CASS 15 safeguarding: A compliance guide for payment firms

The FCA’s updated safeguarding regime is now in force. From 7 May 2026, every authorised payment institution and electronic money institution operating in the UK is subject to a materially strengthened set of obligations—covering daily reconciliation, monthly regulatory returns, annual audits, resolution pack maintenance and enhanced third-party governance.

For most firms, this represents a structural change to back-office operations, governance and evidential standards—one that many are still working to fully operationalise.

This guide sets out what CASS 15 requires and what operating at the required standard looks like in practice.

The road to CASS 15

Safeguarding has long been a regulatory requirement for payment and e-money firms, but persistent evidence of failure prompted the FCA to act. For firms that became insolvent between 2018 and 2023, the FCA identified an average 65% shortfall between funds owed to customers and those actually safeguarded. CASS 15 (in force from 7 May 2026) is the FCA’s response: a materially strengthened regime designed to ensure customer funds can be returned quickly and in full if a firm fails.

Who it applies to

The Supplementary Regime applies to:

  • Authorised payment institutions (except those solely providing payment initiation or account information services)
  • Authorised e-money institutions
  • Small e-money institutions
  • Credit unions issuing e-money in the UK
  • Small payment institutions that opt in to comply

Firms that solely provide payment initiation or account information services and do not hold relevant funds are out of scope. All others should treat the regime as applying in full from 7 May 2026.

What safeguarding rules now require

✅ Daily reconciliation

Firms must complete internal and external safeguarding reconciliations at least once on each reconciliation day. A reconciliation day excludes weekends, UK bank and public holidays and days when relevant foreign markets are closed.

The core control is the D+1 comparison: safeguarding requirement compared against safeguarding resource, with any shortfall remediated promptly—using the firm’s own funds if necessary. This is not a periodic check. It is an operational control that must function reliably every reconciliation day without exception.

Non-standard reconciliation methods require an independent auditor’s report and disclosure in the monthly return.

✅ Monthly safeguarding return

Firms must submit a monthly safeguarding return to the FCA within 15 business days of month-end. The return captures total safeguarded funds, a breakdown of how and where those funds are held, and, critically, confirmation of whether reconciliations were performed on every reconciliation day.

The FCA has been explicit that monthly returns are expected to function as a key supervisory tool. Firms that cannot confirm daily reconciliation, or that disclose discrepancies, should expect direct regulatory engagement. The first return covers the month of June 2026, due in July 2026.

✅ Annual safeguarding audit

Most firms must arrange an annual safeguarding audit conducted by a qualified independent auditor, submitted to the FCA within four months of the audit period end. A six-month window applies for the first submission. The audit is exempt for firms that have not been required to safeguard more than £100,000 of relevant funds at any point over a continuous period of at least 53 weeks.

The Financial Reporting Council published interim guidance for safeguarding auditors in March 2026. That guidance is explicitly transitional, with a dedicated safeguarding assurance standard expected following public consultation in 2027. Auditor capacity is expected to be a constraint across the sector. Firms that have not yet engaged a qualified auditor should do so immediately.

✅ Resolution pack

Firms must maintain a resolution pack under CASS 10A that enables rapid tracing of where relevant funds are held, who agents and distributors are and how records and transfers are controlled. Key records—including recent safeguarding reconciliations and acknowledgement letters—must be immediately available. The FCA’s standard expects a 48-hour retrieval window.

The resolution pack is not a document produced on request. It is a standing governance obligation that must be maintained and kept current at all times.

✅ Acknowledgement letters

Firms must obtain countersigned acknowledgement letters from each relevant bank or custodian, using the FCA’s standardised template. Letters must be reviewed at least annually, replaced promptly if any details change and retained for five years after the last account they name is closed.

✅ Third-party diligence and diversification

When appointing or reviewing banks, custodians, insurers or guarantors, firms must conduct documented due diligence and explicitly consider whether to diversify across providers. That assessment must be revisited periodically, with changes made where the rationale supports them. The FCA expects a reasoned, evidenced view—not a standing assumption that existing arrangements remain appropriate.

✅ Books and records

Firms must maintain accurate, up-to-date records of all relevant funds received and held on behalf of customers. The distinction between customer funds and the firm’s own working capital must be unambiguous and verifiable at all times. CASS 15 expects this not merely as policy, but as operational reality.

