The main legislation governing the banking sector in Cyprus is the Business of Credit Institutions Law of 1997, Law No 66(I)/1997 (as amended) (the Banking Law). The Banking Law deals with the licensing, ownership and membership of banks as well as the winding up of banks, among other matters.
A number of directives have been issued by the Central Bank of Cyprus (the CBC) pursuant to the provisions of the Banking Law, including the Assessment of the Fitness of the Members of the Management Body and Key Function Holders of Authorised Credit Institutions Directive of 2020 (the Fitness Directive) and the Governance and Management Arrangements Directive of 2014 (the Governance Directive).
There are also various EU regulations relevant to the banking sector that have direct effect in Cyprus, including Regulation (EU) 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (the CRR) and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (Regulation 1024/2013).
The provision of payment services and electronic money services is regulated separately by the Law on the Provision and Use of Payment Services and Access to Payment Systems, Law No 31(I)/2018 (as amended) (the Payment Services Law) and the Law on Electronic Money, Law No 81(I)/2012 (as amended).
The regulators responsible for supervising banks in Cyprus are the European Central Bank (the ECB) and the CBC.
Requirement for a Licence
Subject to what is stated in the next paragraph, a bank must obtain a banking licence from the CBC before it commences its activities in Cyprus or its activities abroad from Cyprus.
A bank authorised and supervised by the competent authorities of another European Economic Area country (an EEA State) can carry out the activities listed in annex IV to the Banking Law in Cyprus (see below) without the need for a licence from the CBC, provided these activities are covered by its licence and that it complies with the relevant notification requirements to the CBC. Such a bank can operate in Cyprus through either the establishment of a branch or the provision of cross-border services.
Activities and Services Covered
The activities and services covered by a banking licence include:
The Banking Law prohibits banks from carrying out any commercial activity that is not one of the activities set out in annex IV to the Banking Law, unless the activity constitutes an ancillary services undertaking (as defined in article 4(1)(18) of the CRR).
Conditions for Authorisation
A banking licence is only granted to a legal person established in Cyprus under the Companies Law, Cap. 113 (as amended) (the Companies Law) or to a credit institution established and authorised in a country other than an EEA State (a third country) under corresponding legislation of that country in order to operate in Cyprus through a branch.
The conditions for granting a banking licence include the following:
Procedure for Applying for Authorisation
The application for a banking licence must be made in writing by or on behalf of the applicant to the CBC. No application fee is payable.
The application form must be accompanied by the following, among others:
The CBC can require further information and/or documents.
The CBC rejects the application if the applicant does not comply with the conditions for authorisation under national law. If the applicant complies with such conditions, the CBC must propose granting the authorisation but the ultimate decision is made by the ECB (Regulation 1024/2013).
If the CBC rejects the application, it must notify the applicant of its decision and the reasons for it within six months of receiving the application or, where the application is incomplete, within six months of receiving all the information required for the decision. Any decision by the CBC must be issued within 12 months of receiving the application.
If the CBC recommends the ECB grant the authorisation, the draft decision of the CBC is deemed to be adopted unless the ECB objects within a maximum period of ten working days, extendable once for the same period in duly justified cases. The ECB can object to the draft decision only where the conditions for authorisation set out in relevant EU law are not met. The ECB must state the reasons for the rejection in writing.
Requirements for Acquiring or Increasing Control over a Bank
Under the Banking Law, anyone who individually or in concert with others decides either to acquire, directly or indirectly, a qualifying holding in a bank established in Cyprus or to increase, directly or indirectly, such a qualifying holding, as a result of which the proportion of the voting rights or of the capital held by such person would reach or exceed 20%, 30% or 50% or so that the bank would become its subsidiary, must give prior written notice to the CBC setting out the size of the intended holding and other information required under the Banking Law. "Qualifying holding" is defined in the CRR as a direct or indirect holding in an undertaking which represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise a significant influence over the management of that undertaking.
From the date it acknowledges receipt of the notification and all documents required to be attached to the notification, the CBC has a maximum of 60 working days to assess the suitability of the prospective acquirer and the financial soundness of the proposed acquisition. The criteria which the CBC takes into account in making such assessment include, inter alia:
Other Reporting Requirements
The Banking Law requires banks incorporated in Cyprus to inform the CBC upon becoming aware of any acquisitions of qualifying holdings in their capital that increase the thresholds referred to above.
In addition, under the Transparency Requirements (Securities Admitted to Trading on a Regulated Market) Law of 2007, Law No 190(I)/2007 (as amended), a person who acquires shares in a bank admitted to trading on a regulated market that carry the right to vote must, within the required time period, notify the bank and the Cyprus Securities and Exchange Commission (CySec) of the percentage of his voting rights if such percentage reaches or exceeds, as a result of the acquisition, 5%, 10%, 15%, 20%, 25%, 30%, 50% or 75% of the total voting rights of the bank. The bank must notify the CySec and the Cyprus Stock Exchange (in its capacity as the national Mechanism for the Central Storage of Regulated Information) and publish the information on its website.
