Contributed By Georgiades & Pelides
The main legislation governing the banking sector in Cyprus is the Business of Credit Institutions Law of 1997, Law No 66(I)/1997 (as amended) (the “Banking Law”). The Banking Law deals with the licensing, ownership and membership of banks as well as their winding up, among other matters.
A number of directives have been issued by the Central Bank of Cyprus (CBC) pursuant to the provisions of the Banking Law, including the Assessment of the Fitness of the Members of the Management Body and Key Function Holders of Authorised Credit Institutions Directives of 2020 and 2022 (the “Fitness Directive”) and the Internal Governance of Credit Institutions Directives of 2021 and 2023 (the ”Governance Directives”).
There are also various EU regulations relevant to the banking sector that have direct effect in Cyprus, including Regulation (EU) 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (as amended) (CRR), and Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (“Regulation 1024/2013”).
The provision of payment services and electronic money services is regulated separately by the Law on the Provision and Use of Payment Services and Access to Payment Systems, Law No 31(I)/2018 (as amended) and the Law on Electronic Money, Law No 81(I)/2012 (as amended).
The regulators responsible for supervising banks in Cyprus are the European Central Bank (ECB) and the CBC.
Subject to the requirements outlined in 3.1 Requirements for Acquiring or Increasing Control over a Bank, a bank must obtain a banking licence from the CBC before it commences its activities in Cyprus or its activities abroad from Cyprus.
A bank authorised and supervised by the competent authorities of another European Economic Area country (an “EEA State”) can carry out the activities listed in Annex IV to the Banking Law in Cyprus (see below) without the need for a licence from the CBC, provided these activities are covered by its licence and that it complies with certain notification requirements to the CBC. Such a bank can operate in Cyprus through either the establishment of a branch or the provision of cross-border services.
Activities and Services Covered
The activities and services covered by a banking licence include, among others:
Subject to certain exceptions, the Banking Law prohibits banks from carrying out any commercial activity that is not one of the activities set out in Annex IV to the Banking Law, unless the activity constitutes an ancillary services undertaking (as defined in Article 4(1)(18) of the CRR). There are also restrictions applicable to a bank’s ability to hold real estate.
Conditions for Authorisation
A banking licence is only granted to a legal person established in Cyprus under the Companies Law, Cap. 113 (as amended) (the “Companies Law”) or to a credit institution established and authorised in a country other than an EEA State (a third country) under corresponding legislation of that country in order to operate in Cyprus through a branch.
The conditions for granting a banking licence include the following:
Procedure for Applying for Authorisation
Application form
The application for a banking licence must be made in writing by or on behalf of the applicant to the CBC. The CBC may require applicants to reimburse the CBC for costs associated with the examination of their application.
The application form must be accompanied by the following, among others:
The CBC can require further information and/or documents.
Timeline
The CBC rejects the application if the applicant does not comply with the conditions for authorisation under national law. If the applicant complies with such conditions, the CBC must propose granting the authorisation but the ultimate decision is made by the ECB (Regulation 1024/2013).
If the CBC rejects the application, it must notify the applicant of its decision and the reasons for it within six months of receiving the application or, where the application is incomplete, within six months of receiving all the information required for the decision. Any decision by the CBC must be issued within 12 months of receiving the application.
If the CBC recommends the ECB grant the authorisation, the draft decision of the CBC is deemed to be adopted unless the ECB objects within a maximum period of ten working days, extendable once for the same period in duly justified cases. The ECB can object to the draft decision only where the conditions for authorisation set out in relevant EU law are not met. The ECB must state the reasons for the rejection in writing.
Branches
Banks established in Cyprus cannot maintain a branch or representative office outside Cyprus without the prior approval of the CBC. Banks established outside Cyprus may not maintain a representative office in Cyprus without the prior approval of the CBC. In each case, the approval may be issued subject to any conditions deemed appropriate by the CBC.
Qualifying Holding
Under the Banking Law, anyone who individually or in concert with others decides either to acquire, directly or indirectly, a qualifying holding in a bank established in Cyprus or to increase, directly or indirectly, such a qualifying holding, as a result of which the proportion of the voting rights or of the capital held by such person would reach or exceed 20%, 30% or 50% or so that the bank would become its subsidiary, must give prior written notice to the CBC, setting out the size of the intended holding and other information required under the Banking Law. “Qualifying holding” is defined in the CRR as a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights of such undertaking, or that makes it possible to exercise a significant influence over the management of that undertaking.
