The main legislation governing the banking sector in Cyprus is the Business of Credit Institutions Law of 1997, Law No 66(I)/1997 (as amended) (the “Banking Law”). The Banking Law deals with the licensing, ownership and membership of banks as well as their winding up, among other matters.

A number of directives have been issued by the Central Bank of Cyprus (CBC) pursuant to the provisions of the Banking Law, including the Assessment of the Fitness of the Members of the Management Body and Key Function Holders of Authorised Credit Institutions Directives of 2020 and 2022 (the “Fitness Directive”) and the Internal Governance of Credit Institutions Directives of 2021 and 2023 (the ”Governance Directives”).

There are also various EU regulations relevant to the banking sector that have direct effect in Cyprus, including Regulation (EU) 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (as amended) (CRR), and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (“Regulation 1024/2013”).

The provision of payment services and electronic money services is regulated separately by the Law on the Provision and Use of Payment Services and Access to Payment Systems, Law No 31(I)/2018 (as amended) and the Law on Electronic Money, Law No 81(I)/2012 (as amended).

The regulators responsible for supervising banks in Cyprus are the European Central Bank (ECB) and the CBC.

Subject to the requirements outlined in 3.1 Requirements for Acquiring or Increasing Control over a Bank, a bank must obtain a banking licence from the CBC before it commences its activities in Cyprus or its activities abroad from Cyprus.

A bank authorised and supervised by the competent authorities of another European Economic Area country (an “EEA State”) can carry out the activities listed in Annex IV to the Banking Law in Cyprus (see below) without the need for a licence from the CBC, provided these activities are covered by its licence and that it complies with certain notification requirements to the CBC. Such a bank can operate in Cyprus through either the establishment of a branch or the provision of cross-border services.

Activities and Services Covered

The activities and services covered by a banking licence include, among others:

• taking deposits and other repayable funds;
• lending;
• financial leasing;
• payment services; and
• trading for own account or for customers in money market instruments, financial futures and options, among others.

Subject to certain exceptions, the Banking Law prohibits banks from carrying out any commercial activity that is not one of the activities set out in Annex IV to the Banking Law, unless the activity constitutes an ancillary services undertaking (as defined in Article 4(1)(18) of the CRR). There are also restrictions applicable to a bank’s ability to hold real estate.

Conditions for Authorisation

A banking licence is only granted to a legal person established in Cyprus under the Companies Law, Cap. 113 (as amended) (the “Companies Law”) or to a credit institution established and authorised in a country other than an EEA State (a third country) under corresponding legislation of that country in order to operate in Cyprus through a branch.

The conditions for granting a banking licence include the following:

• the initial capital of the applicant must be comprised of one or more of the items referred to in Article 26(1)(a)-(e) of the CRR, and must be equal to or exceed EUR5 million;
• at least two persons must effectively direct the activities of the applicant;
• the members of the management body must be of good repute, have adequate knowledge, qualifications and experience, and meet the requirements specified in the Fitness Directive;
• the total composition of the management body must reflect a sufficiently wide range of expertise; and
• the applicant must inform the CBC of the identity of its shareholders or members, direct or indirect, that have qualifying holdings (as defined in the CRR) and of the percentage of those holdings or, if there are no qualifying holdings, of the 20 largest shareholders or members; the CBC will refuse to grant the licence if it is not satisfied as to the suitability of the members or shareholders.

Procedure for Applying for Authorisation

Application form

The application for a banking licence must be made in writing by or on behalf of the applicant to the CBC. The CBC may require applicants to reimburse the CBC for costs associated with the examination of their application.

The application form must be accompanied by the following, among others:

• questionnaires set out in the policy statement on the licensing of banks in the Republic of Cyprus issued by the CBC; the questionnaires can be found on the CBC’s website at www.centralbank.cy;
• memorandum and articles of association or any other incorporation document, or a document determining the establishment of a legal person; and
• a business plan that describes the types of activities envisaged and the organisational structure of the applicant.

The CBC can require further information and/or documents.

Timeline

The CBC rejects the application if the applicant does not comply with the conditions for authorisation under national law. If the applicant complies with such conditions, the CBC must propose granting the authorisation but the ultimate decision is made by the ECB (Regulation 1024/2013).