The Business of Insurance and Reinsurance and Other Related Matters Law of 2016, Law No 38(I)/2016 (as amended) imposes additional reporting requirements if the bank concerned holds shares in an insurance undertaking.
Law and Regulation
The main sources of a bank's corporate governance requirements are as follows:
In addition, the articles of association of a bank incorporated in Cyprus regulate (subject to the provisions of the Companies Law) matters such as shareholders' and directors' meetings, the powers of the directors and transfers of shares.
The Banking Law requires that each bank has robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, and effective processes to identify, manage, monitor and report the risks to which it is or may be exposed, as well as adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices that are consistent with and promote sound and effective risk management.
Such arrangements, processes and mechanisms must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the bank's business model and activities.
The Governance Directive requires that, inter alia:
Senior managers must be sufficient in number and have the necessary know-how to manage the bank's operations.
Assessment Procedure and Criteria
The procedure and criteria that banks should take into account in assessing the fitness of candidates for the management body and key function holders are set out in the Fitness Directive.
The Fitness Directive requires that the assessment of the fitness of members of the management body and key function holders is carried out before their appointment.
In particular, a bank must assess whether the candidate:
The bank must provide the CBC with the results of the assessment and, where the bank is a significant supervised entity, the CBC provides the results to the ECB. The relevant candidate is only appointed with the consent of the CBC or, in the case of significant supervised entities, the consent of the ECB.
Roles of Management Body and Senior Management
According to the Governance Directive, the management body has the primary responsibility for internal governance. It must define, supervise and be accountable for the implementation of governance arrangements that ensure effective and prudent management of the bank, including the segregation of duties and the prevention of conflicts of interest. Such arrangements must comply with the following principles:
Among other things, banks are also required to:
The management body of a bank is responsible for supervising senior management. It must establish appropriate policies, practices and procedures to ensure that senior management carries out its duties and responsibilities in accordance with the relevant provisions of the Governance Directive.
The chief executive and other senior managers are responsible for directing and overseeing the effective management of the bank within the authority delegated to them by the management body, and in compliance with the applicable laws and regulations.
Senior management is responsible for the following, among other matters:
The Governance Directive requires that every bank has remuneration policies and practices (including in respect of the salaries and discretionary pension benefits of, among others, senior managers, staff engaged in internal controls and risk takers) that are consistent with, and promote, sound and effective risk management.
The rules on remuneration policies include the following:
A breach of the provisions of the Governance Directive may lead to the imposition by the CBC of administrative sanctions and measures. It is also a criminal offence punishable with a fine and/or imprisonment.
The main piece of legislation dealing with the prevention of money laundering and terrorist financing is the Law on the Prevention and Suppression of the Legalisation of Proceeds from Illegal Activities, Law No 188(I)/2007 (as amended) (the AML Law). As the supervisory authority for banks under the AML Law, the CBC has issued the directive on the prevention of money laundering and terrorist financing (the AML Directive).
Procedures to Prevent Money Laundering and Terrorist Financing
Article 58 of the AML Law requires banks (among other persons) to implement adequate and appropriate policies, controls and procedures, proportionate to their nature and size, in order to mitigate and manage effectively the risks related to money laundering and terrorist financing, in connection with the following:
The AML Law requires banks to appoint a member of the management body to be responsible for the implementation of the provisions of the AML Law, any directives issued under the AML Law and any relevant acts of the European Union. The AML Law also requires the establishment, in certain cases, of an independent internal audit function, which will be responsible for verifying that the bank has established the policies, controls and procedures required under the AML Law.
As the supervisory authority for banks under the AML Law, the CBC evaluates and supervises the implementation by banks of the provisions of the AML Law and directives issued by the CBC under the AML Law. If a bank fails to comply with the provisions of the AML Law, the provisions of any directive issued by the CBC under the AML Law or the provisions of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006, the CBC may take any or all of the measures set out in the AML Law, which include the following:
Deposit Guarantee and Resolution of Credit and Other Institutions Scheme
The Deposit Guarantee and Resolution of Credit and other Institutions Scheme (DGS) was established and has been operating in Cyprus since 2000. The relevant legal framework consists of the Guarantee of Deposits and Resolution of Credit and other Institutions Law of 2016, Law No 5(I)/2016 (as amended) and regulations issued under it. The DGS constitutes a separate legal public entity and consists of the Deposits Guarantee Fund and the resolution of credit and other institutions fund (the Resolution Fund).
