Safeguarding and Consumer Duty

Safeguarding is the legal obligation of payment institutions and e-money institutions to hold customer funds separately from their own operational money, under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. Bratby Law advises on the design, implementation and governance of safeguarding frameworks that meet regulatory requirements and operate reliably at scale. Rob Bratby holds a General Counsel appointment at UK Payments Initiative, which provides direct operational perspective on how regulated payment firms manage safeguarding in practice.

When does safeguarding become an issue?

Safeguarding is a regulatory obligation for all authorised payment institutions and e-money institutions that hold relevant funds. It becomes an immediate compliance priority when firms are preparing for the new FCA Supplementary Regime, which came into effect on 7 May 2026. This applies to any firm that is not exempt because it holds below GBP100,000 of relevant funds and has done so for at least 53 consecutive weeks.

Safeguarding also requires urgent attention when firms have experienced safeguarding shortfalls, cash position discrepancies or reconciliation failures. Private equity investors acquiring regulated payment firms increasingly conduct detailed safeguarding due diligence as part of the acquisition process, treating it as a key indicator of operational maturity and compliance culture. Similarly, firms facing FCA supervisory engagement on safeguarding need specialist support to remediate control failures and rebuild regulator confidence.

Even firms in stable regulatory standing benefit from periodic safeguarding reviews to ensure that systems and processes continue to operate as designed and to anticipate the full end-state regime (known as the Post-Repeal Regime), which the FCA deferred pending further consultation.

Why safeguarding matters now

Safeguarding has become the most time-sensitive regulatory issue in UK payments. In August 2025, the FCA published final rules under PS25/12, setting out the Supplementary Regime with a come-into-force date of 7 May 2026. This represented a nine-month compliance window for firms to build new infrastructure and processes.

The Supplementary Regime introduced mandatory daily reconciliation of safeguarded funds, monthly safeguarding returns to the FCA due within 15 business days of month-end, annual safeguarding audits by a qualified auditor providing reasonable assurance, and a requirement for a named senior manager responsible for safeguarding oversight. All firms must now maintain a resolution pack containing all information needed to trace and return customer funds in the event of failure or resolution, and this pack must be retrievable within 48 hours.

Only firms that have safeguarded fewer than GBP100,000 of relevant funds for at least 53 weeks are exempt from the annual audit requirement. The FCA has made clear that the full end-state regime, modelled on CASS rules and covering matters such as client money and assets held by third parties, remains under consultation, so further requirements may follow.

Consumer Duty (FCA PRIN 2A) compounds this pressure. It applies to all FCA-regulated firms providing products and services to retail customers, and sets out four outcome areas: products and services must be designed to deliver good outcomes; price and value must be fair; consumers must have the information and understanding they need; and firms must provide appropriate support. For payment firms, this means safeguarding arrangements must be explained clearly to customers and integrated into complaint handling and incident response.

In addition, the mandatory APP fraud reimbursement regime came into force in October 2024, requiring payment service providers to reimburse customers who fall victim to authorised push payment fraud in most cases, unless the customer acted with gross negligence. This interacts with safeguarding by creating additional cash management complexity and reporting obligations.

The FCA’s supervisory approach has shifted perceptibly towards earlier intervention and more assertive enforcement, particularly in payments. Firms with sub-standard safeguarding arrangements now face a higher risk of formal action.

Where payment firms get safeguarding wrong

Many payment firms treat safeguarding as a policy document to be produced for regulators, rather than as an operational system that must function reliably every business day. This reflects a misunderstanding of what safeguarding actually is: it is not a compliance function, but an infrastructure. When reconciliation is attempted through manual processes using spreadsheets, even highly diligent teams struggle to scale beyond a few hundred accounts before detection lag becomes unacceptable and discrepancies are discovered weeks or months after occurrence.

Inadequate segregation of funds is common. Some firms co-mingle relevant funds with operational cash to maximise efficiency, which violates the fundamental safeguarding requirement and renders the entire arrangement non-compliant. Others implement safeguarding in the accounting ledger but not in the bank, creating a false sense of security and failing the reality test that will be applied if the firm actually fails.

Insurance-based safeguarding, where firms rely on professional indemnity or fidelity cover to protect shortfalls, is a widespread misconception. Insurance is not a substitute for safeguarding and does not satisfy the regulatory requirement. When shortfalls occur, the insurance claim will be contested and the underlying breach will still be a regulatory failure.

The resolution pack is often treated as a static file to be created once and filed away. In reality, it is a living document that must be updated whenever there are changes to safeguarding accounts, custodial arrangements, account signatories, systems, or customer data. Firms that discover their resolution pack is out of date when they actually need it face both customer impact and regulatory criticism.

