For regulated investment firms, complaint handling is far more than a customer-service formality. Under the EU regulatory architecture, anchored by MiFID II and given further force by ESMA guidelines and CySEC circulars, it is a core compliance obligation, a conduct-risk control, and a direct signal to supervisors of how a firm treats its clients. Get it right, and you demonstrate operational integrity. Get it wrong, and you risk regulatory sanction, reputational damage, and civil liability.
This guide sets out the full complaint-handling lifecycle for investment firms authorised under MiFID II, with particular emphasis on the requirements of the Cyprus Securities and Exchange Commission (CySEC).
The Regulatory Foundation
Before examining each procedural step, it is worth mapping the regulatory instruments that bind investment firms:
- MiFID II (Directive 2014/65/EU) and Commission Delegated Regulation (EU) 2017/565 supplementing Directive 2014/65/EU – Article 26 of the Regulation provides the detailed implementing rules on complaints-management, including the need for written complaints policies, designated responsible persons, and internal escalation channels.
- ESMA & EBA Joint Guidelines on complaints handling for the securities and banking sectors (JC 2018 35) harmonise supervisory expectations across the EU.
- CySEC Circular C338 on complaints-handling for the securities sector sets out the specific procedural and reporting obligations applicable to Cyprus Investment Firms (CIFs), including mandatory submission of complaints data in the CySEC Portal.
- The Alternative Dispute Resolution Directive (2013/11/EU), transposed in Cyprus by the Consumer ADR Law of 2017, requires firms to inform dissatisfied retail clients of their right to refer unresolved complaints to a certified ADR entity, namely the Financial Ombudsman of the Republic of Cyprus.
Key Point: Compliance with complaint-handling rules is not limited to client-facing procedures. Regulators assess whether the firm’s internal framework (governance, staffing, data capture, and board oversight) supports effective resolution.
What Constitutes a “Complaint”?
A common error is for firms to classify only formal written grievances as complaints, thereby under-reporting to the regulator and triggering inadequate internal processes for legitimate client concerns expressed informally.
ESMA and CySEC adopt a broad definition: a complaint is a statement of dissatisfaction addressed to a firm by a natural or legal person relating to the provision of an investment service provided under MiFID.
This deliberately wide scope means that a client’s telephone call disputing a trade execution, a message sent through a social media platform, or a remark made at a branch must all be captured, logged, and handled under the complaints procedure if they contain an expression of dissatisfaction relating to services provided. Firms should train their customer-facing staff to recognise the distinguishing features of a complaint and escalate promptly to the designated handling function.
Step 1: Receiving, Recording, and Acknowledging
Receiving the complaint
Firms must provide clients with clear information, at the outset of the relationship and on an ongoing basis, about how to submit a complaint. This information must be included in the pre-contractual disclosures and on the firm’s website, and must specify: the complaints procedure, the relevant contact details, the applicable timescales, and the right to escalate to the Financial Ombudsman.
Investment firms shall establish a complaints management function responsible for the investigation of complaints. This function may be carried out by the compliance function.
Recording and the Complaints Register
Upon receipt, every complaint must be logged in a dedicated, time-stamped Complaints Register that records, at a minimum: the client’s identity and account details, the date of receipt, the channel of receipt, a summary of the complaint, the financial product or service involved, the assigned handler, the date of acknowledgement, the date of resolution, and the outcome.
CySEC expects these records to be available for inspection without delay, and firms should ensure that their complaints management system, whether bespoke or off-the-shelf, can generate exportable reports in the format required by the CySEC Portal.
Acknowledgement
An acknowledgement must be sent to the client promptly upon receipt. CySEC indicates that acknowledgement should be provided within five business days of receipt. The acknowledgement must: confirm that the complaint has been received, provide the reference number assigned to the complaint, identify the responsible handler, and set out the expected timeline for investigation and response.
Regulatory Risk: Delays in acknowledgement are a frequent focus of CySEC examinations. A failure to acknowledge within the prescribed period is treated as indicative of a broader operational failure, and can trigger more intrusive supervisory follow-up.
Step 2: Investigation
The investigation is the substantive heart of the complaint-handling process. It must be conducted fairly, objectively, and by a person with the appropriate knowledge and authority to assess the underlying issues, who is not the same person whose conduct is the subject of the complaint.
Scope of investigation
The investigating officer should gather and review: the client’s account opening documentation and suitability assessment (under Article 25 of MiFID II and Articles 54-57 of Delegated Regulation 2017/565), all relevant order and trade records, communications between the client and the firm, the applicable product documentation (including KID / PRIIPs documentation, where relevant), internal policies applicable to the situation, and any prior complaints from the same client.
