The main legislation governing the banking sector in Cyprus is the Business of Credit Institutions Law of 1997, Law No 66(I)/1997 (as amended) (the Banking Law). The Banking Law deals with the licensing, ownership and membership of banks as well as their winding up, among other matters.
A number of directives have been issued by the Central Bank of Cyprus (the CBC) pursuant to the provisions of the Banking Law, including the Assessment of the Fitness of the Members of the Management Body and Key Function Holders of Authorised Credit Institutions Directive of 2020 (the Fitness Directive) and the Directive on Internal Governance of Credit Institutions of 2021 (the Governance Directive).
There are also various EU regulations relevant to the banking sector that have direct effect in Cyprus, including Regulation (EU) 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (the CRR) and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (Regulation 1024/2013).
The provision of payment services and electronic money services is regulated separately by the Law on the Provision and Use of Payment Services and Access to Payment Systems, Law No 31(I)/2018 (as amended) (the Payment Services Law) and the Law on Electronic Money, Law No 81(I)/2012 (as amended).
The regulators responsible for supervising banks in Cyprus are the European Central Bank (the ECB) and the CBC.
Requirement for a Licence
Subject to what is stated in the next paragraph, a bank must obtain a banking licence from the CBC before it commences its activities in Cyprus or its activities abroad from Cyprus.
A bank authorised and supervised by the competent authorities of another European Economic Area country (an EEA State) can carry out the activities listed in Annex IV to the Banking Law in Cyprus (see below) without the need for a licence from the CBC, provided these activities are covered by its licence and that it complies with the relevant notification requirements to the CBC. Such a bank can operate in Cyprus through either the establishment of a branch or the provision of cross-border services.
Activities and Services Covered
The activities and services covered by a banking licence include:
The Banking Law prohibits banks from carrying out any commercial activity that is not one of the activities set out in Annex IV to the Banking Law, unless the activity constitutes an ancillary services undertaking (as defined in Article 4(1)(18) of the CRR).
Conditions for Authorisation
A banking licence is only granted to a legal person established in Cyprus under the Companies Law, Cap. 113 (as amended) (the Companies Law) or to a credit institution established and authorised in a country other than an EEA State (a third country) under corresponding legislation of that country in order to operate in Cyprus through a branch.
The conditions for granting a banking licence include the following:
Procedure for Applying for Authorisation
The application for a banking licence must be made in writing by or on behalf of the applicant to the CBC. No application fee is payable.
The application form must be accompanied by the following, among others:
The CBC can require further information and/or documents.
The CBC rejects the application if the applicant does not comply with the conditions for authorisation under national law. If the applicant complies with such conditions, the CBC must propose granting the authorisation but the ultimate decision is made by the ECB (Regulation 1024/2013).
If the CBC rejects the application, it must notify the applicant of its decision and the reasons for it within six months of receiving the application or, where the application is incomplete, within six months of receiving all the information required for the decision. Any decision by the CBC must be issued within 12 months of receiving the application.
If the CBC recommends the ECB grant the authorisation, the draft decision of the CBC is deemed to be adopted unless the ECB objects within a maximum period of ten working days, extendable once for the same period in duly justified cases. The ECB can object to the draft decision only where the conditions for authorisation set out in relevant EU law are not met. The ECB must state the reasons for the rejection in writing.
Requirements for Acquiring or Increasing Control over a Bank
Under the Banking Law, anyone who individually or in concert with others decides either to acquire, directly or indirectly, a qualifying holding in a bank established in Cyprus or to increase, directly or indirectly, such a qualifying holding, as a result of which the proportion of the voting rights or of the capital held by such person would reach or exceed 20%, 30% or 50% or so that the bank would become its subsidiary, must give prior written notice to the CBC, setting out the size of the intended holding and other information required under the Banking Law. "Qualifying holding" is defined in the CRR as a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights, or that makes it possible to exercise a significant influence over the management of that undertaking.
