
If you run compliance at a CySEC-regulated firm, you already know the hard part isn’t writing the policy — it’s proving the policy actually works. That gap is exactly what two CySEC circulars target. C441 (7 April 2021) lists the weaknesses CySEC found when it reviewed how firms really run their compliance function. C553 (14 March 2023) sets out, in twelve guidelines, how that function should be built and run. Read together, C441 shows what goes wrong and C553 shows the standard you are measured against.

They were issued a few years ago, but they have not dated. C553 is still the live guideline (it repealed and replaced the older C030 and C050), the failings in C441 are still the ones that surface in supervision, and CySEC tests the function against both at authorisation and in ongoing supervision. In our work with regulated entities, CX Financia regularly returns to Circulars C441 and C553 as key reference points for evaluating the maturity, evidence base and supervisory readiness of the compliance function.

In practice, CySEC expects firms to move beyond formal documentation. The risk assessment should shape the monitoring plan, findings should be reported in writing when they arise, remediation should be actively tracked, and evidence should be retained to show that the compliance framework operates in substance.

Who needs to read this

C441 and C553 are relevant to Cyprus Investment Firms, UCITS Management Companies and AIFMs, where applicable to the services they provide. Within these firms, the circulars should not be treated as material only for the compliance officer or compliance team. They are also relevant to the board, senior management, risk management, internal audit, legal, product governance and complaints handling functions. This is particularly important because C553 makes clear that the board must ensure that the compliance function fulfils the requirements of Article 22 of the Regulation.

How C441 and C553 Fit Together

The most practical way to read C441 and C553 together is to use C441 as the supervisory diagnostic and C553 as the benchmark for remediation. In other words, each weakness identified in C441 should be tested against the relevant C553 guideline to assess whether the compliance function is properly designed, documented and operating in practice.

What CySEC expects from your compliance function

Start with the risk assessment

Everything begins here, and this part is a legal requirement, not just guidance: the compliance function shall carry out a compliance risk assessment and shall build its monitoring programme on top of it. The assessment has to look across all your services and activities — the instruments you trade and distribute, your client types, your distribution channels and, in a group, the wider structure — and it should weigh in your own policies and controls and the findings of past monitoring and audits. The point CySEC keeps making is that the assessment should drive the work programme and where you put resources, and it should be refreshed regularly and whenever something changes.

In practice, the risk assessment is the first thing we look at when we review a firm’s file — and the most common gap is a rating scale that exists on paper but isn’t actually used, or risks written so generally they can’t justify the monitoring that follows.

Build monitoring that flows from it — and isn’t only desk-based

Monitoring should test two things: whether the business is actually meeting its obligations, and whether the controls still work. C553 is explicit that it cannot be only desk-based — you should also check how policies are applied in practice, for example through on-site reviews of the business units. The tools it lists are practical: risk indicators, exception reports, an issues log, trade surveillance, desk reviews, staff interviews and, where it helps, sample checks. The programme should move with the firm — new products, IT changes, acquisitions — and follow up on whether past fixes actually worked. Complaints feed in too: the function should see all customer complaints and treat them as a source of risk information.

Report in writing — and more than once a year

The compliance officer shall report to the board at least once a year. But C441’s clearest finding was that firms leant on that single annual report and let everything else go unwritten. C553 sets out what the annual report should cover: how good the policies are, what changed, how monitoring was done, what was found (breaches, deficiencies, complaints), what was done about it, and any time senior management ignored the compliance officer’s advice. Two firm points to note: the report should reach CySEC within twenty days of the board discussing it and no later than four months after year-end, with the board’s own explanation of the findings and a timetable to fix them; and it is a standalone document — it cannot be folded into another report such as the AML report.

A question we are regularly asked is whether the compliance report can sit inside the AML report to save time. It can’t — C553 is explicit on that, and it’s an easy finding to avoid.

Advise, resource and protect the function

Beyond monitoring and reporting, the function advises the business — training, day-to-day questions, new policies, new products, and material dealings with the regulator. For it to work, the firm should give it enough people and IT, a budget that matches the firm’s risk, and real access to records, systems and meetings. Its people shall have the right skills and the function shall have genuine authority, backed by senior management. It should run permanently, on a schedule, not just when a report is due — and independently, so other units can’t lean on compliance staff. Where senior management overrides the compliance officer’s advice, that should be documented, reported, and if needed flagged to CySEC.