If the CBC rejects the application, it must notify the applicant of its decision and the reasons for it within six months of receiving the application or, where the application is incomplete, within six months of receiving all the information required for the decision. Any decision by the CBC must be issued within 12 months of receiving the application.

If the CBC recommends the ECB grant the authorisation, the draft decision of the CBC is deemed to be adopted unless the ECB objects within a maximum period of ten working days, extendable once for the same period in duly justified cases. The ECB can object to the draft decision only where the conditions for authorisation set out in relevant EU law are not met. The ECB must state the reasons for the rejection in writing.

Branches

Banks established in Cyprus cannot maintain a branch or representative office outside Cyprus without the prior approval of the CBC. Banks established outside Cyprus may not maintain a representative office in Cyprus without the prior approval of the CBC. In each case, the approval may be issued subject to any conditions deemed appropriate by the CBC.

Qualifying Holding

Under the Banking Law, anyone who individually or in concert with others decides either to acquire, directly or indirectly, a qualifying holding in a bank established in Cyprus or to increase, directly or indirectly, such a qualifying holding, as a result of which the proportion of the voting rights or of the capital held by such person would reach or exceed 20%, 30% or 50% or so that the bank would become its subsidiary, must give prior written notice to the CBC, setting out the size of the intended holding and other information required under the Banking Law. “Qualifying holding” is defined in the CRR as a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights of such undertaking, or that makes it possible to exercise a significant influence over the management of that undertaking.

Assessment Criteria

From the date it acknowledges receipt of the notification and all documents required to be attached to the notification, the CBC has a maximum of 60 working days to assess the suitability of the prospective acquirer and the financial soundness of the proposed acquisition. The CBC takes the following criteria into account in making such assessment, among others:

• the reputation of the proposed acquirer;
• the reputation, knowledge, competencies and experience (as defined in the Fitness Directive) of any member of the management body who will direct the business of the bank as a result of the proposed acquisition;
• the financial soundness of the proposed acquirer;
• the bank’s (continued) ability to comply with the supervisory requirements of the Banking Law and the CRR; and
• whether there are reasonable grounds to suspect that, in connection with the proposed acquisition, money laundering or terrorist financing is being committed or attempted or has been committed or attempted, or that the proposed acquisition could increase the risk thereof.

Other Reporting Requirements

The Banking Law requires banks incorporated in Cyprus to inform the CBC upon becoming aware of any acquisitions of qualifying holdings in their capital that increase the thresholds referred to above. Additionally, persons who intend to directly or indirectly dispose of a qualifying holding, or to reduce a qualifying holding below the thresholds referred to above, in a bank established in Cyprus, must provide advance notice to the CBC.

Banks whose shares are admitted to trading on a regulated market must inform the CBC, at least on an annual basis, of the names of their members who hold a qualifying holding and their shareholding percentages. Additionally, information regarding the ultimate beneficial ownership of every shareholder holding 5% or more of a bank must be submitted to the CBC.

In addition, under the Transparency Requirements (Securities Admitted to Trading on a Regulated Market) Law of 2007, Law No 190(I)/2007 (as amended), a person who acquires or disposes of shares in a bank admitted to trading on a regulated market that carry the right to vote must, within the required time period, notify the bank and the Cyprus Securities and Exchange Commission (“CySEC”) of the percentage of their voting rights if such percentage reaches or exceeds (or, in the case of a disposal, falls below) 5%, 10%, 15%, 20%, 25%, 30%, 50% or 75% of the total voting rights of the bank as a result of the acquisition. The bank must notify the CySEC and the Cyprus Stock Exchange (in its capacity as the national Mechanism for the Central Storage of Regulated Information) and publish the information on its website.

The Business of Insurance and Reinsurance and Other Related Matters Law of 2016, Law No 38(I)/2016 (as amended) imposes additional reporting requirements if the bank concerned holds shares in an insurance undertaking.

