The 30 September 2026 deadline is not a filing exercise. It is the date a supervised, auditor-verified baseline for safeguarding takes effect, and the board is answerable to it from the morning of 1 October.
The letter that reached licensed firms from the Central Bank of Cyprus in December 2025 set a single date, 30 September 2026, by which every payment institution and electronic money institution that holds client funds must file an independent assurance report on how it safeguards those funds, together with a management letter setting out what it will fix. It is tempting to read that as one report, one deadline, one submission. It is not. The report is assured against the 2025 calendar year, but the expectations it tests do not expire when the report is filed. From 1 October 2026 the CBC holds a documented, auditor-verified picture of how safeguarding is supposed to work at your firm, and it will hold you to it.
The deadline is the moment the supervisory conversation moves from "tell us what you do" to "show us you still do it." This piece walks the five areas where the baseline shifts and what the board needs in front of it now. It does not restate what safeguarding is; the mechanics are covered separately in our note on PI and EMI safeguarding.
1. Safeguarding account structure
Before the deadline, most firms already ran a sound structure: a collection or segregation account for incoming client money, one or more client accounts at a bank, and the firm's own capital account. What varied between firms was how far each element was evidenced rather than asserted. Titling conventions differed, acknowledgment letters were in place at some banks and assumed at others, and whether every client account demonstrably sat within a deposit guarantee scheme, and matched the firm's own licence conditions, was not always tested to a single standard. The circular makes that evidence, rather than the arrangement itself, the thing to prove.
After the deadline, the auditor will have looked behind each of those assertions. The expectation is that every account holding client money is titled so that a bank and a liquidator can identify it as client money without reference to the firm, that a signed acknowledgment from each credit institution confirms the account holds client funds and, as these letters are normally drafted, that the bank waives any right of set-off against the firm's own liabilities, and that the accounts sit within a deposit guarantee scheme, a point the circular names directly. Licence conditions matter here too. If your licence requires client funds to be held with credit institutions in the European Union, an account opened outside it is a finding, not a detail, and if funds sit outside the permitted set you need the CBC authorisation to show for it. The board's question is no longer "do we segregate." It is "for each bank we use, can we produce the letter, the title, the scheme position and the licence check."
2. Safeguarding reconciliation frequency
The reconciliation that matters is not the one between two internal records. Practice before the deadline varied: firms typically reconciled the client ledger against their own book daily, while the reconciliation of that book against the actual bank statement was run daily by some and weekly or monthly by others. Where the external step is less frequent a gap opens, because for that interval the daily safeguarding figure rests on numbers the bank has not confirmed, and a failed settlement, a bank charge, a posting error or a fraud can sit inside it while the firm believes it is fully covered.
After the deadline, the methodology and frequency have to be consistent with the firm's own approved policies, and discrepancies resolved without undue delay, with non-month-end reconciliations sampled where relevant. What that pushes toward in practice, and what an auditor testing an active acquirer will look for, is the external reconciliation, internal records against the actual balance at each bank, run as often as the internal one. For a firm with daily acquiring or payment flows that means daily, per bank, with funds in flight identified and the correct deadline applied to each kind of money. Payment service funds are due to be safeguarded by the end of the business day after receipt, and the five business day allowance is specific to electronic money and cannot be stretched across acquiring flows. Where a shortfall appears, it is made good from the firm's own funds the same day, not corrected at the next cycle. Discrepancies need an owner, a resolution time and a record that survives after the fact. Each period, the board should see how many exceptions arose, how long they stayed open, and whether the account was ever short. The parallel treatment in the investment-firm world is set out in our note on CIF client money.
3. Board-level oversight and reporting
Before the deadline, safeguarding oversight was already happening, but its shape was left to each firm. Many boards were receiving safeguarding reporting; what varied was how often, in what detail, and against which controls. In leaner firms accountability could also concentrate in one person, often the CFO, who might open the accounts, approve transfers, review the reconciliations and answer for compliance at once. What the circular does is turn that from a matter of discretion into an explicit, testable standard.
After the deadline, the auditor will have looked for a named individual accountable for safeguarding who is not also the person operating the funds day to day, for a reporting line to the board with a stated frequency, and for management information the board actually receives. In an assurance review, the concentration of incompatible duties in one role reads as a finding in its own right. The structure that holds up is to place accountability with an independent control function, usually compliance, leave execution with finance and treasury, and give the board a standing safeguarding item supported by a regular pack: balances, concentration by bank, invested amounts against the applicable limits, reconciliation exceptions and any open items from the assurance work. Escalation cannot be informal. The board needs a defined route by which a safeguarding incident reaches it, and where required the CBC, quickly. This sits inside the wider governance expectations we cover in the PI/EMI governance note.
