FCA Safeguarding Rules 2026: A Compliance Checklist for 7 May

Payment institutions and e-money institutions have been required to safeguard relevant funds since the Payment Services Regulations 2017 (PSRs 2017, regulations 23 to 25) and the Electronic Money Regulations 2011 (EMRs 2011, regulations 20 to 22) came into force. What changes on 7 May 2026 is how those obligations must be met. The FCA’s new CASS 15 sourcebook chapter replaces high-level guidance with prescriptive operational rules on daily reconciliation, monthly reporting, annual audit, resolution packs and third-party due diligence. This article, building on our earlier analysis of the supplementary regime, sets out what the FCA safeguarding rules 2026 require firms to do before the deadline and where the operational pressure points lie.

From guidance to rules: why CASS 15 changes safeguarding compliance

The obligation to safeguard relevant funds is not new. Authorised payment institutions must safeguard funds received for payment transactions under PSRs 2017, regulations 23 to 25, either by segregating them in a separate account with an authorised credit institution or by covering them with an insurance policy or comparable guarantee. E-money institutions face equivalent requirements under EMRs 2011, regulations 20 to 22. What has been missing is a detailed, enforceable rulebook specifying how firms must carry out those obligations in practice. The FCA’s Approach Document provided guidance, but compliance varied widely. For firms that failed between Q1 2018 and Q2 2023, there was an average shortfall of 65% between funds owed to customers and funds actually safeguarded. The supplementary regime in PS25/12 (August 2025) fills that gap by codifying operational safeguarding requirements in CASS 10A, CASS 15, SUP 3A and SUP 16.14A. It applies to authorised payment institutions (except those providing only payment initiation or account information services), authorised e-money institutions, small e-money institutions, and credit unions issuing e-money.

Daily safeguarding reconciliation under CASS 15

Regulation 23(7) of the PSRs 2017 already requires authorised payment institutions to keep relevant funds segregated by the end of the business day following receipt. CASS 15 specifies how that segregation must be verified: firms must perform internal and external safeguarding reconciliations at least once each reconciliation day. The FCA defines reconciliation days as all days other than weekends, bank holidays, and days when relevant foreign markets are closed. This is a change from the consultation draft in CP24/20, which required reconciliation every business day, including weekends. The amendment followed industry feedback on the operational cost and limited value of weekend reconciliations when banks are closed.

The internal reconciliation compares the relevant funds that should be held in relevant funds bank accounts, or as relevant assets in relevant assets accounts (the D+1 segregation requirement), against the balances of those accounts (the D+1 segregation resource). If the segregation resource is lower than the segregation requirement, the firm must remedy the shortfall from its own funds. The external reconciliation compares the firm’s internal records against those of third parties such as banks.

Monthly safeguarding return to the FCA

The existing regulatory returns for payment and e-money institutions included safeguarding questions, but reporting was limited and inconsistent. CASS 15 replaces those questions with a dedicated monthly safeguarding return, giving the FCA standardised data across the sector for the first time. The return covers the D+1 segregation requirement and resource, confirms reconciliations have been completed, and collects data on relevant assets and custodians.

Annual safeguarding audit requirements

The PSRs 2017 and EMRs 2011 do not require a safeguarding audit, though the FCA has long expected firms to obtain one as good practice. CASS 15 and SUP 3A now make it a binding requirement: most payments firms must arrange an annual safeguarding audit carried out by a qualified auditor and submitted to the FCA. The first audit report must be submitted within six months of the end of the firm’s audit period (extended from four months in the consultation, to allow capacity to build across the audit sector). Subsequent reports are due within four months. The audit period must not exceed 53 weeks from the end of the previous report period, or from the date the firm became subject to the rules. Firms may choose whether to align the audit period with their financial year end. The FCA is working with the Financial Reporting Council on a new audit standard for safeguarding audits.

