Banking Regulation 2022

Last Updated September 17, 2021

Cyprus

Law and Practice

Authors



Georgiades & Pelides is a leading Cypriot law firm with a broad corporate, banking, commercial and litigation practice and a distinct international focus. The firm was formed in 1998 by the merger of Georgiades & Georgiades with Nicos Pelides & Co, and offers a unique blend of dynamism and experience. It currently has 21 lawyers (including partners) and advises on all aspects of banking law, including secured commercial lending, project and corporate finance, the raising of loan finance, the enforcement and realisation of securities, leasing and hire purchase. The firm has advised many banks and financial institutions on transactions involving sovereign guarantees, derivatives, the drafting of margin account trading documentation and multi-currency loan facility agreements, as well as syndicated project finance transactions. It also advises on the regulatory regime relating to banks in Cyprus, including the establishment and acquisition of banks and substantial stakes in such institutions.

The main legislation governing the banking sector in Cyprus is the Business of Credit Institutions Law of 1997, Law No 66(I)/1997 (as amended) (the Banking Law). The Banking Law deals with the licensing, ownership and membership of banks as well as their winding up, among other matters.

A number of directives have been issued by the Central Bank of Cyprus (the CBC) pursuant to the provisions of the Banking Law, including the Assessment of the Fitness of the Members of the Management Body and Key Function Holders of Authorised Credit Institutions Directive of 2020 (the Fitness Directive) and the Directive on Internal Governance of Credit Institutions of 2021 (the Governance Directive).

There are also various EU regulations relevant to the banking sector that have direct effect in Cyprus, including Regulation (EU) 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (the CRR) and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (Regulation 1024/2013).

The provision of payment services and electronic money services is regulated separately by the Law on the Provision and Use of Payment Services and Access to Payment Systems, Law No 31(I)/2018 (as amended) (the Payment Services Law) and the Law on Electronic Money, Law No 81(I)/2012 (as amended).

Regulators

The regulators responsible for supervising banks in Cyprus are the European Central Bank (the ECB) and the CBC.

Requirement for a Licence

Subject to what is stated in the next paragraph, a bank must obtain a banking licence from the CBC before it commences its activities in Cyprus or its activities abroad from Cyprus.

A bank authorised and supervised by the competent authorities of another European Economic Area country (an EEA State) can carry out the activities listed in Annex IV to the Banking Law in Cyprus (see below) without the need for a licence from the CBC, provided these activities are covered by its licence and that it complies with the relevant notification requirements to the CBC. Such a bank can operate in Cyprus through either the establishment of a branch or the provision of cross-border services.

Activities and Services Covered

The activities and services covered by a banking licence include:

  • taking deposits and other repayable funds;
  • lending;
  • financial leasing;
  • payment services; and
  • trading for own account or for customers in money market instruments, financial futures and options, among others.

The Banking Law prohibits banks from carrying out any commercial activity that is not one of the activities set out in Annex IV to the Banking Law, unless the activity constitutes an ancillary services undertaking (as defined in Article 4(1)(18) of the CRR).

Conditions for Authorisation

A banking licence is only granted to a legal person established in Cyprus under the Companies Law, Cap. 113 (as amended) (the Companies Law) or to a credit institution established and authorised in a country other than an EEA State (a third country) under corresponding legislation of that country in order to operate in Cyprus through a branch.

The conditions for granting a banking licence include the following:

  • the initial capital of the applicant must be comprised of one or more of the items referred to in Article 26(1)(a)-(e) of the CRR;
  • at least two persons must effectively direct the activities of the applicant;
  • the members of the management body must be of good repute, have adequate knowledge, qualifications and experience, and meet the requirements specified in the Fitness Directive;
  • the total composition of the management body must reflect a sufficiently wide range of expertise; and
  • the applicant must inform the CBC of the identity of its shareholders or members, direct or indirect, that have qualifying holdings (as defined in the CRR) and of the percentage of those holdings or, if there are no qualifying holdings, of the 20 largest shareholders or members. The CBC refuses to grant the licence if it is not satisfied as to the suitability of the members or shareholders.

Procedure for Applying for Authorisation

Application form

The application for a banking licence must be made in writing by or on behalf of the applicant to the CBC. No application fee is payable.

The application form must be accompanied by the following, among others:

  • questionnaires set out in the policy statement on the licensing of banks in the Republic of Cyprus issued by the CBC. The questionnaires can be found on the CBC's website at www.centralbank.cy;
  • memorandum and articles of association or any other incorporation document, or a document determining the establishment of a legal person; and
  • a business plan that describes the types of activities envisaged and the organisational structure of the applicant.

The CBC can require further information and/or documents.

Timeline

The CBC rejects the application if the applicant does not comply with the conditions for authorisation under national law. If the applicant complies with such conditions, the CBC must propose granting the authorisation but the ultimate decision is made by the ECB (Regulation 1024/2013).

If the CBC rejects the application, it must notify the applicant of its decision and the reasons for it within six months of receiving the application or, where the application is incomplete, within six months of receiving all the information required for the decision. Any decision by the CBC must be issued within 12 months of receiving the application.