From the date it acknowledges receipt of the notification and all documents required to be attached to the notification, the CBC has a maximum of 60 working days to assess the suitability of the prospective acquirer and the financial soundness of the proposed acquisition. The CBC takes the following criteria into account in making such assessment, among others:
Other Reporting Requirements
The Banking Law requires banks incorporated in Cyprus to inform the CBC upon becoming aware of any acquisitions of qualifying holdings in their capital that increase the thresholds referred to above.
In addition, under the Transparency Requirements (Securities Admitted to Trading on a Regulated Market) Law of 2007, Law No 190(I)/2007 (as amended), a person who acquires shares in a bank admitted to trading on a regulated market that carry the right to vote must, within the required time period, notify the bank and the Cyprus Securities and Exchange Commission (CySec) of the percentage of their voting rights if such percentage reaches or exceeds 5%, 10%, 15%, 20%, 25%, 30%, 50% or 75% of the total voting rights of the bank as a result of the acquisition. The bank must notify the CySec and the Cyprus Stock Exchange (in its capacity as the national Mechanism for the Central Storage of Regulated Information) and publish the information on its website.
The Business of Insurance and Reinsurance and Other Related Matters Law of 2016, Law No 38(I)/2016 (as amended) imposes additional reporting requirements if the bank concerned holds shares in an insurance undertaking.
Law and Regulation
The main sources of a bank's corporate governance requirements are as follows:
In addition, the articles of association of a bank incorporated in Cyprus regulate (subject to the provisions of the Companies Law) matters such as shareholders' and directors' meetings, the powers of the directors and transfers of shares.
The Banking Law requires each bank to have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, and effective processes to identify, manage, monitor and report the risks to which it is or may be exposed, as well as adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices that are consistent with and promote sound and effective risk management.
Such arrangements, processes and mechanisms must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the bank's business model and activities.
The Governance Directive requires that, inter alia:
Senior managers must be sufficient in number and have the necessary know-how to manage the bank's operations.
Assessment Procedure and Criteria
The procedure and criteria that banks should take into account in assessing the fitness of candidates for the management body and key function holders are set out in the Fitness Directive, which requires that the assessment of the fitness of members of the management body and key function holders is carried out before their appointment.
In particular, a bank must assess whether the candidate:
The bank must provide the CBC with the results of the assessment and, where the bank is a significant supervised entity, the CBC provides the results to the ECB. The relevant candidate is only appointed with the consent of the CBC or, in the case of significant supervised entities, with the consent of the ECB.
Roles of Management Body and Senior Management
According to the Governance Directive, the management body has the primary responsibility for internal governance. It must define, supervise and be accountable for the implementation of governance arrangements that ensure effective and prudent management of the bank, including the segregation of duties and the prevention of conflicts of interest. Such arrangements must comply with the following principles:
Among other things, banks are also required to:
The management body of a bank is responsible for supervising senior management. It must establish appropriate policies, practices and procedures to ensure that senior management carries out its duties and responsibilities in accordance with the relevant provisions of the Governance Directive.
The chief executive and other senior managers are responsible for directing and overseeing the effective management of the bank within the authority delegated to them by the management body, and in compliance with the applicable laws and regulations.
Senior management is responsible for the following, among other matters:
The Governance Directive requires every bank to have remuneration policies and practices (including in respect of the salaries and discretionary pension benefits of, among others, senior managers, staff engaged in internal controls and risk takers) that are consistent with, and promote, sound and effective risk management.
The rules on remuneration policies include the following:
A breach of the provisions of the Governance Directive may lead to the imposition of administrative sanctions and measures by the CBC. It is also a criminal offence punishable with a fine and/or imprisonment.
The main piece of legislation dealing with the prevention of money laundering and terrorist financing is the Law on the Prevention and Suppression of the Legalisation of Proceeds from Illegal Activities, Law No 188(I)/2007 (as amended) (the AML Law). As the supervisory authority for banks under the AML Law, the CBC has issued the directive on the prevention of money laundering and terrorist financing (the AML Directive).
