The FCA’s updated CASS 15 safeguarding regime for payment and e-money firms came into force on 7 May 2026. The first practical test to follow is the new REP027 monthly safeguarding return, which firms must submit to the FCA within 15 business days of each month-end from July 2026.
It is easy to read that step change as a simple reporting task. It isn’t. The return is a reflection of the processes behind it: data ingestion, reconciliation, calculation, review, sign-off and evidence.
Most firms will produce the first return. The harder question is whether they can produce the same return, the same way, every month.
For payment and e-money firms reviewing their monthly safeguarding return process, this article explores the operating models behind REP027, where they come under pressure and how to test whether your own process is ready.
Why the monthly return is a control test
The monthly safeguarding return gives the FCA a regular supervisory view of how firms manage relevant funds. To produce one properly, a firm needs timely access to reconciled safeguarding balances, resource and requirement calculations, internal and external reconciliation outputs, supporting evidence, explanations for any discrepancies or shortfalls, and sign-off records.
Kani’s safeguarding readiness research suggests many firms are not yet well placed to do this. Asked how they currently complete monthly safeguarding returns, 52% of firms described a semi-automated process combining tools and spreadsheets, and a further 12% rely on spreadsheets only — meaning almost two-thirds still depend on spreadsheets to some degree.
A firm may be able to assemble a return that way once, or even several times. But if every month depends on manually collecting data, copying figures between spreadsheets, checking formulas, chasing owners and rebuilding evidence, the process is fragile.
That fragility is not felt equally. The three operating models firms rely on — fully automated, semi-automated, and spreadsheet-based — hold up very differently as volumes rise and scrutiny increases.
Three operating models and how they behave under pressure
1) Fully automated: controlled, not hands-off
Around 36% of firms use a fully automated solution. That doesn’t mean no human oversight — it means the core process is system-driven rather than manually assembled. Source data is ingested from banks, processors and ledgers; reconciliation logic is applied consistently; resource and requirement are calculated from controlled inputs; outputs are traceable; review and sign-off are recorded.
The value here is consistency, not speed. When the return is generated from a controlled process, there is a clear line from source data to reconciliation output to submission, making it easier to review, evidence and explain. It also reduces reliance on individual knowledge: the process doesn’t depend on one person knowing which files to pull or which adjustments to make.
Under CASS 15, that distinction matters. The standard is not just whether a return can be produced, but whether the firm can show how it was produced.
2) Semi-automated: the dominant model, and the main pressure point
At 52%, semi-automated is the most common model — and it’s no surprise. Safeguarding workflows tend to evolve over time: one system for bank data, another for ledger information, a reconciliation tool for some processes, spreadsheets for adjustments, a manual workflow for sign-off. Each step has an owner, so it can look controlled.
The weakness is that control is spread across too many places. Semi-automated models rely on manual touchpoints between systems — exporting data from one platform to another, adjusting figures before reconciliation, copying outputs into templates, reconciling exceptions outside the main system, collecting evidence after the return is prepared.
The risk is not that the process is ineffective. It is that control becomes distributed and personal. Each handoff makes a single attributable record harder to maintain, every spreadsheet adds version-control and maker-checker risk, and consistency comes to depend on people knowing how the process works. A semi-automated model can produce the right return but often only because the right people are there to make it.
3) Spreadsheets only: possible, but increasingly exposed
The 12% of firms relying exclusively on spreadsheets are not automatically non-compliant — spreadsheets remain familiar, flexible and widely used. But they amplify the exact weaknesses the FCA is trying to reduce: data integrity, undocumented formulas, manual input errors, version control, limited auditability, blurred maker-checker separation, key-person dependency, and difficulty linking outputs back to source records.
In practice, firms using spreadsheets only end up building controls around the spreadsheet to make the process defensible — review logs, access controls, change tracking, documented formulas, evidence folders, approval workflows.
At a certain point, the firm is constructing a control framework around a tool that was never designed to be one. That may hold for a small or simple operation, but as volumes, currencies, products and counterparties grow, the model becomes hard to sustain — and the pressure is operational as much as regulatory.
The viability of all three operating models comes down to the same question: can you produce the return the same way every month, and prove how you did it? Many can manage it once. Far fewer can do it consistently.
What good looks like
The firms best placed for monthly safeguarding returns have six things in common:
✅ Consistent data ingestion
Bank, processor and ledger data is available without manual preparation each month. If the return depends on someone finding, cleaning and reformatting files, it is exposed from the start.
✅ Repeatable reconciliation logic
Matching rules, calculation logic and exception handling are documented and consistent. The reconciliation should not vary depending on who runs it.
✅ Clear resource and requirement calculations
The firm can explain how safeguarding resource and requirement were calculated, including any exclusions, adjustments or timing treatment, by currency.
✅ Visible and explainable differences
Shortfalls, excesses and discrepancies are surfaced and reviewed with recorded actions, not hidden inside spreadsheets or side calculations.
✅ Embedded review and sign-off
Clear ownership and approval workflows produce attributable sign-off, rather than oversight happening informally or outside the system.
✅ Evidence generated by default
Reconciliations, records, approvals and supporting documentation are maintained as part of the safeguarding process, so no pack has to be rebuilt from scratch.
A readiness checklist
For firms reviewing their own monthly return process, these questions are a useful test:
- Can we produce the monthly return within 15 business days without relying on one key person?
- Are all source balances, reconciliations and calculations traceable back to underlying data?
- Are manual adjustments documented, reviewed and attributable?
- Can we explain safeguarding resource and requirement by currency?
- Are shortfalls, excesses and discrepancies visible, with recorded actions?
- Do internal and external reconciliation outputs sit alongside the evidence for the return?
- Can we evidence how every figure in the return was reached?
- Are approvals, reviews and sign-offs recorded in a way an auditor can follow?
- Are spreadsheets part of the process by design, or because systems don’t connect?
If the answer to any of these is unclear, the issue may not be the return itself. It may be the operating model behind it.
From monthly reporting to daily control
The REP027 safeguarding return is best understood as the monthly expression of a daily control environment. It is not created in isolation at month-end. It is built from the reconciliations, records and controls maintained throughout the month.
Where data is fragmented, reconciliations are inconsistent and evidence is assembled retrospectively, the return will always carry operational risk. Where data, reconciliation, calculation, review and sign-off are structured into one repeatable process, it becomes far easier to produce and defend.
The firms best placed for CASS 15 will treat the monthly return not as a separate month-end task, but as the natural output of controlled daily safeguarding.
💡 Preparing for monthly safeguarding returns under CASS 15?
Kani’s Safeguarding compliance solution brings the full process — data, reconciliation, calculation, sign-off and evidence — into one daily control system, making monthly reporting faster, clearer and easier to defend.
