Technical Circular No. 58, 17 April 2014

To all members of the Institute

Technical Circular No. 58

From the Financial Services Committee

17 April 2014

Subject: Indicative audit program in relation to the issuance of the Independent Auditor’s Report to the Cyprus Securities and Exchange Commission pursuant to Section 116 of the Investment Services and Activities and Regulated Markets Law of 2007 as amended in 2009 and 2012

Section 116 of the Investment Services and Activities and Regulated Markets Laws of 2007 to 2012 [L144(I)/2007, L106(I)/2009, L141(I)/2012 and L154(I)/2012] (consolidated, hereafter referred to as the “Law”) requires the external auditors of a Cyprus Investment Firm (“CIF”) to submit to the Cyprus Securities and Exchange Commission (“CySEC”), within four months from the end of each financial year, a report in relation to the suitability of the measures taken by the CIF for the safeguarding of client assets, pursuant to the provisions of Part VI of the CySEC Directive DI144-2007-01 of 2012 for the Authorization and Operating Conditions of CIFs (the “Directive”).

For general guidance purposes in relation to the abovementioned report, the Financial Services Committee of the Institute has prepared the attached indicative audit program, in English, with suggested audit procedures aimed at addressing the specific provisions of Part VI of the Directive.

It is emphasized that the facts and circumstances of each CIF may vary from case to case; therefore the proposed audit program should be considered only as an indicative but not exhaustive list of the necessary audit procedures. Additional audit procedures must be considered on a case by case basis.

Attachment

APPENDIX

Indicative audit program in relation to the issuance of the Independent Auditor’s Report to the Cyprus Securities and Exchange Commission pursuant to section 116 of the Investment Services and Activities and Regulated Markets Law of 2007 as amended in 2009 and 2012

1. Safeguarding of clients' financial instruments and funds (section 1 of 6)

Article 18(1)(a)

Requirement:
The CIF must keep such records and accounts as are necessary to enable it at any time and without delay to distinguish assets held for one client from assets held for any other client, and from its own assets.

Indicative audit procedures:
(I) (a) Obtain the company's client list from the system which should contain as a minimum the following for each client: Client ID number, Client name, categorization (e.g. professional vs. retail) and closing balance as of the end of the reporting period.
    (b) Select a sample of clients from this list and check that the company's systems (i.e. trading platforms and back office) can produce, at any point in time, a snapshot of each client's holdings, showing client name and/or ID, amount and type of investments, transaction date and time, opening and closing balance. In case of companies with own investments, check that the system can produce a similar snapshot for the own equity (i.e. cash and investments), giving particular attention to the name in which the own assets are recorded.
(II) Review the company's procedures for distinguishing assets held for one client from those held for another by verifying that each client is recorded in the system with a unique identification code (ID).
(III) (a) Take a sample of client money receipts and payments (e.g. deposits, withdrawals, dividends, interest, transaction settlements, etc.) and test that they are paid into or out of the client bank account no later than 3 business days after they have been received/need to be paid. In cases where there are no other alternatives or a client erroneously deposits money into a company's own bank account, check and verify that it is paid into a client bank account no later than the next business day following receipt. Withdrawals of client money should take place only based on prescribed purposes.
    (b) Test, on a sample basis, that client transactions (i.e. purchases and sales of client instruments) are recorded promptly and properly in the Company's internal records (trading platform, back office, accounting). Also check that internal records are updated promptly and properly with regards to the receipt of documents of title or other assets in physical form on behalf of clients, and their transfer to clients or other parties upon clients' request.

1. Safeguarding of clients' financial instruments and funds (section 2 of 6)

Article 18(1)(b)

Requirement:
The CIF must maintain its records and accounts in a way that ensures their accuracy, and in particular their correspondence to the financial instruments and funds held for clients.

Indicative audit procedures:
(IV) (a) Check whether the Company maintains accurate records of the following items:
        (i) Daily opening and closing balances, per client
        (ii) List of open positions providing trade details such as trade date and time, open price, instrument type, numbers of lots/units, unrealised profit/loss, etc.
        (iii) Information on cash movements, i.e. deposits, withdrawals, receipts, transfers, credit limits, charges, fees, etc., per client
        (iv) Information on interest earned and bonus granted, per client, indicating amounts and dates paid to each client (here, also check the Company's workings for the calculation of the interest and bonus paid to each customer)
        (v) Client money and Client instruments reconciliations
        (vi) Statements of holdings sent to clients on a periodic basis (in this respect, check also that statements are sent to clients at the required intervals, as specified by the client agreements)
    (b) Review customer complaints and correspondence with the Cyprus Securities and Exchange Commission for evidence of any issues concerning the accuracy of the internal records of the Company.

