What does CySEC C418 require for client fund segregation by a Cyprus Investment Firm?

CySEC Circular C418 requires Cyprus Investment Firms to hold client funds promptly in one or more accounts with an eligible institution — a central bank, a credit institution, a third-country bank, or a qualifying money market fund — with the account title clearly identifying it as a clients' account. Beyond the account structure, C418 requires: daily two-sided reconciliation for active trading firms, at least two signatories with combined powers on the client account, a 20% limit on deposits with group-affiliated entities, a single officer appointed with overall responsibility for safeguarding compliance, a board-approved written policy for any buffer of own funds held in client accounts, and annual review of safeguarding procedures by both the internal auditor and the compliance officer.

How often must a Cyprus Investment Firm reconcile its client funds?

Where a CIF undertakes transactions for clients on a daily basis, CySEC expects reconciliations to be performed on each business day, based on the previous business day's closing position. The reconciliation must be conducted on two legs: first, the CIF's internal records against the actual bank or third-party statements; second, the CIF's internal records against clients' equity — the actual funds owed to each client, which includes deposits and withdrawals, credits, and realised and unrealised profit and loss. Reconciling items should only arise from timing differences and should be cleared within a few days.

What is the 20% group deposit limit for CIF client funds?

Where a CIF deposits client funds with a bank or qualifying money market fund belonging to the same group, those deposits must not exceed 20% of all client funds held. CySEC permits a small balance exception where the balance does not exceed the lower of €3,000,000 or 50% of total client funds. Using this exception requires a written assessment notified to CySEC, reviewed at least annually. Where the threshold is exceeded due to circumstances outside the CIF's control — a client transfer, a dividend, a coupon payment, or interest — the CIF must take immediate action to bring the balance within the permitted limit.

Who can be a signatory on a CIF's client account?

CySEC requires at least two persons with combined signatory powers on client accounts. Two categories of person are explicitly excluded: those involved in preparing client money reconciliations, and shareholders of the CIF who do not hold executive duties within it. CySEC identifies the expected pool of signatories as the Chief Executive Officer, the Chief Financial Officer, the Head of the Accounting Department, or an Executive Director.

Client Fund Segregation for Cyprus Investment Firms: What CySEC C418 Requires

Section 17(9) of the Investment Services and Activities and Regulated Markets Law is unambiguous: a Cyprus Investment Firm that holds funds belonging to clients must make adequate arrangements to safeguard the rights of those clients and prevent the use of client funds for its own account. CySEC Circular C418 defines what adequate arrangements mean in practice. The correctly titled client account with an eligible institution is where that definition starts. What follows is more specific.

The account: structure, title, and eligible institutions

Upon receiving any client funds, a CIF must promptly place those funds into one or more accounts opened with one of four categories of institution: a central bank; a credit institution as defined in the Business of Credit Institutions Law; a bank authorised in a third country; or a qualifying money market fund. The title of the account must sufficiently distinguish it from any account used to hold the CIF's own funds — it must be denoted as a clients' account.

Where local law in the jurisdiction in which the account is held prevents separate titling, C418 sets out a specific fallback. The CIF must notify the institution that it is obliged to keep client funds separate from its own, must demonstrate that there was no alternative, and must demonstrate that it exhausted all efforts to obtain a separately titled account elsewhere. If it cannot demonstrate all three, CySEC may require the CIF to segregate an equivalent amount of its own funds in a separately titled account in a jurisdiction where separate titling is possible.

One further constraint applies regardless of structure: client accounts may only be used for the CIF's own clients. They cannot be used for the clients of other entities within the same group.

The PSP/EMI complication: merchant accounts are not client accounts

CIFs commonly maintain merchant accounts with PSPs and EMIs for the clearing and settlement of client payment transactions. C418 is precise about what those merchant accounts are and are not. They are transit arrangements. Client funds must be transferred to the CIF's properly titled client accounts immediately after the clearing and settlement of payment transactions. A merchant account is not a permitted holding arrangement for client money.

Two situations arise regularly in practice that create a harder obligation. Where a PSP or EMI withholds funds as a rolling reserve or fixed deposit for chargeback or other purposes, the CIF cannot treat the withheld amount as a timing issue. It must transfer an equivalent amount from its own funds into the client account to ensure the full client balance is maintained. The PSP's commercial risk management arrangement does not reduce the CIF's regulatory obligation.

