What does the CySEC fit and proper test assess for CIF directors?

The CySEC fit and proper assessment goes beyond clean criminal records and non-bankruptcy certificates. CySEC evaluates whether each director or key person genuinely understands the investment activities the firm proposes to conduct, the regulatory obligations they will personally bear, and the risk and compliance frameworks the firm will operate under. A clean background with no relevant financial services experience is not sufficient. CySEC is assessing whether the person is actually capable of discharging the governance responsibilities of the role — not merely whether they are free from disqualifying history.

Do CIF directors need to live in Cyprus to get a CySEC licence?

Yes. CySEC requires a Cyprus Investment Firm to have at least two executive directors who are resident in Cyprus. The majority of the board must be Cyprus residents. This is not merely a paper requirement: CySEC expects the firm's mind and management to genuinely operate from Cyprus. Directors who are nominally resident but travel frequently or are effectively based elsewhere will receive scrutiny. The question CySEC is asking is not where a director is registered, but where the firm's decisions are actually made.

What substance does CySEC require for a CIF licence — what counts as a real office?

CySEC requires a genuine physical office in Cyprus — not a registered address, a shared hot-desk arrangement, or a virtual office. The office must be equipped and operational, with the capacity to conduct the firm's regulated activities. CySEC will visit the premises as part of the licensing process. What is being assessed is not the quality of the furniture but whether the office functions as the real operational base of the firm: whether compliance, risk, and executive management are genuinely conducted there, and whether the infrastructure — systems, records, staff — is present and working.

What happens after CySEC approves a CIF application in principle?

CySEC's approval in principle is not the licence. After approval in principle, the firm enters the activation phase: it must deposit the required regulatory capital in a Cypriot bank account and obtain a bank certificate confirming the balance, establish and equip the physical office, engage all required key personnel under formal contracts, and demonstrate that its compliance and risk infrastructure is live and operational. CySEC will conduct a pre-licensing inspection. Only once these conditions are verified does CySEC issue the formal authorisation. This phase is typically two to four months and is where timelines extend most unpredictably.

What source of wealth documentation does CySEC require for CIF shareholders?

CySEC requires every significant shareholder of a CIF applicant to document the source of their wealth — not only to demonstrate that the regulatory capital is clean, but to establish that the owner has sufficient financial depth to support the firm if it needs it. Acceptable documentation depends on the nature of the wealth: tax returns, audited personal or corporate accounts, business sale proceeds, investment portfolio statements, or inheritance records. Vague declarations without supporting evidence are not accepted. For complex structures involving holding companies or multi-jurisdictional ownership, the source of wealth exercise must be conducted at every layer through to the ultimate natural persons. Incomplete or inconsistent source of wealth documentation is one of the most common triggers for additional information requests and licensing delays.

CySEC Is Not Reviewing Your Application. It Is Reviewing You.

There is a widespread belief that the CySEC licensing process is primarily a document exercise. Submit the right paperwork, demonstrate the right capital, and the licence follows. That belief is wrong, and it accounts for most of the delays that extend a standard application from eight months to eighteen.

The documents are evidence. What CySEC is actually doing is forming a view about the people, the governance, and whether the structure being proposed will genuinely exist and function after the licence is issued. Capital requirements can be met by anyone with sufficient funds. The assessment that determines whether an application succeeds or stalls is the one nobody puts on a checklist.

What “fit and proper” actually covers

Every guide to CIF licensing mentions the fit and proper test. Most describe it as a background check: a clean criminal record, a non-bankruptcy certificate, evidence of relevant experience. Those requirements are real, but they describe the floor, not the standard.

What CySEC is examining, beneath the paperwork, is whether each director and key person genuinely understands what they are being authorised to do. The examination is not bureaucratic. It is substantive. A director who cannot explain the firm’s proposed investment process in sufficient detail, who cannot articulate the regulatory obligations they will personally bear, or whose understanding of the firm’s risk framework is superficial, will trigger a request for additional information. That request, and the months it takes to resolve, is what most applicants experience as a licensing delay.

