migration processes for reporting purposes
  • Identify derivative products subject to the clearing obligation
  • Assess the application of clearing exemptions for intra-company transactions
  • Design, test and document business and operational clearing processes, including improvement of processing efficiency and control
  • Adapt the firm’s operational, credit, liquidity and market risk strategy and appetite in light of new collateral arrangements
  • Design, build and implement management information systems to monitor different risk types


Anti-Money Laundering (“AML”) and Combating the Financing of Terrorism 

The fight to deter money laundering and terrorist financing has been a high priority of law enforcement agencies and financial regulators around the globe. Laws and regulations are becoming more demanding, aiming to provide a stronger framework to address new threats to the international financial system.

To successfully follow a risk-based approach, institutions need to perform thorough and regular AML risk assessments and implement adequate controls to mitigate their risks. Know Your Customer (“KYC”) specific procedures, including enhanced due diligence for high-risk customers, remain a critical requirement. Boards and senior management are increasingly seeking to build integrated, risk-based and efficient AML compliance control programmes.

Not only are institutions concerned about avoiding enforcement actions or remedying weaknesses and failures, but many are learning that by treating these initiatives as long-term investments, they can capitalize on potential opportunities. 

We can help you:

  • Perform an AML risk assessment in line with regulatory requirements and best practices
  • Perform background checks on legal or physical persons to support KYC procedures
  • Create effective and sustainable AML compliance control programs
  • Improve the quality of AML internal audits
  • Design and implement effective customer due diligence processes
  • Improve the function and performance of your suspicious activity monitoring systems and processes
  • Train senior executives and employees on topics ranging from specific aspects of compliance to regulatory expectations and industry trends
  • Prepare or update your policies and procedures (e.g. AML Policy) to ensure compliance with the regulatory requirements

Internal Audit

Today, more than ever, Boards of Directors are facing ongoing pressure from stakeholders to mitigate risk yet drive business performance. Internal Audit plays a critical role in regulated entities by providing objective assurance that protects the business against risk, supports strategic decision making and improves regulatory compliance.

However, for an organisation’s internal audit function to provide value, it needs to be equipped with the right tools, technology and know-how. An organisation also needs to balance the costs and benefits of keeping the internal audit function in-house against co-sourcing or outsourcing it.

We can help you:

  • With Internal Audit resourcing solutions, including full outsourcing or complementing in-house functions with specialist skills or geographical coverage
  • In the development of a risk-based Internal Audit methodology, including assessing whether the Internal Audit function is delivering real value to stakeholders
  • In the establishment of your in-house Internal Audit function
  • By advising the Audit Committee and developing Audit Committee charters
  • By supporting Internal Audit functions with technology solutions (such as Computer Assisted Audit Techniques) to enhance and support their work
  • By performing IT Audits including ERP systems such as SAP, Oracle, Navision

Recovery Plans

In June 2014, the European Parliament and Council approved the Bank Recovery and Resolution Directive (“BRRD”), Directive 2014/59/EU. This important piece of legislation sets a common framework across all 28 countries of the European Union on how to deal with troubled financial institutions. In March 2016, the BRRD was transposed into national law and published in the Official Gazette of the Republic (“the Law”).

The investment firms impacted by the Law will have to prepare and submit Recovery Plans to CySEC, setting out the actions to be taken to restore their financial position in case of significant deterioration of their financial situation. Following the submission of the Recovery Plans, CySEC will be responsible for their assessment, evaluation and approval. 

In summary, the main areas that a Recovery Plan should cover are strategic analysis, recovery plan indicators, scenarios and stress testing, recovery options, and a governance and communication plan. As per the Law, CySEC will have the power to apply simplified recovery planning obligations to investment firms that meet certain criteria.

We can help you: 

  • Prepare the Recovery Plan document, leveraging international best practices
  • Share recovery planning insights, industry best practices as well as tools and templates
  • Leverage our experience with regulators to support your delivery and communication strategy
  • Review your existing documentation and procedures, identify potential gaps and provide recommendations
  • Provide advisory support on regulatory standards

Contact us

Elina Christofides

Partner - Advisory, PwC Cyprus

Tel: +357-22555718
