On 24 March 2020, the Cyprus Securities and Exchange Commission (CySEC), issued circular C367 (replacing circular C157) informing all entities under its supervision of the requirements that need to be followed in the rare instances where regulated entities choose to complete the client due diligence procedures following the commencement of a business relationship or an occasional transaction.
All obliged entities have an obligation to (i) identify and (ii) verify the identity of their clients. According to section 62(1) of the Prevention and Suppression of Money Laundering and Terrorist Financing Law (the Law), verification of the identity of the client including the verification of the beneficial owner should be performed before the establishment of a business relationship or the carrying out of the transaction.
Section 62(2) of the Law, provides the exception to the general rule set out above allowing for the verification to occur later. CySEC sets out the parameters in which regulated entities are permitted to make use of this exception.
In general, the verification of the identity of the client may be completed during the establishment of a business relationship, if this is necessary so as not to interrupt the normal conduct of business and where there is a lower risk of money laundering or terrorist financing. The verification procedures should be completed as soon as possible after the initial contact.
The circular clarifies the only instances where Cyprus Investment Firms (CIFs) are permitted, by way of derogation, to verify the identity of a customer at a later stage. In any event, the verification shall be completed within 15 days from the day that the customer either accepted the terms and conditions of the CIF or the day that the first deposit was made (whichever came first).
The new circular provides guidance to CIFs in terms of the steps that need to be taken in each instance and what sufficiently identifying and sufficiently verifying the client entails. The obligation on CIFs which arises pursuant to other European Union Directives (such as the need to apply suitability and an appropriateness test) is reiterated at the identification stage.
It is noted that regulated entities are under an obligation to include procedures, measures, and controls within their internal manuals to ensure proper and effective implementation and monitoring.
Administrative Service Providers (ASPs) are under stricter obligations to comply with article 62 and in the rare instances where they choose to verify the identity of clients/beneficial owners after the commencement of a business relationship, then they should provide a full explanation of their actions.
CySEC’s circular 367 can be found here.
Prevention and Suppression of Money Laundering and Terrorist Financing Law can be found here.