1. Safeguarding of clients' financial instruments and funds (section 3 of 6)

Article 18(1)(c)

Requirement:
The CIF must conduct, on a regular basis, reconciliations between its internal accounts and records and those of any third parties by whom those assets are held.

Indicative audit procedures:
(V) (a) Check whether the Company has performed daily reconciliations of clients' money and clients' financial instruments throughout the year under review. Also, verify that reconciliations are performed as soon as reasonably possible after the date to which the reconciliation refers, and that any reconciliation differences are promptly identified, properly explained and cleared as soon as possible (where clearance entails any shortfall to be topped up and any excess to be withdrawn).
        The reconciliation of clients' financial instruments should consist of the comparison/matching of the trading platform(s) with external sub-custodian statements and should take into consideration not only the client instruments held by third party custodians, but also the ones held in physical form at the Company's premises (in which case the reconciliation will consist of a physical count and comparison with internal records) or in dematerialised form by the Company.
        As for the clients' money reconciliation, to be considered complete it should be performed at the following levels, or any combination of these:
            - Bank & other Third Party statements Vs. Client Assets (as per TB)
            - Bank & other Third Party statements Vs. Client Liabilities (as per TB)
            - Client Liabilities (as per TB) Vs. Clients' Equity (as per Trading Platform(s))
        Our tests should consider whether the necessary controls exist to ensure that all client accounts and third party statements are reconciled properly at regular intervals. For this purpose, obtain a list of all accounts opened in third parties, indicating the client accounts and whether they are used for holding funds or financial instruments.
    (b) Consider whether there is adequate segregation of duties between the person performing the reconciliations and the person(s) who maintain the records to be reconciled and are involved in the recording and moving of client assets, always with a view to the proportionality principle. Also consider whether there are appropriate procedures for review.
(VI) For the year end, agree the total value of client funds to third party records, at the three levels indicated above. Where third party records are maintained by the third party on a client by client basis, agree on a sample basis the total value of funds per client to the third party records. Consider sending on a sample basis confirmation letters to third parties where funds are kept. Investigate any difference upon receipt of confirmation replies. Perform alternative procedures for non-replies (e.g. review post year end movement).

1. Safeguarding of clients' financial instruments and funds (section 4 of 6)

Article 18(1)(d)

Requirement:
The CIF must take the necessary steps to ensure that any client financial instruments deposited with a third party, in accordance with paragraph 19, are identifiable separately from the financial instruments belonging to the CIF and from financial instruments belonging to that third party, by means of differently titled accounts on the books of the third party or other equivalent measures that achieve the same level of protection.

Indicative audit procedures:
(VII) (a) Obtain the statements of client instruments from third party custodians and check whether the title of client accounts indicates the client ownership (i.e. it contains the term “client(s)” or “client(s) account” or something similar).
    (b) In cases where Company own instruments are held by the same third party custodian as client instruments, check and make sure that they are deposited in a different account than the account used to hold client instruments, and that the title of this account does not contain the term “client(s)”. Test this by checking the Company's reconciliations of its own portfolio, as well as the clients' portfolio reconciliations, for any evidence of lack of segregation (look for cases of reconciling items relating to client instruments kept in own accounts with the custodian, or vice versa). Where own and client instruments in third party custodian accounts are not separated due to legal reasons, the conditions of paragraph 19(3) of the Directive [1] are applicable, and the audit procedures indicated in (XII) below must be performed.
    (c) In cases where third party custodian records present client instruments on a pooled/aggregated basis without indicating the customer name, ensure that proper records are kept by the Company to enable it to distinguish the instruments that belong to each client separately. To test this, obtain from the trading platform a list of all clients' instruments by client and indicating the third party custodian where each instrument is kept. If this information is not available, this can also be checked through the client securities reconciliations (i.e. test completeness of client instruments and third party custodian accounts and investigate any difference between internal and external records).
    (d) For bearer documents of title, check that the owner can be identified at all times and that it is readily apparent which investments relate to the Company (if applicable) and which to the client.

