Safeguarding: How Payment and E-money Firms Can Stay Compliant with CASS 15

If you run an e-money institution (EMI) or payment institution (PI), one of your primary responsibilities is to ensure that clients’ funds are safe and separated from the operational funds of your organisation. Financial regulations are necessary to protect client funds and market integrity. Following insolvencies like Ipagoo in 2019, which revealed an average shortfall of 65% in funds owed to clients, the Financial Conduct Authority (FCA) is prioritising and strengthening safeguarding measures.

By May 2026, when the FCA’s supplementary safeguarding regime (PS25/12) begins, affected firms will need to carry out mandatory daily reconciliations, submit monthly returns to the FCA, comply with annual safeguarding audits and be able to retrieve CASS 10 Resolution Packs within 48 hours' notice.. 

For most firms, manual processes will be insufficient to comply with the new regime. By automating your daily workflow, you can gain the speed, accuracy, and transparency needed to be compliant.

TL;DR: Safeguarding: FCA Requirements for May 2026

• By May 2026, the FCA’s supplementary safeguarding regime will commence.
• Payment institutions, e-money institutions, small e-money institutions, and credit unions that issue e-money in the United Kingdom will be affected.

• These impacted institutions must
  
  • conduct daily internal and external  reconciliations
  • safeguard customer funds within a day
  • file monthly safeguarding returns
  • Carry out annual audits, having safeguarded £100,000 or more that year.
• Some operational challenges firms face in staying compliant include manual reconciliations, fragmented systems and data silos, a shortage of audit-ready information, and the risk of non-compliance or suspension.
• Some safeguarding best practices are to
  
  • Identify and separate relevant funds 
  • Build stronger governance, systems and controls 
  • Diversify third parties 
  • Automate reconciliation processes 
• Compliance can increase stakeholder trust in your brand, help you gain market share, increase your product offering, and even lower the cost per transaction.

The Countdown to Compliance

By May 2026. EMIs and payment institutions in the UK will operate under a more stringent regulatory framework. They’ll need to maintain accurate, up-to-date financial records, meet daily internal and external reconciliation requirements, submit monthly safeguarding returns, and conduct annual safeguarding audits. 

These changes became necessary given:

• The rising use of payment firms by UK consumers (including vulnerable demographics). 10% of UK-based e-money account holders transact mainly with their e-money account.
• The increased volume of safeguarded funds by EMIs (£26bn in 2024, up from 11bn in 2021)
• A 65% shortfall in funds owed to clients between Q1 2018 and Q2 2023 by insolvent firms
• The Financial Services Compensation Scheme (FSCS) only protects clients' funds when the safeguarding bank of a payment firm fails, and not when the payment firm itself fails. 

These trends underscore the FCA’s need to ensure that EMIs and payment firms adequately protect clients' funds. So, from May 2026 onward, safeguarding will be compulsory. To remain compliant without increasing headcount, impacted firms need to embrace automation and professional support.

What’s Changing Under CASS 15

The FCA's reviewed safeguarding policy requires payment institutions and EMIs to: 

• conduct daily payments reconciliation
• safeguard customer funds upon receipt or before the day ends
• file monthly safeguarding returns
• conduct annual audits having safeguarded £100,000 upward that year.

Who will be impacted?

The updated safeguarding policy will apply to payment institutions (except those that solely provide payment initiation services or account information services). Such institutions do not hold client funds but only facilitate payments and provide account-related data. 

It will also impact authorised e-money institutions, small e-money institutions and credit unions which issue e-money in the United Kingdom.

Firms in the European Economic Area (EEA) that are in supervised run-off under the financial services contracts regime are also impacted. However, these changes don't apply to payments firms subject to unsupervised contractual run-off. 

Daily Internal and External Reconciliations

Payment firms and EMIs must reconcile balances (either ledger balances - tracking bank account balances; individual client liability balances; or bank statements that bring in designated safeguarding accounts' balances) at least once per reconciliation day. Unlike in the previous proposal, which required reconciliation every business day, reconciliation days exclude weekends, days when relevant foreign markets are closed, and bank holidays. 

Additionally, the Daily D+1 segregation requirement obliges firms to compare the amount of funds that should be in a safeguarded account with the amount actually held in that account. The payment institution or EMI must correct any shortfalls, using the relevant funds or its own funds. Conversely, excess funds must be withdrawn.

