EMIs/PIs Safeguarding and the 3.5 Lines of Defence: How a Supervisory Shift Is Reshaping Client Fund Assurance

The Central Bank of Cyprus published its 2025 Annual Report. For Payment Institutions and Electronic Money Institutions, the most consequential paragraph in the entire document was a single phrase tucked into the section on supervisory priorities for 2026: zero tolerance on the safeguarding of client funds.

Two words. They deserve close reading.

1. What "zero tolerance" actually means

"Zero tolerance" — μηδενική ανοχή in the original Greek — is not a description of how a supervisor reacts after a failure. It is a description of how confident the supervisor wants to be, in advance, that no failure exists. The distinction matters. The first is enforcement language. The second is assurance language. They imply different supervisory tools, different evidence requirements, and different demands on regulated firms.

Confidence of this kind cannot come from the entity alone. A firm's own attestation that its safeguarding arrangements are sound is, by construction, not independent. It cannot come from the firm's financial statement auditor either, because that practitioner has a pre-existing relationship with the entity's records and governance structures that compromises independence for this specific purpose. And it cannot come from the firm's internal audit function, because internal audit is itself part of the governance structure that the supervisor is asking to be assessed.

The supervisor wants assurance from someone outside all three of those positions.

2. The 3.5 line of defence

The traditional lines of defence model, used widely across European prudential supervision, identifies three:

The first line is operational management, the people running the business and owning day-to-day controls. The second line is risk management and compliance, the oversight, policy-setting, and continuous monitoring of the first line. The third line is internal audit, independent assurance to the Board on whether the first two lines are working as designed.

What the CBC has done, in practice, amounts to inserting a 3.5 line of defence into the safeguarding model.

The 3.5 sits between the third line and the supervisor itself. It is an externally appointed independent practitioner, a statutory auditor under the Auditor's Laws of 2017, whose only role in the engagement is to give the regulator assurance ahead of supervisory engagement. The practitioner is not part of the firm's permanent governance structure. The engagement is not part of the financial statement audit. The work product is not for management's benefit. It is prepared for the regulator's benefit, and its credibility depends on the practitioner being independent of every existing relationship the firm already has.

That is what zero tolerance looks like when it is operationalised rather than merely written.

What this means in practice: the safeguarding obligation is not satisfied by having a segregated account, a written policy, and an internal auditor who has reviewed it. The supervisor wants confirmation from a practitioner who is independent of the firm's existing governance arrangements, including the internal audit function itself.

3. Why safeguarding is the leading example, not the only one

Safeguarding has been chosen as the testing ground for this approach because it is concrete and measurable. Every PI and EMI has a duty to safeguard client funds. The duty has a clear legal basis under the Provision and Use of Payment Services and Access to Payment Systems Laws and the Electronic Money Institutions Directive. The arrangements can be examined against documented criteria. The reconciliations can be tested. The governance can be evidenced.

But the underlying logic is broader. Across Cyprus supervision, the direction of travel is from policy review to evidence review. Supervisors are increasingly less interested in whether a firm has written down what it does. They are increasingly interested in whether what the firm actually does, day to day, matches what is written, and whether someone independent has tested the match.

The same shift is reaching CIFs in the form of suitability file reviews, and AMLCOs in the form of CDD inspection-readiness expectations. Safeguarding is the leading indicator because it is the cleanest test case. It will not be the only one.

4. What this asks of Boards

For PIs and EMIs in Cyprus, this raises a procurement question that most have not previously had to answer. The independent practitioner conducting the safeguarding assurance engagement cannot be the firm's existing financial statement auditor. It cannot be its internal audit function or the outsourced provider of that function. For most firms, that means appointing a new audit firm specifically for this purpose, often the first time the entity has engaged a separate practitioner for assurance work outside of its statutory audit.

That decision is not delegable. It is a Board-level decision with three observable consequences.

The first is timing. Procurement of a new practitioner takes weeks at best. Onboarding, document gathering, and substantive testing under ISAE 3000 (Revised) take longer. Firms that begin this process earlier will have meaningfully more practitioner choice and meaningfully more time to remediate findings before those findings become supervisory ones.

The second is governance evidence. The Board's selection of the practitioner, its approval of the assurance report, and its approval of the Management Letter responding to findings all create documentary records that the supervisor will, in turn, examine. A Board that approves a Management Letter and then does not track its execution has not discharged its oversight function. It has documented a plan and walked away from it. The supervisory record traces the failure back to the Board itself.

The third is the Management Letter as an ongoing instrument. The remediation actions and timelines that the Board approves in the Management Letter are commitments the Board owns until they are complete. Active, not ceremonial, oversight of those commitments is what closes the loop.

5. The technical depth

Citius Trust, a company within our group, has published a detailed analysis of what an independent safeguarding assurance engagement examines, including the adequacy and effectiveness dimensions of the assessment, the two-person sign-off requirement on daily reconciliations imposed by licence conditions, and the operational areas where written procedures and daily practice most often diverge. For compliance officers, internal audit functions, and Boards at PIs and EMIs preparing for engagement with the supervisor, it is the technical reference.

The article is written from the practitioner's perspective. This article is written from the trainer's perspective. The two are complementary. The practitioner explains what an assurance engagement examines. The trainer explains why supervisors have made these engagements central to their 2026 priorities, and what compliance officers should be doing internally to prepare.

6. The broader signal for Cyprus compliance

The 3.5 line of defence framing is specific to safeguarding. The underlying supervisory shift is not. It is reasonable to expect that, in the years ahead, supervisors across the Cyprus regulatory landscape will increasingly look for independent verification of arrangements that until recently they were content to assess through firm self-attestation and routine inspection.

The compliance officers and Boards that recognise this early will treat it as a positive feature of the supervisory environment. Independent assurance, when it is done well, is not a tax on the firm. It is the cheapest way to know whether what the firm is doing actually works, before someone else asks the same question with consequences attached.

The firms that recognise this late will spend the next decade catching up.

Know what supervisors are looking for. Supervisory priorities, enforcement themes, and the regulatory architecture behind them are at the centre of the seminars and analysis we publish. If your work involves keeping a Board informed of what the supervisor will ask for next, our content is built for you.

Sources referenced in this article: Central Bank of Cyprus, Annual Report 2025; Citius Trust, "The safeguarding obligation does not end when you open a segregated account. It begins there." (April 2026); Provision and Use of Payment Services and Access to Payment Systems Laws of 2018 to 2025; Electronic Money Institutions Directive of 2025; Auditor's Laws of 2017 (Law 53(I)/2017); ISAE 3000 (Revised).

This article is for educational purposes and does not constitute legal, audit, or compliance advice. 

Article by Nikolas Demetriades

Published 28 Apr 2026