Law and Regulation

The main sources of a bank’s corporate governance requirements are as follows:

• the Banking Law and directives issued by the CBC under the Banking Law (including the Governance Directives);       
• the Companies Law, which deals with the formation and management of companies in Cyprus, among other matters; and
• common law (developed by case law); for example, the directors of a bank established in Cyprus are subject to a number of common law duties that apply generally to companies incorporated in Cyprus.

In addition, the articles of association of a bank incorporated in Cyprus regulate (subject to the provisions of the Companies Law) matters such as shareholders’ and directors’ meetings, the powers of the directors and transfers of shares.

The Banking Law and the Governance Directives require each bank to have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, and effective processes to identify, manage, monitor and report the risks to which it is or may be exposed, as well as adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices that are consistent with and promote sound and effective risk management. Such arrangements, processes and mechanisms must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the bank’s business model and activities.

Management Body

The Governance Directives require that, inter alia:

• the size and composition of the management body must take into account the size and complexity of the bank and the nature and scope of its activities, ensuring that:
1. there are at least seven and no more than 13 members;
2. at least 50% of the members of the management body (rounded down) plus one member are independent;
3. there are at least two executive members, representing not more than 25% of the members of the management body (rounded down), one of whom must be the chief executive officer;
4. the management body (i) is sufficiently diverse in age, gender and educational and professional background to reflect an adequately broad range of experience and facilitate a variety of independent opinions and critical challenge, and (ii) possesses adequate collective knowledge, skills and experience to be able to understand the bank’s activities, including the main risks; and
• the management body must have committees of the appropriate size, composition, structure and responsibilities for the effective discharge of its roles and responsibilities; and
• specifically with respect to diversity, the bank should put in place a policy promoting diversity on the management body (which includes a target as to representation of the underrepresented gender), and should more broadly ensure that there is no discrimination on the basis of gender, race, colour, ethnic or social origin, genetic characteristics, language, religion or belief, membership of a national minority, birth, disability, age or sexual orientation.

Senior Management

Senior managers must be sufficient in number and have the necessary know-how to manage the bank’s operations.

Banking Secrecy

Under the Banking Law, members of the management body, chief executives, managers, officers, employees and agents of a bank – as well as persons who have access to the records of a bank by any means – are prohibited from providing, communicating, revealing or using for their own benefit any information whatsoever regarding the account of any particular customer of the bank, either during their employment or professional relationship with the bank or after its termination. This obligation is subject to a number of exceptions.

Assessment Procedure and Criteria

The procedure and criteria that banks should take into account in assessing the fitness of candidates for the management body and key function holders are set out in the Fitness Directive, which requires that the assessment of the fitness of members of the management body and key function holders is carried out before their appointment.

In particular, a bank must assess whether the candidate:

• has a good reputation;
• has sufficient knowledge, skills and experience;
• can act with honesty, integrity and independence; and
• can dedicate enough time to the performance of his or her duties and whether the limitations on the number of positions that can be held by such person on other boards are complied with.

The bank must provide the CBC with the results of the assessment and, where the bank is a significant supervised entity, the CBC provides the results to the ECB. The relevant candidate is only appointed with the consent of the CBC or, in the case of significant supervised entities, with the consent of the ECB. No person may be appointed to the position of member of the management body or key function holder of a bank established in Cyprus if such person has been declared bankrupt, has been convicted of an offence relating to fraud or dishonesty in any jurisdiction, or has been convicted of an offence under the Banking Law.

Roles of Management Body and Senior Management

Management body

According to the Governance Directives, the management body has the primary responsibility for internal governance. It must define, supervise and be accountable for the implementation of governance arrangements that ensure effective and prudent management of the bank, including the segregation of duties and the prevention of conflicts of interest. Such arrangements must comply with the following principles:

• the management body has the overall responsibility of the bank and approves and oversees the implementation of its strategic objectives, risk strategy and internal governance;
• the management body ensures the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards; and
• the management body oversees the process of disclosure and communications, and is responsible for supervising senior management.

Among other things, banks are also required to:

• have appropriate evaluation procedures for the performance of the management body as a whole, each committee and each individual member of the management body, which must be carried out at least annually;
• carry out a review and evaluation of the composition, efficiency and effectiveness of the management body and its committees, through external consultants, at least every three years; and
• have appropriate policies and procedures for selecting, developing and, where necessary, replacing the chief executive officer or other senior managers, and have appropriate succession plans in place, having due regard to the importance and critical nature of their duties.