Generic safeguarding policies describe the regulatory requirements but fail to explain the firm’s specific process: which accounts hold safeguarded funds, which systems detect discrepancies, who is notified if reconciliation fails, what escalation procedures apply if there is a shortfall, and what records are maintained. Such policies cannot be operated reliably by staff because they contain no operational guidance.

Firms often under-estimate the governance requirement. Safeguarding policy must be approved at board level, and the board must explicitly approve the definition of material discrepancy used by the firm as a trigger for escalation or external reporting. This is not a procedural step to be delegated; it is a matter of substance that goes to the question of whether the firm’s safeguarding arrangements are fit for purpose.

Consumer Duty is sometimes treated as a separate compliance stream from safeguarding. In practice, good Consumer Duty execution requires that safeguarding features and risks are built into product design, that outcome testing is conducted to verify that safeguarding works as the firm represents to customers, and that complaints and incidents are analysed to identify whether safeguarding failures contributed to customer harm.

What good looks like

Safeguarding done well is treated as operational infrastructure, not a compliance document. The firm maintains segregated accounts in one or more banks, has a clear definition of which transactions create relevant funds, and reconciles those accounts daily using an automated system that flags exceptions within hours, not days. Discrepancies are escalated immediately to a named senior manager, recorded in a risk register, and investigated to root cause.

The resolution pack is maintained as a genuinely living document, updated monthly or whenever there are changes to the accounts, systems, processes or customer base. The pack contains not just a listing of accounts and customers, but also copies of account acknowledgement letters (signed by the bank confirming safeguarding status), system documentation, reconciliation procedures, and details of any third-party custodians or segregation service providers.

The senior manager function holder for safeguarding has genuine operational understanding, not just knowledge of the regulatory rules. This person understands the reconciliation process, can interpret discrepancies, knows the firm’s bank contacts, and can mobilise the firm rapidly if there is a crisis. The board approves not just the safeguarding policy but also the definition of material discrepancy, the escalation procedure for shortfalls, and the annual audit scope and findings.

Consumer Duty is integrated throughout: safeguarding features are disclosed accurately in terms and conditions and marketing materials, customer communications explain how money is held and what happens if the firm fails, and outcomes are tested by the firm through sample transaction testing and customer feedback to verify that safeguarding operates as promised.

Rob Bratby’s appointment as General Counsel at UK Payments Initiative provides direct perspective on how this infrastructure is built and maintained in well-run payment firms, and how it integrates with treasury, customer service, and complaint handling functions.

When to instruct a safeguarding specialist

Specialist safeguarding advice is essential when preparing for the May 2026 deadline, particularly if the firm’s current arrangements fall short of the Supplementary Regime requirements. Firms that need to remediate shortfalls or upgrade reconciliation systems need external advice to validate the design and implementation plan. If the FCA is conducting supervisory engagement on safeguarding, independent legal advice becomes critical both to manage the dialogue with the regulator and to evidence the board’s commitment to remediation.

Transaction due diligence is a common trigger: buyers of payment firms conduct detailed safeguarding reviews and will identify control weaknesses, and sellers benefit from pre-transaction advice to remediate issues before the buyer uses them as a price reduction tool.

How Bratby Law helps with safeguarding and Consumer Duty

Bratby Law advises payment and e-money firms on all aspects of safeguarding and Consumer Duty implementation. We design safeguarding frameworks from first principles, working from the firm’s business model and customer base through to detailed operational procedures and governance structure. This includes definition of relevant funds, design of segregation architecture, and specification of the daily reconciliation process that will scale as the firm grows.

We design and validate daily reconciliation processes, whether automated or manual, to ensure they operate reliably and detect discrepancies within acceptable timescales. For firms implementing new systems or upgrading existing processes, we advise on exception handling, escalation procedures, and reporting to senior management. We advise on systems selection, data requirements, and control testing to verify that reconciliation works as designed.

We prepare and maintain resolution packs on behalf of firms, ensuring that all required information is current, complete and retrievable within 48 hours. This includes coordinating with banks to obtain and refresh account acknowledgement letters, documenting the firm’s customer database and safeguarding procedures, and creating system documentation that would enable another firm or insolvency practitioner to return funds if the firm failed.

We support firms preparing for the annual safeguarding audit required under PS25/12, working with the firm’s chosen auditor to scope the audit, prepare documentation packages, and respond to audit findings. We also advise on the firm’s response to audit recommendations.