Assessment Criteria
From the date it acknowledges receipt of the notification and all documents required to be attached to the notification, the CBC has a maximum of 60 working days to assess the suitability of the prospective acquirer and the financial soundness of the proposed acquisition. The CBC takes the following criteria into account in making such assessment, among others:
Other Reporting Requirements
The Banking Law requires banks incorporated in Cyprus to inform the CBC upon becoming aware of any acquisitions of qualifying holdings in their capital that increase the thresholds referred to above. Additionally, persons who intend to directly or indirectly dispose of a qualifying holding, or to reduce a qualifying holding below the thresholds referred to above, in a bank established in Cyprus, must provide advance notice to the CBC.
Banks whose shares are admitted to trading on a regulated market must inform the CBC, at least on an annual basis, of the names of their members who hold a qualifying holding and their shareholding percentages. Additionally, information regarding the ultimate beneficial ownership of every shareholder holding 5% or more of a bank must be submitted to the CBC.
In addition, under the Transparency Requirements (Securities Admitted to Trading on a Regulated Market) Law of 2007, Law No 190(I)/2007 (as amended), a person who acquires or disposes of shares in a bank admitted to trading on a regulated market that carry the right to vote must, within the required time period, notify the bank and the Cyprus Securities and Exchange Commission (“CySEC”) of the percentage of their voting rights if such percentage reaches or exceeds (or, in the case of a disposal, falls below) 5%, 10%, 15%, 20%, 25%, 30%, 50% or 75% of the total voting rights of the bank as a result of the acquisition. The bank must notify the CySEC and the Cyprus Stock Exchange (in its capacity as the national Mechanism for the Central Storage of Regulated Information) and publish the information on its website.
The Business of Insurance and Reinsurance and Other Related Matters Law of 2016, Law No 38(I)/2016 (as amended) imposes additional reporting requirements if the bank concerned holds shares in an insurance undertaking.
Law and Regulation
The main sources of a bank’s corporate governance requirements are as follows:
In addition, the articles of association of a bank incorporated in Cyprus regulate (subject to the provisions of the Companies Law) matters such as shareholders’ and directors’ meetings, the powers of the directors and transfers of shares.
The Banking Law and the Governance Directives require each bank to have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, and effective processes to identify, manage, monitor and report the risks to which it is or may be exposed, as well as adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices that are consistent with and promote sound and effective risk management. Such arrangements, processes and mechanisms must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the bank’s business model and activities.
Management Body
The Governance Directives require that, inter alia:
Senior Management
Senior managers must be sufficient in number and have the necessary know-how to manage the bank’s operations.
Banking Secrecy
Under the Banking Law, members of the management body, chief executives, managers, officers, employees and agents of a bank – as well as persons who have access to the records of a bank by any means – are prohibited from providing, communicating, revealing or using for their own benefit any information whatsoever regarding the account of any particular customer of the bank, either during their employment or professional relationship with the bank or after its termination. This obligation is subject to a number of exceptions.
Assessment Procedure and Criteria
The procedure and criteria that banks should take into account in assessing the fitness of candidates for the management body and key function holders are set out in the Fitness Directive, which requires that the assessment of the fitness of members of the management body and key function holders is carried out before their appointment.
In particular, a bank must assess whether the candidate:
The bank must provide the CBC with the results of the assessment and, where the bank is a significant supervised entity, the CBC provides the results to the ECB. The relevant candidate is only appointed with the consent of the CBC or, in the case of significant supervised entities, with the consent of the ECB. No person may be appointed to the position of member of the management body or key function holder of a bank established in Cyprus if such person has been declared bankrupt, has been convicted of an offence relating to fraud or dishonesty in any jurisdiction, or has been convicted of an offence under the Banking Law.
Roles of Management Body and Senior Management
Management body
According to the Governance Directives, the management body has the primary responsibility for internal governance. It must define, supervise and be accountable for the implementation of governance arrangements that ensure effective and prudent management of the bank, including the segregation of duties and the prevention of conflicts of interest. Such arrangements must comply with the following principles:
Among other things, banks are also required to:
The management body of a bank is responsible for supervising senior management. It must establish appropriate policies, practices and procedures to ensure that senior management carries out its duties and responsibilities in accordance with the relevant provisions of the Governance Directives.
Senior management
The chief executive and other senior managers are responsible for directing and overseeing the effective management of the bank within the authority delegated to them by the management body, and in compliance with the applicable laws and regulations.