The management body of a bank is responsible for supervising senior management. It must establish appropriate policies, practices and procedures to ensure that senior management carries out its duties and responsibilities in accordance with the relevant provisions of the Governance Directives.

Senior management

The chief executive and other senior managers are responsible for directing and overseeing the effective management of the bank within the authority delegated to them by the management body, and in compliance with the applicable laws and regulations.

Senior management is responsible for the following, among other matters:

• managing and overseeing the day-to-day operations of the bank;
• providing the management body with recommendations on business objectives, strategies, business plans and major policies that govern the operation of the management body, for its review and approval; and
• providing the management body with comprehensive, relevant and up-to-date information that will enable it to review business objectives, business strategy and policies, and to hold senior management accountable for its performance.

The Governance Directives require every bank to have remuneration policies and practices (including in respect of the salaries and discretionary pension benefits of, among others, senior managers, staff engaged in internal controls and risk takers) that are consistent with, and promote, sound and effective risk management, and are gender neutral.

The rules on remuneration policies include the following:

• Taking into account the national criteria on wage setting, the remuneration policy must distinguish between (i) basic fixed remuneration, which should reflect relevant professional experience and management responsibility as set out in an employee’s job description, and (ii) variable remuneration, which should reflect a sustainable and risk-adjusted performance as well as performance in excess of that required to fulfil the employee’s job description.
• The total variable remuneration must not limit the ability of the bank to strengthen its capital base.
• Banks must set appropriate ratios between the fixed and variable components of the total remuneration, applying the principles set out in the Governance Directives.
• Guaranteed variable remuneration is exceptional, is given only when hiring new staff (provided the bank has a sound and strong capital base) and is limited to the first year of employment.
• Payments relating to the early termination of a contract should reflect performance achieved over time and should not reward failure or misconduct.

A breach of the provisions of the Governance Directives may lead to the imposition of administrative sanctions and measures by the CBC. It is also a criminal offence punishable with a fine and/or imprisonment.

Legislation

The main piece of legislation dealing with the prevention of money laundering and terrorist financing is the Law on the Prevention and Suppression of the Legalisation of Proceeds from Illegal Activities, Law No 188(I)/2007 (as amended) (the “AML Law”). As the supervisory authority for banks under the AML Law, the CBC has issued the directive on the prevention of money laundering and terrorist financing (the “AML Directive”).

Procedures to Prevent Money Laundering and Terrorist Financing

Article 58 of the AML Law requires banks (among other persons) to implement adequate and appropriate policies, controls and procedures, proportionate to their nature and size, in order to mitigate and manage effectively the risks related to money laundering and terrorist financing, in connection with the following:

• client identification and due diligence;
• record-keeping in relation to clients’ identity and their transactions;
• internal reporting to the compliance officer (a senior staff member appointed by the bank to whom any information or other matter that proves or creates suspicion that a client is engaged in money laundering or terrorist financing activities should be reported) and reporting to the Unit for Combating Money Laundering;
• internal control, assessment and management of risk in order to prevent money laundering and terrorist financing;
• the thorough investigation of every transaction that, because of its nature, is considered particularly susceptible to being connected with offences related to money laundering or terrorist financing, especially complicated or unusually large transactions and all unusual transactions that are executed without an obvious financial or legitimate purpose;
• briefing and regular training of staff;
• risk management practices;
• compliance management; and
• recruitment and assessment of employees’ integrity.

The AML Law requires banks to appoint a member of the board of directors to be responsible for the implementation of the provisions of the AML Law, any directives, circulars and regulations issued under the AML Law and any relevant acts of the European Union. The AML Law also requires the establishment, in certain cases, of an independent internal audit function, which will be responsible for verifying that the bank implements the policies, controls and procedures required under the AML Law.