[1] Cyprus Securities and Exchange Commission Directive DI144-2007-01 of 2012 for the Authorization and Operating Conditions of CIFs.

1. Safeguarding of clients' financial instruments and funds (section 5 of 6)

Article 18(1)(e)

Requirement:
The CIF must take the necessary steps to ensure that client funds deposited, in accordance with paragraph 20, in a central bank, a credit institution or a bank authorised in a third country or a qualifying money market fund are held in an account or accounts identified separately from any accounts used to hold funds belonging to the CIF.

Indicative audit procedures:
(VIII) (a) Obtain the statements of client accounts with banks and other third parties as per the Directive [2] and check whether their title contains the term “client(s)” or “client(s) account” or something similar. Examine whether the client accounts at third parties have a “trust status” (this can be checked by obtaining a written confirmation from the third party, stating that: “All money standing to the credit of the account is held by the Company as trustee (or if relevant, as agent) and that (i) the bank/third party is not entitled to combine the account with any other account or to exercise any right of set-off or counterclaim against money in that account in respect of any sum owed to it on any other account of the Company; and (ii) the title of the account sufficiently distinguishes that account from any account containing money that belongs to the Company, and is in the form requested by the Company”).
    (b) An exception to the “trust status” mentioned in (a) above is where, in the country in which the cash is deposited for brokerage purposes, the country's legislation does not provide for the concept of nominee (trustee) account holder. In these cases the auditor should ensure that the CIF correctly communicates this issue to the client (e.g. via the client agreements) and advises him that the client cash is not segregated under MiFID [3] (since it does not follow MiFID) so his cash is not protected in the same manner as in a MiFID jurisdiction.
    (c) Where own funds are deposited with the same bank as client funds, test and verify that they are kept in a different bank account than the one used to hold client funds, and that this account is under the Company's name. If own funds are kept in the same third party account as client funds, ensure that there is a valid reason for doing so and that the Company is able to quantify the amount of its own money kept in client accounts at any point in time. A valid rationale would be that the own funds are equal to the credits granted to clients for facilitating their trading activity.
    (d) In the case where client funds are kept with third parties on an aggregated basis in pooled client accounts, ensure that proper records are kept by the Company to enable it to distinguish the portion of funds which relates to each client separately. To test this, check the client money reconciliations for completeness of client accounts and third party statements, and investigate reconciliation differences between internal and external records upon receiving confirmation replies. Perform alternative procedures for non-replies (e.g. review post year end movement).

[2] Cyprus Securities and Exchange Commission Directive DI144-2007-01 of 2012 for the Authorization and Operating Conditions of CIFs.
[3] Markets in Financial Instruments Directive (MiFID) 2004/39/EC of the European Union.

1. Safeguarding of clients' financial instruments and funds (section 6 of 6)

Article 18(1)(f)

Requirement:
The CIF must introduce adequate organisational arrangements to minimise the risk of the loss or diminution of client assets, or of rights in connection with those assets, as a result of misuse of the assets, fraud, poor administration, inadequate recordkeeping or negligence.

Indicative audit procedures:
(IX) Test and ensure the adequacy of the procedures that the Company has put in place with respect to:
    (a) the prompt and proper recording of client transactions in internal systems, such as trading platform, back office and accounting and the proper review of transactions recording by control functions and/or senior management.
    (b) the carrying out of client money and instruments reconciliations on a regular basis (i.e. daily) and as soon as practically possible after the date to which the reconciliation refers (i.e. not later than 5 business days after the reconciliation reference date).
    (c) the allocation of responsibility for the client funds and instruments reconciliations and the escalating of reconciling items.
    (c) the record-keeping of client information, considering both physical and IT security issues (back up servers, hard files, etc.).
    (d) the safekeeping of clients' documents of title and any other client assets held in physical form (this can be achieved through safe boxes, fire-proof rooms and safes, restricted access via password controlled doors or limited access to keys).
    (e) the carrying out of proper and continuing risk assessments of all third parties holding client money and client instruments.
    (f) the consideration for diversification of client funds when amounts are of sufficient size. The Large Exposures Directive may be considered on a case by case basis and depending on the particular circumstances of each CIF.