If the CBC recommends the ECB grant the authorisation, the draft decision of the CBC is deemed to be adopted unless the ECB objects within a maximum period of ten working days, extendable once for the same period in duly justified cases. The ECB can object to the draft decision only where the conditions for authorisation set out in relevant EU law are not met. The ECB must state the reasons for the rejection in writing.

Requirements for Acquiring or Increasing Control over a Bank

Qualifying holding

Under the Banking Law, anyone who individually or in concert with others decides either to acquire, directly or indirectly, a qualifying holding in a bank established in Cyprus or to increase, directly or indirectly, such a qualifying holding, as a result of which the proportion of the voting rights or of the capital held by such person would reach or exceed 20%, 30% or 50% or so that the bank would become its subsidiary, must give prior written notice to the CBC, setting out the size of the intended holding and other information required under the Banking Law. "Qualifying holding" is defined in the CRR as a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights, or that makes it possible to exercise a significant influence over the management of that undertaking.

Assessment criteria

From the date it acknowledges receipt of the notification and all documents required to be attached to the notification, the CBC has a maximum of 60 working days to assess the suitability of the prospective acquirer and the financial soundness of the proposed acquisition. The CBC takes the following criteria into account in making such assessment, among others:

  • the reputation of the proposed acquirer;
  • the reputation, knowledge, competencies and experience (as defined in the Fitness Directive) of any member of the management body who will direct the business of the bank as a result of the proposed acquisition;
  • the financial soundness of the proposed acquirer; and
  • whether there are reasonable grounds to suspect that, in connection with the proposed acquisition, money laundering or terrorist financing is being committed or attempted or has been committed or attempted, or that the proposed acquisition could increase the risk thereof.

Other Reporting Requirements

The Banking Law requires banks incorporated in Cyprus to inform the CBC upon becoming aware of any acquisitions of qualifying holdings in their capital that increase the thresholds referred to above.

In addition, under the Transparency Requirements (Securities Admitted to Trading on a Regulated Market) Law of 2007, Law No 190(I)/2007 (as amended), a person who acquires shares in a bank admitted to trading on a regulated market that carry the right to vote must, within the required time period, notify the bank and the Cyprus Securities and Exchange Commission (CySec) of the percentage of their voting rights if such percentage reaches or exceeds 5%, 10%, 15%, 20%, 25%, 30%, 50% or 75% of the total voting rights of the bank as a result of the acquisition. The bank must notify the CySec and the Cyprus Stock Exchange (in its capacity as the national Mechanism for the Central Storage of Regulated Information) and publish the information on its website.

The Business of Insurance and Reinsurance and Other Related Matters Law of 2016, Law No 38(I)/2016 (as amended) imposes additional reporting requirements if the bank concerned holds shares in an insurance undertaking.

Law and Regulation

The main sources of a bank's corporate governance requirements are as follows:

  • the Banking Law and directives issued by the CBC under the Banking Law (including the Governance Directive);
  • the Companies Law, which deals with the formation and management of companies in Cyprus, among other matters; and
  • common law (developed by case law). For example, the directors of a bank established in Cyprus are subject to a number of common law duties that apply generally to companies incorporated in Cyprus.

In addition, the articles of association of a bank incorporated in Cyprus regulate (subject to the provisions of the Companies Law) matters such as shareholders' and directors' meetings, the powers of the directors and transfers of shares.

The Banking Law requires each bank to have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, and effective processes to identify, manage, monitor and report the risks to which it is or may be exposed, as well as adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices that are consistent with and promote sound and effective risk management.

Such arrangements, processes and mechanisms must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the bank's business model and activities.

Management Body

The Governance Directive requires that, inter alia:

  • the size and composition of the management body must take into account the size and complexity of the bank and the nature and scope of its activities, ensuring that:
    1. there are at least seven and no more than 13 members;
    2. at least 50% of the members of the management body (rounded down) plus one member are independent;
    3. there are at least two executive members, representing not more than 25% of the members of the management body (rounded down), one of whom must be the chief executive officer;
    4. the management body (i) is sufficiently diverse in age, gender and educational and professional background to reflect an adequately broad range of experience and facilitate a variety of independent opinions and critical challenge, and (ii) possesses adequate collective knowledge, skills and experience to be able to understand the bank's activities, including the main risks; and
  • the management body must have committees of the appropriate size, composition, structure and responsibilities for the effective discharge of its roles and responsibilities.

Senior Management

Senior managers must be sufficient in number and have the necessary know-how to manage the bank's operations.

Assessment Procedure and Criteria

The procedure and criteria that banks should take into account in assessing the fitness of candidates for the management body and key function holders are set out in the Fitness Directive, which requires that the assessment of the fitness of members of the management body and key function holders is carried out before their appointment.

In particular, a bank must assess whether the candidate:

  • has a good reputation;
  • has sufficient knowledge, skill and experience;
  • can act with honesty, integrity and independence; and
  • can dedicate enough time to the performance of his or her duties and whether the limitations on the number of positions that can be held by such person on other boards are complied with.

