FCA safeguarding update: What you need to do before 2026

The FCA has finalised its Supplementary Regime for safeguarding at payments and e-money firms. These rules are now set, with a nine-month runway to implementation.

Below we recap the story so far, what’s changed in the final policy and how payments businesses can get audit-ready with minimal disruption.

The road so far

Back in spring we outlined the FCA’s two-stage approach to fix weaknesses in safeguarding: an interim Supplementary Regime to tighten day-to-day compliance under the existing PSRs/EMRs, followed by a potential Post-Repeal (CASS-style) regime subject to Treasury legislation. The FCA’s policy statement confirms that structure and provides the finalised interim rules.

Why the change?

Recent changes come after the FCA found weaknesses in current safeguarding practices, which have led to shortfalls and delays when firms fail. The new rules hard-wire daily controls and reporting so customers get their money back “as quickly and fully as possible”.

What’s now final

✅Scope and timing

The rules cover authorised payment institutions (other than pure PIS/AIS), authorised and small e-money institutions and credit unions issuing e-money. Small payment institutions can continue to opt in. The effective date is 7 May 2026 after a nine-month implementation period.

✅Reconciliations (daily discipline)

A daily reconciliation discipline is now hard-wired, but with a pragmatic definition: firms must complete internal and external safeguarding reconciliations at least once on each reconciliation day, which excludes weekends, UK bank/public holidays and days when relevant foreign markets are closed.

The FCA also clarifies the core control: compare the D+1 segregation requirement with the D+1 segregation resource and remediate any shortfall promptly (using own funds if necessary).

✅Monthly safeguarding return

Expect a new regulatory return due within 15 business days of each month-end. The purpose is to ensure the FCA receives regular and comprehensive information about safeguarding, enabling earlier identification of potential risks. Among other things, it captures whether reconciliations were completed on every reconciliation day. Submission is electronic via the FCA’s systems.

✅Annual safeguarding audit with a proportionate threshold

Most firms will need an annual safeguarding audit by a qualified auditor, unless they have not been required to safeguard more than £100,000 of relevant funds at any time over a continuous period of at least 53 weeks.

✅Resolution pack becomes mandatory

Borrowing from best practice in CASS, firms must maintain a resolution pack that makes it quick to trace where relevant funds are held, who the agents and distributors are and how records and transfers are controlled. This helps maintain “living” documentation that materially speeds up customer redress in the event of insolvency.

✅Third-party diligence and diversification

When appointing or reviewing banks, custodians, insurers or guarantors, firms must perform due diligence and explicitly consider whether to diversify providers. The rules expect a reasoned, documented view that is revisited periodically, with changes made where appropriate.

✅Acknowledgement letters

The FCA has standardised safeguarding account acknowledgement letters via a template and detailed guidance. Firms must obtain countersigned letters from each relevant bank or custodian, retain them, review them at least annually and promptly replace them if any details change. Keep each countersigned acknowledgement letter for five years after the last account it names is closed.

✅Guidance and implementation

The FCA has published the amendments it intends to make to its Approach Document (effective when the rules go live) and will engage with the industry throughout the implementation period to support adoption.

Why this matters for card programmes and acquiring flows

For programme managers and EMIs, the practical lift is in the daily D+1 rhythm across wallet loads, card spend and settlement with scheme/sponsor banks—plus the evidence trail that feeds the monthly return. The resolution pack should read like a control room: entities, accounts, flows, agreements and up-to-date letters in one place, with links back to the latest reconciliations and policies.

For acquirers and PIs, the same cadence applies to merchant settlement, reserves and collateral accounts, with a new emphasis on documenting why your chosen bank/custodian mix is appropriate—and when you chose to diversify.

🔎How to comply before May 2026

Immediate (0–3 months)

Gap analysis against PS25/12: reconciliations, D+1 logic, external checks, monthly return data model, resolution pack content, third-party due diligence, acknowledgement letters, board reporting
Map data and owners to complete monthly returns within 15 business days—no spreadsheets, no re-keying

Build (3–6 months)

Draft and populate the resolution pack
Implement diversification reviews (with rationale and evidence) for banks/custodians/insurers/guarantors
Refresh and centralise acknowledgement-letters per the FCA template and retention rules

Prove (final 3 months before 7 May 2026)

Run an end-to-end dress rehearsal: daily internal + external reconciliations on reconciliation days, D+1 remediation and a mock monthly return from live data
Train teams; lock auditor engagement where applicable (watch the £100k / 53-week exemption carefully)

Controls that will be scrutinised

D+1 comparison and evidence of prompt remediation of shortfalls/excesses
Completion of attestations in the monthly return—e.g., reconciliations performed on every reconciliation day
Third-party due diligence and diversification reviews with documented conclusions and timing
Acknowledgement letter status, accuracy and replacement process; five-year retention post-closure
Single-owner oversight

Build the habit; earn the trust

The direction of travel is clear: safeguarding must be visible, verifiable and repeatable to ensure quicker, fairer outcomes for customers. Treat it as an operating capability, not a compliance chore, and you turn regulatory pressure into a durable edge.

Firms that embed this now won’t just glide through audits; they’ll move faster with sponsor banks and custodians, reduce operational risk and be ready for whatever comes next—whether that’s supervisory scrutiny or a future, CASS-style regime.

*Information in this article is summarising regulatory events and should not be construed as offering legal advice