There is a proportionality threshold. A firm that has not been required to safeguard more than 100,000 pounds of relevant funds at any point over a period of at least 53 weeks is exempt from the audit requirement. Senior management must determine on a continuing basis whether the exemption applies.

Resolution packs, third-party due diligence and insurance

Firms must maintain a resolution pack containing the documents and records an insolvency practitioner would need to return relevant funds to customers promptly. The FCA expects this to be a living document covering where relevant funds are held, a list of agents and distributors, and the firm’s procedures for managing and transferring relevant funds.

CASS 15 also requires firms to exercise skill, care and diligence when appointing third parties that hold relevant funds or assets, and to periodically review and consider diversifying those third parties. Firms should request acknowledgement letters from banks and custodians confirming that they are holding relevant funds and how those funds should be treated. Firms using the insurance or guarantee method must ensure the policy has no conditions restricting payout other than certification of an insolvency event, and must decide at least three months before expiry whether to renew or switch to segregation. If you are reviewing your safeguarding and scheme governance arrangements, these third-party and insurance requirements are the areas most likely to need immediate attention.

| Obligation | Frequency | Handbook reference | Key deadline |
| Internal and external safeguarding reconciliation | Each reconciliation day (excludes weekends, bank holidays) | CASS 15 | 7 May 2026 |
| Monthly safeguarding return | Monthly | SUP 16.14A | First return due June 2026 |
| Annual safeguarding audit (qualified auditor) | Annual (period not exceeding 53 weeks) | SUP 3A | First report within 6 months of audit period end |
| Resolution pack | Maintained on a continuing basis | CASS 10A | In place by 7 May 2026 |
| Third-party due diligence and diversification review | At appointment and periodically | CASS 15 | 7 May 2026 |
| Insurance/guarantee contingency plan | At least 3 months before policy expiry | CASS 15.5 | Ongoing |

FCA safeguarding rules 2026: operational implications for firms

The shift from principles-based guidance to prescriptive rules falls hardest on smaller authorised firms that have, until now, complied with the PSRs 2017 and EMRs 2011 at a high level using the Approach Document as their reference. These firms will need to build or procure reconciliation systems capable of producing the D+1 segregation comparison daily, appoint a safeguarding auditor (a new cost that respondents to CP24/20 said had been underestimated in the FCA’s cost benefit analysis), and establish a monthly reporting workflow. The 100,000-pound audit threshold is low enough that most active firms will be caught.

For larger firms, auditor capacity is the pressure point. The FCA has acknowledged that the qualified auditor requirement, combined with the new FRC audit standard, may restrict the available pool. Firms are not required to use the same auditor for safeguarding and statutory audits, but should be engaging auditors now if they have not already done so.

Viewpoint

The FCA safeguarding rules 2026 represent the most operationally demanding change to payments regulation since the PSRs 2017 themselves. The underlying obligations have not changed, but the level of operational detail now required to demonstrate compliance has increased substantially. In practice, the bottleneck for most firms will not be the reconciliation itself, which many already do to some degree, but assembling the resolution pack and securing audit capacity in time. Firms which have not yet started auditor conversations face a real risk of missing the first reporting deadline. The six-month extension for the first audit submission provides some breathing room, but the monthly return starts from day one. Firms should treat 7 May as a hard go-live date, not a soft deadline with grace periods.

Key sources

PS25/12: Changes to the safeguarding regime for payments and e-money firms (FCA, August 2025).
CASS 15: Payment services and electronic money (FCA Handbook, effective 7 May 2026).
Payment Services Regulations 2017, regulation 23 (legislation.gov.uk).
Electronic Money Regulations 2011, Part 3 (legislation.gov.uk).
Payment Services and Electronic Money: Our Approach (FCA, May 2026 draft).

Next steps

If you are assessing your firm’s readiness for the FCA safeguarding rules 2026 under CASS 15, Bratby Law advises authorised payment institutions and e-money institutions on safeguarding compliance, reconciliation systems and regulatory reporting. For advice on the supplementary regime, contact Rob Bratby at Bratby Law.