Supervisory Authority

As the supervisory authority for banks under the AML Law, the CBC evaluates and supervises the implementation by banks of the provisions of the AML Law and directives issued by the CBC under the AML Law. If a bank fails to comply with the provisions of the AML Law, the provisions of any directive issued by the CBC under the AML Law or the provisions of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006, the CBC may take any or all of the measures set out in the AML Law, which include the following:

• requiring the bank to take such measures within such time period as the CBC shall specify to remedy the situation;
• imposing administrative fines; and
• amending, suspending or cancelling the bank’s licence.

The DGS was established and has been operating in Cyprus since 2000. The relevant legal framework consists of the Banking Law and the Guarantee of Deposits and Resolution of Credit and Other Institutions Law of 2016, Law No 5(I)/2016 (as amended) and regulations issued thereunder. The DGS constitutes a separate legal public entity and consists of the deposits of credit institutions guarantee fund (the “Deposits Guarantee Fund”) and the resolution of credit and other institutions fund (the “Resolution Fund”).

A management committee (the “Committee”) has been established to serve the purposes of and manage the Deposits Guarantee Fund and the Resolution Fund. The Committee consists of five members. The chairman is the governor of the CBC and the remaining four members comprise two staff members from the Ministry of Finance and two staff members from the CBC (appointed by a decision of the governor of the CBC for a term of five years, which may be extended for a maximum period of three months).

The purposes of the DGS are to compensate the depositors of banks that pay contributions to the Deposits Guarantee Fund if a bank becomes unable to repay its deposits, and to fund the implementation of resolution measures.

Covered Deposits

All deposits (other than deposits excluded by the Deposit Guarantee and Resolution of Credit and Other Institutions Scheme Regulations of 2016 (as amended) (the “Deposit Guarantee Regulations”)), in euro or other currency, held in banks and branches of a bank headquartered in Cyprus that operate abroad but pay a contribution to the Deposits Guarantee Fund (including accrued interest until the maturity date of the deposit or the date the deposit became unavailable, whichever occurred first) are eligible for compensation from the DGS.

The following categories of deposits are excluded by the Deposit Guarantee Regulations from the payment of any compensation from the DGS:

• deposits made by other banks on their own behalf and for their own account;
• own funds as defined in Article 4(1)(118) of the CRR;
• deposits arising out of transactions in connection with which there has been a criminal conviction for money laundering in accordance with the provisions of the AML Law;
• deposits by financial institutions as defined in Article 4(1)(26) of the CRR;
• deposits by investment firms;
• deposits the holder of which has never been identified when they have become unavailable;
• deposits by insurance and reinsurance undertakings;
• deposits by collective investment undertakings;
• deposits by pension and retirement funds, subject to certain exceptions;
• deposits by public authorities with an annual budget exceeding EUR500,000; and
• debt securities issued by a bank and liabilities arising out of own acceptances and promissory notes.

Amount of Compensation

Subject to what is stated below, the maximum amount of compensation for each depositor per bank is EUR100,000. This limit applies to the aggregate deposits held with a particular bank.

Deposits resulting from real estate transactions relating to private residential properties and deposits that serve social purposes are covered up to EUR300,000, in addition to the amount of EUR100,000 referred to above, for a maximum period of 12 months from the date on which the amount was credited or the date on which it can be legally transferred to the beneficiary, whichever is earlier.

When calculating the amount of compensation payable to a depositor, the deposits are set off with all kinds of counterclaims the bank has against the depositor, provided and to the extent that these have become due before or on the date on which the deposits became unavailable, and provided further that such set-off is permitted in accordance with the statutory and contractual provisions that govern the contract between the bank and the depositor.

Funding of the DGS

Membership in the DGS is obligatory for all banks licensed in Cyprus, including branches of Cypriot banks that operate in other Member States. The Committee may, in its discretion and subject to the provisions of the Deposit Guarantee Regulations, exclude from membership in the DGS a branch of a Cypriot bank that operates in a country other than a Member State and a branch of a bank that operates in Cyprus but whose head office is outside the European Union.

The DGS is primarily funded from contributions from its members. Every bank that receives a licence in Cyprus must pay an initial contribution to the Deposit Guarantee Fund (currently amounting to EUR50,000) and then an annual contribution (calculated based on the covered deposits and the risk profile of each member).