Growing companies can meet these compliance requirements with automation. Automated reconciliation software pools transaction data from multiple sources in real time, recording transactions simultaneously. It can calculate safeguarding requirements, initiate segregation transfers to safeguarding accounts, and leave audit trails in a single day.

Annual Safeguarding Audits

Payment firms that have safeguarded up to £100,000 at any point in the year are obliged to appoint an independent professional auditor to conduct yearly safeguarding audits. This audit assures the FCA that the firm has set sufficient systems to safeguard client funds and complies with the new safeguarding rules.

Monthly FCA Reporting and Resolution Packs

Payment firms and EMIs must submit a new monthly safeguarding return to the FCA. The return should include whether shortfalls were recorded during ongoing reconciliation and steps taken to rectify them.

Payment firms are required to maintain a resolution pack (CASS 10A) that includes documents and details necessary to ensure the timely return of client funds during insolvency. The resolution pack should contain: 

• A master document with adequate information to retrieve each required document in the resolution pack.
• Details of all banking partners and custodians holding safeguarded funds.
• Details of directors and key personnel responsible for safeguarding funds.
• Details of agents and third parties involved in handling or distributing safeguarded funds.
• Records of the firm's internal and external reconciliation related to safeguarded funds.
• Client contracts that relate to safeguarding.
• A document containing the firm's safeguarding procedures and policies.
• All records required to differentiate relevant funds from firms' operational funds at any point in time.

“The FCA is tightening expectations, and firms with weak controls almost always end up firefighting. The ones that stay out of trouble are those with consistent reconciliation logic, clear procedures, and a culture where issues are raised early instead of buried.”

Emre Eryilmaz, BDM at Aurum Solutions

Table: FCA Safeguarding Rules (Pre vs Post May 2026)

The Operational Reality: Why Firms Are Struggling

The new safeguarding policy means payment firms will become more reliable and effective at protecting client funds. However, they face some operational constraints.

In some cases, these constraints stem from the firm's internal structure, system of operations, and flow of information. Firms with data silos and manual reconciliation processes might struggle more to comply with the new safeguarding policies than firms that use automation to speed up, collate and standardise financial record-keeping and reconciliation.

• Manual reconciliations:

Meeting daily internal and external reconciliation requirements for clients' funds, as well as monthly safeguarding returns, is difficult with manual systems. Staff will spend hours manually inputting paper records into software or transferring data between systems. Plus, the firm might need to hire more talent.

•  Fragmented systems and data silos:

Some firms store data in separate systems and in formats that are incompatible with other datasets. This can spiral into issues such as inconsistent, inaccurate, or incomplete datasets and duplicate data entries.

Such errors also compound reporting delays, as time spent manually pooling data across systems slows work and delays meeting reporting deadlines.

Additionally, these records differ in format, making it hard for payment firms to obtain a complete and up-to-date picture of clients' funds and to segregate them from the institution's own funds.

• Shortage of audit-ready information:

Some payment firms have poor audit preparation practices and lack complete audit trails, thereby failing to meet compliance requirements. Firms need accurate, complete and audit-ready records of relevant fund transactions to maintain resolution packs and support annual independent audits as stipulated by the FCA.

• Risks of non-compliance or  suspension:

EMIs and payment firms that fall behind the FCA’s safeguarding deadlines risk paying fines of thousands to millions of pounds, licence suspension, and irreparable reputational damage.

“Most teams aren’t fully clear on what the rules actually require, so they end up spending a lot of time and money trying to decode the guidance. The firms that get ahead are the ones willing to go beyond “just enough” and build processes that mirrors CASS 7 because once safeguarding is treated with that level of discipline, everything becomes clearer and far more robust”

Emre Eryilmaz, BDM at Aurum Solutions

Building a Compliant Safeguarding Framework

Here are some step-by-step best practices to align payment firms and EMIs with FCA expectations.

• Identify and Segregate Relevant Funds

The FCA expects PIs and EMIs to use the Payment Services Regulations (PSR) and Electronic Money Regulations (EMR) definitions to identify relevant funds based on their activities and products.

According to the PSR, relevant funds are

• sums received from, or for the benefit of, a payment service user for the execution of a payment transaction
  
  • For example, £500 received by a PI or an EMI from a payment service user who wants to pay a supplier through its payment platform 
• sums received from a payment service provider for the execution of a payment transaction on behalf of a payment service user
  
  • For example, £1,000 received from another payment provider to process a customer's cross-border payment is 'relevant funds'

If you run a PI or EMI, make sure you transfer client funds to their safeguarding account you have a D+1 window to segregate/move funds to designated safeguarded accounts (DSAs), or allocate them to clients (if those funds come in as 'unallocated', in which case they still need to be treated as part of the safeguarding requirement).