A management committee (the Committee) has been established to serve the purposes of and manage the Deposits Guarantee Fund and the Resolution Fund. The Committee consists of five members. The chairman is the governor of the CBC and the remaining four members are staff from the Ministry of Finance and the CBC (appointed by a decision of the governor of the CBC for a term of five years, which may be extended for a maximum period of three months).
The purposes of the DGS are to compensate the depositors of banks that pay contributions to the Deposits Guarantee Fund if a bank becomes unable to repay its deposits, and to fund the implementation of resolution measures.
All deposits (other than deposits excluded by the Deposit Guarantee and Resolution of Credit and Other Institutions Scheme Regulations of 2016 (as amended) – the Deposit Guarantee Regulations), in euro or other currency, held in banks and branches of a bank that operate abroad but pay a contribution to the Deposits Guarantee Fund (including accrued interest until the maturity date of the deposit or the date the deposit became unavailable, whichever occurred first) are eligible for compensation from the DGS.
The following categories of deposits are excluded by the Deposit Guarantee Regulations from the payment of any compensation from the DGS:
Amount of Compensation
Subject to what is stated below, the maximum amount of compensation for each depositor per bank is EUR100,000. This limit applies to the aggregate deposits held with a particular bank.
Deposits resulting from real estate transactions relating to private residential properties and deposits that serve social purposes are covered up to EUR300,000, in addition to the amount of EUR100,000 referred to above, for a maximum period of 12 months from the date on which the amount was credited or the date on which it can be legally transferred to the beneficiary, whichever is earlier.
When calculating the amount of compensation payable to a depositor, the deposits are set-off with all kinds of counterclaims the bank has against the depositor, provided and to the extent that these have become due before or on the date on which the deposits became unavailable, and provided further that such set-off is permitted in accordance with the statutory and contractual provisions that govern the contract between the bank and the depositor.
Funding of the DGS
Membership in the DGS is obligatory for all banks licensed in Cyprus, including branches of Cypriot banks that operate in other Member States.
The DGS is primarily funded from contributions from its members. Every bank that receives a licence in Cyprus must pay an initial contribution to the Deposit Guarantee Fund (currently amounting to EUR50,000) and then an annual contribution (calculated based on the covered deposits and the risk profile of each member).
In cases where the available financial means of the DGS are insufficient to repay depositors when deposits become unavailable, the members are also required to pay extraordinary contributions not exceeding 0.5% of their covered deposits per calendar year. Higher contributions may be required in exceptional circumstances.
The DGS is also allowed to obtain financing from loans or other means of support from third parties, and from the liquidation of assets or investments.
Statutory Duty of Confidence
Under the Banking Law, members of the management body, chief executives, managers, officers, employees and agents of a bank – as well as persons who have access to the records of a bank by any means – are prohibited from providing, communicating, revealing or using for their own benefit any information whatsoever regarding the account of any particular customer of the bank, either during their employment or professional relationship with the bank or after its termination.
The Banking Law contains an extensive list of exceptions to the above prohibition, including the following:
A breach of the relevant provisions of the Banking Law may lead to the imposition of administrative sanctions and measures by the CBC. It is also a criminal offence punishable with a fine and/or imprisonment.
Contractual and Other Duties of Confidence
It is an implied term of the contract between a banker and his customer that the bank will not divulge to third persons either the state of the customer's account, or any of his transactions with the bank, or any information relating to the customer acquired through the keeping of his account. There are four exceptions to this duty:
The duty of confidence arises once the relationship of banker and customer is established. It does not cease when the customer closes his account, nor presumably after the customer’s death.
Breach of the duty of confidence gives rise to a claim for damages.
Banks also have a common law equitable duty of confidence.
Implementation of Basel III
The Basel III standards developed by the Basel Committee on Banking Supervision have been implemented by the CRR (which is directly applicable in Cyprus) and Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD IV), which has been implemented in Cyprus by statute.
The Banking Law requires that each bank has effective processes to identify, manage, monitor and report the risks to which it is or may be exposed and adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices, that are consistent with and promote sound and effective risk management.
Banks incorporated in Cyprus are also required to have sound, effective and comprehensive strategies and processes to assess and maintain on a continuous basis the amounts, composition and distribution of internal capital that they consider adequate to cover the nature and level of the risks to which they are or may be exposed.
The Governance Directive sets out the following risk management rules for banks, among others:
Risk committee and risk management function
Banks are required to establish a risk committee and a risk management function. The duties of the risk committee include:
The risk management function must be independent of the business and support units it monitors and controls, and must have the right to report its findings and assessments directly to the management body and the relevant committees, independent from senior management through clear reporting lines. It must:
The capital adequacy framework for banks in Cyprus consists of the CRR and the CRD IV (as implemented in Cyprus) which, among others, require banks to satisfy the following own funds requirements at all times:
In addition to the common equity tier 1 capital maintained to meet the own funds requirements imposed by the CRR, banks incorporated in Cyprus are required to keep a capital conservation buffer of Common Equity Tier 1 (as defined in the CRR) equal to 2.5% of their total risk exposure calculated in accordance with article 92(3) of the CRR, on an individual and consolidated basis.