In cases where the available financial means of the DGS are insufficient to repay depositors when deposits become unavailable, the members are also required to pay extraordinary contributions not exceeding 0.5% of their covered deposits per calendar year. Higher contributions may be required in exceptional circumstances.

The DGS is also allowed to obtain financing from loans or other means of support from third parties, and from the liquidation of assets or investments.

Implementation of Basel III

The Basel III standards developed by the Basel Committee on Banking Supervision have been implemented by the CRR (which is directly applicable in Cyprus) and Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (as amended) (“CRD”), which has been implemented in Cyprus by statute.

Risk Management

Rules

The Banking Law requires each bank to have effective processes to identify, manage, monitor and report the risks to which it is or may be exposed and adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices, that are consistent with and promote sound and effective risk management. Banks incorporated in Cyprus are also required to have sound, effective and comprehensive strategies and processes to assess and maintain on a continuous basis the amounts, composition and distribution of internal capital that they consider adequate to cover the nature and level of the risks to which they are or may be exposed.

The Governance Directives set out the following risk management rules for banks, among others:

• The risk management framework of a bank must extend to all its business activities, support functions and control units, and must recognise fully the economic substance of its risk exposures and encompass all relevant risks. The risk framework must also ensure that all material risks are identified and managed, including credit and counterparty risk, residual risk, concentration risk, liquidity risk and market risk.
• Banks must ensure that appropriate, adequate and effective policies, systems, processes and procedures are in place for:
1. identifying all relevant risks, existing and emerging, at the transaction and portfolio levels, on a continuous basis;
2. assessing these risks and measuring the bank’s exposure to them, at the transaction and portfolio levels, on an individual and a consolidated basis by recognising interactions between these risks, in an accurate and timely manner; and
3. monitoring the risk exposures and determining the corresponding capital needs on an ongoing basis.

• The assessment of risks must not solely or mechanically rely on external assessments such as external credit ratings or purchased risk models, but banks should strive to develop internal assessment capacity proportionate to the size, nature and scale of their activities. Purchased risk models should be validated and adjusted to the bank’s individual circumstances to ensure accurate and comprehensive cover and analysis of its risk profile and risk capacity.
• Regular and transparent reporting mechanisms should be established so that the management body and all relevant functions are provided with up-to-date, accurate, concise, understandable and meaningful reports and can share relevant information on the identification, measurement or assessment and monitoring of risks.

Risk committee and risk management function

Banks are required to establish a risk committee and a risk management function. The duties of the risk committee include, among others:

• advising the management body on the bank’s overall current and future risk appetite and strategy;
• assisting the management body in overseeing the effective implementation of the risk strategy by senior management;
• assessing and monitoring the independence, adequacy and effectiveness of the risk management and information security functions; and
• advising the management body on the adequacy and effectiveness of the risk management framework.

The risk management function must be independent of the business and support units it monitors and controls, and must have the right to report its findings and assessments directly to the management body and the relevant committees, independent from senior management through clear reporting lines. It must:

• ensure that all material risks are identified, measured and properly reported;
• be actively involved in elaborating the bank’s risk strategy; and
• have knowledge of the entire range of risks of the bank.

Capital Requirements

The capital adequacy framework for banks in Cyprus consists of the CRR, the CRD and Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (as amended) (as these are implemented in Cyprus), which, among others, require banks to satisfy the following own funds requirements at all times:

• a Common Equity Tier 1 (as defined in the CRR) capital ratio of 4.5%;
• a Tier 1 (as defined in the CRR) capital ratio of 6%; and
• a total capital ratio of 8%.

Key requirements of the CRR/CRD framework (as this has been implemented in Cyprus) include:

• In addition to the Common Equity Tier 1 and Tier 1 capital ratios, banks must hold an additional capital conservation buffer of 2.5% of risk-weighted assets.
• In accordance with the Macroprudential Oversight of Institutions Law of 2015, Law No 6(I)/2015, a systemic risk buffer may also be applied in order to prevent and mitigate macroprudential or systemic risk not otherwise covered by the CRR.
• Banks must also maintain a countercyclical capital conservation buffer, consisting of Common Equity Tier 1 capital.
• A number of banks in Cyprus have been designated by the CBC as Other Systemically Important Institutions (O-SIIs) and are therefore subject to an O-SII buffer requirement, which is set individually for each bank by the CBC and is reviewed by the CBC on an annual basis.