2. Depositing client financial instruments (section 1 of 3)

Article 19(1)

Requirement:
A CIF may deposit financial instruments held on behalf of its clients into an account or accounts opened with a third party provided that the CIF exercises all due skill, care and diligence in the selection, appointment and periodic review of the third party and of the arrangements for the holding and safekeeping of those financial instruments. In particular, the CIF is required to take into account the expertise and market reputation of the third party as well as any legal requirements or market practices related to the holding of those financial instruments that could adversely affect clients’ rights.

Indicative audit procedures:
(X) (a) Obtain listing of third parties which hold financial instruments on behalf of clients.
    (b) Inquire about and obtain listing of all third parties with which client financial instruments are deposited.
    (c) Obtain the CIF procedures applied in the process of selecting and approving these third parties.
    (d) Review the CIF procedures to determine that due skill, care and diligence is exercised in the selection of these third parties. This can be evidenced through the following (list is not exhaustive):
        (i) The third party is regulated in a reputable jurisdiction and is licensed to accept client financial instruments.
        (ii) A detailed description of the relevant procedures followed by the third party has been obtained and reviewed by the CIF.
        (iii) The third party carries out independent review of its relevant procedures and makes the report available to the CIF (e.g. ISAE 3402 [4] report).
        (iv) Client rights in the event of bankruptcy or other financial difficulty of the third party have been assessed by the CIF and found to be acceptable and at a minimum in line with the CySEC relevant requirements.
        (v) The expertise of the third party has been adequately assessed by the CIF.
        (vi) The rating of the third party (if applicable) is obtained and assessed.
    (e) Review the CIF procedures for monitoring the third party to ensure that this is an on-going process with at least annual updating of the eligibility of each third party used.
    (f) Select a sample of third parties and perform walk through testing to test whether the above procedures/policies are applied in practice.

[4] International Standard on Assurance Engagements (ISAE) 3402 “Assurance Reports on Controls at a Service Organization”.

2. Depositing client financial instruments (section 2 of 3)

Article 19(2)

Requirement:
If the safekeeping of financial instruments for the account of another person is subject to specific regulation and supervision in a jurisdiction where the CIF proposes to deposit client financial instruments with a third party, the CIF does not deposit those financial instruments in that jurisdiction with a third party which is not subject to such regulation and supervision.

Indicative audit procedures:
(XI) (a) From the listing of third parties obtained for audit procedure (X) above, identify third parties operating in a foreign jurisdiction.
    (b) For each jurisdiction confirm whether the third parties are regulated. This can be evidenced for example by searching the local regulators' web site. If this is not feasible obtain evidence from the CIF to confirm that third party is appropriately regulated.

2. Depositing client financial instruments (section 3 of 3)

Article 19(3)

Requirement:
A CIF does not deposit financial instruments held on behalf of clients with a third party in a third country that does not regulate the holding and safekeeping of financial instruments for the account of another person unless one of the following conditions is met:
    (a) the nature of the financial instruments or of the investment services connected with those instruments requires them to be deposited with a third party in that third country;
    (b) where the financial instruments are held on behalf of a professional client, that client requests the CIF in writing to deposit them with a third party in that third country.

Indicative audit procedures:
(XII) (a) Obtain a listing from the CIF of all client financial instruments deposited with a third party in a third country that does not regulate the holding and safekeeping of financial instruments for the account of another person.
    (b) Test this listing for completeness by selecting a sample from the listing of third parties obtained for audit procedure (X) above to ensure that they are correctly excluded from the list obtained for audit procedure (XII) (a) above. This can be evidenced either by searching the local regulators' web site or by obtaining appropriate evidence from the CIF to support the conclusion that the third party is regulated.
    (c) For jurisdictions not regulating third parties for the holding and safekeeping of financial instruments for the account of another person, obtain evidence from the CIF to support that one of the following conditions is met:
        (i) the nature of the financial instruments or of the investment services connected with those instruments requires them to be deposited with a third party in that third country;
        (ii) where the financial instruments are held on behalf of a professional client, that client requests the CIF in writing to deposit them with a third party in that third country.

3. Depositing client funds (section 1 of 3)

Article 20(1)

Requirement:
A CIF is required, on receiving any client funds, promptly to place those funds into one or more accounts, denoted as “clients” accounts, opened with any of the following:
    (a) central bank;
    (b) credit institution;
    (c) bank authorised in a third country;
    (d) qualifying money market fund.