The bank must provide the CBC with the results of the assessment and, where the bank is a significant supervised entity, the CBC provides the results to the ECB. The relevant candidate is only appointed with the consent of the CBC or, in the case of significant supervised entities, with the consent of the ECB.

Roles of Management Body and Senior Management

Management body

According to the Governance Directive, the management body has the primary responsibility for internal governance. It must define, supervise and be accountable for the implementation of governance arrangements that ensure effective and prudent management of the bank, including the segregation of duties and the prevention of conflicts of interest. Such arrangements must comply with the following principles:

  • the management body has the overall responsibility for the bank and approves and oversees the implementation of its strategic objectives, risk strategy and internal governance;
  • the management body ensures the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards; and
  • the management body oversees the process of disclosure and communications, and is responsible for supervising senior management.

Among other things, banks are also required to:

  • have appropriate evaluation procedures for the performance of the management body as a whole, each committee and each individual member of the management body, which must be carried out at least annually;
  • carry out a review and evaluation of the composition, efficiency and effectiveness of the management body and its committees, through external consultants, at least every three years; and
  • have appropriate policies and procedures for selecting, developing and, where necessary, replacing the chief executive officer or other senior managers, and have appropriate succession plans in place, having due regard to the importance and critical nature of their duties.

The management body of a bank is responsible for supervising senior management. It must establish appropriate policies, practices and procedures to ensure that senior management carries out its duties and responsibilities in accordance with the relevant provisions of the Governance Directive.

Senior management

The chief executive and other senior managers are responsible for directing and overseeing the effective management of the bank within the authority delegated to them by the management body, and in compliance with the applicable laws and regulations.

Senior management is responsible for the following, among other matters:

  • managing and overseeing the day-to-day operations of the bank;
  • providing the management body with recommendations on business objectives, strategies, business plans and major policies that govern the operation of the management body, for its review and approval; and
  • providing the management body with comprehensive, relevant and up-to-date information that will enable it to review business objectives, business strategy and policies, and to hold senior management accountable for its performance.

The Governance Directive requires every bank to have remuneration policies and practices (including in respect of the salaries and discretionary pension benefits of, among others, senior managers, staff engaged in internal controls and risk takers) that are consistent with, and promote, sound and effective risk management.

The rules on remuneration policies include the following:

  • taking into account the national criteria on wage setting, the remuneration policy must distinguish between (i) basic fixed remuneration, which should reflect relevant professional experience and management responsibility as set out in an employee's job description, and (ii) variable remuneration, which should reflect a sustainable and risk-adjusted performance as well as performance in excess of that required to fulfil the employee's job description;
  • the total variable remuneration must not limit the ability of the bank to strengthen its capital base;
  • banks must set appropriate ratios between the fixed and variable components of the total remuneration, applying the principles set out in the Governance Directive;
  • guaranteed variable remuneration is exceptional, is given only when hiring new staff (provided the bank has a sound and strong capital base) and is limited to the first year of employment; and
  • payments relating to the early termination of a contract should reflect performance achieved over time and should not reward failure or misconduct.

A breach of the provisions of the Governance Directive may lead to the imposition of administrative sanctions and measures by the CBC. It is also a criminal offence punishable with a fine and/or imprisonment.

Legislation

The main piece of legislation dealing with the prevention of money laundering and terrorist financing is the Law on the Prevention and Suppression of the Legalisation of Proceeds from Illegal Activities, Law No 188(I)/2007 (as amended) (the AML Law). As the supervisory authority for banks under the AML Law, the CBC has issued the directive on the prevention of money laundering and terrorist financing (the AML Directive).

Procedures to Prevent Money Laundering and Terrorist Financing

Article 58 of the AML Law requires banks (among other persons) to implement adequate and appropriate policies, controls and procedures, proportionate to their nature and size, in order to mitigate and manage effectively the risks related to money laundering and terrorist financing, in connection with the following:

  • client identification and due diligence;
  • record keeping in relation to clients' identity and their transactions;
  • internal reporting to the compliance officer (a senior staff member appointed by the bank to whom any information or other matter that proves or creates suspicion that a client is engaged in money laundering or terrorist financing activities should be reported) and reporting to the Unit for Combating Money Laundering;
  • internal control, assessment and management of risk in order to prevent money laundering and terrorist financing;
  • the thorough investigation of every transaction that, because of its nature, is considered particularly susceptible to being connected with offences related to money laundering or terrorist financing, especially complicated or unusually large transactions and all unusual transactions that are executed without an obvious financial or legitimate purpose;
  • briefing and regular training of staff;
  • risk management practices;
  • compliance management; and
  • recruitment and assessment of employees’ integrity.

The AML Law requires banks to appoint a member of the board of directors to be responsible for the implementation of the provisions of the AML Law, any directives, circulars and regulations issued under the AML Law and any relevant acts of the European Union. The AML Law also requires the establishment, in certain cases, of an independent internal audit function, which will be responsible for verifying that the bank implements the policies, controls and procedures required under the AML Law.

