The Central Bank of Cyprus issued two directives on Friday concerning the internal organisation and governance of payment institutions and electronic money institutions.
These are businesses that provide payment services as alternatives to traditional banks, usually accessed by the public through digital applications. Their use is increasing across Europe. The Central Bank has licensed and supervises 29 electronic money institutions and 10 payment institutions.
The purpose of the 2026 Directive on the Internal Organisation and Governance of Payment Institutions is to set requirements for the development, implementation and effective oversight of internal governance mechanisms that payment institutions must put in place to ensure their effective and prudent management.
Each institution licensed by the Central Bank must have a sound governance framework that is consistent with, and promotes, the principles of sound and effective management. This must include a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
It must also include appropriate and effective procedures and safeguards for identifying, managing, monitoring and reporting the risks to which the institution is, or may be, exposed, including risks of non-compliance with the applicable regulatory framework.
The framework must also cover network and information systems created and managed in line with Regulation (EU) 2022/2554, adequate internal control mechanisms, including compliance mechanisms linked to the prevention and combating of money laundering and terrorist financing, as well as procedures for monitoring and handling complaints.
The directive also requires appropriate administrative and accounting procedures.
Role of the management body
The management body has ultimate and overall responsibility for the institution’s internal governance. It defines, oversees and is accountable for the implementation of governance arrangements that ensure the effective and prudent management of the institution, including regulatory compliance and effective risk management.
It is also responsible for the effective supervision of senior management.
Where the institution is the parent company of a group, its management body has overall responsibility for adequate internal governance across the group.
All members of the management body and senior management must have full awareness of the institution’s structure and their responsibilities, as well as the allocation of duties between members of the management body, its committees and senior management.
To ensure an appropriate system of checks and balances, the management body’s decision-making process must not be dominated by one member or by a small group of members.
The responsibilities of the management body include establishing, approving and overseeing the implementation of the institution’s overall business strategy and key policies, which must be consistent with the legal and regulatory framework within which it operates. These must take into account the institution’s long-term financial interests and solvency.
The management body must also assess, at least once a year, the effectiveness of the institution’s management of regulatory compliance risk.
It must be familiar with the regulatory environment in which the institution operates, ensure that an appropriate compliance framework is in place and maintain an effective and productive relationship with the competent authorities.
It is also responsible for the institution’s overall risk strategy, including its risk appetite and risk management framework, as well as arrangements ensuring that sufficient time is devoted to risk issues.
The management body must establish an adequate and effective internal governance framework and internal control system, including a clear organisational structure and the proper functioning of independent risk management, regulatory compliance, internal audit and ICT risk management functions. In line with the principle of proportionality, these functions must have sufficient authority, standing and resources to perform their duties.
The directive also provides for internal control mechanisms linked to anti-money laundering and counter-terrorist financing requirements, a process for selecting and assessing the suitability of members of the management body and senior management, and arrangements governing the internal operation of any committees established by the management body.
These arrangements must describe the role, composition and duties of each committee, the appropriate flow of information, including documentation of recommendations and conclusions, and reporting lines between the committees, the management body, the Central Bank and other parties.
The management body must also establish a corporate culture and corporate values that promote responsible and ethical behaviour, including a code of conduct or similar instrument.
It must adopt a conflict-of-interest policy at institutional and group level, as well as for each member of the management body, senior management and other staff.
The directive also requires a policy to safeguard funds received from payment service users or through another payment service provider for the execution of payment transactions. This must include, at a minimum, the safeguarding methods applied by the institution and the methods used to monitor and verify compliance with the requirements of Article 10 of the law.
The management body must also ensure the integrity of accounting and financial reporting systems, including financial and operational controls, compliance with the relevant legal framework and compliance with applicable financial standards.
It must constructively examine and critically assess the proposals, explanations and information it receives when exercising judgement and making decisions.
The management body also oversees the disclosure process and communications with external stakeholders and competent authorities.
All members must be kept informed about the institution’s overall activity, financial position and risks, taking into account the economic environment, as well as decisions taken by each function or business unit that have a major impact on the institution’s operations.
The management body must monitor and periodically review the institution’s procedures, strategies, policies and internal control system. It must take appropriate measures to address any weaknesses identified and periodically assess the effectiveness of the institution’s governance arrangements.
It must also ensure that settlement instructions involving transfers of funds from customer accounts are co-signed either by two members of the management body or by two persons duly authorised by the management body for that purpose.
The management body must approve and regularly review, at least once a year, the institution’s outsourcing policy and oversee its implementation.
It must also appoint one of its members, in line with the requirements of Article 58D of the Prevention and Suppression of Money Laundering Activities Law of 2007, to be responsible for compliance with the laws, regulations and administrative provisions required under that legislation and any related directives, circulars or regulations, including relevant European Union acts.
Responsibilities of senior management
Senior managers are responsible for directing and supervising the effective management of the institution within the powers assigned to them by the management body and in compliance with applicable laws and regulations.
They are also responsible for directing and supervising the institution’s day-to-day operations, in line with the business objectives, strategies and policies approved by the management body and with legal and regulatory requirements.
Senior management must submit recommendations to the management body for consideration and approval regarding business objectives, strategies, business plans and policies governing the institution’s operation.
They must also provide comprehensive, relevant and timely information to the management body, enabling it to review business objectives, business strategy and policies, and to hold senior management accountable for the performance of their duties.
The management body must consist of at least five members. At least two must be executive members, one of whom must be the chief executive officer. At least three members must be independent.
Independent members must hold a majority of the votes on the institution’s management body.
The chair of the management body must be an independent non-executive member and, where the number of members is even, must have the casting vote in the event of a tie.
Members of the management body must have sufficient knowledge, skills and experience to understand the institution’s activities and obligations arising from the legal and regulatory framework, as well as the risks linked to its operations.
Second directive
The 2026 Directive on the Internal Organisation and Governance of Electronic Money Institutions sets out the requirements for a sound governance framework consistent with, and promoting, the principles of sound and effective management.
It also defines requirements for the development, implementation and effective oversight of internal governance mechanisms to ensure the effective and prudent management of electronic money institutions.
The directive further provides for appropriate and effective procedures and safeguards to identify, manage, monitor and report risks to which the institution is, or may be, exposed, including risks of non-compliance with the applicable regulatory framework.
It also requires adequate internal control mechanisms, including compliance mechanisms linked to the prevention and combating of money laundering and terrorist financing.
Investments
The Central Bank also recently issued a directive defining safe, liquid and low-risk assets for the investment of funds subject to safeguarding requirements.
Under the directive, payment institutions must prepare an internal policy for investments in safe, liquid and low-risk assets and notify the Central Bank of that policy at least one month before investments begin.
