There is a moment in the CySEC licensing process that deserves more attention than it typically receives. It comes early in the engagement, usually in the first month or two and well before the application is submitted to CySEC, when the licensing provider sends across a folder of documents for the applicant to review and approve. The applicant reviews them at a high level, confirms the organisational chart looks right, and signs off. The application is submitted. Months later, the licence is granted.

This is where the difficulties begin.

What those documents actually are

The application bundle for a CySEC licence is not a formality. It is the constitutional document of the regulated entity. Once submitted and accepted by CySEC, the firm is bound by it. The folder typically contains an Internal Operations Manual, an AML and KYC Policy, a Risk Management Framework, a Best Execution Policy, a Conflicts of Interest Policy, a Complaints Handling Procedure, a three-year Business Plan, and the Governance and Organisational Structure.

Each document runs to dozens of pages. Each is technically compliant with MiFID II and CySEC's requirements. And each describes not an aspiration but a commitment. The compliance officer is expected to implement them. The internal auditor is expected to test compliance against them. When CySEC conducts an inspection, and it will, inspectors compare what the firm actually does against what the documents say it does.

The gap between what a firm actually does and what its licensing documents say it does is the primary measure of its regulatory risk.

This is not a theoretical observation. CySEC has been explicit on the point. Following a series of thematic reviews and on-site inspections, the regulator has noted that a significant number of firms do not maintain adequate policies and procedures, or maintain them in a form that does not reflect how the business actually operates. The internal operations manual is a specific area of recurring inspection findings: firms that have documented procedures that are inconsistent with their actual licence type, their real client base, or the services they genuinely provide.

The template problem

Licensing providers are in the business of obtaining licences. That is a legitimate and valuable service. The best among them invest genuine effort in tailoring documents to each applicant's business model. Many, however, operate on volume. A template-based approach is economically rational from the provider's perspective: the same core documents, adjusted for the applicant's name, jurisdiction focus, and selected services, can be produced quickly and will satisfy CySEC's initial review in most cases.

The applicant, focused on obtaining the licence, has limited incentive to challenge this. They typically lack the regulatory depth to identify where a template diverges from their actual intended operations. They are usually in a hurry. And the documents are, by design, dense and procedural: written to satisfy a regulatory checklist, not to be read critically by a business owner.

The result is a set of documents that describe a firm that does not yet exist, and may never exist in quite the way the documents contemplate. The AML policy specifies transaction monitoring thresholds that bear no relation to the firm's actual client base. The complaints procedure describes a multi-stage escalation process requiring staffing levels the firm does not have at launch. The best execution policy commits to order routing practices the firm's technology cannot yet support.

None of this necessarily prevents the licence from being granted. CySEC reviews documents for completeness and regulatory compliance, not for operational plausibility. An application that is internally inconsistent or operationally aspirational may still pass. The problem surfaces later, often much later, and at considerable cost.

The inspection arrives

CySEC's supervisory function is not passive. Inspections cover governance arrangements, AML and KYC process implementation, compliance function effectiveness, client fund safeguarding, sanctions screening, best execution policy application, and more. CySEC's thematic review programmes have included targeted assessments of sanctions screening systems across investment firms, fund managers, administrative service providers and payment institutions, examining whether documented screening procedures were actually implemented and functioning.

When an inspector arrives, they do not ask whether the firm intends to follow its procedures. They assess whether it is following them. They ask for evidence: logs, records, board minutes, compliance officer reports, client files, transaction monitoring alerts, complaint registers. The documentation test is simple and unforgiving: does the evidence trail demonstrate that what the documents describe is what the firm does?

A firm operating on the basis of documents it never properly internalised will find that its key functions are not failing so much as duplicating work. The internal audit function is not there to verify that everything in the policies is being done. It is there to check whether the firm's policies are actually applied in practice and to identify where documented requirements and operational reality have diverged. There is an important distinction here: not doing something the business does not actually need to do is a reasonable operational choice. Not doing something that the firm's own policies require, regardless of whether it is genuinely necessary, is a gap. The compliance officer reviewing an AML policy built for a different firm will either apply procedures that create unnecessary burden, or more practically, redraft the policy to reflect the business. Either way, work that should have been done once, correctly, at the outset ends up being done again.

CySEC's supervisory approach is proportionate. Not every inspection finding triggers a significant consequence, and not every gap represents a failure of intent. For a firm setting up for the first time, some divergence between the documented framework and operational reality is a normal part of building a regulated business. The regulator understands this. What matters is whether the firm has a genuine process for identifying gaps and addressing them, and whether its response to a supervisory finding is substantive. The material risk is not the gap that emerges naturally as the business grows. It is the gap that was embedded at the outset because the documents never accurately described what the firm was actually going to do.

What the documents should be

The documents submitted as part of a CySEC licence application should describe how the firm will actually operate. That sounds obvious. It is not how the market works in practice.

For the documents to be operationally accurate, the applicant needs to be an active participant in their production rather than a passive recipient. This means a genuine conversation about the business model before a single policy is drafted: what markets and clients the firm will serve, what its transaction volumes are expected to look like in Year One and at scale, what its staffing structure will be at launch, what technology it is using, how its order flow works, and what its actual risk appetite is.

This conversation shapes everything. The three-year business plan submitted to CySEC is not a standalone document. It is the commercial logic that the operational policies need to reflect. A best execution policy written without reference to how the firm's orders actually flow is a best execution policy that will fail an inspection. An AML policy written without reference to the firm's actual client profile creates compliance obligations that are either unachievable or entirely disconnected from the real risks the firm faces.

The documents that emerge from a genuine operational conversation will be different in every material respect from a template. They will also be documents the firm's leadership can understand and stand behind. Critically, they will be documents that a compliance officer can implement without having to reverse-engineer the intentions of a provider who is no longer involved.

Documents that live

The licensing documents are not a starting point to be revised once the firm is operational. They are the operating framework. If the firm's operations evolve, whether through new services, new markets, new client types or new technology, the documents need to be updated to reflect this. The expectation is not solely regulatory. The board, the compliance officer, the risk manager and senior management need the policies and procedures to describe the business they are actually running. Living documents are a governance necessity, not just a CySEC requirement.

This has a direct implication for how firms think about the initial licensing decision. The licence type, the services selected, and the operating model chosen at the outset are not merely structural choices. They define the documented framework the firm will be held against for as long as it holds the licence. Choosing the wrong structure, or choosing the right structure on the basis of an inaccurate picture of the business, creates a compliance burden that compounds over time.

The key persons appointed during the licensing process (the compliance officer, the risk manager, the AML officer) are the individuals who will be expected to implement what the documents describe. A compliance officer handed a set of template policies on the day of activation, with no prior involvement in their production, will not implement a framework they cannot make sense of. They will redraft it. That is the rational response. It is also a second round of work that should not have been necessary if the documents had described the actual business from the outset.

The question worth asking before submission

Before any application is submitted to CySEC, there is a test every applicant should be able to pass. If an inspector arrived tomorrow and asked the compliance officer to demonstrate how the AML policy is implemented, how the best execution policy is applied in practice, and how client complaints are handled end to end: could they do it? Not because they helped write the documents, but because the documents describe something real that the firm actually does.

If the answer is uncertain, the documents are not ready.

Obtaining a CySEC licence is a significant undertaking and a genuine competitive asset. The licence is a permission to operate within a framework. The framework is the documentation. Obtaining the licence without owning the framework is a transaction, not an authorisation, and the difference between the two becomes apparent the first time an inspector asks for the evidence file.