The FCA has published the long-awaited policy statement on the safeguarding regime (CASS 15). The rules announced are intended to minimise risk to consumers in the context of the growing size of the market, a large proportion of vulnerable customers and a lack of FSCS protection.
It’s safe to say that the policy statement reflects some welcome changes to its proposals originally outlined in CP 24/20. The FCA has specifically responded to concerns about proportionality and the possible pressure points firms and auditors are likely to find when implementing the rules.
One of the changes that firms will welcome is an extension of the implementation period from 6 months to 9 months. However, we would urge caution here – 9 months is still a very tight timescale for making the changes many firms will need.
Another key change relates to the ‘end state’ proposals that were included in the consultation. Key aspects of the proposals were the imposition of a statutory trust and requirements for relevant funds to be received directly into a relevant funds account. Concerns were raised by many in the sector around possible unintended consequences for firms. In light of this, the FCA has effectively pressed pause on this second phase, instead opting to take time for a full audit period to complete before assessing and consulting again. We shouldn’t assume that this means that the imposition of a statutory trust won’t happen in the longer term; we need to remember that the FCA is keen to make sure that the consumer protection issues caused by the Ipagoo judgement are ironed out.
Let’s look at what the new rules cover.
Safeguarding relevant funds
The proposed rules around when safeguarding obligations start and end were to be included in the end state regime, so they will be consulted on again at a later date, with the FCA updating the approach document to give more guidance in the meantime. As noted above, the FCA has also tempered its approach on the receipt of relevant funds, with there being no requirement in the new rules for relevant funds to be received directly into a safeguarding account. However, irrespective of how and where relevant funds are received, they will need to be allocated to individual consumers promptly.
Firms will be required to exercise due skill, care and diligence when appointing third parties to provide safeguarding accounts, manage relevant assets or provide insurance or comparable guarantees. This will need to be done at the outset of the relationship (or on implementation of the rules!) and revisited periodically thereafter. Similarly, diversification of relevant funds will need to be considered and periodically reviewed, ensuring that concentration risk is managed.
Acknowledgement letters will need to be in place for all safeguarding accounts before they are used, with the FCA providing a template for what the content of that letter must be. It’s important that firms take action on this quickly, because it can take time for the relevant banks to return the signed acknowledgement letter. Firms will also need to consider whether they might find additional challenges with overseas banks, which in our experience are sometimes reluctant to sign an acknowledgement letter.
Whilst firms will continue to be able to invest relevant funds into secure, liquid assets, there will still be a limited range of assets available for that investment. The FCA has stated that it has a low risk tolerance to broadening the type of assets that firms can invest in, but it’s possible they may revisit the list once the new rules are implemented.
Firms will also still be able to use the insurance or comparable guarantee method of safeguarding relevant funds, with a three-month lead time for renewals being introduced. Feedback from firms to the FCA noted that the lack of competition in the market makes it difficult for most firms to access this type of cover, making it a less attractive safeguarding method.
Books and records
The focus of many of the new rules is on ensuring firms maintain accurate books and records of relevant funds held at any point in time. An important note for firms operating both e-money and payments business is that records must be maintained and reconciliations carried out separately for each business line.
One of the controls that firms will use to verify the accuracy of books and records is internal and external reconciliations. These will be required at least once on each ‘reconciliation day’, which crucially does not include weekends and bank holidays, although firms can choose to perform them on non-reconciliation days, if appropriate. A standard or non-standard method of reconciliation can be used, albeit with auditor sign-off for any non-standard methods.
An important lesson that payments firms can learn from the investment CASS regime is the importance of using only internal records for your internal reconciliation. This means holding records of the amount of relevant funds you should be holding, as well as records of the balances on relevant funds accounts.
Resolution packs
Payments firms will need to maintain a Resolution Pack to ensure they are easily able to access all information that would be required in the event of insolvency. The pack will comprise information that firms will maintain elsewhere in the business, so it shouldn’t be a significant task to put one together.
Audits
Many payments firms will need to have a safeguarding audit carried out each year by a qualified auditor, with the resulting report being submitted to the FCA. However, the FCA has made a welcome allowance for the firms that hold only small amounts of relevant funds, with a threshold of £100,000 – if a firm has not been required to safeguard relevant funds above that amount at any time over at least the last 53 weeks, no audit will be required. The FCA notes that senior management will need to take care to ensure the firm carefully monitors whether an audit is required and acts accordingly. It’s safe to assume that the FCA will scrutinise the monthly returns it is also introducing to ensure that all firms that need an audit have submitted a report.
Firms will have a responsibility to ensure that the auditor has appropriate skill, resources and experience to undertake the audit. The feedback given to the FCA during the consultation raised concerns that firms would be limited to a small pool of auditors. However, from conversations we’ve had with the audit community, we don’t feel that is the case, with safeguarding audit expertise being found in many audit firms. Another important thing to note is that payments firms don’t need to use the same audit firm for their safeguarding audit as for their statutory audit, and the audit period doesn’t necessarily need to align with the financial year-end. From our experience with investment firms, this can increase flexibility for firms, which can give firms access to more cost-effective audit resource outside of normal audit cycles.
The timescale for submission of the first audit will be 6 months after the period end, with it reverting to the standard 4 months after the first audit period.
Firms that claim not to hold relevant funds can celebrate a small win as the FCA has removed the requirement for a limited assurance audit to be carried out. This has been done in order to ensure proportionality, noting the auditors have an existing obligation to report materially significant issues to the FCA under the PSRs and EMRs.
Regulatory reporting
Monthly safeguarding returns will need to be submitted to the FCA. The intention for these returns is to furnish the FCA with data on safeguarding risks, so they can appropriately target supervisory work. As part of preparing for compliance with the new rules, payment firms should make sure that they have a good framework for producing the returns. We often see investment firms making errors on their equivalent returns because of a lack of consistency in how the guidance is applied from one month to the next, or because of a fundamental misinterpretation of the guidance.
We’re here to help
The new rules will come into force on 7th May 2026. If you need help preparing for the rules, let us know. We can support you in carrying out a gap analysis and assessing your current arrangements against the new requirements. We can also provide training to your business, whether briefing your governing body on the risks they should be aware of or upskilling your operations teams to ready them for the new processes. We can also help you to build new processes and controls from scratch. We have a CASS and Safeguarding team with deep expertise and many years experience of working with payment services and e-money firms as well as investment businesses, insurance brokers and debt management firms. We take a pragmatic approach to implementing the rules and love to work with our clients to find the right approach for them to ensure regulatory compliance whilst achieving operational excellence and commercial success.