Indicative audit procedures:
(XIII) (a) Receive the Company's bank accounts statements and review whether the clients' funds are clearly distinguished from the company's own funds. Verify that the clients' funds are deposited in bank accounts clearly denoted as "Clients' accounts" whereas Company's own funds are kept in different bank accounts under the Company's name. Examine whether the client accounts at third parties have a "trust status" (this can be checked by obtaining a written confirmation from the third party, stating that: "All money standing to the credit of the account is held by the Company as trustee (or if relevant, as agent) and that the bank/third party is not entitled to combine the account with any other account or to exercise any right of set-off or counterclaim against money in that account in respect of any sum owed to it on any other account of the Company; and (b) the title of the account sufficiently distinguishes that account from any account containing money that belongs to the Company, and is in the form requested by the Company").
    (b) An exception to the "trust status" mentioned in (a) above is where, in the country in which the cash is deposited for brokerage purposes, the country's legislation does not provide for the concept of nominee (trustee) account holder. In these cases the auditor should ensure that the CIF correctly communicates this issue to the client (e.g. via the client agreements) and advises him that the client cash is not segregated under MiFID [5] (since it does not follow MiFID) so his cash is not protected in the same manner as in a MiFID jurisdiction.

[5] Markets in Financial Instruments Directive (MiFID) 2004/39/EC of the European Union.

3. Depositing client funds (section 2 of 3)

Article 20(2)

Requirement:
A CIF that does not deposit client funds with a central bank is required to exercise all due skill, care and diligence in the selection, appointment and periodic review of the credit institution, bank or money market fund where the funds are placed and the arrangements for the holding of those funds. A CIF takes into account the expertise and market reputation of such institutions or money market funds with a view to ensuring the protection of clients’ rights, as well as any legal or regulatory requirements or market practices related to the holding of client funds that could adversely affect clients’ rights.

Indicative audit procedures:
(XIV) (a) Verify that clients' funds are deposited in a central bank, a credit institution, a bank authorised in a third country or a qualifying money market fund. Ensure that institutions used by the Company for depositing clients' funds are properly authorised by obtaining the relevant license/authorisation and review the due diligence procedures followed by the Company.
    (b) Obtain listing of third parties which hold funds on behalf of clients.
    (c) Inquire about and obtain listing of all third parties with which client funds are deposited.
    (d) Obtain the CIF procedures applied in the process of selecting and approving these third parties.
    (e) Review the CIF procedures to determine that due skill, care and diligence is exercised in the selection of these third parties. This can be evidenced through the following (list is not exhaustive):
        (i) Third party is regulated in a reputable jurisdiction and is licensed to accept client financial instruments.
        (ii) A detailed description of the relevant procedures followed by the third party has been obtained and reviewed by the CIF.
        (iii) The third party carries out independent review of its relevant procedures and makes the report available to the CIF (e.g. ISAE 3402 report).
        (iv) Client rights in the event of bankruptcy or other financial difficulty of the third party have been assessed by the CIF and found to be acceptable and at a minimum in line with the CySEC relevant requirements.
        (v) The expertise of the third party has been adequately assessed by the CIF.
        (vi) The rating of the third party (if applicable) is obtained and assessed.
    (f) Review the CIF procedures for monitoring the third party to ensure that this is an on-going process with at least annual updating of the eligibility of each third party used.
    (g) Select a sample of third parties and perform walk through testing to test whether the above procedures/policies are applied in practice.

3. Depositing client funds (section 3 of 3)

Article 20(3), 20(4)

Requirement:
Where a CIF deposits funds it holds on behalf of a client with a qualifying money market fund, the units in that money market fund should be held in accordance with the requirements for holding financial instruments belonging to clients. The clients of the CIF have the right to oppose the placement of their funds in a qualifying money market fund.