Supervisory Authority

As the supervisory authority for banks under the AML Law, the CBC evaluates and supervises the implementation by banks of the provisions of the AML Law and directives issued by the CBC under the AML Law. If a bank fails to comply with the provisions of the AML Law, the provisions of any directive issued by the CBC under the AML Law or the provisions of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006, the CBC may take any or all of the measures set out in the AML Law, which include the following:

  • requiring the bank to take such measures within such time period as the CBC shall specify to remedy the situation;
  • imposing administrative fines; and
  • amending, suspending or cancelling the bank's licence.

Deposit Guarantee and Resolution of Credit and Other Institutions Scheme (DGS)

The DGS was established and has been operating in Cyprus since 2000. The relevant legal framework consists of the Guarantee of Deposits and Resolution of Credit and Other Institutions Law of 2016, Law No 5(I)/2016 (as amended) and regulations issued thereunder. The DGS constitutes a separate legal public entity and consists of the deposits of credit institutions guarantee fund (the Deposits Guarantee Fund) and the resolution of credit and other institutions fund (the Resolution Fund).

A management committee (the Committee) has been established to serve the purposes of and manage the Deposits Guarantee Fund and the Resolution Fund. The Committee consists of five members. The chairman is the governor of the CBC and the remaining four members are staff from the Ministry of Finance and the CBC (appointed by a decision of the governor of the CBC for a term of five years, which may be extended for a maximum period of three months).

The purposes of the DGS are to compensate the depositors of banks that pay contributions to the Deposits Guarantee Fund if a bank becomes unable to repay its deposits, and to fund the implementation of resolution measures.

Covered Deposits

All deposits (other than deposits excluded by the Deposit Guarantee and Resolution of Credit and Other Institutions Scheme Regulations of 2016 (as amended) – the Deposit Guarantee Regulations), in euro or other currency, held in banks and branches of a bank that operate abroad but pay a contribution to the Deposits Guarantee Fund (including accrued interest until the maturity date of the deposit or the date the deposit became unavailable, whichever occurred first) are eligible for compensation from the DGS.

The following categories of deposits are excluded by the Deposit Guarantee Regulations from the payment of any compensation from the DGS:

  • deposits made by other banks on their own behalf and for their own account;
  • own funds as defined in Article 4(1)(118) of the CRR;
  • deposits arising out of transactions in connection with which there has been a criminal conviction for money laundering in accordance with the provisions of the AML Law;
  • deposits by financial institutions as defined in Article 4(1)(26) of the CRR;
  • deposits by investment firms;
  • deposits the holder of which has never been identified when they have become unavailable;
  • deposits by insurance and reinsurance undertakings;
  • deposits by collective investment undertakings;
  • deposits by pension and retirement funds, subject to certain exceptions;
  • deposits by public authorities with an annual budget exceeding EUR500,000; and
  • debt securities issued by a bank and liabilities arising out of own acceptances and promissory notes.

Amount of Compensation

Subject to what is stated below, the maximum amount of compensation for each depositor per bank is EUR100,000. This limit applies to the aggregate deposits held with a particular bank.

Deposits resulting from real estate transactions relating to private residential properties and deposits that serve social purposes are covered up to EUR300,000, in addition to the amount of EUR100,000 referred to above, for a maximum period of 12 months from the date on which the amount was credited or the date on which it can be legally transferred to the beneficiary, whichever is earlier.

When calculating the amount of compensation payable to a depositor, the deposits are set off against all kinds of counterclaims the bank has against the depositor, provided and to the extent that these have become due before or on the date on which the deposits became unavailable, and provided further that such set-off is permitted in accordance with the statutory and contractual provisions that govern the contract between the bank and the depositor.

Funding of the DGS

Membership in the DGS is obligatory for all banks licensed in Cyprus, including branches of Cypriot banks that operate in other Member States. The Committee may, in its discretion and subject to the provisions of the Deposit Guarantee Regulations, exclude from membership in the DGS a branch of a Cypriot bank that operates in a country other than a Member State and a branch of a bank that operates in Cyprus but whose head office is outside the European Union.

The DGS is primarily funded from contributions from its members. Every bank that receives a licence in Cyprus must pay an initial contribution to the Deposit Guarantee Fund (currently amounting to EUR50,000) and then an annual contribution (calculated based on the covered deposits and the risk profile of each member).

In cases where the available financial means of the DGS are insufficient to repay depositors when deposits become unavailable, the members are also required to pay extraordinary contributions not exceeding 0.5% of their covered deposits per calendar year. Higher contributions may be required in exceptional circumstances.

The DGS is also allowed to obtain financing from loans or other means of support from third parties, and from the liquidation of assets or investments.

Statutory Duty of Confidence

Under the Banking Law, members of the management body, chief executives, managers, officers, employees and agents of a bank – as well as persons who have access to the records of a bank by any means – are prohibited from providing, communicating, revealing or using for their own benefit any information whatsoever regarding the account of any particular customer of the bank, either during their employment or professional relationship with the bank or after its termination.