Systemically important banks are required to maintain an additional capital buffer.
In addition to meeting the general liquidity coverage requirement imposed under article 412(1) of the CRR, banks must ensure that long-term obligations are adequately met with a diversity of stable funding instruments under both normal and stressed conditions.
The Commission Delegated Regulation (EU) 2015/61 of 10 October 2014 to supplement Regulation (EU) No 575/2013 of the European Parliament and the Council with regard to liquidity coverage requirement for Credit Institutions (Regulation 2015/61) sets out rules specifying in detail the liquidity coverage requirement provided for in article 412(1) of the CRR. Regulation 2015/61 has been directly applicable in Cyprus since 1 October 2015, with the following transitional provisions:
The CBC has issued a directive to banks on the computation of prudential liquidity in all currencies, which sets out the principles that banks should implement for the management of liquidity risk.
The CRR requires banks to calculate their leverage ratio and report it to the CBC, but it does not impose any particular leverage ratio requirement.
The CRR has been amended by Regulation (EU) 2019/876, which has introduced a leverage ratio requirement of 3%. The relevant amendment will apply from 28 June 2021.
The relevant provisions relating to the winding-up of banks incorporated in Cyprus are set out in part XIII of the Banking Law and part V of the Companies Law, and in winding-up rules issued under the Companies Law.
The recovery and resolution regime for banks is based on:
The Resolution Regulation establishes the Single Resolution Board, which is responsible for drawing up the resolution plans and adopting all decisions relating to resolution for, among others, the entities referred to in article 2 of the Resolution Regulation (including banks established in Cyprus) that are not part of a group, and groups considered "significant" under article 6(4) of Regulation (EU) 1024/2013.
In relation to other entities and groups (ie, those not listed in article 7(2) of the Resolution Regulation), the CBC in its capacity as the Resolution Authority is responsible for, among others, adopting resolution decisions and applying resolution tools in accordance with the provisions of the Resolution Law (unless the Resolution Board decides, under the Resolution Regulation, to exercise the relevant powers in relation to any such entity or group). The Resolution Law applies to banks established in Cyprus and, subject to the conditions set out in the Resolution Law, to branches of banks of third countries established in Cyprus.
The Resolution Authority must obtain the approval of the Minister of Finance before it implements decisions that have a direct financial impact or systemic consequences.
The Resolution Authority takes action for the resolution of a bank only if it considers that the following conditions are met:
The resolution tools under the Resolution Law are as follows:
The Resolution Authority can apply the resolution tools individually or in any combination, except that the asset separation tool can only be applied together with another resolution tool.
Sale of business tool
The Resolution Authority has the power to demand the transfer of the following to a purchaser that is not a bridge institution:
A transfer made under this tool is made on commercial terms and is considered to be valid without obtaining the consent of shareholders of the bank under resolution or any third person other than the purchaser, and irrespective of any restriction imposed by law, contract or otherwise.
Bridge institution tool
The Resolution Authority can transfer the following to a bridge institution:
A transfer made under this tool (as well as the asset separation tool) is made without obtaining the consent of the shareholders of the bank under resolution or any third person and without complying with any procedural requirements under company or securities law. The bridge institution is a legal person wholly or partly owned by the Resolution Fund and is controlled by the Resolution Authority.
Asset separation tool
The Resolution Authority has the power to transfer assets, rights or liabilities of a bank under resolution or a bridge institution to one or more asset management companies. An asset management company is a company wholly or partly owned by the Resolution Fund and is controlled by the Resolution Authority and manages the assets transferred to it with a view to maximising their value through eventual sale or orderly wind-down.
The Resolution Authority has the power to demand the application of the bail-in tool for any of the following purposes:
The Resolution Law gives the Resolution Authority all the powers necessary to apply the resolution tools to banks, including the power to take control of a bank under resolution and exercise all the rights and powers conferred on the shareholders, other owners and the management body of the relevant bank.
The Resolution Regulation contains the same resolution tools as the Resolution Law, and the powers of the Resolution Board under the Resolution Regulation are similar to the powers of the Resolution Authority.
All deposits that are eligible for the payment of compensation from the DGS are fully protected up to the maximum amount set out in the Deposit Guarantee Regulations in the event resolution measures are taken in relation to a bank. All other deposits rank pari passu in a bank’s resolution.
There are no upcoming regulatory developments.