Senior management is responsible for the following, among other matters:
The Governance Directives require every bank to have remuneration policies and practices (including in respect of the salaries and discretionary pension benefits of, among others, senior managers, staff engaged in internal controls and risk takers) that are consistent with, and promote, sound and effective risk management, and are gender neutral.
The rules on remuneration policies include the following:
A breach of the provisions of the Governance Directives may lead to the imposition of administrative sanctions and measures by the CBC. It is also a criminal offence punishable with a fine and/or imprisonment.
Legislation
The main piece of legislation dealing with the prevention of money laundering and terrorist financing is the Law on the Prevention and Suppression of the Legalisation of Proceeds from Illegal Activities, Law No 188(I)/2007 (as amended) (the “AML Law”). As the supervisory authority for banks under the AML Law, the CBC has issued the directive on the prevention of money laundering and terrorist financing (the “AML Directive”).
Procedures to Prevent Money Laundering and Terrorist Financing
Article 58 of the AML Law requires banks (among other persons) to implement adequate and appropriate policies, controls and procedures, proportionate to their nature and size, in order to mitigate and manage effectively the risks related to money laundering and terrorist financing, in connection with the following:
The AML Law requires banks to appoint a member of the board of directors to be responsible for the implementation of the provisions of the AML Law, any directives, circulars and regulations issued under the AML Law and any relevant acts of the European Union. The AML Law also requires the establishment, in certain cases, of an independent internal audit function, which will be responsible for verifying that the bank implements the policies, controls and procedures required under the AML Law.
Supervisory Authority
As the supervisory authority for banks under the AML Law, the CBC evaluates and supervises the implementation by banks of the provisions of the AML Law and directives issued by the CBC under the AML Law. If a bank fails to comply with the provisions of the AML Law, the provisions of any directive issued by the CBC under the AML Law or the provisions of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006, the CBC may take any or all of the measures set out in the AML Law, which include the following:
The DGS was established and has been operating in Cyprus since 2000. The relevant legal framework consists of the Banking Law and the Guarantee of Deposits and Resolution of Credit and Other Institutions Law of 2016, Law No 5(I)/2016 (as amended) and regulations issued thereunder. The DGS constitutes a separate legal public entity and consists of the deposits of credit institutions guarantee fund (the “Deposits Guarantee Fund”) and the resolution of credit and other institutions fund (the “Resolution Fund”).
A management committee (the “Committee”) has been established to serve the purposes of and manage the Deposits Guarantee Fund and the Resolution Fund. The Committee consists of five members. The chairman is the governor of the CBC and the remaining four members comprise two staff members from the Ministry of Finance and two staff members from the CBC (appointed by a decision of the governor of the CBC for a term of five years, which may be extended for a maximum period of three months).
The purposes of the DGS are to compensate the depositors of banks that pay contributions to the Deposits Guarantee Fund if a bank becomes unable to repay its deposits, and to fund the implementation of resolution measures.
Covered Deposits
All deposits (other than deposits excluded by the Deposit Guarantee and Resolution of Credit and Other Institutions Scheme Regulations of 2016 (as amended) (the “Deposit Guarantee Regulations”)), in euro or other currency, held in banks and branches of a bank headquartered in Cyprus that operate abroad but pay a contribution to the Deposits Guarantee Fund (including accrued interest until the maturity date of the deposit or the date the deposit became unavailable, whichever occurred first) are eligible for compensation from the DGS.
The following categories of deposits are excluded by the Deposit Guarantee Regulations from the payment of any compensation from the DGS:
Amount of Compensation
Subject to what is stated below, the maximum amount of compensation for each depositor per bank is EUR100,000. This limit applies to the aggregate deposits held with a particular bank.
Deposits resulting from real estate transactions relating to private residential properties and deposits that serve social purposes are covered up to EUR300,000, in addition to the amount of EUR100,000 referred to above, for a maximum period of 12 months from the date on which the amount was credited or the date on which it can be legally transferred to the beneficiary, whichever is earlier.
When calculating the amount of compensation payable to a depositor, the deposits are set off with all kinds of counterclaims the bank has against the depositor, provided and to the extent that these have become due before or on the date on which the deposits became unavailable, and provided further that such set-off is permitted in accordance with the statutory and contractual provisions that govern the contract between the bank and the depositor.
Funding of the DGS
Membership in the DGS is obligatory for all banks licensed in Cyprus, including branches of Cypriot banks that operate in other Member States. The Committee may, in its discretion and subject to the provisions of the Deposit Guarantee Regulations, exclude from membership in the DGS a branch of a Cypriot bank that operates in a country other than a Member State and a branch of a bank that operates in Cyprus but whose head office is outside the European Union.