Procedures to Prevent Money Laundering and Terrorist Financing
Article 58 of the AML Law requires banks (among other persons) to implement adequate and appropriate policies, controls and procedures, proportionate to their nature and size, in order to mitigate and manage effectively the risks related to money laundering and terrorist financing, in connection with the following:
The AML Law requires banks to appoint a member of the board of directors to be responsible for the implementation of the provisions of the AML Law, any directives, circulars and regulations issued under the AML Law and any relevant acts of the European Union. The AML Law also requires the establishment, in certain cases, of an independent internal audit function, which will be responsible for verifying that the bank implements the policies, controls and procedures required under the AML Law.
As the supervisory authority for banks under the AML Law, the CBC evaluates and supervises the implementation by banks of the provisions of the AML Law and directives issued by the CBC under the AML Law. If a bank fails to comply with the provisions of the AML Law, the provisions of any directive issued by the CBC under the AML Law or the provisions of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006, the CBC may take any or all of the measures set out in the AML Law, which include the following:
Deposit Guarantee and Resolution of Credit and Other Institutions Scheme (DGS)
The DGS was established and has been operating in Cyprus since 2000. The relevant legal framework consists of the Guarantee of Deposits and Resolution of Credit and Other Institutions Law of 2016, Law No 5(I)/2016 (as amended) and regulations issued thereunder. The DGS constitutes a separate legal public entity and consists of the deposits of credit institutions guarantee fund (the Deposits Guarantee Fund) and the resolution of credit and other institutions fund (the Resolution Fund).
A management committee (the Committee) has been established to serve the purposes of and manage the Deposits Guarantee Fund and the Resolution Fund. The Committee consists of five members. The chairman is the governor of the CBC and the remaining four members are staff from the Ministry of Finance and the CBC (appointed by a decision of the governor of the CBC for a term of five years, which may be extended for a maximum period of three months).
The purposes of the DGS are to compensate the depositors of banks that pay contributions to the Deposits Guarantee Fund if a bank becomes unable to repay its deposits, and to fund the implementation of resolution measures.
All deposits (other than deposits excluded by the Deposit Guarantee and Resolution of Credit and Other Institutions Scheme Regulations of 2016 (as amended) – the Deposit Guarantee Regulations), in euro or other currency, held in banks and branches of a bank that operate abroad but pay a contribution to the Deposits Guarantee Fund (including accrued interest until the maturity date of the deposit or the date the deposit became unavailable, whichever occurred first) are eligible for compensation from the DGS.
The following categories of deposits are excluded by the Deposit Guarantee Regulations from the payment of any compensation from the DGS:
Amount of Compensation
Subject to what is stated below, the maximum amount of compensation for each depositor per bank is EUR100,000. This limit applies to the aggregate deposits held with a particular bank.
Deposits resulting from real estate transactions relating to private residential properties and deposits that serve social purposes are covered up to EUR300,000, in addition to the amount of EUR100,000 referred to above, for a maximum period of 12 months from the date on which the amount was credited or the date on which it can be legally transferred to the beneficiary, whichever is earlier.
When calculating the amount of compensation payable to a depositor, the deposits are set-off with all kinds of counterclaims the bank has against the depositor, provided and to the extent that these have become due before or on the date on which the deposits became unavailable, and provided further that such set-off is permitted in accordance with the statutory and contractual provisions that govern the contract between the bank and the depositor.
Funding of the DGS
Membership in the DGS is obligatory for all banks licensed in Cyprus, including branches of Cypriot banks that operate in other Member States. The Committee may, in its discretion and subject to the provisions of the Deposit Guarantee Regulations, exclude from membership in the DGS a branch of a Cypriot bank that operates in a country other than a Member State and a branch of a bank that operates in Cyprus but whose head office is outside the European Union.
The DGS is primarily funded from contributions from its members. Every bank that receives a licence in Cyprus must pay an initial contribution to the Deposit Guarantee Fund (currently amounting to EUR50,000) and then an annual contribution (calculated based on the covered deposits and the risk profile of each member).
