All Playbooks

PLAYBOOK · BANKING · FOREX

Virtual IBANs + Client Money Segregation for CySEC Forex Brokers
DI87-01-ready safeguarding stacks

CySEC's Directive DI87-01 and Circular C418 give CIFs no room to improvise on client money. This playbook covers how virtual IBANs, multi-currency safeguarding accounts, and back-office reconciliation feeds fit together for a CySEC-regulated FX or CFD broker — and where generic vIBAN products quietly fail a safeguarding audit.

CySEC-licensed CIFs that offer CFDs, FX, or other leveraged products sit under one of the strictest client money regimes in the EU. Directive DI87-01 requires that every euro, dollar, or zloty a client deposits is held in a separately titled account, reconciled daily, and protected from the broker's own insolvency. The problem: most banks won't open a 'Clients' account for a CySEC-regulated FX broker — and the EMIs that will often don't understand that this is fundamentally different from a normal operating account.

Why generic vIBANs fail a CySEC audit

A normal corporate vIBAN product is built for marketplaces, BaaS platforms, or PSPs that want to attribute inbound funds to end-users. The funds sit in one pooled account, and segregation is a ledger entry. For a CIF, that pattern is not enough. The Directive requires the account itself — the one at the credit institution or EMI — to be titled to distinguish client money from the firm's own money, and the bank must be notified in writing that the funds are not available to it (no right of set-off). The May 2024 EBA Report on Virtual IBANs flagged that many vIBAN issuers route funds to a master account in a different legal entity or jurisdiction than the client expects — for a CIF, that's a safeguarding fail.

What 'good' looks like for a CIF

  • A master safeguarding account at a tier-1 EU credit institution or a Cypriot/EU EMI, titled to name the CIF as trustee of client funds (e.g. '[CIF Ltd] Clients' Account')
  • A vIBAN layer issued on top of that master account so each retail or professional client gets a unique IBAN for SEPA/SWIFT deposits — eliminating the 'unallocated deposit' problem at month-end reconciliation
  • Daily MT940/camt.053 statement feeds into the back-office (Centroid, B2Core, FXBackOffice, Skale, in-house) so the single safeguarding officer can produce the reconciliation CySEC's QST-CIF return demands
  • Two-signatory release controls on the master account, with signatories who are not involved in reconciliation preparation and not non-executive shareholders
  • Written acknowledgement from the bank/EMI that they have no right of set-off against the client money pool

Money flow for a CySEC CIF in practice

A working architecture has three layers. (1) Client deposits arrive via card acquirer, APMs, or bank transfer into a CIF-named clients' account. Card and APM rails settle T+1 to T+3; bank transfers hit the client's dedicated vIBAN and post same-day. (2) Margin required for open positions is moved intra-day or end-of-day from the clients' account to the LP/prime broker margin account, while the rest stays segregated. (3) Withdrawals are paid out of the clients' account back to the same source where possible (PSD2 same-source-of-funds + AML good practice), with the back-office ledger updated in real time so the MT4/MT5 wallet, the CRM wallet, and the bank ledger reconcile to the cent.

AUDIT TRIGGER

CySEC's enhancement of procedures (Circular C418) made clear that the safeguarding officer must personally sign off the QST-CIF reconciliation. If your vIBAN provider can't deliver a clean daily statement that ties to your CRM wallet ledger, that officer is signing a number they can't defend.

The provider landscape — patterns, not brands

Provider typeFit for CySEC CIFWatch-outs
Tier-1 Cypriot/Greek banksBest for safeguarding title; lowest counterparty riskSlow onboarding (6–12 months), often won't offer vIBANs, may decline new CIFs without a track record
EU EMIs with CIF programmesWorkable — some run dedicated safeguarding products with title language and acknowledgement lettersVerify the EMI itself safeguards client funds in line with EMD2 Article 7; vIBAN issuance chain must be transparent
UK/EEA EMIs with vIBAN productsStrong on tech and per-client IBAN issuance; multi-currency nativeMany won't take CySEC CIFs without an existing relationship; post-Brexit UK EMIs cannot hold EUR safeguarding for an EU CIF as the primary account
Offshore banks (non-EEA)Cheap and fastGenerally not 'approved' under DI87-01 unless equivalent supervisory regime; CySEC pushback likely

