The European Securities and Markets Authority (ESMA) today announced a set of recommendations to the Cyprus Securities and Exchange Commission (CySEC), the first time ESMA has issued such recommendations to a National Competent Authority (NCA).
The recommendations refer to several aspects of the supervisory cycle, encompassing ongoing supervision, investigations and enforcement / sanctioning. The aim of these recommendations is to ensure that CySEC puts in place a fit-for-purpose organisational framework to monitor, promote and enforce compliance by authorised firms.
ESMA says that CySEC should increase the resources directly dedicated to the entire supervisory cycle (authorisations, ongoing supervision and enforcement) of the peer-reviewed activities, to be closer to the average ratio of supervisory FTEs per supervised firms observed in the referenced peer review. This means that CySEC should enlarge its supervisory teams with around 30-40 new members.
Since firms can still provide activities while new supervisory resources are recruited, CySEC is advised to endeavour to conclude the resources increase in a reasonable amount of time and implement interim solutions, including by considering the possibility to temporarily use staff from other non-strategic or less risky areas to strengthen this key area of CySEC supervision.
Further, ESMA recommends to CySEC to put in place a revised annual supervisory plan, spanning ongoing supervision, investigations and – as applicable – enforcement, to increase the supervisory work performed on firms providing the peer-reviewed activities and aiming to improve the effectiveness of CySEC’s supervision in addressing supervisory risks at an earlier stage and responding more forcefully to problems identified.
In particular, this supervisory plan should lay down a concrete strategy on firms’ peer-reviewed activities aimed at ensuring (i) intense supervision of all High and Medium-High risk firms carrying out those activities, as classified by CySEC; and (ii) sustainably compliant behaviour by the firms, with an increased focus on those firms perceived as particularly problematic, which could, where necessary, involve removing the authorisation of firms exhibiting aggressive behaviours.
The outcome of such a plan should result in taking or requesting, in a timely way, actions commensurate to the nature and scale of risks, problems and shortcomings identified, to effectively prevent, mitigate or bring them to an end (including by taking measures – vis-à-vis firms and individuals – whose severity takes into account the repetition or continuation over time as aggravating factors).
Within two months of the date of publication of the recommendations on ESMA’s website, CySEC must notify ESMA whether it (i) complies, (ii) does not comply, but intends to comply, or (iii) does not comply and does not intend to comply with the recommendations.