Embedding CASS 15 safeguarding compliance for payments and e-money firms

In August 2025, the FCA published its long‑awaited policy statement PS25/12, following its consultation paper CP24/20. These reforms include the introduction of the new CASS 15 sourcebook. The new safeguarding rules for firms confirm sweeping changes to the regime for payments and e‑money firms.

Rather than treating compliance as a one‑off project, the focus is on how to embed daily reconciliations, keep a living resolution pack, strengthen third‑party oversight and automate monthly reporting with clear ownership and evidence.

To meet the new requirements, firms need to address several issues in their operations:

• Fix the cadence and point‑in‑time: Run reconciliations at a consistent, documented time each reconciliation day (excluding weekends, UK bank holidays and relevant foreign market closures), aligning internal and external reconciliation points to reduce timing mismatches
• Standardise the method: Where you use non‑standard reconciliation methodologies (such as complex multi‑currency sweeps), document the method and obtain independent approval
• Engineer the break lifecycle: Implement a central break log, with root‑cause codes, SLAs for clearance, and automated alerts for aged or material breaks. Review trend management information (MI)  weekly and escalate persistent themes to governance forums 

CASS 15 moves reconciliation from guidance to codified rule. Firms that hard‑wire their time windows, approval routes and MI create predictable evidence for both the FCA and auditors. It also assists with highlighting issues before they become shortfalls.

• Automate population: Maintain a CASS resolution pack (CASS 10A) that pulls authoritative data (accounts, agents and distributors, safeguarding flows, policies, contracts etc.) from source systems rather than spreadsheets
• Drill for 48-hour readiness: Run quarterly 48-hour recovery drills to prove you can produce all artefacts within regulatory expectations, including bank confirmations, safeguarding account details and fund flow maps
• Govern the updates: Build resolution pack refresh into operations; after new products, third-party changes or account openings, require evidence of resolution pack updates as part of change closure

In the event of a firm failure, delays and losses usually stem from uncertainty over where safeguarded funds are held and how they have been managed or transferred. The FCA expects immediate, evidence‑based traceability.

A resolution pack that is both current, regularly tested, removes ambiguity, proves effective control and enables regulators or insolvency practitioners to execute an orderly wind‑down quickly and with minimal disruption.

• Quarterly pre‑audit sprints: Run short, focused review cycles that sample transactional evidence, tie reconciliations back to bank confirmations and verify that reconciliation methods, sign‑offs and dating are complete and audit‑ready
• Clarify the audit perimeter: Confirm your qualified auditor status and scope, note any exemptions (e.g. average relevant funds less than £100k across 53 weeks) and align timelines (first report due for submission six months after period end, then four months thereafter)
• Close the loop: Convert audit findings into tracked actions with owners, due dates and governance reporting until closure

CASS 15 standardises safeguarding audits to raise quality and comparability. Getting, and staying, audit-ready all year round reduces the likelihood of any end- period disruption and avoids repeat findings. 

• Design for “right first time”: Build a repeatable workflow for the monthly safeguarding returns that includes clear data lineage, fully reconciled inputs, an approval step where one person prepares and another independently reviews and signs off, and controls to manage any late changes before submission
• Data quality (DQ) rules: Implement automated DQ checks for completeness, thresholds (eg large variances vs prior month) and reconciliation to general ledger and bank statements
• MI alignment: Mirror FCA data fields in internal dashboards so issues surface before submission

Monthly reporting gives the FCA a lens on risk. Firms that industrialise data controls can evidence accuracy and avoid remediation cycles. 

• Risk-based due diligence: Maintain structured onboarding and periodic reviews for all safeguarding counterparties (banks, EMIs, payment partners, insurers and guarantors). Include financial resilience, operational controls, legal terms and exit plans
• Contract hygiene: Ensure insurance or comparable guarantees have no payout restrictions other than certification of insolvency; document verification and renewal checks
• Continuous monitoring: Use key risk indicators for settlement delays, reconciliation discrepancies and service-level breaches; escalate to governance forums with agreed remediation paths

Weak third‑party management has repeatedly been identified as a failure point under the existing payment services and e‑money safeguarding rules, where firms have lacked clear evidence of counterparties’ suitability, contract robustness or ongoing monitoring.

Under the new CASS 15 safeguarding regime, the FCA makes explicit that firms must maintain documented, ongoing oversight of banks, EMIs, insurers and any other safeguarding counterparties, not to just carry out checks at onboarding. Strengthening oversight end‑to‑end reduces dependency risk and helps ensure counterparties do not become a source of consumer harm during stress or wind‑down.

• Single source of truth: Refresh safeguarding policies to reflect CASS 15 changes (daily reconciliations, monthly returns, resolution pack, third party oversight), and cross reference procedures, RACI charts and system workflows
• Governance rhythm: Put safeguarding on board agendas with supporting MI on breaks, reconciliations, third party issues, audit actions and reporting quality. Be clear on what information is needed, to enable informed challenge and documented decisions. Also, ensure audit trails from governance discussions are well maintained

Firms that treat policies as operating manuals, not shelfware, reduce ambiguity and shape consistent behaviours across teams and locations. 

• Role-based training: Build targeted learning for operations (break management), finance (reconciliation design, ledger tie-outs), product management (change impact), compliance (reporting and policy) and senior managers (oversight duties)
• KPIs and incentives: Embed safeguarding KPIs into objectives, from reconciliation timeliness to audit finding closures, to reward the right behaviours

CASS 15 is as much about culture and competence as it is about rules. Staff understanding what safeguarding is and why it is important, as well as training that maps to job tasks, is what changes outcomes on the ground. 

• Safeguarding impact assessments: Require impact analysis and control sign off for any product, system or process change affecting fund flows, account structures or reconciliation logic
• Gatekeeping: Make compliance/finance cosignatories for go live; post-deployment, verify that reconciliations run correctly and MI/reporting remains accurate

Many safeguarding failures emerge after change. A disciplined change gate prevents degraded controls from slipping into business-as-usual practice. 

• Automate reconciliation pipelines: Reduce manual reconciliations for volume, multi-currency and high velocity flows; implement exception routing and dashboards
• Document management: Use controlled repositories for policies, procedures, reconciliations and audit evidence with immutable logs and version control

The May 2026 deadline may feel distant, but tooling lead times (selection, build, testing, go live) are real. Early investment prevents bottlenecks and improves control quality.

• Set the tone and hold the line: Assign clear responsibility, demand MI that enables challenge (breaks, trends, DQ issues, third- party risk, audit status) and require periodic demonstrations (e.g. resolution pack drills)
• Resource appropriately: Ensure teams and systems are sized for daily reconciliations, monthly reporting and continuous monitoring, not just project-mode compliance

The FCA’s reforms are a clear signal of its intent to raise standards and protect consumers in the payments and e-money space. Firms that act early will not only reduce compliance risk but also position themselves as trusted providers in a more demanding regulatory environment.

Whether you’re a payments or e-money firm looking to strengthen your safeguarding arrangements or preparing for increased regulatory scrutiny, we’re here to help. We support organisations in implementing both interim and end-state safeguarding requirements, ensuring you have the right expertise at every stage.