Changes to the safeguarding regime for payment firms – the test of time

The Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs) established the current safeguarding framework for Payment Firms, which is intended to ensure the protection of customer funds when Payment Firms fail. This is particularly important because if a Payment Firm fails, Payment Firms' customers cannot access the Financial Services Compensation Scheme.

This new policy statement sets out the FCA's response to its earlier consultation (CP24/20) (published in September 2024 and summarised here) and the associated feedback on its proposed 'interim rules' and 'end-state rules' now referred to as the Supplementary Regime and Post-Repeal Regime respectively. 

A number of factors led to the FCA's consultation:

• The FCA has serious concerns with deficiencies in Payment Firms' compliance with the current safeguarding framework. In CP24/20, the FCA noted that it had seen an increase in the number of firms with safeguarding issues and that the average customer fund shortfall where Payment Firms failed between Q1 2018 and Q2 2023 was 65%. The government's 2023 review and call for evidence on the PSRs also noted shortcomings in safeguarding rules.
• The FCA is particularly concerned if a large Payment Firm with inadequate safeguarding practices failed, the resulting consumer harm could be very far-reaching and have adverse consequences for vulnerable consumers.
• Legal uncertainty, which was introduced when the Court of Appeal found against the FCA's arguments in Ipagoo in 2022, where it held that there was no statutory trust over relevant funds.

In February of this year, the FCA reiterated its concerns regarding lack of robust safeguarding practices in its 2025 portfolio letter to Payment Firms. More recently, it published a multi-firm review, which drew attention to deficiencies in risk-management and wind-down planning in Payment Firms.

PS25/12 follows extensive stakeholder engagement and 85 responses from Payment Firms, advisory firms and industry bodies alike. 

The Supplementary Regime, which will be effective from 7 May 2026, introduces Rules covering improvements to three key areas: 

• books and records requirements
• monitoring and reporting
• safeguarding elements

We discuss each area in further detail in the sections below.

The Rules, along with associated guidance, will be contained in CASS 10A, CASS 15, SUP 3A, SUP 16.14A and the updated Approach Document, and will sit alongside the requirement to deliver good outcomes under the Consumer Duty.

The FCA has listened to the concerns raised in response to CP24/20 relating to the then end-state rules (and now Post-Repeal Regime proposals). The good news for Payment Firms is that for now it has decided to delay further work on this regime, which included proposed rules requiring:

• The receipt of relevant funds directly into relevant funds bank accounts (with exceptions applying).
• The imposition of a statutory trust over relevant funds.
• Payment Firms to no longer rely on agents and distributors to segregate funds on their behalf.

According to PS25/12, the FCA will not consult on the Post-Repeal Regime earlier than Q4 2027 (after a full-audit period following the implementation of the Supplementary Regime). Ultimately the transition to the Post-Repeal Regime will depend on the government's approach to revoking the PSRs and the EMRs.

We also await the FCA's consultation on the Payments and Electronic Money Special Administration Regime, which was established by the Payment and Electronic Money Institution Insolvency Regulations 2021.

Reconciliations

• Payment Firms will have to perform internal and external reconciliations at least once each day (other than on weekends, public holidays and days when relevant foreign markets are not open). 
• The Supplementary Regime builds upon the existing Approach Document guidance related to reconciliation methods. Where the balance in the safeguarding account is lower than what should be in the account, the shortfall should be topped up with relevant funds where possible and, if not, with own funds.
• Payment Firms seeking to use a non-standard internal safeguarding reconciliation method must first document how this method will fulfil their obligations under the Rules. An independent auditor must review the method and provide written confirmation that it meets the Payment Firm's obligations.

Resolution Packs

• Payment Firms must create and maintain a CASS resolution pack, which must be reviewed on an ongoing basis to ensure that it remains accurate. Inaccuracies must be updated promptly. 
• The Payment Firm's governing body must also receive annual reports on its compliance with the resolution pack requirements. The documents related to the resolution pack must be retrievable within 48 hours. 

Allocation of Funds

• Pending client allocation, Payment Firms must record relevant funds as 'unallocated relevant funds'. Where funds are not identifiable to a client, they must be recorded as 'unidentified relevant funds'. 