Indicative audit procedures:
(XV) (a) Review the procedures followed for depositing clients' funds with a qualifying money market fund, if these are in line with the requirements of Article 19 of the Directive [6] for holding financial instruments belonging to clients.
    (b) From the listing of third parties obtained in procedure X above, identify third parties operating in a foreign jurisdiction.
    (c) For each jurisdiction confirm whether the third parties are regulated. This can be evidenced for example by searching the local regulators' web site. If this is not feasible obtain evidence from the CIF to confirm that third party is appropriately regulated.
    (d) Obtain a listing from the CIF of all client funds deposited with a third party in a third country that does not regulate the holding and safekeeping of financial instruments for the account of another person.
    (e) Test this listing for completeness by selecting a sample from the listing of third parties obtained in procedure X above to ensure that they are correctly excluded from the list obtained in procedure XII (a) above. This can be evidenced either by searching the local regulators' web site or by obtaining appropriate evidence from the CIF to support the conclusion that the third party is regulated.
    (f) For jurisdictions not regulating third parties for the holding and safekeeping of client funds for the account of another person, obtain evidence from the CIF to support that one of the following conditions is met:
        (i) the nature of the client funds or of the investment services connected with those funds requires them to be deposited with a third party in that third country;
        (ii) where the client funds are held on behalf of a professional client, that client requests the CIF in writing to deposit them with a third party in that third country.

[6] Cyprus Securities and Exchange Commission Directive DI144-2007-01 of 2012 for the Authorization and Operating Conditions of CIFs.

4. Use of client financial instruments (section 1 of 3)

Article 21(1)

Requirement:
A CIF is not allowed to enter into arrangements for securities financing transactions in respect of financial instruments held by it on behalf of a client, or otherwise use such financial instruments for its own account or the account of another client of the CIF, unless the following conditions are met:
    (a) the client must have given his prior express consent to the use of the instruments on specified terms, as evidenced, in the case of a retail client, by his signature or equivalent alternative mechanism;
    (b) the use of that client's financial instruments must be restricted to the specified terms to which the client consents.

Indicative audit procedures:
(XVI) (a) Obtain from the CIF the list of contracts whereby clients have given their consent to the CIF to use their financial instruments for own account. Obtain also the list of transactions relating to the above mentioned contracts.
    (b) On a sample basis:
        (i) Review whether the contracts are signed by both parties (CIF and client).
        (ii) Review the specific terms of the contract according to which client’s consent has been granted.
        (iii) Test whether the CIF has complied with the contractual terms by:
            - Reviewing a sample of transactions from the above mentioned list.
            - Verifying whether the selected transactions are consistent with the terms of the corresponding contract(s).
            - Confirming that the client receives notice of such transactions performed, for example through separate statements of account sent electronically or other means of notification.

4. Use of client financial instruments (section 2 of 3)

Article 21(2)

Requirement:
A CIF is not allowed to enter into arrangements for securities financing transactions in respect of financial instruments which are held on behalf of a client in an omnibus account maintained by a third party, or otherwise use financial instruments held in such an account for its own account or for the account of another client unless, in addition to the conditions set out in subparagraph (1), at least one of the following conditions is met:
    (a) each client whose financial instruments are held together in an omnibus account must have given prior express consent in accordance with subparagraph (1)(a);
    (b) the CIF must have in place systems and controls which ensure that only financial instruments belonging to clients who have given prior express consent in accordance with subparagraph (1)(a) are so used.

Indicative audit procedures:
(XVII) (a) Obtain from the CIF the list of contracts whereby clients have given their consent to the CIF to use their financial instruments for own account as in 21(1) above.
    (b) On a sample basis check whether:
        (1) Client agreements adequately reflect the provision of the law as per article 18(1)(i) of Law 144(I)/2007 as amended by Laws 106(I)/2009, 141(I)/2012 and 154(I)/2012.
        (2) Clients' asset custody accounts for those clients that have given their consent for the CIF to use their assets are kept separately from those that have not.
        (3) CIF has a policy on how to compensate clients for use of their assets (even if nil).
        (4) CIF reflects the amount of securities used on the client statement (or note on the statement that some of the clients’ securities may be used, in cases where it is not possible to identify the amount of securities used per client).

4. Use of client financial instruments (section 3 of 3)

Article 21(3)

Requirement:
The records of the CIF must include details of the client on whose instructions the use of the financial instruments has been effected, as well as the number of financial instruments used belonging to each client who has given his consent in accordance with subparagraph (1), so as to enable the correct allocation of any loss.

Indicative audit procedures:
(XVIII) For a selected sample of transactions (see subparagraph 21(1) above) verify whether the records of the CIF include appropriate documentation such as:
    (a) reference to the contract under which consent is granted,
    (b) working in relation to the allocation of profits/losses in compliance with the contractual terms,
    (c) notification to the client regarding the allocated profits or losses,
    (d) evidence of client's acceptance of the allocation, or
    (e) reconciliation between client's position and CIF's position regarding the allocation and explanations for reconciling items.