
Inside a CySEC Suitability Thematic Review: What the Supervisor Actually Examines
I have been through a CySEC suitability thematic review.
Not a high-level survey. Not a checklist exercise. A detailed, structured examination of how an investment firm collects client information, assesses investment products, matches clients with suitable recommendations, and documents every step of that process.
If you provide portfolio management and/or investment advice at a Cyprus Investment Firm, this is what CySEC is looking at when your firm is selected for review. And the process goes further than most compliance officers expect.
This article walks through the main areas the supervisor examines, what kind of evidence is requested, and what happens after the initial submission.
1. How the Firm Collects Client Information
The first area CySEC examines is the mechanism the firm uses to obtain information from clients. This covers the suitability questionnaire itself, how it captures knowledge and experience, financial situation, and investment objectives, and whether the design of the questionnaire is robust enough to produce meaningful results.
The supervisor wants to understand whether the firm uses different questionnaires depending on the type of advice, the product characteristics, or the client profile. A single generic form applied to every client and every product will attract scrutiny.
CySEC also asks how the firm handles client self-assessments. If a client rates their own risk tolerance or knowledge level, the supervisor wants to see that the firm cross-checks that self-assessment against objective criteria. Open-ended questions, scenario-based testing of risk-return understanding, and verification against actual trading history or financial data are all areas of interest.
Another area of focus is inconsistency detection. If a client's answers contradict each other, does the questionnaire flag it? Does the firm have a process to resolve inconsistencies before proceeding with a recommendation? CySEC expects both design-level safeguards (built into the questionnaire) and operational-level reviews (carried out by staff or compliance).
What this means in practice: Your suitability questionnaire is not just a form. It is the foundation of your entire suitability framework, and CySEC examines it as such. If the questionnaire does not differentiate by product type or client profile, if it relies on unverified self-assessment, or if it has no mechanism for flagging inconsistent answers, the supervisor will identify these as gaps.
2. Client Profile Updates and the Risk of Induced Changes
CySEC pays close attention to how and when client profiles are updated. The supervisor asks what triggers a profile update, whether that is a set review period, a material change in the client's circumstances, or some other event.
But the more important question is about safeguards against induced profile changes. This is the risk that a client's profile is updated specifically to make a product appear suitable when it otherwise would not be. CySEC asks directly whether the firm has procedures to detect this, for example by monitoring whether profiles are updated too frequently or only immediately before a transaction.
What this means in practice: If a client profile is changed and a transaction follows shortly after, the supervisor will examine whether that sequence was legitimate or whether the profile was adjusted to fit the product. Firms that do not monitor for this pattern are exposed.
3. How the Firm Understands Its Investment Products
The second major area of the review is the firm's arrangements for understanding the investment products it offers or recommends. This goes beyond holding a product list. CySEC examines the procedures the firm uses to assess the features of each product, including its complexity, risk profile, expected returns, costs, liquidity, and how it might behave over its lifetime and in different market conditions.
The supervisor asks whether the firm has established general categories for different types of instruments and how the analysis is conducted. Product governance obligations under MiFID II are explicitly referenced here. CySEC wants to see that the product governance process feeds into the suitability process.
There is also a focus on data reliability. CySEC asks whether the firm uses external data providers to classify products, how many providers are used (particularly for complex instruments), what information those providers supply, and how frequently the data is refreshed.
What this means in practice: The supervisor expects a documented product assessment process that is separate from the individual suitability assessment but feeds directly into it. If the firm cannot demonstrate how it assessed a product before recommending it, the suitability of the recommendation itself is called into question.
4. The Suitability Matching Process
Once the client profile is established and the product is assessed, CySEC examines how the firm matches the two. This covers the policies, procedures, and IT systems used to perform the suitability test itself.
The supervisor asks whether all criteria under Article 54 of the MiFID II Delegated Regulation are taken into account, how the algorithms or processes underpinning the test work, and how they are reviewed and updated. Compliance oversight of the suitability process is examined in detail, including the compliance function's role in defining, reviewing, and periodically testing the framework.
The review also covers portfolio-level considerations: diversification measures, concentration risk controls, and how the firm handles clients whose portfolios are too small to diversify effectively.
What this means in practice: CySEC is not just checking whether the firm performs a suitability test. It is examining the logic behind the test, whether the test considers the full portfolio, and whether compliance has meaningful oversight of how the test works in practice.
5. Cost and Complexity of Equivalent Products
A frequently overlooked area of the suitability framework is the obligation to consider equivalent products. Under Article 54(9) of the MiFID II Delegated Regulation and ESMA Guideline 9, firms must assess whether less costly or less complex alternatives exist before recommending a particular product.
The supervisor examines whether the firm has a process for comparing alternatives before making a recommendation. If a more costly or complex product is chosen over a simpler equivalent, CySEC expects a documented rationale. They also want to know whether this comparison happens centrally or at the individual client level.
The compliance function's role is examined here as well. CySEC asks whether compliance gives specific attention to cases where a costlier product is recommended, and whether the client is informed about the decision.
What this means in practice: If your firm recommends Product A over a cheaper or simpler Product B, CySEC expects a documented rationale. The absence of such documentation suggests the comparison was never made, which is a compliance gap the supervisor will flag.
6. Switching Analysis
When a recommendation involves switching from one product to another, whether in the context of investment advice or portfolio management, MiFID II requires the firm to demonstrate that the benefits of the switch outweigh the costs. CySEC examines how the firm defines switching, what cost-benefit analysis is performed, and which monetary and non-monetary factors are considered.
The supervisor also asks whether the suitability report itself explains why the switch is beneficial, and whether the firm has controls to detect situations where a sell recommendation and a subsequent buy recommendation are separated in time but are in reality a single switching transaction.
What this means in practice: Splitting a switch into separate sell and buy recommendations to avoid the switching analysis obligation is a known risk. CySEC is looking for controls that specifically address this pattern.
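As an added illustration, not part of the original article or of any CySEC material, the two monitoring controls described in sections 2 and 6 (a profile change shortly before a transaction, and a sell followed by a buy that is in reality one switch) can be expressed as simple checks over the firm's own records. The record layout, the 7-day and 30-day windows, and the sample entries are assumptions chosen for this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ProfileUpdate:
    client: str
    updated_on: date
    new_risk: str  # risk category after the update, e.g. "medium" -> "high"


@dataclass(frozen=True)
class Trade:
    client: str
    traded_on: date
    side: str  # "buy" or "sell"
    product: str


def induced_profile_changes(updates, trades, window_days=7):
    """Profile updates followed by a trade for the same client within window_days.

    Each hit is a candidate 'induced change' for compliance to review."""
    flags = []
    for u in updates:
        for t in trades:
            gap = (t.traded_on - u.updated_on).days
            if t.client == u.client and 0 <= gap <= window_days:
                flags.append((u.client, u.updated_on, t.traded_on, t.product))
    return flags


def split_switches(trades, window_days=30):
    """Sell followed by a buy of a different product for the same client within
    window_days: a possible switch split into two recommendations."""
    sells = [t for t in trades if t.side == "sell"]
    buys = [t for t in trades if t.side == "buy"]
    pairs = []
    for s in sells:
        for b in buys:
            gap = (b.traded_on - s.traded_on).days
            if b.client == s.client and b.product != s.product and 0 < gap <= window_days:
                pairs.append((s.client, s.product, b.product, gap))
    return pairs


SAMPLE_UPDATES = [  # constructed sample records, not real client data
    ProfileUpdate("C001", date(2025, 3, 3), "high"),
    ProfileUpdate("C002", date(2025, 1, 10), "medium"),
]
SAMPLE_TRADES = [  # constructed sample records, not real client data
    Trade("C001", date(2025, 3, 5), "buy", "Structured Note X"),  # 2 days after the update
    Trade("C002", date(2025, 2, 20), "buy", "Bond Fund A"),  # 41 days after the update
    Trade("C003", date(2025, 4, 1), "sell", "Equity Fund B"),
    Trade("C003", date(2025, 4, 15), "buy", "Equity Fund C"),  # 14 days later
]
```

Both functions return the matched records rather than a verdict, since the page's point is that the firm must be able to show a documented rationale for each flagged sequence, not that every hit is a breach.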
7. The Suitability Report
The suitability report is the document that proves the advice was suitable. CySEC examines the arrangements and procedures the firm has in place to ensure the report contains all required information: an outline of the advice given, how it meets the client's objectives and personal circumstances, and reference to the investment term, the client's knowledge and experience, attitude to risk, and capacity for loss.
Timing and delivery method matter too. The report must reach the client before the transaction is executed, in a durable medium. CySEC looks at how the firm delivers it, whether the client can access and store it, and for how long.
A further question addresses whether the suitability report is generated fully automatically or whether there is an option for staff to add free-text commentary for information not covered by the template.
What this means in practice: The suitability report is the single most important piece of evidence in any suitability review. If it is generic, incomplete, or delivered after the transaction, the entire recommendation is compromised from a supervisory perspective.
8. What Happens After the Initial Submission
The questionnaire is not where the review ends. It is where it begins.
After the firm submits its responses, CySEC reviews the answers and selects specific items for deeper examination. In my experience, the follow-up requests included:
Actual suitability reports. CySEC requested specific suitability reports provided to named clients during the review period, along with evidence that the reports were delivered before the relevant transactions were executed.
Client onboarding documentation. For a sample of clients, CySEC requested the application form, the full suitability questionnaire with scoring, and the initial meeting questionnaire. This is where the supervisor cross-references the firm's stated policies against the actual files.
Internal procedures. CySEC requested the sections of the internal procedures manual that describe the suitability assessment policies and procedures, as well as the procedures for assessing investment products.
Product assessment evidence. CySEC asked for an example of a product assessment the firm had performed, together with the information used to classify the product and the name of the data provider or other source of information used.
This second phase is where the review becomes granular. The firm's written answers in the questionnaire are tested against what actually exists in the files. Any gap between what the firm described and what the evidence shows is a finding.
What this means in practice: Answering the questionnaire well is necessary but not sufficient. The real test is whether the files support the answers. Firms that describe robust processes in their submissions but cannot produce the evidence when CySEC asks for it face the most difficult follow-up conversations.
9. Supervisory Priorities and Lessons Learned
Having been through this process, a few patterns are clear.
The questionnaire design matters more than firms think. CySEC dedicates substantial attention to how the suitability questionnaire is structured, whether it differentiates by product type and client profile, and whether it can detect inconsistencies. A generic, one-size-fits-all questionnaire is a red flag.
Product assessment is examined as a separate process. Firms are expected to demonstrate a documented process for understanding their products, independent of the individual suitability assessment. The link between product governance and suitability is explicit in the review.
The switching analysis obligation is taken seriously. CySEC examines not only whether the analysis is performed, but whether the firm has controls to prevent circumvention through separated transactions.
The suitability report is the critical document. Timing, content, and delivery method are all examined. A report that is generated after the transaction, that lacks personalised reasoning, or that cannot be stored by the client is a compliance failure.
The follow-up is where findings emerge. The initial questionnaire establishes the framework. The evidence requests that follow determine whether the framework is real or theoretical.
Know what supervisors are looking for.
Download the free Suitability Assessment Compliance Checklist — 8 sections, 53 audit points covering the key areas EU supervisors examine during a thematic review.
For a full walkthrough of the suitability framework, including the evidence firms are asked to produce, explore the Assessment of Suitability seminar at cpds.academy.
Disclaimer: This article reflects the personal professional experience and opinions of the author. It does not constitute legal or regulatory advice. Firms should seek independent professional guidance tailored to their specific circumstances.
Regulatory references: Article 25(2) and 25(6) of MiFID II (Directive 2014/65/EU); Articles 54 and 55 of Commission Delegated Regulation (EU) 2017/565; ESMA Guidelines on certain aspects of the MiFID II suitability requirements (ESMA35-43-869); ESMA Supervisory briefing on the suitability assessment (ESMA35-43-1206).

Article by Nikolas Demetriades
Published 06 Apr 2026