What does this mean for Payment Firms?

Payment Firms will need to ensure that they can meet the reconciliation requirements in accordance with the new Rules.

Although respondents to CP24/20 asked for clarity on the types of data they may use for internal reconciliations, the FCA did not provide it. Instead, the FCA noted that it will be for Payment Firms to decide which data sources are appropriate for their circumstances. Payment Firms will therefore need to ensure that their respective auditors are comfortable with the data they propose to utilise when performing internal reconciliations. 

The most effective resolution packs tend to be 'living documents'. For Payment Firms not familiar with CASS resolution packs, adopting this approach will benefit from a reduced effort in keeping them up to date. We expect many Payment Firms to invest in external support or internal staff to draft such packs.

The introduction of the 'unidentified relevant funds' concept is novel for Payment Firms and will likely require product and engineering modifications to ensure proper classification of funds that cannot be immediately identified.

Annual safeguarding audits

• In order to help Payment Firms identify breaches, a qualified auditor must conduct an annual audit of safeguarding compliance. The safeguarding auditor may, but does not have to be, the same auditor as a Payment Firm's statutory auditor.
• The period covered by a safeguarding report must not end more than 53 weeks after the period covered by the previous report, or after the Payment Firm becomes subject to the Rules. 
• A Payment Firm can choose whether it wishes to align its audit period to its financial year end.
• If a Payment Firm did not safeguard over £100,000 of relevant funds at any point during a 53-week period, it will not be required to arrange a safeguarding audit. Other Payment Firms, such as small payment institutions (amongst others), are also exempt from the requirement to arrange a safeguarding audit.
• The first safeguarding audit report must be submitted to the FCA six months following the end of the Payment Firm's audit period. Thereafter, audit reports must be submitted to the FCA four months following the end of the audit period. The report submitted to the FCA must follow the prescribed format.

Monthly safeguarding return

• Payment Firms will be required to submit a new monthly return, which covers many areas of safeguarding arrangements from the safeguarding resource and requirements to amounts of safeguarded funds held over the period. 
• Payment Firms will also be required to confirm whether any notifiable circumstances arose and whether they complied with the notification requirements.

Safeguarding director or senior manager

• Payment Firms must appoint a director or senior manager with sufficient skill and authority to oversee operational compliance of safeguarding arrangements. This individual must report to the Payment Firm's governing body. 

What does this mean for Payment Firms?

The initial period of six months following the end of the audit period to submit the audit report to the FCA will alleviate some concerns over audit capacity, as identified by the FCA. Additionally, it will provide Payment Firms with slightly more time to work with their auditors through the new Rules. Notably, the FCA and Financial Reporting Council are jointly working on introducing an auditing standard. 

Relatedly, Payment Firms must appoint an auditor that is eligible for appointment under the Companies Act 2006. Fewer auditors will therefore be eligible for appointment. In our view, there is a real risk that this will lead to higher costs for Payment Firms and the lack of competition also risks the limitation of opposing viewpoints resulting in the entrenchment of conservative interpretations of the Rules.

Payment Firms should become familiar with the monthly safeguarding return form and ensure that they are sufficiently resourced so that they have the capacity to extract data from their systems and populate the returns in a timely manner. 

While the introduction of the individual responsible for safeguarding is not the imposition of the Senior Managers and Certification Regime on Payment Firms, it is a marked step in that direction. We encourage Payment Firms to select individuals to fulfil this role that possess both the skill and experience. Any skill or experience gaps should be addressed with appropriate training.

Due diligence and diversification 

• Payment Firms must act with all due skill, care and diligence when appointing or periodically reviewing third parties that manage or hold relevant funds or assets, or which provide insurance or comparable guarantees.
• The FCA introduced rules on diversification related to these third parties without change, but with additional guidance. For example, Payment Firms will now have to consider whether, among other factors, it should deposit relevant funds at several approved banks and consider market conditions at the time of reviewing a third party.