We advise on Consumer Duty implementation for payment firms, including product design review, terms and conditions drafting, outcome testing, and complaint cause analysis. This ensures that safeguarding features are communicated accurately to customers and that the firm can demonstrate it is meeting the four Consumer Duty outcomes.

We advise on the APP fraud mandatory reimbursement regime and its interaction with safeguarding and cash management. This includes claims assessment procedures, consumer support arrangements, and interaction with FCA Consumer Duty expectations.

We support firms during FCA supervisory engagement on safeguarding, including response to information requests, liaison with the FCA, remediation planning, and governance documentation to evidence board-level commitment to remediation.

Frequently asked questions about safeguarding and Consumer Duty

What are the FCA safeguarding requirements for payment institutions?

Authorised payment institutions and e-money institutions must safeguard customer funds as required by the Payment Services Regulations 2017 and Electronic Money Regulations 2011. Funds must be held in segregated accounts separate from the firm’s operational funds, and the firm must reconcile them regularly and maintain records demonstrating compliance. From 7 May 2026, the Supplementary Regime adds mandatory daily reconciliation, monthly reporting to the FCA, annual audits (for most firms), and a resolution pack.

What changes are coming on 7 May 2026?

The FCA’s Supplementary Regime, set out in PS25/12 (published August 2025), introduces four new requirements. First, firms must reconcile safeguarded funds daily rather than on an ad hoc basis. Second, firms must report monthly to the FCA on relevant funds held, with reports due within 15 business days of month-end. Third, most firms must commission an independent qualified auditor to conduct an annual safeguarding audit and provide a reasonable assurance report. Fourth, firms must maintain a resolution pack containing all information needed to trace and return customer funds, and this pack must be retrievable within 48 hours. Firms holding below GBP100,000 for at least 53 consecutive weeks are exempt from the audit requirement.

What is a resolution pack?

A resolution pack is a comprehensive document or file system containing all information an insolvency practitioner, administrator, or another firm would need to identify and return customer funds if the firm failed or entered resolution. It includes details of all safeguarding accounts, customer names and identification, amounts held per customer, copies of bank account acknowledgement letters, systems documentation, reconciliation procedures, and contact details for banks and custodians. The pack must be maintained as a living document and kept up to date whenever circumstances change. It must be capable of being retrieved within 48 hours.

Do small payment institutions need a safeguarding audit?

Most payment institutions must commission an annual safeguarding audit by a qualified auditor under PS25/12. However, the FCA exempts firms that have not safeguarded more than GBP100,000 of relevant funds for at least 53 consecutive weeks before the deadline or reporting period in question. Small payment institutions that exceed this threshold must conduct an audit; those that remain below it are exempt.

How does Consumer Duty apply to payment firms?

FCA Consumer Duty (PRIN 2A) applies to all authorised payment firms providing products or services to retail customers. The four outcome areas are: products and services must be designed and sold to deliver good outcomes; price and value must be fair; consumers must have information and support enabling them to make good decisions; and firms must provide appropriate support after sale. For payment firms, this means safeguarding arrangements must be accurately disclosed, outcomes must be tested to verify safeguarding operates as promised, and consumer complaints must be analysed to identify if safeguarding failures contributed to harm.

What is the APP fraud mandatory reimbursement requirement?

The mandatory reimbursement regime for authorised push payment (APP) fraud came into force on 7 October 2024. Payment service providers must now reimburse customers who fall victim to APP fraud in most cases, unless the customer acted with gross negligence. The reimbursement is capped at GBP85,000 per claim, and the cost is shared equally between the sending and receiving payment firms. This creates significant compliance and cash management obligations for payment institutions, and interacts with safeguarding by affecting the firm’s cash position and reporting to the FCA.

How often must firms reconcile safeguarded funds?

Under the Supplementary Regime (PS25/12), firms must reconcile safeguarded funds daily. Reconciliation must be completed on each reconciliation day (which the FCA defines as each business day unless the firm can justify a different frequency). Daily reconciliation is intended to ensure that discrepancies are detected and investigated within hours rather than days or weeks, enabling faster resolution and minimising the risk that a shortfall grows undetected.

When should I review my safeguarding arrangements?

All payment institutions and e-money institutions should review their safeguarding arrangements now, particularly if they have not done so since PS25/12 was published in August 2025. The Supplementary Regime came into force on 7 May 2026, so any firm that is not yet compliant faces immediate regulatory risk. Additionally, if the firm has experienced any cash position discrepancies, reconciliation failures, or disputes with its bank, a specialist review is essential to understand root causes and prevent recurrence. Changes to the firm’s customer base, business model, or banking arrangements should also trigger a safeguarding review.