The Banking Law contains an extensive list of exceptions to the above prohibition, including the following:

  • if the customer or their authorised representative gives written consent for this purpose;
  • if the customer has been declared bankrupt or, in the case of a company, is being wound up;
  • if civil proceedings have been instituted between the bank and the customer or the customer's guarantor in relation to the customer's account;
  • if the information is provided to the police under the provisions of any law or to a public officer who is duly authorised under the relevant law to receive that information, or to a court during the prosecution or the trial of a criminal offence under the relevant law;
  • if the information is provided pursuant to the provisions of the AML Law;
  • if the information is provided to the Cyprus tax department for purposes of compliance with the provisions of multilateral or intergovernmental agreements or with provisions of any law; or
  • if the provision of the information is necessary for reasons of public interest or for the protection of the interests of the bank.

A breach of the relevant provisions of the Banking Law may lead to the imposition of administrative sanctions and measures by the CBC. It is also a criminal offence punishable with a fine and/or imprisonment.

Contractual and Other Duties of Confidence

It is an implied term of the contract between a banker and their customer that the bank will not divulge to third persons the state of the customer's account, any of the customer's transactions with the bank, or any information relating to the customer acquired through the keeping of their account. There are four exceptions to this duty:

  • where disclosure is under compulsion by law;
  • where there is a duty to the public to disclose;
  • where the interests of the bank require disclosure; and
  • where the disclosure is made by the express or implied consent of the customer.

The duty of confidence arises once the relationship of banker and customer is established. It does not cease when the customer closes his or her account, nor presumably after the customer’s death.

Breach of the duty of confidence gives rise to a claim for damages.

Banks also have a common law equitable duty of confidence.

Implementation of Basel III

The Basel III standards developed by the Basel Committee on Banking Supervision have been implemented by the CRR (which is directly applicable in Cyprus) and Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD IV), which has been implemented in Cyprus by statute.

Risk Management

Rules

The Banking Law requires each bank to have effective processes to identify, manage, monitor and report the risks to which it is or may be exposed and adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices, that are consistent with and promote sound and effective risk management.

Banks incorporated in Cyprus are also required to have sound, effective and comprehensive strategies and processes to assess and maintain on a continuous basis the amounts, composition and distribution of internal capital that they consider adequate to cover the nature and level of the risks to which they are or may be exposed.

The Governance Directive sets out the following risk management rules for banks, among others:

  • the risk management framework of a bank must extend to all its business activities, support functions and control units, and must recognise fully the economic substance of its risk exposures and encompass all relevant risks. The risk framework must also ensure that all material risks are identified and managed, including credit and counterparty risk, residual risk, concentration risk, liquidity risk and market risk;
  • banks must ensure that appropriate, adequate and effective policies, systems, processes and procedures are in place for:
    1. identifying all relevant risks, existing and emerging, at the transaction and portfolio levels, on a continuous basis;
    2. assessing these risks and measuring the bank’s exposure to them, at the transaction and portfolio levels, on an individual and a consolidated basis by recognising interactions between these risks, in an accurate and timely manner; and
    3. monitoring the risk exposures and determining the corresponding capital needs on an ongoing basis;
  • the assessment of risks must not solely or mechanically rely on external assessments such as external credit ratings or purchased risk models, but banks should strive to develop internal assessment capacity proportionate to the size, nature and scale of their activities. Purchased risk models should be validated and adjusted to the bank’s individual circumstances to ensure accurate and comprehensive cover and analysis of its risk profile and risk capacity; and
  • regular and transparent reporting mechanisms should be established so that the management body and all relevant functions are provided with up-to-date, accurate, concise, understandable and meaningful reports and can share relevant information on the identification, measurement or assessment and monitoring of risks.

Risk committee and risk management function

Banks are required to establish a risk committee and a risk management function. The duties of the risk committee include:

  • advising the management body on the bank's overall current and future risk appetite and strategy;
  • assisting the management body in overseeing the effective implementation of the risk strategy by senior management;
  • assessing and monitoring the independence, adequacy and effectiveness of the risk management and information security functions; and
  • advising the management body on the adequacy and effectiveness of the risk management framework.

The risk management function must be independent of the business and support units it monitors and controls, and must have the right to report its findings and assessments directly to the management body and the relevant committees, independent from senior management through clear reporting lines. It must:

  • ensure that all material risks are identified, measured and properly reported;
  • be actively involved in elaborating the bank's risk strategy; and
  • have knowledge of the entire range of risks of the bank.

Capital Requirements

The capital adequacy framework for banks in Cyprus consists of the CRR, the CRD IV and Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (as these are implemented in Cyprus) which, among other things, require banks to satisfy the following own funds requirements at all times:

  • a Common Equity Tier 1 (as defined in the CRR) capital ratio of 4.5%;
  • a Tier 1 (as defined in the CRR) capital ratio of 6%; and
  • a total capital ratio of 8%.

Systemically important banks are required to maintain an additional capital buffer.

Liquidity Requirements

In addition to meeting the general liquidity coverage requirement imposed under Article 412(1) of the CRR, banks must ensure that long-term assets and off-balance-sheet items are adequately met with a diverse set of funding instruments that are stable under both normal and stressed conditions.