Acknowledgement letters

• Payment Firms will be able to continue to rely on acknowledgement letters, provided by authorised credit institutions and custodians that safeguarding relevant funds, which were obtained before 7 May 2026. 
• Upon renewal and at least annually, Payment Firms must ensure that acknowledgement letters comply with the Rules, which includes ensuring letters contain the prescribed wording, which is broadly similar to the current Approach Document wording.

Secure, liquid Assets

• Payment Firms will be able to invest relevant funds in the same range of secure, liquid assets as they currently can, but will be subject to further requirements. For example, there must be a suitable spread of investments. Furthermore, investments must be made in accordance with an appropriate liquidity strategy and credit risk policy. Any foreign exchange risks must also be prudently managed. 

Insurance policies and comparable guarantees

• Other than the certification of the occurrence of an insolvency event, no conditions or restrictions on safeguarding insurance policies and comparable guarantees paying out are permissible.
• There must be a contingency plan at least three months before a safeguarding insurance policy or comparable guarantee expires. If Payment Firms do not have a replacement policy/guarantee or renewal in place at this point, Payment Firms must be ready to safeguard relevant funds via the segregation method.

What does this mean for Payment Firms?

The due diligence and diversification Rules largely build on the rules that Payment Firms will be familiar with. However, against the backdrop of the broader Rules, Payment Firms can expect to be held to a higher standard by their respective auditors. Therefore, as outlined in the Rules, Payment Firms should keep accurate and up-to-date records of deliberations and decisions relating to the due diligence and diversification of third parties. 

Authorised credit institutions and custodians often want to negotiate and make changes to the wording in the draft acknowledgement letter contained in the current Approach Document. Payment Firms will need to implement processes to ensure that no changes are made to the fixed text set out in the Rules and that letters are updated at least on an annual basis. 

Payment Firms may continue to invest relevant funds in the same range of secure, liquid assets. As with the Rules on due diligence and diversification, Payment Firms will be subject to more rigorous requirements when doing so. Accordingly, Treasury- and other related teams should consider whether they have the skills and expertise to comply with these additional requirements and whether they need to consider further investment in training or personnel. 

The FCA has said that it considers the three-month lead period sufficient to address the risks posed to client funds where funds may not be adequately protected when an insurance policy or guarantee ends. Therefore, no later than three months before a policy or guarantee expires, Payment Firms will need to consider, for example, whether they intend to continue using the insurance or guarantee method of safeguarding, whether they intend to move to the segregation method or take other appropriate action. Payment Firms will also need to consider their associated notification obligations. 

Leadership teams should be briefed so that resources can be made available to ensure that personnel, systems and controls are ready for the Supplementary Regime's effective date of 7 May 2026.

Payment Firms will want to make sure they get this right. When compared to the current safeguarding rules, the Supplementary Regime exposes Payment Firms to greater ongoing scrutiny. For example, Payment Firms will be submitting monthly returns, which will flush out their own breaches from the data submitted.

As we transition to the Supplementary Regime, Payment Firms will also want to ensure that they appoint the most appropriate auditor for their business. For example, if a Payment Firm offers more complex or unusual payments and e-money products, it will want to ensure that its respective auditor understands, or is willing to invest time in understanding, those products. Relatedly, Payment Firms should engage early with their auditors about their auditors' expectations. For example, they should ensure that there is mutual consensus as to what constitutes internal data for the purposes of an internal reconciliation.

The FCA clearly recognises that compliance with the Supplemental Regime alone will require significant amounts of work. For example, it has extended the implementation period for the Supplemental Regime from six months to nine months. It has also extended the first period before audit reports must be submitted to the FCA to six months (the period will be four months thereafter). We expect that the FCA will have very little patience for non-compliance with the Supplemental Regime because Payment Firms will have had more time to build their systems and controls and work with their auditors to get it right. We may well see more enforcement in this area.

To conclude on a brighter note, if Payment Firms can demonstrate their compliance with, and the effectiveness of, the Supplementary Regime, the likelihood that the Post-Repeal Regime will be implemented may be reduced. As reflected in PS25/12, if the Post-Repeal Regime is not implemented, Payment Firms could avoid having to decouple their UK operations from their global operations thereby potentially saving on costs, risks, complexity and disruption.