In cases where the available financial means of the DGS are insufficient to repay depositors when deposits become unavailable, the members are also required to pay extraordinary contributions not exceeding 0.5% of their covered deposits per calendar year. Higher contributions may be required in exceptional circumstances.
The DGS is also allowed to obtain financing from loans or other means of support from third parties, and from the liquidation of assets or investments.
Statutory Duty of Confidence
Under the Banking Law, members of the management body, chief executives, managers, officers, employees and agents of a bank – as well as persons who have access to the records of a bank by any means – are prohibited from providing, communicating, revealing or using for their own benefit any information whatsoever regarding the account of any particular customer of the bank, either during their employment or professional relationship with the bank or after its termination.
The Banking Law contains an extensive list of exceptions to the above prohibition, including the following:
A breach of the relevant provisions of the Banking Law may lead to the imposition of administrative sanctions and measures by the CBC. It is also a criminal offence punishable with a fine and/or imprisonment.
Contractual and Other Duties of Confidence
It is an implied term of the contract between a banker and their customer that the bank will not divulge to third persons the state of the customer's account, any of the customer's transactions with the bank, or any information relating to the customer acquired through the keeping of their account. There are four exceptions to this duty:
The duty of confidence arises once the relationship of banker and customer is established. It does not cease when the customer closes his or her account, nor presumably after the customer’s death.
Breach of the duty of confidence gives rise to a claim for damages.
Banks also have a common law equitable duty of confidence.
Implementation of Basel III
The Basel III standards developed by the Basel Committee on Banking Supervision have been implemented by the CRR (which is directly applicable in Cyprus) and Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD IV), which has been implemented in Cyprus by statute.
The Banking Law requires each bank to have effective processes to identify, manage, monitor and report the risks to which it is or may be exposed and adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices, that are consistent with and promote sound and effective risk management.
Banks incorporated in Cyprus are also required to have sound, effective and comprehensive strategies and processes to assess and maintain on a continuous basis the amounts, composition and distribution of internal capital that they consider adequate to cover the nature and level of the risks to which they are or may be exposed.
The Governance Directive sets out the following risk management rules for banks, among others:
Risk committee and risk management function
Banks are required to establish a risk committee and a risk management function. The duties of the risk committee include:
The risk management function must be independent of the business and support units it monitors and controls, and must have the right to report its findings and assessments directly to the management body and the relevant committees, independent from senior management through clear reporting lines. It must:
The capital adequacy framework for banks in Cyprus consists of the CRR, the CRD IV and Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (as these are implemented in Cyprus) which, among others, require banks to satisfy the following own funds requirements at all times:
Systemically important banks are required to maintain an additional capital buffer.
In addition to meeting the general liquidity coverage requirement imposed under Article 412(1) of the CRR, banks must ensure that long-term assets and off-balance-sheet items are adequately met with a diverse set of funding instruments that are stable under both normal and stressed conditions.
The Commission Delegated Regulation (EU) 2015/61 of 10 October 2014 to supplement Regulation (EU) No 575/2013 of the European Parliament and the Council with regard to liquidity coverage requirement for Credit Institutions (Regulation 2015/61) sets out rules specifying in detail the liquidity coverage requirement provided for in Article 412(1) of the CRR. Regulation 2015/61 has been directly applicable in Cyprus since 1 October 2015, with the following transitional provisions:
The CBC has issued a directive to banks on the computation of prudential liquidity in all currencies, which sets out, among other matters, the principles that banks should implement for the management of liquidity risk.
The CRR requires banks to calculate their leverage ratio and report it to the CBC.
Regulation (EU) 2019/876 (which amends the CRR) has introduced a leverage ratio requirement of 3%, which has applied since 28 June 2021.
The relevant provisions relating to the winding-up of banks incorporated in Cyprus are set out in Part XIII of the Banking Law and Part V of the Companies Law, and in winding-up rules issued under the Companies Law.