4. External auditor scope on safeguarding
This is the change most likely to catch firms out, because it adds something that did not exist before rather than tightening something that did. Before the deadline, safeguarding was not a matter an external auditor gave a separate view on. The statutory audit of the financial statements considered controls only so far as they affected the accounts, and no one issued a standalone opinion on whether client money was actually protected.
After the deadline there is a distinct engagement. The safeguarding assurance is a limited assurance report under ISAE 3000 (Revised), and the CBC is specific about who can sign it: an independent statutory auditor who is not the firm's financial statements auditor and not its internal auditor. The output is a conclusion, unqualified, qualified, adverse or a disclaimer, plus a management letter of findings that the board has to approve. A qualified conclusion is not a footnote. It is a signal to the supervisor that the auditor was not satisfied on a specific area. Separately, the CBC has signalled that safeguarding belongs inside the internal audit plan and should be reviewed on an annual basis, so the assurance is not a single event, and the shape firms are adopting is to rotate through the sub-areas year by year. The board's job is to appoint an eligible practitioner, on time, and to read the management letter for what it is: the list of things a supervisor may ask about next. The licensing context sits in our CySEC licensing hub.
5. Complaints and dispute handling
Complaints look unrelated to safeguarding until you notice that a client chasing money that has not arrived is often the first person to detect a settlement or safeguarding failure. Firms already handle complaints and, in practice, meet the statutory time limits; what has usually been lighter is the evidence trail and the formal link between the complaints function and the safeguarding and reconciliation work.
The baseline here is set in law rather than in the December circular. A payment service user is entitled to a reply to a complaint within fifteen business days, extendable to thirty five in the cases the law allows, and to take an unresolved dispute to the Financial Ombudsman. What changes after 1 October is the standard of evidence the board should hold itself to. The same discipline the assurance work forces onto safeguarding, a named owner, a time limit, a record and reporting to the board, is the discipline a supervisor will expect to find in complaint handling, since complaints are often where a safeguarding weakness surfaces first. A rise in payment or settlement complaints is a safeguarding indicator, not only a service metric, and it belongs in the same board pack.
Three items before September
First, the appointment. Has the firm engaged an eligible practitioner, neither the financial statements auditor nor the internal auditor, with time to test the 2025 period and produce a report the board can approve before 30 September. If not, it is the most urgent item in the building.
Second, the honest account and reconciliation picture. For each credit institution, can the firm produce the acknowledgment letter, the client titling, the deposit guarantee scheme position and the licence check, and is the external reconciliation now running at the frequency the flows actually demand. Where the answer is no, the board sets a date rather than a discussion.
Third, the management letter posture. Assume there will be findings. Decide now who owns each remediation and by when, and make sure the letter the board approves reflects decisions the board actually made rather than a document it saw once. The firms that treat 30 September as a filing date will spend October explaining a qualified conclusion. The firms that treat 1 October as the first day of a standing obligation will already have moved the work into the operating rhythm of the business, which is where the supervisor now expects to find it. The firm's regulated entity licensing practice runs the safeguarding assurance engagement, the governance framework build, and the board-pack redesign on the same mandate.
The 30 September deadline is a filing date. The 1 October reset is an operating obligation. The firms that treat the two as one date will spend the year explaining the difference.
Deadline mechanics frequently asked
Who has to file, and who is exempt?
Every payment institution and electronic money institution licensed by the CBC that holds client funds. Firms that provide payment services without ever holding client funds had to notify the CBC by 15 January 2026 to be exempted from the requirement.
What exactly is due on 30 September 2026?
An independent limited assurance report on the firm's compliance with the safeguarding requirements for the 2025 calendar year, together with a management letter of findings, both approved by the board and submitted to the CBC.
Who can perform the safeguarding assurance?
An independent statutory auditor engaged for that purpose. It cannot be the firm's financial statements auditor and it cannot be its internal auditor.
What assurance standard applies?
Limited assurance under ISAE 3000 (Revised). The auditor's conclusion can be unqualified, qualified, adverse, or a disclaimer of conclusion.
What happens if the conclusion is qualified?
A qualification tells the CBC the auditor was not satisfied on a specific area. The circular does not spell out what follows, but a qualification directs supervisory attention, and the remediation set out in the management letter becomes what the CBC follows up on.