✅ Senior management accountability

CASS 15 places explicit responsibility for safeguarding arrangements at board and senior management level. Firms are expected to demonstrate sufficient understanding at governance level of how safeguarding operates in practice, rather than policies that exist only on paper. This aligns with the FCA’s broader focus on accountability under the Senior Managers and Certification Regime.

What CASS 15 means for different payment firms

The compliance burden under CASS 15 is not evenly distributed. Larger firms with existing CASS infrastructure will find the transition more manageable. For smaller payment institutions and EMIs that have operated with manual processes and limited compliance infrastructure, CASS 15 represents a step change in operational requirements.

✅ Card programme managers and EMIs

For programme managers and EMIs, the practical complexity lies in the daily D+1 rhythm across wallet loads, card spend and settlement with scheme and sponsor banks. Multi-currency flows, multi-scheme arrangements and the involvement of multiple banking partners all create reconciliation complexity that manual processes struggle to manage at daily frequency.

The resolution pack must function as a live control room: entities, accounts, flows, agreements and acknowledgement letters in one place, tied to current reconciliations and policies.

✅ Acquiring firms and payment institutions

For acquirers and PIs, the same daily cadence applies to merchant settlement, reserves and collateral accounts. The third-party diligence requirements carry particular weight here: the documentation of why a chosen bank or custodian mix is appropriate (and when diversification was considered) must be evidenced and revisited, not assumed.

✅ BIN sponsors and programme principals

Where a BIN sponsor or programme principal has downstream programme managers operating under their licence, safeguarding obligations extend across that structure. Clarity on where funds are held, who is responsible for safeguarding at each point in the chain and how the resolution pack captures those relationships is essential. The FCA expects that picture to be immediately traceable.

✅ Smaller firms and SPIs

Small payment institutions and smaller EMIs operating below the audit threshold face a specific challenge: limited compliance resource at exactly the point where operational requirements increase most significantly.

The monthly return is likely to be the most immediate pressure point, requiring accurate, timely data from systems that may not have been designed to produce it. Manual compilation creates avoidable errors and audit friction that compounds over time.

What good looks like under CASS 15

The firms best placed under the updated regime are those that treat safeguarding as an operational discipline rather than a reporting obligation. In practice, that means:

  • Daily reconciliation as a standing control — executing predictably every reconciliation day regardless of who is running it
  • Automated data ingestion — source data from banks, processors and ledgers arrives clean and on time, without manual preparation before reconciliation can begin
  • Consistent reconciliation logic — matching rules that are system-defined and applied uniformly, producing repeatable outputs traceable back to source data
  • Automated exception management — breaks surfaced and flagged immediately, not discovered at the point where a return is due
  • Evidence as a native output — reconciliations, acknowledgement letters and supporting records maintained as a standing state, available on demand
  • Documented governance — clear ownership at senior management level, with escalation paths, sign-off controls and notification obligations formally defined and evidenced

The FCA has been clear that meeting the spirit of safeguarding is no longer sufficient. Firms must evidence compliance with clearly defined rules—and that evidence must already exist, not be produced when asked for.

What to focus on now

The regime is live. The immediate priorities are:

  • Confirm daily reconciliation is running on every reconciliation day and the D+1 comparison is being performed correctly
  • Verify the monthly return process is in place for the June 2026 return, due in July
  • Engage a qualified auditor if not already done—capacity across the sector is limited
  • Review the resolution pack against the CASS 10A standard and confirm key records are immediately retrievable
  • Audit acknowledgement letters for completeness, accuracy and compliance with the FCA template
  • Document third-party diligence and diversification assessments with dated, reasoned conclusions

 


 

Glossary

PIS — Payment Initiation Services

AIS — Account Information Services

PSRs — Payment Services Regulations

EMRs — Electronic Money Regulations

EMIs — Electronic Money Institutions

PIs — Payment Institutions

SPIs — Small Payment Institutions

CASS — Client Assets Sourcebook

FRC — Financial Reporting Council

 

*Information in this article summarises regulatory developments and should not be construed as legal advice. Firms should seek independent legal and compliance counsel regarding their specific obligations under CASS 15.