The Commission Delegated Regulation (EU) 2015/61 of 10 October 2014 to supplement Regulation (EU) No 575/2013 of the European Parliament and the Council with regard to liquidity coverage requirement for Credit Institutions (Regulation 2015/61) sets out rules specifying in detail the liquidity coverage requirement provided for in Article 412(1) of the CRR. Regulation 2015/61 has been directly applicable in Cyprus since 1 October 2015, with the following transitional provisions:

  • 60% of the liquidity coverage requirement from 1 October 2015;
  • 70% from 1 January 2016;
  • 80% from 1 January 2017; and
  • 100% from 1 January 2018.

The CBC has issued a directive to banks on the computation of prudential liquidity in all currencies, which sets out, among other matters, the principles that banks should implement for the management of liquidity risk.

Leverage Ratio

The CRR requires banks to calculate their leverage ratio and report it to the CBC.

Regulation (EU) 2019/876 (which amends the CRR) has introduced a leverage ratio requirement of 3%, which has applied since 28 June 2021.

Legal Framework

The relevant provisions relating to the winding-up of banks incorporated in Cyprus are set out in Part XIII of the Banking Law and Part V of the Companies Law, and in winding-up rules issued under the Companies Law.

The recovery and resolution regime for banks is based on:

  • Regulation (EU) 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund (the Resolution Regulation); and
  • the Resolution of Credit Institutions and Investment Firms Law of 2016, Law No 22(I)/2016 (the Resolution Law), which implements the provisions of Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms.

Resolution Regime

Resolution authority

The Resolution Regulation establishes the Single Resolution Board, which is responsible for drawing up the resolution plans and adopting all decisions relating to resolution for, among others, the entities referred to in Article 2 of the Resolution Regulation (including banks established in Cyprus) that are not part of a group, and groups considered "significant" under Article 6(4) of Regulation (EU) 1024/2013.

In relation to other entities and groups (ie, those not listed in Article 7(2) of the Resolution Regulation), the CBC in its capacity as the Resolution Authority is responsible for, among other matters, adopting resolution decisions and applying resolution tools in accordance with the provisions of the Resolution Law (unless the Resolution Board decides, under the Resolution Regulation, to exercise the relevant powers in relation to any such entity or group). The Resolution Law applies to banks established in Cyprus and, subject to the conditions set out in the Resolution Law, to branches of banks of third countries established in Cyprus.

The Resolution Authority must obtain the approval of the Minister of Finance before it implements decisions that have a direct financial impact or systemic consequences.

Resolution action

The Resolution Authority takes action for the resolution of a bank only if it considers that the following conditions are met:

  • the CBC considers, after consultation with the Resolution Authority, that the bank is insolvent or is likely to become insolvent;
  • there is no reasonable prospect that any alternative private sector measures or supervisory action taken in respect of the bank would prevent the bank’s insolvency within a reasonable timeframe; and
  • a resolution action is necessary for the public interest.

Resolution Tools

The resolution tools under the Resolution Law are as follows:

  • sale of business tool;
  • bridge institution tool;
  • asset separation tool; and
  • bail-in tool.

The Resolution Authority can apply the resolution tools individually or in any combination, except that the asset separation tool can only be applied together with another resolution tool.

Sale of business tool

The Resolution Authority has the power to demand the transfer of the following to a purchaser that is not a bridge institution:

  • shares or other instruments of ownership issued by a bank under resolution; and
  • all or any assets, rights or liabilities of a bank under resolution.

A transfer made under this tool is made on commercial terms and is considered to be valid without obtaining the consent of shareholders of the bank under resolution or any third person other than the purchaser, and irrespective of any restriction imposed by law, contract or otherwise.

Bridge institution tool

The Resolution Authority can transfer the following to a bridge institution:

  • shares or other instruments of ownership issued by one or more institutions under resolution; and
  • all or any assets, rights or liabilities of one or more institutions under resolution.

A transfer made under this tool (as well as the asset separation tool) is made without obtaining the consent of the shareholders of the bank under resolution or any third person, and without complying with any procedural requirements under company or securities law. The bridge institution is a legal person wholly or partly owned by the Resolution Fund and is controlled by the Resolution Authority.

Asset separation tool

The Resolution Authority has the power to transfer the assets, rights or liabilities of a bank under resolution or a bridge institution to one or more asset management companies. An asset management company is a company wholly or partly owned by the Resolution Fund and is controlled by the Resolution Authority and manages the assets transferred to it with a view to maximising their value through eventual sale or orderly wind-down.

Bail-in tool

The Resolution Authority has the power to demand the application of the bail-in tool for any of the following purposes:

  • to recapitalise a bank to the extent sufficient to:
    1. restore its ability to comply with the conditions of its licence;
    2. continue to carry out the activities for which it is authorised; and
    3. sustain sufficient market confidence in the institution; or
  • to convert to equity or reduce the principal amount of claims or debt instruments that are transferred:
    1. to a bridge institution with a view to providing capital for that bridge institution; or
    2. under the sale of business tool or the asset separation tool.

The Resolution Law gives the Resolution Authority all the powers necessary to apply the resolution tools to banks, including the power to take control of a bank under resolution and exercise all the rights and powers conferred on the shareholders, other owners and the management body of the relevant bank.

The Resolution Regulation contains the same resolution tools as the Resolution Law, and the powers of the Resolution Board under the Resolution Regulation are similar to the powers of the Resolution Authority.

