Client fund safeguarding is one of the most fundamental obligations placed on Payment Institutions and Electronic Money Institutions licensed by the Central Bank of Cyprus. The requirement has been defined in the regulatory framework since the transposition of PSD2. What distinguishes entities that satisfy supervisors from entities that merely satisfy themselves is not whether the arrangement exists. It is whether the arrangement works as intended, continuously, under operational conditions.
Most licensed PIs and EMIs have a safeguarding arrangement in place. A segregated account exists. A procedure document describes how it works. An individual is responsible for the daily calculation. On paper, the obligation appears to be met. The supervisory question is whether the paper corresponds to the practice.
What safeguarding actually requires
The obligation requires a PI or EMI to protect client funds from the moment they are received until they are either executed or returned. The legal framework provides two main routes. The first is to hold client funds in a segregated account at a licensed credit institution, ring-fenced from the entity's own assets and from any insolvency proceedings that might affect it. The second is to invest those funds in secure, liquid, low-risk assets held separately from the entity's balance sheet. A third route — an insurance policy or guarantee from a credit institution or insurer covering the safeguarded amount — is available but less commonly used in practice.
In any case, the safeguarded amount must be calculated daily and correspond exactly to the total of client funds held at that point in time. Funds must be segregated without undue delay from the moment of receipt. Records must be maintained in a form that allows the accuracy of the calculation to be independently verified at any given moment. The obligation is continuous. It does not pause between regulatory examinations.
Where the arrangement and the discipline diverge
The gap between a written procedure and a consistently executed one is where supervisory findings live. Most of the gaps that surface during independent assurance work are not the result of bad faith. They are the result of operational drift — the gradual divergence between what the procedure specifies and what the daily practice has become.
The calculation methodology is the most common area of weakness. The daily safeguarding amount is often calculated on a basis that does not fully capture the entity's exposure: funds received but not yet executed, funds in transit across settlement cut-off times, or amounts associated with services where the boundary between client funds and the entity's own working capital is not clearly drawn in the underlying systems. The procedure may be technically correct and still miss material amounts in practice.
Timing is a second area. The regulatory obligation requires segregation without undue delay. In practice, the transfer from a receipts account to the designated safeguarding account often takes longer than the entity's own procedures specify. The procedure says same-day. The practice is next-day. The reconciliation record does not always make this visible.
Documentation is a third. An entity may perform the calculation correctly and still be unable to demonstrate that it was performed correctly, because the supporting records are not maintained in a form that allows rapid independent verification. The discipline was there. The evidence of it was not.
What independent assurance involves
Independent assurance on safeguarding is a structured examination conducted under ISAE 3000 (Revised) as a limited assurance engagement. It addresses two distinct questions: the adequacy of the entity's controls and procedures for safeguarding client funds, and the effectiveness with which those controls and procedures are implemented in practice. These are not the same question, and both matter.
Adequacy examines whether the framework is correctly designed. Does the calculation methodology capture the full safeguarding obligation? Does the segregation procedure reflect the legal requirements precisely? Are the oversight and governance arrangements fit for the purpose they are supposed to serve? A framework can be inadequate on paper without a single execution failure ever having occurred.
Effectiveness examines whether the framework does what it describes. Reconciliations are performed as the procedure specifies. Exceptions are escalated and resolved. The controls operate in practice the way they operate on paper. An entity can have a well-designed framework that is inconsistently executed — and the supervisory risk sits in the gap between the two.
The scope and depth of the engagement are determined by the nature, scale, and complexity of the entity's operations. Smaller and less complex entities are expected to maintain proportionately simpler arrangements and will be assessed accordingly. The standard does not require the same depth of procedure from a single-product PI as from a multi-currency EMI with cross-border payment flows.
The independence requirement and what it means in practice
The assurance practitioner must be an independent statutory auditor as defined under the Auditor's Laws of 2017. This has two important practical consequences. First, independence from the entity means the practitioner approaches the engagement without a pre-existing relationship that creates pressure to present findings in a way that management finds comfortable. The assurance is prepared for the regulator's benefit. Its value depends on the practitioner's willingness to report what the evidence shows.
Second, the statutory auditor already responsible for the entity's financial statements cannot conduct this engagement. Nor can the entity's internal auditor. The financial statement auditor has an established relationship with the entity's records and governance structures that compromises independence for this specific purpose. The internal auditor is part of the governance structure being assessed. A separate, independent appointment is required — one made for this engagement specifically.
The Management Letter and board accountability
The assurance report documents the practitioner's conclusions. The Management Letter documents what the entity intends to do about the findings. Both documents must be approved by the Board of Directors before submission to the regulator.
This creates a governance record with a specific character. The board does not simply receive the findings. It approves the entity's formal response to them — the remediation actions and the timelines within which those actions will be completed. The regulator can then assess not only whether findings exist but whether the board took structured accountability for addressing them.
The parallel with other governance mechanisms is direct. A finding that appears in the assurance report, is acknowledged in the Management Letter with a remediation commitment, and remains unaddressed at the next examination tells a story about the board that is difficult to dispute. The board has its own signature on the document that described the plan and the deadline.
A safeguarding arrangement that cannot be independently verified provides the same protection to clients as one that does not exist. The record of the discipline is part of the discipline.