The recovery and resolution regime for banks is based on:
The Resolution Regulation establishes the Single Resolution Board, which is responsible for drawing up the resolution plans and adopting all decisions relating to resolution for, among others, the entities referred to in Article 2 of the Resolution Regulation (including banks established in Cyprus) that are not part of a group, and groups considered "significant" under Article 6(4) of Regulation (EU) 1024/2013.
In relation to other entities and groups (ie, those not listed in Article 7(2) of the Resolution Regulation), the CBC in its capacity as the Resolution Authority is responsible for, among other matters, adopting resolution decisions and applying resolution tools in accordance with the provisions of the Resolution Law (unless the Resolution Board decides, under the Resolution Regulation, to exercise the relevant powers in relation to any such entity or group). The Resolution Law applies to banks established in Cyprus and, subject to the conditions set out in the Resolution Law, to branches of banks of third countries established in Cyprus.
The Resolution Authority must obtain the approval of the Minister of Finance before it implements decisions that have a direct financial impact or systemic consequences.
The Resolution Authority takes action for the resolution of a bank only if it considers that the following conditions are met:
The resolution tools under the Resolution Law are as follows:
The Resolution Authority can apply the resolution tools individually or in any combination, except that the asset separation tool can only be applied together with another resolution tool.
Sale of business tool
The Resolution Authority has the power to demand the transfer of the following to a purchaser that is not a bridge institution:
A transfer made under this tool is made on commercial terms and is considered to be valid without obtaining the consent of shareholders of the bank under resolution or any third person other than the purchaser, and irrespective of any restriction imposed by law, contract or otherwise.
Bridge institution tool
The Resolution Authority can transfer the following to a bridge institution:
A transfer made under this tool (as well as the asset separation tool) is made without obtaining the consent of the shareholders of the bank under resolution or any third person, and without complying with any procedural requirements under company or securities law. The bridge institution is a legal person wholly or partly owned by the Resolution Fund and is controlled by the Resolution Authority.
Asset separation tool
The Resolution Authority has the power to transfer the assets, rights or liabilities of a bank under resolution or a bridge institution to one or more asset management companies. An asset management company is a company wholly or partly owned by the Resolution Fund and is controlled by the Resolution Authority and manages the assets transferred to it with a view to maximising their value through eventual sale or orderly wind-down.
The Resolution Authority has the power to demand the application of the bail-in tool for any of the following purposes:
The Resolution Law gives the Resolution Authority all the powers necessary to apply the resolution tools to banks, including the power to take control of a bank under resolution and exercise all the rights and powers conferred on the shareholders, other owners and the management body of the relevant bank.
The Resolution Regulation contains the same resolution tools as the Resolution Law, and the powers of the Resolution Board under the Resolution Regulation are similar to the powers of the Resolution Authority.
All deposits that are eligible for the payment of compensation from the DGS are fully protected up to the maximum amount set out in the Deposit Guarantee Regulations if resolution measures are taken in relation to a bank. All other deposits rank pari passu in a bank’s resolution.
There are no upcoming regulatory developments.
Banking Regulation – 2021 CBC Directive
The Central Bank of Cyprus (the CBC) recently published the Directive on Internal Governance of Banks of 2021 (the Directive). The Directive sets out the internal governance arrangements that should be implemented by banks operating in Cyprus, to ensure the prudent and effective management thereof. It repeals and replaces the previous CBC directive on these matters (the Governance and Management Arrangements Directive of 2014) in its entirety.
The Directive is extensive and covers a very wide variety of topics; this article summarises some of the key requirements and guidance provided.
The Directive specifies that the internal governance framework and procedures of a bank should be proportionate to the nature, size and complexity of the risks inherent in the business model and activities of the bank. In developing their internal governance arrangements, therefore, banks must take into account a variety of factors set out in the Directive, including the bank’s business model and strategy, its organisational structure, risk appetite and risk profile, the types of customers it services and the complexity of its products and the activities it outsources.
Composition of the board of directors
The Directive sets out specific requirements regarding the role and composition of the executive body of a bank (which is most frequently its board of directors). Key points include the following:
The Directive also requires banks to provide their shareholders with adequate information regarding their board members. The composition, performance and effectiveness of the board must also be assessed by an external adviser at least once every three years.