Deposits

All deposits that are eligible for the payment of compensation from the DGS are fully protected up to the maximum amount set out in the Deposit Guarantee Regulations if resolution measures are taken in relation to a bank. All other deposits rank pari passu in a bank’s resolution.

There are no upcoming regulatory developments.

Georgiades & Pelides LLC

16 Kyriakos Matsis Avenue Eagle House, 10th Floor
Agioi Omologites
1082 Nicosia
Cyprus

+ 357 22 889 000

+ 357 22 889 001

info@cypruslaw.com.cy www.cypruslaw.com.cy

Trends and Developments

Banking Regulation – 2021 CBC Directive

The Central Bank of Cyprus (the CBC) recently published the Directive on Internal Governance of Banks of 2021 (the Directive). The Directive sets out the internal governance arrangements that should be implemented by banks operating in Cyprus, to ensure the prudent and effective management thereof. It repeals and replaces the previous CBC directive on these matters (the Governance and Management Arrangements Directive of 2014) in its entirety.

The Directive is extensive and covers a very wide variety of topics; this article summarises some of the key requirements and guidance provided.

Proportionality

The Directive specifies that the internal governance framework and procedures of a bank should be proportionate to the nature, size and complexity of the risks inherent in the business model and activities of the bank. In developing their internal governance arrangements, therefore, banks must take into account a variety of factors set out in the Directive, including the bank’s business model and strategy, its organisational structure, risk appetite and risk profile, the types of customers it services and the complexity of its products and the activities it outsources.

Composition of the board of directors

The Directive sets out specific requirements regarding the role and composition of the executive body of a bank (which is most frequently its board of directors). Key points include the following:

  • all members of the board must fulfil the requirements set out in the Assessment of the Fitness of Members of the Management Body and Key Function Holders of Authorised Credit Institutions Directive of 2020 (the Fitness Directive), also published by the CBC;
  • the board must include at least seven but no more than 13 members;
  • a minimum of two board members should be executive members, but executive members should not represent more than 25% of the board;
  • members are not permitted to appoint alternates;
  • no person can concurrently act as a board member and as the head of an internal control function of the bank;
  • all board members must be put up for re-election at the bank’s annual general meeting every three years following their appointment date; and
  • the bank must define a maximum number of terms a board member may serve (which, in the case of the chairman of the board and the heads of board committees, cannot exceed six years in total, whether consecutive or not).

The Directive also requires banks to provide their shareholders with adequate information regarding their board members. The composition, performance and effectiveness of the board must also be assessed by an external adviser at least once every three years.

Meetings of the board of directors

The Directive sets out several requirements relating to meetings of the bank’s board of directors, including:

  • at least half the members of each meeting should be physically present at the meeting, and at least one meeting a year should be held where all directors are physically present;
  • the non-executive board members must regularly meet without the executive members, and at least once a year must meet without the presence of the chairman (so that they may assess the chairman’s performance);
  • board members cannot be absent for more than two consecutive meetings, or 25% of all meetings, in each year;
  • each member may utilise proxy voting once a year;
  • persons who have been nominated to the board but have not yet received the regulator’s approval should not participate in meetings (as observers or otherwise); and
  • detailed minutes should be kept and finalised within 15 working days of each meeting.

Committees

The Directive specifies that each bank must form at least the following committees:

  • a risk committee, which evaluates and monitors the independence, adequacy and effectiveness of the risk management and information and communications technology (ICT) and security risk management functions;
  • a candidate selection committee, which evaluates the size, composition and performance of the board of directors, and is responsible for succession planning and evaluating the policies applicable to the appointment and development of staff (including senior management);
  • a remuneration committee, which evaluates the bank’s remuneration policies and makes remuneration decisions and recommendations to the board; and
  • an audit committee, which monitors the bank’s internal audit controls, evaluates the independence and adequacy of the internal audit control function, and selects and supervises the activities of external auditors.

Each committee must have at least three members, and more than 50% of the members of each committee must be independent (and all committee members must be non-executive members). Board members cannot participate in more than two committees. Specific additional requirements are applicable to the heads of the committees, and to banks that are categorised as Global Systemically Important Institutions or Other Systemically Important Institutions.

Senior management

The Directive defines the key responsibilities of senior management as including the following:

  • assigning responsibilities to staff;
  • establishing an organisational structure and hierarchy that promote accountability and transparency;
  • implementing an effective fundraising, liquidity and budgeting programme; and
  • implementing an appropriate risk management framework.

Banks must ensure they have sufficient numbers of senior management, and must ensure the adequate physical presence of such senior management. The individuals heading up the internal control system functions must be senior managers.

Remuneration

The Directive requires banks to implement a coherent remuneration policy (reassessed at least annually) that promotes prudent and effective risk management and discourages excessive risk-taking. The Directive includes the following specific requirements with respect to variable remuneration:

  • caps on the proportion of variable to fixed remuneration (which may, in certain circumstances, be increased with the consent of the bank’s shareholders, but a person’s variable remuneration may not in any circumstances exceed 100% of that person’s fixed remuneration);
  • a requirement for a minimum percentage of variable remuneration to be (i) provided in the form of shares or instruments linked to shares and (ii) deferred for a period of four to five years (increased to a minimum of five years for board members and senior management of significant banks); and
  • guaranteed variable remuneration must only be granted on an exceptional basis, only to new hires and only in respect of their first year of employment.

