The safeguarding overhaul is finally here. Now termed ‘the supplementary regime’, the CASS 15 rules will be in play from 7 May 2026, giving payment and e-money institutions nine (better than the originally touted six) months to upgrade systems and controls. The ‘end state rules’ (now termed ‘the post repeal regime’) have been put on the long finger with the FCA promising further consultation.

This blog sets out key changes and what firms should do next.

 

What’s changing? Key features of the Supplementary Safeguarding Regime

The new rules introduce a number of critical changes to the safeguarding framework.

 
Annual safeguarding audits

All payment and e-money institutions will be subject to an annual audit by a ‘qualified auditor’,  except for those who hold less than an average of £100,000 in relevant funds. The FCA accept this is an extra cost but are keen to replicate the standardisation of audit output as per the current CASS audit requirements.

 

Reconciliations

Safeguarding reconciliations are mandatory on an at least once each “reconciliation day,” which excludes weekends and bank holidays. This is a proportionate change from the original proposal of every “business day,” addressing concerns from firms with complex, global business models.

 

Resolution pack

The FCA is sticking with its proposal to require each firm to maintain a detailed resolution pack. This is new terrain for most payment and e-money institutions as they have to be able to generate the specific documents and records within 48 hours of request and is likely to involve tech changes with development and testing lead times. Nonetheless, the FCA believes this “living document,” because it links to existing records, should not be an overly onerous requirement but important in the event of an insolvency.

 

Monthly regulatory reporting

From May, firms must submit a monthly regulatory return to the FCA detailing their safeguarding arrangements. The FCA has maintained the monthly frequency, despite concerns about the burden on smaller firms, arguing that it is a necessary and proportionate measure to facilitate targeted supervision and risk assessment.

 
Third party due diligence

Firms are used to undertaking due diligence on their safeguarding partners but from May, where the arrangements involve third parties, such as other payment or e-money institutions, these too must be subject to periodic review of their suitability.

 
Insurance and guarantees

Payments firms using insurance policies or comparable guarantees for safeguarding must ensure there are no conditions or restrictions on payouts, other than the certification of an insolvency event.

 
What this means for firms?
The good – clarity, consistency and a level playing field

The current regime’s minimalistic rules, which has been supplemented by written guidance from the FCA over the years, is a constant source of strain for payments firms who have sought greater clarity on requirements and expectations. Th greater detail should level the playing field somewhat, making it fairer for firms that were already following robust practices.

Importantly, the FCA has listened to industry feedback, making sensible amendments like allowing non-standard reconciliation methods for complex firms and introducing the audit threshold (under £100,000) to ease the burden on smaller (very small) players. The extended implementation period is also a welcome and positive step to prepare systems, processes and audit engagements.

 

The bad – operational and cost impact

The most significant adverse impact will be potential increased operational costs and resource constraints for many firms, particularly smaller ones.

The monthly reporting requirement, the new audit requirement and the development of a resolution pack will all involve additional cost.

The FCA acknowledges that these costs could lead some firms to exit the market, but considers that this risk is outweighed by the benefits of what it sees as enhanced consumer protection and greater market integrity.

 

The areas to watch – where things don’t quite make sense

While the FCA has made improvements, some areas remain challenging to fully unpack. The definition of “materiality” for record-keeping notifications has not been fully clarified, leaving firms to interpret this on a case-by-case basis, as things stand. The context is that the regulator sees this as acceptable currently under the current CASS regime, but for EMIs and PIs fresh to the approach, this could cause teething issues with quality and consistency.

The lack of a standardised format for reconciliations, while understandable given diverse business models, may also create some uncertainty and a potential for misinterpretation; a lingering issue from the prior framework.

The Post-Repeal Regime, which would have introduced a CASS-style statutory trust, has been shelved for now due to industry concerns, but its eventual re-emergence remains a possibility and an uncertainty.

 

What you need to do now 
  • Conduct a safeguarding health check. Review existing safeguarding practices – reconciliation processes, structures and documentation against new requirements.
  • Start preparing your resolution pack. Treat this as an active, maintained resource, not a one off document.
  • Build internal capacity for regulatory reporting. Ensure your systems support timely and accurate submissions. 
  • If you use the insurance method, plan ahead. Make sure you know when it expires and have a mitigation plan in place. 
  • Review third party safeguarding arrangements. Audit agreements and renegotiate if required.
  • Audit status. Speak with your auditors and consultants to put a plan in place.

In conclusion, the new Supplementary Regime represents a significant step forward in making the UK’s payments and e-money sectors safer. Firms must use the nine month implementation period wisely to review their internal processes, update systems, and ensure they are fully compliant with the new, more prescriptive rules. Failure to do so could lead to supervisory action, including formal interventions and restrictions.

 

How fscom can help

At fscom, our safeguarding specialists combine deep regulatory insight with hands on experience supporting payments and e-money institutions. We don’t just interpret the rules—we work with firms to embed safeguarding practices that are practical, resilient, and aligned with FCA expectations.

Whether you’re preparing for the new requirements under PS25/12 or strengthening existing arrangements, we help you design, review and operationalise safeguarding frameworks that are audit-ready, regulator-proof, and tailored to your business model.

At fscom, our safeguarding audit and advisory teams combine deep regulatory insight with hands on experience supporting payments and e-money institutions. We work with firms to embed safeguarding practices that are resilient, audit ready and aligned with regulatory expectations. Get in touch with our safeguarding specialists today.