The DGS is primarily funded from contributions from its members. Every bank that receives a licence in Cyprus must pay an initial contribution to the Deposit Guarantee Fund (currently amounting to EUR50,000) and then an annual contribution (calculated based on the covered deposits and the risk profile of each member).
In cases where the available financial means of the DGS are insufficient to repay depositors when deposits become unavailable, the members are also required to pay extraordinary contributions not exceeding 0.5% of their covered deposits per calendar year. Higher contributions may be required in exceptional circumstances.
The DGS is also allowed to obtain financing from loans or other means of support from third parties, and from the liquidation of assets or investments.
Implementation of Basel III
The Basel III standards developed by the Basel Committee on Banking Supervision have been implemented by the CRR (which is directly applicable in Cyprus) and Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (as amended) (“CRD”), which has been implemented in Cyprus by statute.
Risk Management
Rules
The Banking Law requires each bank to have effective processes to identify, manage, monitor and report the risks to which it is or may be exposed and adequate internal control mechanisms, including sound administration and accounting procedures and remuneration policies and practices, that are consistent with and promote sound and effective risk management. Banks incorporated in Cyprus are also required to have sound, effective and comprehensive strategies and processes to assess and maintain on a continuous basis the amounts, composition and distribution of internal capital that they consider adequate to cover the nature and level of the risks to which they are or may be exposed.
The Governance Directives set out the following risk management rules for banks, among others:
Risk committee and risk management function
Banks are required to establish a risk committee and a risk management function. The duties of the risk committee include, among others:
The risk management function must be independent of the business and support units it monitors and controls, and must have the right to report its findings and assessments directly to the management body and the relevant committees, independent from senior management through clear reporting lines. It must:
Capital Requirements
The capital adequacy framework for banks in Cyprus consists of the CRR, the CRD and Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (as amended) (as these are implemented in Cyprus), which, among others, require banks to satisfy the following own funds requirements at all times:
Key requirements of the CRR/CRD framework (as this has been implemented in Cyprus) include:
Liquidity Requirements
In addition to meeting the general liquidity coverage requirement imposed under Article 412 of the CRR, banks must ensure that long-term assets and off-balance-sheet items are adequately met with a diverse set of funding instruments that are stable under both normal and stressed conditions (the stable funding requirement).
The Commission Delegated Regulation (EU) 2015/61 of 10 October 2014 to supplement Regulation (EU) No 575/2013 of the European Parliament and the Council with regard to liquidity coverage requirement for Credit Institutions (Regulation 2015/61) sets out rules specifying in detail the liquidity coverage requirement provided for in Article 412(1) of the CRR.
The CBC has issued a directive to banks on the computation of prudential liquidity in all currencies, which sets out, among other matters, the principles that banks should implement for the management of liquidity risk.
Leverage Ratio
The CRR requires banks to calculate their leverage ratio and report it to the CBC.
Regulation (EU) 2019/876 (which amends the CRR) has introduced a leverage ratio requirement of 3%, which has applied since 28 June 2021.
Legal Framework
The relevant provisions relating to the winding-up of banks incorporated in Cyprus are set out in Part XIII of the Banking Law and Part V of the Companies Law, and in winding-up rules issued under the Companies Law.
The recovery and resolution regime for banks is based on:
Resolution Regime
Resolution authority
The Resolution Regulation establishes the Single Resolution Board, which is responsible for drawing up the resolution plans and adopting all decisions relating to resolution for, among others, the entities referred to in Article 2 of the Resolution Regulation (including banks established in Cyprus) that are not part of a group, and groups considered “significant” under Article 6(4) of Regulation (EU) 1024/2013.
In relation to other entities and groups (ie, those not listed in Article 7(2) of the Resolution Regulation), the CBC in its capacity as the Resolution Authority is responsible for, among other matters, adopting resolution decisions and applying resolution tools in accordance with the provisions of the Resolution Law (unless the Resolution Board decides, under the Resolution Regulation, to exercise the relevant powers in relation to any such entity or group). The Resolution Law applies to banks established in Cyprus and, subject to the conditions set out in the Resolution Law, to branches of banks of third countries established in Cyprus.
The Resolution Authority must obtain the approval of the Minister of Finance before it implements decisions that have a direct financial impact or systemic consequences.
