A risk assessment will be performed for all entities at least every year and the outcome will be used to define each entity's monitoring programme for the forthcoming regulatory period. The assessment will be based on the impact, or potential harm that could be caused by a particular set of circumstances, weighted by the estimated probability of those circumstances actually occurring. Risk measures may be quantitative or qualitative. Impact is assessed on the basis of numerical and financial data extracted from the entity's regulatory returns. Probability is assessed on a range of criteria including the entity's governance arrangements and its susceptibility to being used for financial crime.
Based on the assessment regulated entities will be assigned one of four risk ratings, with the intensity of supervision varying with the assessed degree of risk.
CySEC has now issued the risk assessment package relating to providers of corporate management and fiduciary services, which it refers to as administrative services providers (ASPs). All authorised ASPs are required to complete the specified form for the reporting period January 1 to December 31 2014 and submit it via CySEC's electronic transaction reporting system between and January 5 and 16 2015. ASPs that have not received formal authorisation are advised to prepare the requisite information in order to be able to submit it before January 16 2015, as it is likely that the authorisation process will be completed before December 31 2014.