Proportionality, Combining Roles and Outsourcing

C553 allows firms to apply proportionality, but not as a shortcut. Smaller or less complex firms may scale the compliance function sensibly, provided the arrangement remains effective, independent and properly documented. A compliance officer must always be appointed, and any reliance on the proportionality exemption should be assessed on a case-by-case basis, justified and recorded.

Combining compliance with another control function may be acceptable only where it does not compromise the function’s effectiveness or independence. Internal audit cannot be combined with the compliance function. Combining compliance with another control area, such as AML, may be possible, but only where conflicts of interest are avoided and sufficient resources remain allocated to compliance.

Outsourcing follows the same principle: tasks may be outsourced, but responsibility remains with the firm. Before outsourcing compliance tasks, the firm should carry out due diligence on the provider, ensure the function remains permanent, monitor the quality and quantity of the services provided, and retain effective oversight. Outsourcing to non-EU providers requires closer monitoring, and firms should also have continuity arrangements in place if the outsourcing arrangement ends.

How CySEC Reviews the Compliance Function

CySEC reviews the compliance function both at authorisation stage and through ongoing, risk-based supervision. Its review focuses on whether the function is properly organised, adequately resourced and supported by effective reporting lines. CySEC also assesses whether the compliance officer has the required skills, knowledge, experience and authority, including through review of the nominated person’s qualifications and, where relevant, an interview.

Firms should also remember that the compliance function must immediately disclose to CySEC any important development that may substantially affect its ability to perform its responsibilities effectively. Changes to the compliance function, including changes to the compliance officer, should therefore be managed carefully and notified to CySEC where required.

What this means for you in practice

In short, these circulars shift the burden from “show me the policy” to “show me it works.” You should be able to demonstrate that you have identified your real risks, that monitoring is risk-based and tests practice, that issues are escalated and reported in writing, that fixes are tracked to completion, that training is recorded, and that the board genuinely oversees all of it. For boards and senior management specifically, the questions to sit with are whether the function has the authority, resources and access it needs, whether the minutes show real discussion of compliance rather than just receipt of a report, and whether the firm follows the compliance officer’s recommendations or documents why it didn’t.

This is where we spend much of our time — helping firms tighten the chain from risk assessment to monitoring to reporting to remediation, and running internal audits and independent reviews so a firm sees the gaps before CySEC does.

Internal Review Checklist

A firm reviewing its compliance function against C441 and C553 should check whether it has:

  • a compliance risk assessment with defined impact, likelihood and ratings, mapped to services, activities, instruments, client types and distribution channels;
  • a risk-based monitoring programme that clearly links each key risk to the relevant tool, methodology, scope and frequency, and tests how policies work in practice;
  • issue logs, exception reports and a remediation tracker showing findings, owners, deadlines, actions taken and follow-up status;
  • regular and, where needed, ad hoc written reports to the board or senior management, supported by board packs, minutes and evidence of discussion;
  • a standalone annual compliance report covering monitoring performed, findings, breaches or deficiencies, actions taken or proposed, and implementation timeframes;
  • product governance and complaints review evidence, including target market, distribution and complaints analysis where relevant;
  • a training plan, training logs and a CySEC communication log;
  • a compliance policy, organisational chart and reporting lines showing the function’s responsibilities, authority, independence and escalation routes;
  • evidence that the compliance officer has sufficient resources, access to information and access to senior management or the board; and
  • where relevant, a documented proportionality assessment, combination-of-functions rationale or outsourcing file.

How CX Financia Can Help

Assessing the compliance function against CySEC Circulars C441 and C553 requires more than a document review. It requires a practical assessment of whether the firm’s risk assessment, monitoring programme, reporting, escalation, remediation and evidence base work together in practice.

CX Financia supports regulated firms through Regulatory Compliance Services, including reviews of the compliance function, compliance monitoring programme and internal governance arrangements. Where an independent assessment is needed, our Internal Audit Services can support a mock supervisory review or targeted review of compliance function effectiveness. For firms preparing for authorisation, our Licensing (CySEC & CBC) services assist with designing and documenting the compliance function as part of the application file.

You can also view our wider Financial Compliance services or contact us to discuss how the circulars apply to your firm.

CX Financia is a Cyprus-based regulatory compliance and advisory firm supporting CySEC-regulated entities, including investment firms, CASPs, fund managers, payment institutions and e-money institutions. Our work covers licensing, compliance, risk, internal audit and governance. Through our training arm, Centre 8 Education and Research Organisation, we also deliver CPD training on regulatory compliance, governance and financial services obligations.

This article provides general information on CySEC Circulars C441 and C553. Firms should read the circulars in full and assess their compliance function by reference to their own business model, services, activities and risk profile.

Frequently Asked Questions: CySEC Circulars C441 and C553

What is CySEC Circular C441?

C441, issued on 7 April 2021, sets out common deficiencies and good practices CySEC found through desk-based reviews of how regulated entities meet the compliance function requirements under Article 17(2) of the Law. It is, in effect, a list of where firms fell short, with better practices to follow.

What is CySEC Circular C553?

C553, issued on 14 March 2023, provides guidelines on certain aspects of the compliance function requirements under Article 17(2) of the Law and Article 22 of the MiFID II Delegated Regulation. It is organised into twelve guidelines covering the function’s responsibilities, its organisation, and how CySEC reviews it.

What is the difference between C441 and C553?

C441 is the supervisory diagnostic — it shows where firms had weaknesses in practice. C553 is the benchmark — it sets out how the compliance function should be organised, resourced, monitored and reported on. Read together, C441 shows what goes wrong and C553 the standard you are measured against.

Are C441 and C553 still relevant in 2026 and beyond?

Yes. They are core, foundational circulars, not dated news. C553 remains the live guideline and has not been superseded, the C441 weaknesses still surface in supervision, and CySEC assesses the compliance function against both at authorisation and through ongoing, risk-based supervision.

Who do C441 and C553 apply to?

C441 is addressed to Regulated Entities — Cyprus Investment Firms and Management Companies, extending to AIFMs and UCITS Management Companies for the relevant services. C553 is addressed to Cyprus Investment Firms, UCITS Management Companies and AIFMs, where applicable to the services they provide.

Did C553 replace any earlier circulars?

Yes. C553 expressly repeals and replaces Circulars C030 and C050. It also states that it should be read together with Circular C447. Firms still referring to C030 or C050 should update those references to C553 across their policies and manuals.

When must the annual compliance report be submitted to CySEC?

C553 states that firms should submit the annual report to CySEC within twenty days of the date the board discusses it, and no later than four months after the end of the calendar year. The board should also provide its explanation of the findings and a timetable for remediation.

Can the annual compliance report be part of the AML report?

No. C553 is explicit that the annual compliance report is a standalone document and cannot form part of another report the firm must prepare, such as the anti-money laundering compliance function report. Keeping it separate is a simple way to avoid a common finding.

What were the most common compliance function deficiencies CySEC found?

In C441: risk assessments that were vague or lacked defined impact and rating; monitoring programmes not built from the risk assessment; over-reliance on the annual report; reports describing policies rather than how they work in practice; thin product governance findings; and missing remedial actions, timeframes and training records.

Does a firm always need a compliance officer?

Yes. C553 states that a compliance officer must always be appointed. Smaller, less complex firms may, under the proportionality principle, avoid a dedicated full-time role, but any reliance on that exemption must be assessed case by case, justified, documented, and arranged so conflicts of interest are minimised.

Can the compliance function be combined with other functions?

It may be combined only where this does not compromise the compliance function’s effectiveness or independence, and the arrangement should be documented with reasons. Internal audit cannot be combined with compliance. Combining with another control area, such as AML, may be acceptable if conflicts of interest are avoided.

Can a firm outsource its compliance function?

Yes, but firms can outsource tasks, not responsibility. The firm should perform due diligence on the provider, ensure the function stays permanent, monitor the quality and quantity of the service, and keep effective oversight. Outsourcing to non-EU providers requires closer monitoring, with continuity arrangements if it ends.

What does CySEC expect from compliance monitoring?

A risk-based monitoring programme that flows from the compliance risk assessment and tests whether the firm meets its obligations and whether controls still work. It should not be only desk-based: it should verify how policies are applied in practice, using tools such as risk indicators, exception reports, an issues log, desk reviews and interviews.

How can CX Financia help with the compliance function?

CX Financia helps firms review and strengthen the compliance function against C441 and C553 through Regulatory Compliance Services, and can run an independent or mock supervisory review through Internal Audit Services. CPD on these topics is available through Centre 8.