Implementation realities

Standing up a compliant safeguarding stack for a new CIF typically takes 3–6 months of elapsed time, even with a warm introduction. The slow paths are KYB on the CIF entity, UBO checks on shareholders, evidence of CySEC licence (or in-principle approval), AML policy review, and a model walk-through of the broker's deposit and withdrawal flow. For an established CIF migrating from a single-bank setup, 6–10 weeks is realistic if the back-office can ingest MT940/camt.053 from the new provider. Expect a security deposit or rolling reserve from any EMI taking on a high-risk CIF, and plan to refresh the bank/EMI acknowledgement letter annually.

Pre-requisites before you approach providers

  • CySEC CIF licence number (or in-principle approval letter for applicants)
  • Latest QST-CIF return and audited financials
  • AML/CFT policy, client categorisation procedure, and complaints policy
  • Diagram of deposit/withdrawal flow with named PSPs and rails
  • Identification of the single safeguarding officer and the two account signatories (with evidence they are not reconciliation preparers)

HOW ICETREE APPROACHES IT

Our approach for merchants in this combination.

  • We pre-screen our 50+ banking and EMI partners for those with a documented CySEC CIF safeguarding programme — not general corporate accounts dressed up as 'segregated'
  • We package the CIF application (licence, QST-CIF, AML, flow diagram, signatory list) once, then submit to 3–5 fit partners in parallel rather than serially
  • We verify the underlying vIBAN issuance chain so you know exactly which legal entity holds the master account and under which licence
  • We line up the bank/EMI acknowledgement letter and the title language with your compliance team before contracts are signed — not after the first audit
  • We're free to the broker because our partners pay us on placement; you keep optionality across acquirers, vIBAN providers, and orchestration

FAQ

Common questions answered.

Generally no — post-Brexit, a UK EMI is a third-country institution for an EU-licensed CIF, and CySEC expects safeguarding at an approved EEA credit institution or qualifying entity. A UK EMI can sit alongside for GBP collection or operating flows, but the main client money pool should be inside the EEA.

The vIBANs themselves are addressing layers — what matters is the title of the underlying master account they route into. As long as that master account is titled as a CIF clients' account at an approved institution, with the right acknowledgement letter, vIBANs are an accepted mechanism for attributing client deposits.

Pooled segregation (one master clients' account with ledger-level attribution via vIBANs) is permitted and is the standard model. CySEC focuses on whether the daily reconciliation between the broker's internal ledger, client equity, and the bank/EMI statement is accurate and auditable — not on the number of physical accounts.

With a clean file (licence, audited accounts, AML policy, flow diagram, signatories) we typically see 6–10 weeks for an EMI and 4–8 months for a tier-1 EEA bank. CIF applicants in pre-authorisation can run banking and licensing in parallel but should expect EMIs to want the in-principle approval letter before contracting.

It's a common finding. CySEC expects client funds to reach a clients' account 'immediately after clearing/settlement.' If your card acquirer or APM provider settles into a firm operating account and you sweep daily, you're holding client money outside a safeguarded account for that window. The fix is to redirect PSP settlement directly into the clients' account or to use an orchestration layer that routes settlement appropriately.

No. Under the enhanced procedures, the persons preparing client reconciliations cannot be signatories on the clients' account, and non-executive shareholders cannot be signatories at all. Plan for at least three roles: the single safeguarding officer, a reconciliation preparer, and two independent payment signatories.

RELATED PLAYBOOKS

FOREX · Cyprus

Card Acquiring for CySEC-Regulated Forex / CFD Brokers

CRYPTO ·

Virtual IBANs for FCA-Registered Crypto Exchanges

FOREX ·

Client Withdrawal Flows at Scale for Forex Brokers

FOREX ·

Chargeback Management for High-Volume Forex / CFD

Want IceTree on your side?

Run the Approval Predictor for a 2-minute estimate of your acquirer fit, expected reserve range, and what to prepare — specific to and .

Run Approval PredictorBook a Call

We use cookies to analyse site performance and measure the effectiveness of our outreach. Privacy policy