Escalation and management oversight
Complex or high-value complaints, complaints alleging fraud or misconduct, or complaints with potential systemic implications must be escalated to senior management or the compliance function as specified in the firm’s internal procedures.
Timescales
A substantive response must be provided to the client within a reasonable period. CySEC’s position is that a final response should be issued within two months and in any case no later than three months from the date of receipt of the complaint. Where an investigation is particularly complex, the firm may send an interim response explaining the reason for the delay and indicating when a final response is expected, but this does not extend the three-month outer limit.
Step 3: Assessment and Final Response
Once the investigation is complete, the responsible officer must assess whether the complaint is upheld (in whole or in part) or rejected. This assessment must be documented and must be proportionate to the complexity and financial significance of the complaint.
Upholding the complaint
Where the complaint is upheld, the firm must communicate the outcome clearly to the client, explain the basis for the finding, and set out any redress being offered. Where financial compensation is offered, the firm should document its methodology for calculating the loss to ensure consistency across similar cases and to withstand regulatory scrutiny.
Rejecting the complaint
Where the complaint is rejected, the firm must provide a clear, substantive explanation of the reasons. A formulaic or cursory rejection risks being treated as evidence of bad faith. The rejection letter must also, as a mandatory element under the ADR Directive, inform the client of their right to refer the unresolved complaint to the Financial Ombudsman of the Republic of Cyprus, and provide the Ombudsman’s contact details.
Best Practice: The final response letter should be drafted in plain language accessible to a retail client. A response that relies heavily on legal jargon or that fails to address the specific factual points raised by the client will create additional regulatory exposure.
Step 4: Redress, Implementation, and Closure
A complaint is not closed upon dispatch of the final response letter. The firm must ensure that any agreed redress is actually implemented within the timeframe communicated to the client, that the client receives confirmation of implementation, and that the complaint record is updated to reflect closure.
Where a complaint reveals a systemic issue (for instance, a recurring failure in order execution or a mis-selling pattern), the firm’s compliance function must conduct a root-cause analysis and design and implement a remediation plan, rather than resolving complaints on a case-by-case basis without structural change.
Step 5: Record-Keeping, Reporting, and Management Information
Complaint-handling data is a key source of management information and regulatory intelligence. Firms should analyse their complaints data looking for: the volume and nature of complaints by product and service line, the time taken to resolve complaints, patterns suggestive of systemic issues, recurrent complaints from particular segments of the client base, and the proportion of complaints upheld versus rejected.
Under CySEC’s reporting regime, investment firms are required to submit periodic complaints data through the CySEC Portal, including the number of complaints received, resolved, and pending, as well as data on the nature of the complaints and the outcomes.
In addition, firms are expected to present a complaints report to the board of directors or senior management on at least an annual basis. This report should form part of the firm’s annual compliance report and should be used to drive continuous improvement in the complaint-handling function.
Building a Compliant Framework: Practical Recommendations
In light of the above, firms looking to build or strengthen their complaint-handling framework should consider the following measures:
- Appoint a dedicated Complaints Handling Officer with appropriate seniority and independence, supported by adequate resources and clear terms of reference.
- Draft and implement a Complaint Handling Policy that is proportionate to the firm’s scale and client base, and that is reviewed and updated annually.
- Invest in a purpose-built complaints management system that supports logging, tracking, escalation, automated acknowledgement, and data export for regulatory reporting.
- Develop a training programme for all client-facing staff covering the definition of a complaint, the acknowledgement and escalation procedure, and the firm’s service standards.
- Establish a quarterly complaints review process at the compliance function level and an annual board-level review.
- Ensure that the firm’s website and pre-contractual materials include compliant complaints disclosures, including the ADR entity information and the ODR platform link.
- Build a library of final response letter templates that have been reviewed by legal counsel for compliance with the regulatory requirements, while allowing for meaningful personalisation to each complaint’s specific facts.
Conclusion
Complaint handling sits at the intersection of client protection, operational risk management, and regulatory compliance. Under MiFID II and the CySEC regulatory regime, investment firms are expected to treat every complaint as both a legal obligation and an opportunity to identify and correct failures in their services and products. Firms that invest in robust complaint-handling infrastructure (clear policy, trained staff, reliable systems, and active management oversight) not only reduce their regulatory and legal exposure but build the client trust that is fundamental to sustainable business in the financial services sector.
If your firm is seeking to review or strengthen its complaint-handling framework, or if you are facing a CySEC inspection or an adverse Ombudsman determination, our team is available to assist with policy drafting, compliance reviews, and regulatory defence.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Regulatory requirements are subject to change; firms should obtain specialist legal advice tailored to their specific circumstances and regulatory status.