Meetings of the board of directors
The Directive sets out several requirements relating to meetings of the bank’s board of directors, including:
The Directive specifies that each bank must form at least the following committees:
Each committee must have at least three members, and more than 50% of the members of each committee must be independent (and all committee members must be non-executive members). Board members cannot participate in more than two committees. Specific additional requirements are applicable to the heads of the committees, and to banks that are categorised as Global Systemically Important Institutions or Other Systemically Important Institutions.
The Directive defines the key responsibilities of senior management as including the following:
Banks must ensure they have sufficient numbers of senior management, and must ensure the adequate physical presence of such senior management. The individuals heading up the internal control system functions must be senior managers.
The Directive requires banks to implement a coherent remuneration policy (reassessed at least annually) that promotes prudent and effective risk management and discourages excessive risk-taking. The Directive includes the following specific requirements with respect to variable remuneration:
Banks must ensure that their shareholders are kept informed of the total remuneration paid to senior management.
Banks must have a written outsourcing policy that is examined and refreshed at regular intervals and takes account of the impact of outsourcing on the bank’s business activities. It must detail the steps to be taken at each stage of the outsourcing process (from initial conception to the conclusion of the outsourcing agreement). The policy should also capture internal outsourcing, meaning services provided by distinct legal entities within the bank’s group.
A member of staff must be designated as the outsourcing officer; this person will be regarded as a key function holder.
Banks must maintain an up-to-date register of all outsourcing agreements, which must be made available to the CBC on request. The outsourcing of critical functions is subject to pre-approval by the CBC, and banks should not outsource a critical function where the CBC has either opposed such outsourcing or requested that corrective measures be taken with respect to the proposed outsourcing (in this case, prior to receiving confirmation from the CBC that it is satisfied with the corrective measures taken). “Critical functions” are defined by reference to the applicable European Banking Authority (EBA) guidelines, and are also defined as including the management of the core information systems of the bank. The outsourcing of non-critical functions must be notified to the CBC in a report submitted on a yearly basis, but does not require the CBC’s pre-approval.
Conflicts of interest
Banks must introduce appropriate measures for the management and prevention of conflicts of interest, which should include appropriate division of responsibilities and the introduction of information barriers. A bank’s conflicts policy must capture a variety of conflicts, ranging from conflicts resulting from economic interests to conflicts resulting from personal or professional relationships (with shareholders, suppliers and staff) and political relationships or influence.
Specific measures cited by the Directive include:
Reporting and whistle-blowing
Banks must maintain appropriate avenues for staff to report actual or potential infringements of regulatory or internal requirements, as well as whistle-blowing, and must ensure that staff are adequately protected from any negative consequences that could arise from reporting/whistle-blowing. The Directive also makes it clear that staff may approach the regulator directly where they have reason to believe that internal reporting mechanisms may not be effective.
Internal control framework
The Directive specifies four main functions that must be included within a bank’s internal control framework:
The heads of the four functions must report and be accountable directly to the board of directors, and their performance must also be evaluated by the board. They must also each submit an annual report to the board regarding the main developments applicable to each of their functions, as well as regularly reporting to the related committees of the board (for example, the risk and compliance committees).
In accordance with the Fitness Directive, banks must notify the regulator immediately where the head of one of the functions listed above is appointed or removed.
Breaches of applicable law and/or the Directive must be notified to the regulator within one month of the date they are discovered. Within two months of the same date, the corrective measures taken by the bank to address such instances of non-compliance must also be shared with the regulator.
The internal control framework must be assessed by an external auditor (who is not the regular auditor of the bank) at least once every three years. The scope of the assessment must be submitted to the regulator in advance, and the same auditors may not conduct more than two such consecutive assessments.
Reporting to the CBC
In addition to the various reporting required in specific circumstances and highlighted above, the following regular reporting to the CBC is mandated by the Directive: