CSE (BOCH/ΤΡΚΗ) 1.570 -0.020
Last updated 15:49
LSE (BOCH) 1.590 0.030
Last updated 18:29

Internal Controls

Information Security

The mission of the Information Security Department is to assure the confidentiality, integrity and availability of  information as appropriate. To this end, it is responsible for translating the risk appetite of the Group into effective and efficient controls which (a) minimise impact to operations, (b) ensure better risk management, and (c) are compliant with regulations.

The Information Security Department is responsible and accountable for the development and implementation of the information security framework, to assist the Group’s efforts to protect its information assets.

The role of the head of Information Security includes the following (list is not exhaustive):

  • Advise and provide recommendations to the Board on the development of an information security policy in line with the Group’s size and complexity of activities and information distribution channels.
  • Advise and provide recommendations to senior management on the development and implementation of the Group’s information security program in the form of security policies, standards, guidelines, procedures and processes.
  • Oversee the dissemination and implementation of the information security program institution-wide.
  • Cooperate with the Bank’s business and support units and other internal control functions, for the effective implementation of security principles in the development of their policies and procedures.
  • Develop and implement in cooperation with the risk management Division, an information security risk assessment and management program.
  • Participate in the activities required for the implementation of effective security controls in the bank’s IT infrastructure and provide guiding principles to the IT for the operations of network and information systems.
  • Plan, organise and coordinate information security assessment activities throughout the institution.
  • Monitor compliance with information security policies, standards, guidelines, processes and procedures.

The Head of Information Security submits an annual report to the Board, through the Risk Committee which includes among others a summary of the most important information security risks the Bank faces at the time of reporting and a list of all important information security incidents and corrective actions taken to prevent recurrence.



The Bank’s Group Compliance Division (GCD) provides independent oversight of the management of the Bank’s compliance with laws, regulations, guidelines and internal rules relevant to the activities of the Bank and reports directly to the Audit Committee of the Board of Directors.

The activities of the GCD fall into four main areas and their role includes the following: 

Regulatory & Ethics Compliance:

  • Oversees, coordinates, monitors and provides relevant assurance for compliance with existing laws, rules and regulations through the implementation of the Bank’s overall regulatory and governance framework in accordance with the requirements of the Central Bank of Cyprus (CBC) and other regulatory authorities in Cyprus, the European Union, the United Kingdom and Ireland.  Such activity includes but is not limited to the identification and control of compliance risks, prudential reporting obligations as well as compliance training.
  • Tracks and evaluates all new regulations or amendments to existing regulatory issuances and facilitates their implementation by issuing and maintaining compliance related policies and procedures and initiating requests for policy pronouncements or revisions to ensure new regulations are made part of the Bank's policies and procedures.
  • Provides guidance, advice, support and training to employees on significant laws, regulations and ethical guidelines in an effort to establish a corporate culture of ethics.
  • Reports to the Audit Committee of the Board of Directors on significant compliance issues and provides relevant recommendations.
  • Conducts reviews and assessments to ensure effectiveness of controls and procedures in the management of compliance risks and recommends remedial actions.
  • Liaises with the regulatory authorities and appears before their bodies upon summons to clarify matters related to the compliance framework.
  • Annually prepares a report to the CBC on the Bank’s compliance with the CBC’s Directives.

Corporate Governance Compliance:

  • Reviews the effectiveness and adequacy of the corporate governance policy of the Group in coordination with the Nominations and Corporate Governance Committee (NCGC) and makes appropriate recommendations to the Board.
  • Ensures compliance with the Cyprus Stock Exchange (CSE) Corporate Governance Code, the UK Code as well as the relevant directives of the CBC.
  • Facilitates training of the Board members on their duties and responsibilities.
  • Ensures the fitness & probity of all members of the Board and Senior Management and assesses their suitability as per the EBA guidelines and the relevant CBC directives on an on-going basis and reports to this respect on an annual basis.
  • Performs the annual Board performance evaluation in coordination with the NCGC and submits a report to the Board and the CBC.

Financial Crime Compliance: 

  •  Monitors Anti-Financial Crime activity through the investigation of alerts generated by a specialised Anti-Money Laundering (AML) system, the assessment of cash-based business clients, the assessment of internal SARs, the inception of internal AML investigations and the submission of Suspicious Activity Reports (SARs) to the local Financial Intelligence Unit (FIU).
  • Provides AML assurance through the performance of onsite AML specific audits at the various units of the Bank, policy updates and follow-up of supervisory audits / investigations.
  • Provides AML Customer Risk assessment by reviewing High and Significant risk customers, performing country risk assessments, sanction monitoring, responding to Correspondent banks and monitoring the AML regular review campaigns of business lines.
  • Provides Third party Risk assessment by reviewing client accounts, assessing third parties (intermediaries and fiduciary service providers) and performing specialised reviews of Politically Exposed Persons (PEP) customers.
  • Annually prepares a report to the CBC on the Bank's compliance with the CBC's AML Directive including an AML Risk Assessment which is performed using a sophisticated scenario based risk assessment methodology.

Data Privacy Management:

  • Acts as liaison between the Personal Data Commissioner and the Bank of Cyprus.
  • Supports and consults the Bank and the Board of Directors on personal data protection matters.
  • Monitors and ensures the adequacy of established procedures for the implementation of data subject rights, data inventory and vendors management.
  • Ensures that complaints on data protection issues are quickly and effectively handled.
  • Performs reviews and assessments to ensure full compliance to the obligation of the General Data Protection Regulation (GDPR) across the Bank.

Internal Audit

The Bank has in place an independent Audit Function, through which the Bank’s Board, senior management and shareholders may be provided with reasonable assurance that its key organisational and procedural controls are effective, appropriate, and complied with. The role of the Group Internal Audit Division includes the following:

  • Develop and implement an effective annual internal audit program to be approved by the Audit Committee that covers the entire operations of the Bank including subsidiaries and affiliates.
  • Submit to the Audit Committee an annual report on the performance of Internal Audit activities, responsibilities, and performance relative to the audit plans and strategies as approved by the Committee including significant risk exposures, control issues and such matters as may be needed or requested by the Board of Directors and senior management.
  • Conduct independent assessment of adequacy and effectiveness of management and IT control frameworks, risk management and governance processes of all units of the Bank including subsidiaries and affiliates.
  • Monitor the resolution of internal control weaknesses noted during the examination with the end view of mitigating risks and strengthening the control environment.
  • Examine and analyse the organisational structure, checks and balances, methods of operations and use of human and physical resources to reveal defects in order to prevent fraud or irregularities.
  • Certify that the conduct of auditing activities is in accordance with the International standards on the Professional Practice of Internal Auditing.


Risk Management

The Bank’s Group Risk Management Division (GRMD) ensures that all material risks are identified, measured and properly reported. The Division is actively involved in elaborating the institution’s risk strategy and in all material risk management decisions.

The Board ensures the independence of the GRMD by providing it with direct access to the Board and the Risk Committee without any impediment.

The GRMD is independent from executive functions, business line responsibilities, operations and revenue generating functions. The GRMD functionally reports to the Risk Committee and administratively to the CEO.

The role of the GRMD includes the following (list is not exhaustive):

  • Assist the Risk Committee, Board of Directors and senior management to establish and communicate the Bank’s risk management objectives and direction.
  • Assist the Board Risk Committee and senior management to develop and communicate management policies.
  • Facilitate in the identification, measurement, monitoring, reporting and control of risks.
  • Monitor and assess decisions to accept particular risks whether these are consistent with board approved policies on risk tolerance and the effectiveness of the corresponding risk mitigation measures.
  • Report to senior management, the Risk Committee and the Board the results of the assessment and monitoring of risk exposures.
  • Have sufficient expertise and operating experience enabling the challenging of decisions that affect the institution’s exposure to risk.
  • Annually prepare a report to the CBC presenting key issues and developments within the Bank and review of the main risk areas.
  • Submit reports to the Board and relevant Committees and attend their meetings to present said reports and provide additional information and/or classification or assistance on managing the issues raised.
  • Involved in any changes to the institution’s strategy, risk appetite framework and risk limits.
Bank of Cyprus uses cookies on this website aiming to improve your online experience. To accept cookies continue browsing as normal.