From 7 May 2026, the Financial Conduct Authority (FCA) will introduce a new safeguarding regime under CASS 15, requiring most payment institutions and electronic money institutions to obtain an annual safeguarding audit.

For many firms, this will be the first time their safeguarding arrangements are subject to a formal external assurance opinion.

The changes form part of the FCA’s broader effort to strengthen customer fund protection and increase regulatory oversight of the rapidly expanding payments sector.

In this article we explain:

• What CASS 15 is

• Which firms must complete a safeguarding audit

• What auditors will review

• How payment firms should prepare for the FCA safeguarding audit regime

  
  

What Is CASS 15?

CASS 15 is a new section of the FCA Client Assets Sourcebook introducing a supplementary safeguarding regime for payment and e-money firms.

The rules are designed to protect “relevant funds”, which include:

• funds received in exchange for issued electronic money

• funds received for the execution of payment transactions

• funds received from other payment service providers on behalf of users

  
  

These funds must be segregated and safeguarded so that they can be returned to customers if the firm fails.

The new framework was introduced following concerns that weak safeguarding practices in failed payment firms led to delays in returning customer funds and significant shortfalls.

Which Firms Must Comply With CASS 15?

The safeguarding regime applies to most UK payment firms, including:

Firms within scope

• Authorised Payment Institutions (APIs)

• Authorised Electronic Money Institutions (EMIs)

• Small EMIs

• Credit unions issuing e-money

  
  

Potential exemption

Firms may be exempt from the safeguarding audit requirement if they have not been required to safeguard more than £100,000 of relevant funds during a continuous 53-week period.

However, the majority of regulated payment firms will fall within scope.

The New Mandatory FCA Safeguarding Audit

One of the most significant changes introduced by the FCA is the requirement for an annual safeguarding audit.

The audit must be conducted by an independent qualified auditor in accordance with FCA rules (SUP 3A).

In practice, this typically means an eligible statutory audit firm capable of providing a reasonable assurance opinion.

The safeguarding auditor must assess whether:

1. The firm maintained adequate organisational arrangements to comply with safeguarding requirements throughout the audit period, and

2. The firm was compliant with the safeguarding regime at the end of the audit period.

The resulting audit report is addressed to both:

• the firm’s board, and

• the Financial Conduct Authority

  
  

This provides regulators with direct assurance over safeguarding systems and controls.

Key CASS 15 Changes Firms Must Prepare For

The safeguarding audit requirement is only one element of the new regime.

The FCA is also introducing several operational requirements.

Daily safeguarding reconciliations

Firms may be required to perform D+1 reconciliations, comparing:

• the amount of relevant funds that should be safeguarded, and

• the balance actually held in safeguarding accounts.

  
  

These reconciliations must normally be performed every reconciliation day.

Monthly safeguarding reporting

Firms will be required to submit monthly safeguarding returns to the FCA, increasing regulatory oversight of safeguarding arrangements.

Resolution packs

Firms must maintain resolution packs that allow an insolvency practitioner to quickly:

• identify safeguarded funds

• reconstruct customer balances

• return funds to customers in the event of firm failure.

  
  

Third-party due diligence

The FCA expects firms to carry out ongoing due diligence on safeguarding banks and other third parties involved in safeguarding arrangements.

What Will Safeguarding Auditors Examine?

Safeguarding audits are designed to assess the entire safeguarding framework, not just accounting reconciliations.

Auditors will typically review:

Governance

• Board oversight of safeguarding

• defined safeguarding responsibilities

• three-lines-of-defence structures

  
  

Funds flow documentation

• mapping of payment flows

• identification of relevant funds

• segregation arrangements

  
  

Reconciliation controls

• internal reconciliations

• external bank reconciliations

• reconciliation timeliness and accuracy

  
  

IT systems

• safeguarding system configuration

• access controls

• change management

  
  

Breach management

• safeguarding breach logs

• escalation procedures

• reporting to the FCA

  
  

Insolvency readiness

• resolution packs

• record keeping

• ability to reconstruct customer balances quickly.

  
  

Auditors will apply professional scepticism, meaning breaches must be reported even where individually small.

Common Safeguarding Weaknesses Seen in the Sector

Industry reviews have identified recurring safeguarding issues, including:

• incomplete funds flow documentation

• incorrect segregation calculations

• delayed reconciliations

• missing bank acknowledgement letters

• weak safeguarding governance

• lack of approved wind-down plans

  
  

These areas are likely to become key regulatory focus points once CASS 15 audits begin.

A Practical Solution: CASS 15 Readiness and Audit

Many payment firms face a practical challenge under the new rules.

While consultants can help design safeguarding frameworks and controls, the mandatory safeguarding audit must be conducted by an independent qualified auditor.

To address this, K2 Regulatory Consultants has joined forces with an independent audit firm eligible under the FCA’s safeguarding audit requirements.

This collaboration allows K2 to provide firms with a fully integrated CASS 15 readiness and audit solution, including:

• CASS 15 gap analysis

• safeguarding control framework design

• governance, policies and control remediation

• audit readiness preparation

• coordination with an independent qualified auditor to perform the mandatory safeguarding audit

  
  

This joined-up approach enables payment and e-money firms to move efficiently from implementation and remediation through to formal audit assurance.

How Payment Firms Should Prepare Now

With the May 2026 implementation date approaching, firms should prioritise:

1. Conducting a CASS 15 gap analysis

2. Mapping relevant funds flows

3. Implementing daily reconciliation controls

4. Reviewing safeguarding bank arrangements

5. Preparing resolution packs

6. Strengthening safeguarding governance

7. Engaging with safeguarding auditors early

   
   

Many firms are already seeking to secure audit capacity ahead of the regulatory deadline.

The FCA safeguarding audit regime under CASS 15 represents a significant shift in regulatory expectations for payment institutions and e-money firms.

Safeguarding will become a formally audited operational control framework, requiring strong governance, accurate records and robust reconciliation processes.

Firms that begin preparing early will be far better positioned to meet regulatory expectations and demonstrate strong customer fund protection standards.