The fit and proper assessment is conducted person by person. Each executive director, the compliance officer, and the risk manager are evaluated individually. A strong CEO does not carry a weak compliance officer. The quality of each person is assessed on its own terms, against the specific responsibilities of the role they will hold.

The four people CySEC looks at hardest

CySEC’s scrutiny is not evenly distributed across all proposed personnel. In practice, four roles receive the most intensive examination.

The Chief Executive Officer, or whoever will be the senior executive director, is assessed on breadth: does this person understand the full regulatory perimeter of the firm’s activities, the capital obligations, the reporting requirements, the governance framework? Candidates who have run regulated businesses before, who have been through supervisory reviews, and who can speak to the regulatory environment from direct experience, move through this assessment smoothly. Those whose experience is primarily commercial rather than regulatory do not.

The compliance officer receives particular scrutiny because they are the individual who will carry the day-to-day regulatory relationship with CySEC. A compliance officer who cannot demonstrate deep, firm-specific knowledge of the investment services being provided — not generic MiFID II awareness, but a precise understanding of how compliance applies to this firm’s specific activities — will generate repeated questions. The compliance officer’s interview, formal or informal, is effectively the licensing committee’s proxy for assessing whether the firm will actually be supervised effectively once authorised.

The risk manager and the second executive director round out the core team. What CySEC is looking for in both cases is not duplication of the CEO but genuine functional depth: does the risk manager understand the firm’s specific risk exposures, and does the second executive director add governance substance rather than simply fulfilling a headcount requirement?

The examination that extends beyond the directors

The fit and proper assessment does not stop at the people who will manage the firm. It extends to the people who own it. CySEC examines the ultimate beneficial owners of a CIF applicant with the same rigour it applies to its directors, and one element of that examination creates more delays than almost any other: source of wealth.

Every significant shareholder must demonstrate, with documentation, not only that the capital being contributed to the firm is theirs and is clean, but that there is depth of wealth behind it. CySEC is not only asking where the regulatory capital came from. It is asking whether the owner has the financial capacity to support the firm if it needs it — whether, in a stress scenario, there is substance behind the shareholder and not merely a one-time capital injection at the margin of their means.

This is a meaningful distinction. A shareholder who can demonstrate that the €150,000 being contributed to the firm represents a small fraction of documented, verifiable net worth is in a fundamentally different position from one for whom that sum represents the totality of liquid assets. CySEC’s concern in the latter case is not primarily AML, though AML is also in play. The concern is prudential: will this firm be adequately supported if its capital is eroded in the first year of operations?

The documentation requirement is substantial. Tax returns, audited personal or corporate accounts, evidence of business sale proceeds, inheritance documentation, investment portfolio statements — what is appropriate depends on the source, but vague or unsupported declarations of wealth are not acceptable. CySEC expects a coherent narrative connecting the declared origin of the wealth to independently verifiable evidence of it. Gaps in that narrative, inconsistencies between declared income and demonstrated assets, or wealth whose origin cannot be clearly traced, will generate a request for further information that can take months to resolve.

For applicants with complex ownership structures — holding companies, trust arrangements, shareholders in multiple jurisdictions — the source of wealth exercise must be conducted at every layer. The transparency requirement runs through to the natural persons at the top of the structure. A well-documented immediate shareholder who sits beneath an opaque holding company does not satisfy the requirement. CySEC needs to understand the full ownership chain and the wealth position of every natural person who ultimately controls or benefits from the applicant.

What CySEC means by substance

The substance requirement for a CIF is frequently misunderstood as a physical office requirement. It is more than that. The question CySEC is asking is not whether you have rented a room in Nicosia. It is whether the firm’s mind and management genuinely operates from Cyprus.

Those are different questions. A firm can have a leased office, a Cyprus address, and two nominally resident directors who travel constantly and make all material decisions from another jurisdiction. CySEC is increasingly sophisticated at identifying this structure, and it does not licence it. The “four eyes” principle — two executive directors resident in Cyprus — is a minimum floor, not a quality benchmark. What the regulator is actually checking is where decisions are made, where compliance operates, and whether the executive directors are genuinely engaged with the business on a full-time basis from within the jurisdiction.