Liquidity Requirements

In addition to meeting the general liquidity coverage requirement imposed under Article 412 of the CRR, banks must ensure that long-term assets and off-balance-sheet items are adequately met with a diverse set of funding instruments that are stable under both normal and stressed conditions (the stable funding requirement).

The Commission Delegated Regulation (EU) 2015/61 of 10 October 2014 to supplement Regulation (EU) No 575/2013 of the European Parliament and the Council with regard to liquidity coverage requirement for Credit Institutions (Regulation 2015/61) sets out rules specifying in detail the liquidity coverage requirement provided for in Article 412(1) of the CRR.

The CBC has issued a directive to banks on the computation of prudential liquidity in all currencies, which sets out, among other matters, the principles that banks should implement for the management of liquidity risk.

Leverage Ratio

The CRR requires banks to calculate their leverage ratio and report it to the CBC.

Regulation (EU) 2019/876 (which amends the CRR) has introduced a leverage ratio requirement of 3%, which has applied since 28 June 2021.

Legal Framework

The relevant provisions relating to the winding-up of banks incorporated in Cyprus are set out in Part XIII of the Banking Law and Part V of the Companies Law, and in winding-up rules issued under the Companies Law.

The recovery and resolution regime for banks is based on:

• Regulation (EU) 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund (the “Resolution Regulation”); and
• the Resolution of Credit Institutions and Investment Firms Law of 2016, Law No 22(I)/2016 (the “Resolution Law”), which implements the provisions of Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms.

Resolution Regime

Resolution authority

The Resolution Regulation establishes the Single Resolution Board, which is responsible for drawing up the resolution plans and adopting all decisions relating to resolution for, among others, the entities referred to in Article 2 of the Resolution Regulation (including banks established in Cyprus) that are not part of a group, and groups considered “significant” under Article 6(4) of Regulation (EU) 1024/2013.

In relation to other entities and groups (ie, those not listed in Article 7(2) of the Resolution Regulation), the CBC in its capacity as the Resolution Authority is responsible for, among other matters, adopting resolution decisions and applying resolution tools in accordance with the provisions of the Resolution Law (unless the Resolution Board decides, under the Resolution Regulation, to exercise the relevant powers in relation to any such entity or group). The Resolution Law applies to banks established in Cyprus and, subject to the conditions set out in the Resolution Law, to branches of banks of third countries established in Cyprus.

The Resolution Authority must obtain the approval of the Minister of Finance before it implements decisions that have a direct financial impact or systemic consequences.

Resolution action

The Resolution Authority takes action for the resolution of a bank only if it considers that the following conditions are met:

• the CBC considers, after consultation with the ECB, that the bank is insolvent or is likely to become insolvent;
• there is no reasonable prospect that any alternative private sector measures or supervisory action taken in respect of the bank would prevent the bank’s insolvency within a reasonable timeframe; and
• a resolution action is necessary for the public interest.

Resolution tools

The resolution tools under the Resolution Law are as follows:

• sale of business tool;
• bridge institution tool;
• asset separation tool; and
• bail-in tool.

The Resolution Authority can apply the resolution tools individually or in any combination, except that the asset separation tool can only be applied together with another resolution tool.

Sale of business tool

The Resolution Authority has the power to demand the transfer of the following to a purchaser that is not a bridge institution:

• shares or other instruments of ownership issued by a bank under resolution; and
• all or any assets, rights or liabilities of a bank under resolution.

A transfer made under this tool is made on commercial terms (taking circumstances into account) and is considered to be valid without obtaining the consent of shareholders of the bank under resolution or any third person other than the purchaser, and irrespective of any restriction imposed by law, contract or otherwise.

Bridge institution tool

The Resolution Authority can transfer the following to a bridge institution:

• shares or other instruments of ownership issued by one or more institutions under resolution; and
• all or any assets, rights or liabilities of one or more institutions under resolution.

