Menu
Member's Hub
Login
Join us

Navigating the FCA’s new safeguarding rules for payments firms

17 October 2025
by Payments Intelligence

LinkedIn
Email
X
WhatsApp
Facebook

The Financial Conduct Authority’s overhaul of the safeguarding framework for payments and e-money firms marks one of the most significant regulatory shifts in the sector since the introduction of the Payment Services Regulations in 2017. Against a backdrop of rapid industry growth and recent firm failures, the regulator is seeking to strengthen consumer protection and restore confidence in how customer funds are managed and reconciled.

The new Supplementary Regime, set to take effect in May 2026, introduces tighter governance, reporting, and auditing requirements that bring the sector closer to the client asset standards applied to investment firms. While welcomed by many as a necessary evolution, the transition presents substantial operational and compliance challenges for firms, as well as practical questions regarding audit capacity and implementation timelines.

Introduction

“Following active consultation with industry, we recently published new rules to better protect customers' money, should a payments firm fail. They will also make it easier for us to identify and intervene earlier if firms don't meet our expectations. From next year we will require annual audits, monthly reporting, daily safeguarding checks and better planning for firm failures. We’re continuing to work closely with firms to support implementation—including running webinars and making more information available on our website soon. We’d encourage firms to make the most of these resources and speak to us if they have further questions.”
Matthew Long
Matthew LongDirector of payments and digital assets, The Financial Conduct Authority (FCA)
“Our project to develop an auditing standard is at a very early stage. We can confirm that we are working closely with the FCA, audit practitioners, and other stakeholders to develop a proportionate approach to the auditing requirements arising from the FCA’s new rules (CASS 15). We are currently aiming to consult on a draft auditing standard in H2 2026, with the publication of any final standard taking place in 2027. However, this is a preliminary timetable and may be subject to change.”
Spokesperson
SpokespersonFinancial Reporting Council
“The FCA's updated safeguarding regime mandates significant changes for payments and e-money firms, setting new standards for governance, record-keeping, reconciliation, diversification, and management of safeguarding institutions. Firms face a tight deadline and increased costs. While industry and regulators have collaborated, the scope, audit period, and standards of the new audit requirements, alongside a potential lack of adequate audit firms, remain a concern. Further clarity is needed before the new policy takes effect in May 2026.”
Willem Wellinghoff
Willem WellinghoffChief compliance officer, Ecommpay
“While the FCA’s willingness to listen to feedback and relax the proposed requirements on business day reconciliations should be welcomed, the transitioning of safeguarding requirements to CASS is a clear signal of intent after years of regulatory warnings about compliance standards within the industry. Timely and effective implementation is likely to be seen by supervisors as a strong indicator of the overall effectiveness of a firm's wider board governance and oversight arrangements.”
Nicholas Webb
Nicholas WebbManaging director - digital finance, Cosegic
“The Supplementary Regime imposes a significant compliance uplift for many firms. For example, daily safeguarding reconciliations and more frequent regulatory returns are new obligations. But the more challenging aspects of the regime may be those that depend on third parties, such as ensuring that safeguarding insurance policies and comparable guarantees comply with the new requirements. Firms should therefore factor these third-party dependencies into planning for compliance from 7 May 2026.”
Chris Hurn
Chris HurnOf counsel, Herbert Smith Freehills Kramer LLP
“Following the publication of CP24/20, it was expected that firms would undertake a GAP analysis to assess and consider changes needed. Following the issuance of the PS25/12, key changes include having distinct internal and external reconciliations, as well as statutory auditors undertaking safeguarding audits. Firms now have under seven months to ensure compliance, and they must have projects (including the use of the 3LOD) in place to ensure compliance is achieved by 7 May. If affected by the need to change auditors, firms should begin conversations to ensure the audit firm is in place prior to the implementation date.”
Tiana Raviranjan
Tiana RaviranjanDirector - FS advisory, BDO
“Now is a critical time for payments firms to make the necessary investment in automated systems that support ongoing compliance and operational efficiency. Manual processes are no longer sustainable, given the increased expectations from the regulator around CASS governance oversight, daily and monthly safeguarding reporting, and errors and breaches logs. Automation of these processes not only reduces the risk of human error potentially resulting in fines, but also enables firms to scale compliance efforts, adapt quickly to regulatory updates, and maintain a defensible safeguarding framework.”
Nick Botha
Nick BothaVP payments and retail banking, AutoRek
“This is not just a repapering exercise. The new resolution packs go far beyond the existing expectations for documenting safeguarding procedures and are more like a library of documents and information sources that need to be kept up-to-date and readily accessible to external parties at all times. There hasn't been enough discussion about the more rigorous diversification requirements under the new rules. If the FCA takes a stringent approach, they could be the most expensive and operationally challenging aspect of the new rules, as firms may need to maintain multiple banking relationships and possibly pay for additional insurance or guarantees.”
Max Savoie
Max SavoiePartner, Ashurst LLP
"The CASS 15 audit standard is yet to be defined by the FRC and there is very little transparency, as yet, as to how the wider qualified auditor sector, nevermind the safeguarding institution sector, can feed into the development of the standard. Nor is it clear by when the standard will be finalised and, indeed, whether it will be available before the 7 May 2026. This leaves the sector very exposed in trying to implement in this expectation-vacuum."
Alison Donnelly
Alison DonnellyDirector, fscom
“Now that the rules are settled, for the time being at least, the focus is on implementation. Firms have a wide range of new requirements to implement by 7 May, so this will need significant focus over the coming months. Firms will need to get a statutory auditor lined up while also dealing with some tricky compliance areas, such as how to operationalise the notification requirements for reconciliation discrepancies. Early planning and coordination across compliance, legal, finance and operations teams will be key to ensuring a smooth transition.”
Omar Salem
Omar SalemPartner, financial regulation, Fox Williams LLP