The office itself must be genuine. Not a shared hot-desk. Not a virtual address. Not a registered office provided by a service firm where no one from the CIF will ever sit. The office must have the capacity to conduct the regulated activities of the firm — the right infrastructure, the right systems, the right records, and the right people present and working. CySEC will inspect it.

The activation phase: what happens after approval in principle

This is the part of the licensing process that receives almost no attention in the literature, and it is where most timelines extend beyond the applicant’s original expectations.

CySEC’s approval in principle is not the licence. It is a conditional decision: CySEC has assessed the application and determined that, if the firm can demonstrate it is operationally ready, authorisation will follow. The activation phase is the demonstration of that readiness, and it has specific requirements.

The regulatory capital must be deposited in a Cyprus bank account before the licence is issued. Not committed, not in transit, not in an account pending regulatory approval to operate — deposited, available, and evidenced by a bank certificate from a Cyprus-licensed credit institution. For firms that have not opened their Cyprus bank accounts early in the process, this alone can add months. Cyprus bank account opening for newly incorporated regulated entities is not fast, and it cannot be expedited purely by escalating internally.

The office must be established, equipped, and operational. Key personnel must be formally contracted. Compliance and risk frameworks must be live, not in draft. Technology infrastructure must be in place. CySEC will conduct a pre-licensing inspection before issuing the formal authorisation. The inspection is not a formality. Firms that present an office that clearly does not yet function as an investment firm will not receive their licence on that visit.

The gap between approval in principle and formal authorisation is typically two to four months for a well-prepared firm. For a firm that has not begun the operational build until after receiving approval in principle, six months is common and twelve is not unheard of.

Why applications stall rather than fail

CySEC rarely formally rejects CIF applications. It requests additional information. Understanding the difference matters, because the request-for-information cycle is where most of the elapsed time in a protracted application disappears.

The triggers for additional information requests fall into recognisable categories. Business plans that read like templates — generic descriptions of investment services that could apply to any firm rather than a precise account of this firm’s specific activities, clients, and operating model — generate questions. CVs that list seniority without demonstrating relevant regulatory experience generate questions. Compliance frameworks structured as tick-box documents rather than firm-specific operational procedures generate questions. An organisational chart that proposes a governance structure internally inconsistent with the business model generates questions.

Each request for additional information resets a clock. CySEC’s target processing time is measured from the date of a complete application, not from the date of first submission. A submission that requires two rounds of additional information requests can, in practice, extend the application window by six months even if each individual response is submitted promptly.

The practical consequence is that the quality of preparation before submission is the single most significant variable in the length of the licensing process. Firms that submit complete, coherent, firm-specific applications receive decisions in the timeframe the legislation contemplates. Firms that submit early and revise later do not.

The practical implication

Preparing a CIF application well means preparing the people before preparing the documents. The directors and key personnel who navigate the fit and proper process most effectively are those who have already engaged seriously with the regulatory obligations of their roles, who understand how MiFID II and the CySEC framework applies specifically to what their firm will do, and who have been involved in building the compliance and risk function rather than simply receiving a summary of it at submission time.

The substance requirement is not satisfied by signing a lease. It is satisfied by making a genuine organisational commitment to operating from Cyprus — with full-time, resident, engaged management actually running the business from within the jurisdiction. Firms that treat Cyprus residence as a regulatory formality rather than an operational reality will encounter a regulator that takes the same view of their application.

The activation phase, finally, should be treated not as something that begins after approval in principle but as something that runs in parallel with the application itself. The bank account, the office, the technology infrastructure, the staffing — all of these have long lead times. Firms that begin building the operational reality of their CIF at the same time as they are preparing the application arrive at approval in principle ready to activate. Firms that wait do not.

The licence does not create the firm. The firm must exist, in substance, before the licence is issued.

CySEC is not reviewingyour application.It is reviewing you.