A transfer made under this tool (as well as the asset separation tool) is made without obtaining the consent of the shareholders of the bank under resolution or any third person, and without complying with any procedural requirements under company or securities law. The bridge institution is a legal person wholly or partly owned by one or more public authorities, including the Resolution Fund, and is controlled by the Resolution Authority.

Asset separation tool

The Resolution Authority has the power to transfer the assets, rights or liabilities of a bank under resolution or a bridge institution to one or more asset management companies. An asset management company is a company wholly or partly owned by one or more public authorities, including the Resolution Fund, and is controlled by the Resolution Authority and manages the assets transferred to it with a view to maximising their value through eventual sale or orderly wind-down.

Bail-in tool

The Resolution Authority has the power to demand the application of the bail-in tool for any of the following purposes:

• to recapitalise a bank to the extent sufficient to:
1. restore its ability to comply with the conditions of its licence;
2. continue to carry out the activities for which it is authorised; and
3. sustain sufficient market confidence in the institution; or
• to convert to equity or reduce the principal amount of claims or debt instruments that are transferred:
1. to a bridge institution with a view to providing capital for that bridge institution; or
2. under the sale of business tool or the asset separation tool.

The Resolution Law gives the Resolution Authority all the powers necessary to apply the resolution tools to banks, including the power to take control of a bank under resolution and exercise all the rights and powers conferred on the shareholders, other owners and the management body of the relevant bank.

The Resolution Regulation contains the same resolution tools as the Resolution Law, and the powers of the Resolution Board under the Resolution Regulation are similar to the powers of the Resolution Authority.

Deposits

All deposits that are eligible for the payment of compensation from the DGS are fully protected up to the maximum amount set out in the Deposit Guarantee Regulations if resolution measures are taken in relation to a bank. All other deposits rank pari passu in a bank’s resolution.

In addition to EU-wide regulatory initiatives that are directly applicable in Cyprus, Section 151A of the Companies Law requires certain Cypriot companies to include certain non-financial reporting in the management report included in their annual financial statements. This reporting should include, inter alia, information that is sufficient to assess the development, performance and position of the company and the impact of its activities in relation to environmental, social and employment matters. The information must include the policies applied by the company in the areas identified, the results of the application of those policies, the main risks identified, and the non-financial performance indicators related to the activities concerned.

This obligation applies to entities that:

• are large companies (ie, companies that fulfil at least two of the following criteria: total balance sheet exceeding EUR20 million, turnover exceeding EUR40 million, and an average number of employees during the year of 250 or more);
• are “public interest undertakings”; and
• have an average number of employees exceeding 500 during the financial year.

“Public interest undertakings” takes its meaning from the Auditors Law of 2017, Law No 53(I)/2017, and includes (among others) credit institutions authorised pursuant to the Banking Law.

Under the EU’s Digital Operational Resilience Act (known as “DORA”), which will apply from 17 January 2025, financial entities will become subject to various obligations concerning the management of risk associated with the information and communication technology (ICT) systems supporting their business processes. DORA provides that member states shall confer on competent authorities the power to apply administrative penalties, subject to the conditions provided for in national law, to members of the management body of financial entities that are in breach of the requirements of DORA. No such national law has been introduced in Cyprus as yet.

Despite the deadline for transposition of Directive (EU) 2021/2167 of the European Parliament and of the Council of 24 November 2021 on credit servicers and credit purchasers and amending Directives 2008/48/EC and 2014/17/EU (the “Credit Servicing Directive”) by EU member states (including Cyprus) having expired in December 2023, Cyprus has not yet implemented the provisions of the Credit Servicing Directive into national law.

An original draft of the implementing legislation, published over a year ago by the Cyprus Ministry of Finance, has now been replaced by a bundle of proposed legislative amendments, which were tabled before the Cypriot Parliament on 25 April 2024. The legislation may change substantially before it is implemented, with the current expectation being that it will be implemented before the end of this year.

If implemented in its current form, the new legislative package will fundamentally amend the existing framework governing authorisation of credit servicers in Cyprus, which was introduced in July 2022. In addition to replacing the existing regime for authorisation of credit servicers, the new proposals will introduce certain fundamental changes to the operation of credit-acquiring companies in Cyprus.

Please refer to our Trends & Developments article for an in depth analysis of the proposals.