Introduction

Payment institutions (PIs) and e-money institutions (EMIs) have become integral to the UK’s financial services sector. In 2017, just 1% of consumers used a PI or EMI, compared to 12% in 2024. The amount safeguarded by these firms has risen accordingly, standing at £26 billion last year for EMIs, according to the Financial Conduct Authority (FCA).

In light of the proliferation of these organisations, the FCA has announced changes to the safeguarding regime for PIs and EMIs. The FCA cites ‘weaknesses in the current safeguarding practices’ and an average shortfall of 65% in funds owed to clients following insolvency as justification for the revised regime. 

The FCA is seeking the following outcomes from the changes:

  • Payments firms hold funds received in exchange for issued e-money, or to execute a payment transaction, safely and securely or make sure they are covered by an appropriate insurance policy or comparable guarantee
  • The right amount of funds is segregated from the payment firm’s own funds
  • The claims of e-money holders or payment service users can be met from the safeguarded asset pool
  • Relevant funds can be returned to customers as quickly and fully as possible if a payments firm fails or decides to wind down and exit the market

In this context, the interim Supplementary Regime will be considered a success if there is a decline in the percentage of shortfalls of relevant funds held by failed payments firms, which are driven by non-compliance with safeguarding requirements. Additionally, the FCA aims for a decline in supervisory cases related to deficient safeguarding, with fewer formal interventions.

Background

The current regime, governed by the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs), requires firms to safeguard funds received for payments or e-money issuance. However, high-level requirements have led to inconsistencies, as highlighted in the FCA’s 2025 portfolio letter to payments firms and a multi-firm review on risk management. Legal uncertainties, such as those from the Ipagoo LLP insolvency, have further complicated matters, questioning the status of relevant funds in shortfalls.

HM Treasury’s Payment Services Regulations Review (2023) and the FCA’s Consultation Paper CP24/20 highlighted widespread weaknesses with the PSRs and EMRs, including poor reconciliation practices, incomplete records, and uncertainty in insolvency law.

The FCA has proposed a two-stage reform:

  • The Supplementary Regime (interim), designed to strengthen existing PSRs and EMRs, improve compliance, and enhance reporting, coming into force on 7 May 2026
  • The Post-Repeal Regime (end-state), a future framework modelled on the Client Assets Sourcebook (CASS), which would hold customer funds in statutory trusts. There is currently no timeline for this

The Supplementary Regime (PS25/12): What’s changing?

PS25/12 responds to feedback from Consultation Paper CP24/20 and the Treasury’s 2023 Payment Services Regulations Review. It focuses on three pillars: improved books and records; enhanced monitoring and reporting; and strengthened safeguarding elements

Based on these principles, the FCA has made the following changes: 

Reconciliations

Firms must now perform internal and external safeguarding reconciliations at least once per “reconciliation day”, which is every day excluding weekends, bank holidays, and days when relevant foreign markets are closed. The daily frequency aims to detect discrepancies early, with shortfalls rectified by the end of the day using the firm’s own funds if necessary.

Resolution Pack (CASS 10A)

A safeguarding institution must maintain and be able to retrieve a CASS resolution pack, containing the necessary documents and records that would enable an insolvency practitioner to return relevant funds held by the safeguarding institution to its clients.

Safeguarding audits

Annual audits must now be carried out by ‘qualified auditors’ (as defined under the Companies Act 2006 requirements); compliance consultants are no longer sufficient. Firms are no longer required to appoint the same auditor for their safeguarding audit as their statutory audit to ensure market competition and help to reduce costs. There is an exemption for firms that have not safeguarded more than £100,000 for more than 53 weeks.