Resolution action
The Resolution Authority takes action for the resolution of a bank only if it considers that the following conditions are met:
Resolution tools
The resolution tools under the Resolution Law are as follows:
The Resolution Authority can apply the resolution tools individually or in any combination, except that the asset separation tool can only be applied together with another resolution tool.
Sale of business tool
The Resolution Authority has the power to demand the transfer of the following to a purchaser that is not a bridge institution:
A transfer made under this tool is made on commercial terms (taking circumstances into account) and is considered to be valid without obtaining the consent of shareholders of the bank under resolution or any third person other than the purchaser, and irrespective of any restriction imposed by law, contract or otherwise.
Bridge institution tool
The Resolution Authority can transfer the following to a bridge institution:
A transfer made under this tool (as well as the asset separation tool) is made without obtaining the consent of the shareholders of the bank under resolution or any third person, and without complying with any procedural requirements under company or securities law. The bridge institution is a legal person wholly or partly owned by one or more public authorities, including the Resolution Fund, and is controlled by the Resolution Authority.
Asset separation tool
The Resolution Authority has the power to transfer the assets, rights or liabilities of a bank under resolution or a bridge institution to one or more asset management companies. An asset management company is a company wholly or partly owned by one or more public authorities, including the Resolution Fund, and is controlled by the Resolution Authority and manages the assets transferred to it with a view to maximising their value through eventual sale or orderly wind-down.
Bail-in tool
The Resolution Authority has the power to demand the application of the bail-in tool for any of the following purposes:
The Resolution Law gives the Resolution Authority all the powers necessary to apply the resolution tools to banks, including the power to take control of a bank under resolution and exercise all the rights and powers conferred on the shareholders, other owners and the management body of the relevant bank.
The Resolution Regulation contains the same resolution tools as the Resolution Law, and the powers of the Resolution Board under the Resolution Regulation are similar to the powers of the Resolution Authority.
Deposits
All deposits that are eligible for the payment of compensation from the DGS are fully protected up to the maximum amount set out in the Deposit Guarantee Regulations if resolution measures are taken in relation to a bank. All other deposits rank pari passu in a bank’s resolution.
In addition to EU-wide regulatory initiatives that are directly applicable in Cyprus, Section 151A of the Companies Law requires certain Cypriot companies to include certain non-financial reporting in the management report included in their annual financial statements. This reporting should include, inter alia, information that is sufficient to assess the development, performance and position of the company and the impact of its activities in relation to environmental, social and employment matters. The information must include the policies applied by the company in the areas identified, the results of the application of those policies, the main risks identified, and the non-financial performance indicators related to the activities concerned.
This obligation applies to entities that:
“Public interest undertakings” takes its meaning from the Auditors Law of 2017, Law No 53(I)/2017, and includes (among others) credit institutions authorised pursuant to the Banking Law.
Under the EU’s Digital Operational Resilience Act (known as “DORA”), which will apply from 17 January 2025, financial entities will become subject to various obligations concerning the management of risk associated with the information and communication technology (ICT) systems supporting their business processes. DORA provides that member states shall confer on competent authorities the power to apply administrative penalties, subject to the conditions provided for in national law, to members of the management body of financial entities that are in breach of the requirements of DORA. No such national law has been introduced in Cyprus as yet.
Despite the deadline for transposition of Directive (EU) 2021/2167 of the European Parliament and of the Council of 24 November 2021 on credit servicers and credit purchasers and amending Directives 2008/48/EC and 2014/17/EU (the “Credit Servicing Directive”) by EU member states (including Cyprus) having expired in December 2023, Cyprus has not yet implemented the provisions of the Credit Servicing Directive into national law.
An original draft of the implementing legislation, published over a year ago by the Cyprus Ministry of Finance, has now been replaced by a bundle of proposed legislative amendments, which were tabled before the Cypriot Parliament on 25 April 2024. The legislation may change substantially before it is implemented, with the current expectation being that it will be implemented before the end of this year.
If implemented in its current form, the new legislative package will fundamentally amend the existing framework governing authorisation of credit servicers in Cyprus, which was introduced in July 2022. In addition to replacing the existing regime for authorisation of credit servicers, the new proposals will introduce certain fundamental changes to the operation of credit-acquiring companies in Cyprus.
Please refer to our Trends & Developments article for an in depth analysis of the proposals.
16 Kyriakos Matsis Avenue
Eagle House, 10th Floor
Agioi Omologites
1082 Nicosia
Cyprus
+357 22 889 000
+357 22 889 001
info@cypruslaw.com.cy www.cypruslaw.com.cy