Cert. No.
CY-NTF-001
Flag State
CY
Issued
2026-05-26
Rev.
Α

Entry 01 of 08 · Financial services

RegisteredPushEmailSMS

CySEC investor risk-warning notifications: push, email and SMS with a compliance audit trail

CIFs regulated by CySEC must notify clients whenever there is a material change in risk: margin call, position liquidation, MiFID II re-categorisation, or appropriateness warning. 4notify provides a unified push + email + SMS flow with a signed webhook receipt, so the delivery trail is provable under CySEC inspection.

Context

A failed margin call notification is not just a UX miss — it is a regulatory incident. Under a CySEC inspection, the firm must prove every material notice was delivered to the client and that, if it failed, a second attempt was made on an alternative channel.

Legal framework

Ν. 87(Ι)/2017 — MiFID II Κύπρου, άρθρο 24

Duty to inform clients about risk and product-characteristic changes; communication records must be retained for 5 years.

CySEC Circular C443 (2021)

Guidance on margin calls for leveraged products; written notice on a durable medium is required before liquidation.

GDPR άρθρο 32 + CPDP κατευθυντήριες 1/2018

Encryption in transit and at rest, access logging on notification records.

Voyage

Risk signal from the risk engine

The internal risk-management system emits an event with account_id, level (warning / call / liquidation) and required action. 4notify listens on the webhook ingest endpoint.

Multichannel delivery with priority

Order is push (in-app + mobile) → email (signed PDF attachment) → short-form SMS receipt. All dispatched in parallel; the SMS acts as a delivery safety net.

Signed delivery receipt

Each channel returns DLR (SMS), bounce/open (email) and token confirmation (push). All aggregated into an HMAC-signed receipt object with UTC timestamps to the minute.

Retry on alternative channel

If push is not acknowledged within 30 seconds and the email returns a bounce, 4notify raises an escalation event in the dashboard and triggers a voice API confirmation call.

5-year archival

Each receipt is filed in write-once storage; exportable in one click as CSV or signed PDF for CySEC inspectors.

Code

bash
curl -X POST https://api.4notify.net/v1/dispatch \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "template": "cysec_margin_call",
    "channels": ["push", "email", "sms"],
    "recipient": {
      "client_id": "CIF-CY-489201",
      "phone": "+35799123456",
      "email": "[email protected]",
      "push_token": "fcm:xyz..."
    },
    "context": {
      "account_id": "TRD-2026-0481",
      "margin_level": 78.2,
      "required_action": "deposit_or_close",
      "deadline_utc": "2026-05-26T16:00:00Z"
    },
    "compliance": {
      "regulator": "cysec",
      "rule": "C443",
      "retention_years": 5
    }
  }'

Sample message

SMS

YourBroker: Margin call TRD-2026-0481, level 78%. Deposit by 16:00 UTC or position will close. Details in app.

Pre-departure checks

Service-level agreement with 5-year log retention
Webhook ingest with HMAC SHA-256 signature from the risk engine
Test escalation flow (push fail → email fail → voice)
DPIA per GDPR Art. 35 + CPDP guidelines
Written notice template on a durable medium (PDF/A-1b)
Export-to-CySEC-inspector procedure (admin menu)

What 4notify does differently

A single signed delivery receipt across push + email + SMS, one-click exportable for CySEC — no separate compliance platform required.

FAQ

How is delivery proven under a CySEC inspection?

From the admin panel, export the receipts archive as a signed-hash PDF/A-1b. It includes UTC timestamp, channel, status and reason code per recipient.

Does it cover non-EU CIFs serving Cypriot clients?

Yes, provided they are CySEC-regulated as third-country branches. 4notify does not differentiate by the CIF's seat.

What if the client has no mobile app installed?

The push is auto-skipped and the flow starts from email + SMS. This is not counted as a failure; it is logged as „channel_unavailable".