Monthly regulatory returns

The FCA has already piloted the monthly safeguarding return under SUP 16 Annex 29B. The returns cover a wide range of information, including:

  • Safeguarding audit requirements – confirmation of the firm’s safeguarding audit status and confirmation that a statutory auditor has been appointed
  • What methods are being used for safeguarding
  • Amounts of relevant funds safeguarded and their bank accounts
  • Safeguarding reconciliation data from the last internal reconciliation carried out during the reporting period
  • Confirmation on the frequency of internal and external reconciliations
  • Notifiable breaches

The FCA estimates the return will take a compliance professional 5.25 hours to complete.

Insurance and guarantees

Firms using insurance or comparable guarantees must have contingency plans to switch to segregation at least three months prior to the policy’s expiration if renewal cannot be secured.

Third-party due diligence

Firms must conduct due diligence on any third parties managing or holding safeguarded funds.

Who it applies to

The rules target:

  • Authorised payment institutions (excluding those solely providing payment initiation or account information services)
  • Authorised and small e-money institutions
  • Credit unions issuing e-money in the UK 

Small payment institutions can opt in voluntarily.

Consultation and industry feedback

The FCA received 85 consultation responses from authorised e-money institutions, payment institutions, small e-money institutions, consumer groups, trade associations, professional bodies, auditors and advisors. In response to this feedback, the FCA made several amendments:

  • Reconciliations are not required on weekends and bank holidays
  • Firms safeguarding less than £100,000 will not be required to arrange a safeguarding audit
  • The removal of the requirement for a limited assurance audit for payments firms holding no relevant funds
  • The increase in the implementation period before the rules come into force from six to nine months

The FCA acknowledged calls for the monthly safeguarding return to be made quarterly but stood by monthly reporting being “necessary and proportionate”.

What should firms do now?

 

Prior to the supplementary regime expected to take effect on 7 May 2026, payments and e-money firms should address the following:

Review rules and conduct gap analysis

Study FCA Handbook updates and perform gap analyses, engaging legal counsel if needed to clarify requirements like daily reconciliations and resolution packs.

Upgrade systems for reconciliations and records

Implement automated systems for daily reconciliations on “reconciliation days” (excluding weekends/holidays) and maintain resolution packs detailing fund locations and procedures. Conduct due diligence on third-party providers, leveraging transitional provisions for pre-existing arrangements.

Prepare for audits

Firms holding over £100,000 in relevant funds must arrange annual audits by Companies Act-qualified auditors, due within six months for the first period. Start discussions now to establish who is responsible for overseeing the firm’s audit compliance, so these individuals can then secure auditors and prepare records. Exempt firms should consider voluntary audits. 

The Payments Association is working with the FCA to ascertain what information is required under the new auditing standards.

Set up monthly reporting

Update IT systems for new SUP 16.14A monthly returns, covering safeguarding methods, balances, and breaches, due within 15 business days. Pilot submissions and train staff for compliance.

Review insurance policies

Ensure insurance or guarantees have no payout restrictions beyond insolvency, and prepare contingency plans three months before expiry to switch to segregation if needed.

Engage with FCA

Participate in FCA workshops and monitor updates via trade associations. There will likely be further consultation on the end-state, Post-Repeal regime, but the earliest this will happen is Q4 2027.

Conclusion and key information

From 7 May 2026, authorised payment institutions, EMIs, and credit unions which issue e-money in the UK will have to comply with the strengthened safeguarding requirements set out in PS25/12. 

Firms will have to:

  • Hold funds received in exchange for issued e-money or to execute a payment transaction safely and securely, at all times, or make sure they are covered by an appropriate insurance policy or comparable guarantee
  • Ensure the right amount of funds is segregated from the payment firm’s own funds
  • The claims of e-money holders or payment service users can be met from the safeguarded asset pool
  • Relevant funds can be returned to customers as quickly and fully as possible if a payments firm fails or decides to wind down and exit the market.

With seven months until the changes come into force, firms should:

  • Review the rules and conduct a gap analysis to understand what aspects of their current safeguarding process requires revision
  • Ensure their safeguarding auditor meets the Companies Act 2006 requirements
  • Prepare for monthly safeguarding reporting, ensuring IT systems and staff have the appropriate systems to deal with this and that there will be sufficient capacity
LinkedIn
Email
X
WhatsApp

Read more Payments Intelligence

Q2 2026 Regulation Roadmap

April 21, 2026 No Comments

A forward-looking overview of key regulatory developments across payments, crypto and financial services, with timelines and practical implications.

Read More »

Upload your profile photo

You need to be logged in to do this!

Back to main menu

Membership

Our members

Member benefits

Become a member

Merchant Community Membership

Our merchants

Join the merchant community

Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.
Sign in
Become a member
Contact us
Careers
Marketing services
Cart
Youtube Spotify X-twitter Linkedin

Continue reading

Exploring the FCA's expanded safeguarding rules for payments firms effective May 2026. Join The Payments Association to read the full article.

Become a member to continue reading

Become a member
Log in

Member of The Payments Association? Log in to continue reading

Log in