Banks must ensure that their shareholders are kept informed of the total remuneration paid to senior management.

Outsourcing

Banks must have a written outsourcing policy that is examined and refreshed at regular intervals and takes account of the impact of outsourcing on the bank’s business activities. It must detail the steps to be taken at each stage of the outsourcing process (from initial conception to the conclusion of the outsourcing agreement). The policy should also capture internal outsourcing, meaning services provided by distinct legal entities within the bank’s group.

A member of staff must be designated as the outsourcing officer; this person will be regarded as a key function holder.

Banks must maintain an up-to-date register of all outsourcing agreements, which must be made available to the CBC on request. The outsourcing of critical functions is subject to pre-approval by the CBC, and banks should not outsource a critical function where the CBC has either opposed such outsourcing or requested that corrective measures be taken with respect to the proposed outsourcing (in this case, prior to receiving confirmation from the CBC that it is satisfied with the corrective measures taken). “Critical functions” are defined by reference to the applicable European Banking Authority (EBA) guidelines, and are also defined as including the management of the core information systems of the bank. The outsourcing of non-critical functions must be notified to the CBC in a report submitted on a yearly basis, but does not require the CBC’s pre-approval.

Conflicts of interest

Banks must introduce appropriate measures for the management and prevention of conflicts of interest, which should include appropriate division of responsibilities and the introduction of information barriers. A bank’s conflicts policy must capture a variety of conflicts, ranging from conflicts resulting from economic interests to conflicts resulting from personal or professional relationships (with shareholders, suppliers and staff) and political relationships or influence.

Specific measures cited by the Directive include:

  • establishing appropriate procedures for related party transactions;
  • prohibiting members of the board of directors from holding positions on boards of competing banks; and
  • ensuring that key function holders and their related parties do not hold non-performing loans.

Reporting and whistle-blowing

Banks must maintain appropriate avenues for staff to report actual or potential infringements of regulatory or internal requirements, as well as whistle-blowing, and must ensure that staff are adequately protected from any negative consequences that could arise from reporting/whistle-blowing. The Directive also makes it clear that staff may approach the regulator directly where they have reason to believe that internal reporting mechanisms may not be effective.

Internal control framework

The Directive specifies four main functions that must be included within a bank’s internal control framework:

  • a risk management function, which must be actively involved in the development of the bank’s risk strategy and in all major risk management decisions, and tasked with ensuring the application of effective risk management procedures;
  • a regulatory compliance function, which monitors compliance with, and changes to, legal, regulatory and business requirements applicable to the bank, ensures that new products and procedures are compliant with the applicable legal framework, and ensures that staff are fully aware of applicable requirements;
  • an ICT and security risk management function; and
  • an internal control function, which is independent of the other internal control framework functions and is tasked with assessing whether all of the bank’s activities comply with the bank’s policies and procedures as well as external requirements. This includes assessment of the effectiveness and efficiency of the internal control framework by conducting regular and specialised assessments.

The heads of the four functions must report and be accountable directly to the board of directors, and their performance must also be evaluated by the board. They must also each submit an annual report to the board regarding the main developments applicable to each of their functions, as well as regularly reporting to the related committees of the board (for example, the risk and compliance committees).

In accordance with the Fitness Directive, banks must notify the regulator immediately where the head of one of the functions listed above is appointed or removed.

Breaches of applicable law and/or the Directive must be notified to the regulator within one month of the date they are discovered. Within two months of the same date, the corrective measures taken by the bank to address such instances of non-compliance must also be shared with the regulator.

The internal control framework must be assessed by an external auditor (who is not the regular auditor of the bank) at least once every three years. The scope of the assessment must be submitted to the regulator in advance, and the same auditors may not conduct more than two such consecutive assessments.

Reporting to the CBC

In addition to the various reporting required in specific circumstances and highlighted above, the following regular reporting to the CBC is mandated by the Directive:

  • the final minutes of any meetings of the board of directors, the risk committee and the audit committee must be submitted to the CBC within one month of the relevant meeting;
  • the annual reports provided by the heads of the four internal control framework functions (see Internal control framework, above) must be submitted within three months of the end of each year;
  • an assessment of the performance of the board of directors, its committees and individual members, prepared by the board of directors, must be submitted within three months of the end of the year;
  • a report on information security must be submitted within two months of the end of the reference period;
  • a report of the outsourcing officer;
  • within a reasonable timeframe and in consultation with the regulator, the external assessments of the internal control framework functions and the composition, effectiveness and efficiency of the board of directors and the committees (see Composition of the board of directors and Internal control framework, above); and
  • by 30 June of each year:
    1. the templates in Schedules 1–3 of the EBA guidelines on the remuneration benchmarking exercise of 2014; and
    2. the templates in Schedule 1 of the EBA Guidelines on the data collection exercise regarding high earners of 2014.