The second situation arises where a CIF credits a client's trading account before incoming funds have cleared, to allow the client to trade with immediate effect. The CIF must transfer the corresponding amount from its own funds to the client account before trading commences. C418 notes that this practice is only available to CIFs licensed to provide the specific ancillary service of granting credits or loans to investors in connection with transactions. It is not available as a general operational convenience.

Merchant accounts themselves may only be used by the CIF for its own clients. They cannot, under any circumstances, be used by connected persons, group entities, or third parties. CySEC also requires CIFs to publish on their website a list of the PSPs and EMIs they cooperate with, along with the competent authority and country that supervises each one.

The reconciliation: two legs, not one

Where a CIF undertakes transactions for clients on a daily basis, CySEC expects reconciliation to be performed on each business day, based on the previous business day's closing position. The reconciliation must be conducted on two legs simultaneously, and both matter.

The first leg compares the CIF's internal records of client account balances against the actual statements from the bank or other third party holding client funds. The second leg compares the CIF's internal records against clients' equity — the actual funds owed to each client, calculated to include deposits and withdrawals, credits, and both realised and unrealised profit and loss. Reconciling items should only arise from timing differences, and should be cleared within a few days.

The second leg is the operationally demanding one. It requires accurate running records of the position owed to each client at any given moment, including open trading positions. A firm that performs only the first leg — confirming that the bank balance matches its own records — is conducting half a reconciliation. The obligation requires both.

Signatory controls: who can act and who cannot

Client accounts must have at least two persons with combined signatory powers. Any transfer from a client account requires both. C418 is explicit about who cannot be appointed to this role: persons involved in preparing client money reconciliations are excluded, as are shareholders of the CIF who do not hold executive duties within it. CySEC identifies the expected pool of eligible signatories as the Chief Executive Officer, the Chief Financial Officer, the Head of the Accounting Department, or an Executive Director.

The exclusion of reconciliation preparers from the signatory list creates a formal separation between the function of calculating what should be in the account and the authority to move funds out of it. In small CIFs where the same individual handles multiple functions, this separation requires structural attention — it cannot be resolved by documentation alone.

The group deposit limit: 20%, with a specific small balance exception

Where a CIF deposits client funds with a bank or qualifying money market fund that belongs to the same group, those deposits must not exceed 20% of all client funds held, aggregated across all group entities. CySEC provides a small balance exception: the limit does not apply where the balance does not exceed the lower of €3,000,000 or 50% of total client funds. Using this exception is not passive — it requires a written assessment notified to CySEC, reviewed at least once per year, and reviewed earlier if circumstances change in a way that would affect the original conclusion.

Where the threshold is exceeded due to circumstances outside the CIF's control — a client transfer, a dividend, a coupon payment, or interest received — the CIF must take immediate action to bring the balance within the permitted limit. The involuntary nature of the breach does not remove the obligation to remediate it promptly.

The single officer, the buffer, and the internal monitors

C418 requires every CIF to appoint a single officer with sufficient skill and authority to hold overall responsibility for compliance with the safeguarding of client financial instruments and funds. The purpose is to prevent fragmented responsibility across departments and to ensure the firm has a single person with overarching sight of how its obligations are being met. The single officer verifies the accuracy and completeness of the client money reconciliation that CIFs submit to CySEC through the QST-CIF form. Their details must be registered and kept current in CySEC's portal.

Where a CIF maintains a buffer of its own funds within client accounts — a permitted practice, used to cover operational timing gaps, PSP and EMI exposures, foreign exchange mismatches between client fund currencies, or possible shortfalls — it must have a board-approved written policy specifying the specific risks being covered and the amount retained. CySEC is clear that those buffered funds are treated as client funds and are subject to all the same regulatory requirements.

The internal audit function and the compliance officer are both expected to review the CIF's safeguarding procedures as part of their annual work plans, including verification of the accuracy and completeness of the client money reconciliation. Where either function identifies a significant weakness, the obligation is to report it to the Board of Directors immediately for corrective action — not to record it for the next scheduled review.

The client account is correctly structured, correctly titled, and correctly funded. CySEC will still find the weaknesses — because the weaknesses are not in the structure. They are in the daily practice.

Having a client accountsatisfies one of CySEC’srequirements for clientfund segregation.C418 defines what comes after.