“In no circumstances should such funds (safeguarding funds and operational funds) be kept together overnight.” — FCA

• Strengthen Systems, Controls, and Governance

The FCA requires payment firms and EMIs to keep records that show and explain safeguarding compliance. You must also document the rationale behind safeguarding processes, systems and controls. Some records you should keep include:

• Safeguarding Procedures: The safeguarding method used (segregation vs insurance), reasons behind the choice, conditions for review or change.
• Fund Classification Procedures: Your firm's process for identifying relevant funds and its escalation procedures for unclear cases.
• Reconciliation Procedures: Daily reconciliation and monthly safeguarding return processes, key personal involved in the safeguarding process, including a designated Safeguarding Officer ,remediations to breaks and breaches alongside evidence, response to discrepancies, and sign-off requirements.

Also, set up control matrices and maintain comprehensive audit trails. Audit trails should include: 

• timestamp of when funds were received
• segregated account details
• date/time reconciliation was performed
• balanced accounts or discrepancies
• corrective actions taken

Consider automating your safeguarding procedures to simplify and speed up audit trail records.

“We found that firms that had documented their rationale for safeguarding decisions were generally more likely to be safeguarding appropriately.” — FCA

“Best practice comes down to three things:

• Daily, transparent reconciliations that stand up to scrutiny
• Safeguarding procedures that everyone, not just auditors can understand
• A CASS mindset, even if you’re not technically under CASS 6 & 7

Strong safeguarding isn’t luck. It’s built intentionally with frameworks that remove ambiguity rather than create it.”

Emre Eryilmaz, BDM at Aurum Solutions

• Oversee third parties and avoid concentration risk

PIs and EMIs will be held responsible for ensuring that third parties segregate funds upon receipt or within one day. You should decide whether to diversify third-party holding clients’ segregated funds. 

When considering diversifying these third parties, ask:

• Should we open accounts at different banks?
• Should we limit how much money we allocate to companies within the same corporate group?
• Does our business model create specific risks that require more diversification?
• What are the current market conditions?
• Have we found any concerns in our checks on the third parties we use?
• Are there concentration risks if one bank or provider holds too much of our customer funds?
• Do we have the systems to manage relationships with multiple third parties?
• Automate for Assurance and Efficiency

To stay ahead of the FCAs' regulatory timelines, you'll need to automate reconciliation and journal entry tasks. Reconciliation software like Aurum’s reconciliation automation solution 

• speeds up reconciliation by automatically collating and categorising transaction data from multiple sources.
• reduces manual work and frees up your team to focus on strategy and other important tasks.
• surfaces exceptions which let you rectify errors before they escalate.
• and provides detailed audit trails. This eases preparation for audits.

“A central system that automates the above daily safeguarding processes, and aggregates all relevant information in one place with adequate and fully auditable segregation of duties enforced, will go a long way in avoiding compliance headaches and inefficiencies that would be costly for Payment Firms. The FCA has been revoking licences at a faster rate this year compared to prior years, and with the new rules coming in, Payment Firms need to adapt quickly and efficiently to avoid facing a similar fate."

Clément Bourcart, Head of Product at Aurum Solutions

Turning Compliance into Competitive Advantage

Compliant payment firms and EMIs build trust with key stakeholders, such as customers, regulatory bodies, and shareholders. This means lower churn, faster FCA approvals, and access to better banking partners. 

Maintaining real-time reconciliation procedures and financial transparency reduces the cost per transaction by increasing speed and eliminating the need for additional headcount or overtime. Lastly, being compliant supports the FCA's consumer duty outcomes.

Automation in Action

To expand services to the UK, DOO Clearing, a FOREX/CFD Liquidity Provider, needed to comply with the FCA’s CASS (and CMAR) regulations. It wasn’t feasible to manually calculate client money daily across different systems, conduct internal and external reconciliations, and maintain audit-ready record keeping.  

DOO Clearing found Aurum, our powerful reconciliation software, which helps the company complete end-to-end reconciliations in 10 minutes. It has saved 2 hours daily (92% less time spent on reconciliation) by automating the process.

Prepare now, and be audit-ready

Don’t wait till you’re out of time to start preparing for the FCA’s 7 May 2026 deadline. Plan your safeguarding processes, speak with our reconciliation experts and book a demo with Aurum today.