FCA Safeguarding Rules Go Live: Payment and E-Money Firms Enter a More Demanding Era

Written By Gordon Spencer

How AnyAccount Helps

At AnyAccount Ltd, we support FinTech start-ups and scaling businesses with:

  • Regulatory and compliance strategy

  • Governance frameworks for regulated firms

  • Authorisation and regulatory engagement support in the US, UK & EU

  • Operational infrastructure and control design

  • Accounting, finance and reporting frameworks

  • Scalable compliance monitoring and risk management systems

If you would rather build a business that is regulator-ready from the start, instead of retrofitting controls after the questions arrive, speak to us. We help FinTech firms put the right regulatory, operational and governance foundations in place.

Safeguarding Rules Go Live

The FCA’s updated safeguarding guidance, refreshed on 7 May 2026, marks the point where last year’s policy direction becomes this year’s operational reality.

This is not the first warning shot. We have been tracking this reform journey for some time. In our June 2025 piece on CP24/20, we described the consultation as:

“not just a technical update” but “a potential paradigm shift in how customer funds are protected in the UK payments and fintech space.”

That warning now looks well placed. What was then a consultation risk has become a live operating requirement. By December 2025, after PS25/12 was published, the direction of travel had hardened. As we wrote then:

“weak safeguarding arrangements are no longer going to be tolerated, and firms that get this wrong should expect early intervention.”

Now that 7 May 2026 has arrived, the FCA has updated its safeguarding page to reflect the regime firms must actually operate. The short version: safeguarding is no longer something firms can describe broadly in a policy. It must be reconciled, reported, audited and ready for failure.

From CP24/20 to PS25/12: The Reform Journey

When the FCA launched CP24/20, it signalled a major tightening of the safeguarding regime for payment and e-money firms. At that stage, the message was clear enough: safeguarding was moving closer to a CASS-style discipline, with daily reconciliations, stronger audit expectations, clearer wind-down planning and sharper senior management oversight.

At the time, we noted that the FCA was laying down a clear message:

“safeguarding must be watertight, tested, and always fit for wind-down.”

That remains the best short summary of where the regime has now landed. By the time PS25/12 arrived, the shape of the new regime was no longer theoretical. The FCA confirmed the most extensive overhaul of safeguarding since the introduction of the PSRs 2017 and EMRs 2011. The Supplementary Regime would come into force on 7 May 2026, with a future Post-Repeal Regime expected to move safeguarding even closer to a full client-assets model.

In December, we described safeguarding as moving toward:

“CASS — with the paperwork to match.”

The FCA’s May 2026 update confirms exactly that direction, even if the full Post-Repeal Regime is still to come.

What Has Changed?

The updated FCA guidance confirms that payment and e-money institutions must follow the safeguarding requirements under the PSRs 2017, the EMRs 2011, and the new rules embedded across CASS 10A, CASS 15, SUP 3A and SUP 16.

For Authorised Payment Institutions, Authorised E-Money Institutions and Small E-Money Institutions, safeguarding remains mandatory. For Small Payment Institutions, safeguarding is still optional, but the FCA has made the consequence of opting in very clear: once an SPI chooses to safeguard, it must meet the same level of protection expected under the PSRs.

That matters. Firms cannot market or present safeguarding as a comfort point while operating a lightweight version behind the scenes. The FCA is closing that gap.

Monthly Reporting Is Now a Core Control

One of the biggest practical changes is monthly reporting. All APIs, AEMIs, SEMIs and SPIs that choose to safeguard must submit monthly safeguarding reports through My FCA within 15 business days of each calendar month-end.

These returns will give the FCA recurring visibility over:

  • safeguarding arrangements

  • relevant funds held

  • reconciliation outcomes

  • discrepancies and remediation

  • the firm’s continuing compliance position

This is a major shift from periodic supervision to routine data-led oversight. The FCA will no longer need to wait for annual returns, firm failure or whistleblowing before spotting poor safeguarding discipline.

For firms, the operational implication is obvious: the safeguarding numbers must be right every month.

Daily Reconciliation Is No Longer Optional Good Practice

The FCA has also confirmed daily internal and external safeguarding reconciliation requirements, at least once each reconciliation day.

This takes safeguarding out of the world of policy wording and into daily operational control. Firms must be able to evidence that internal customer entitlement records match the money actually held through safeguarding arrangements.

That means finance, operations and compliance can no longer work in separate rooms with separate spreadsheets and separate versions of the truth. The regulator is expecting one controlled process, with clear ownership and escalation.

Resolution Packs Bring Wind-Down Thinking Into the Present

The new guidance also points firms to CASS 10A resolution pack requirements.

This is one of the clearest signs that the FCA is thinking about failure before failure happens. Firms must maintain information that would allow customer funds to be identified and returned quickly if the business collapses.

A proper resolution pack should cover the key operational anatomy of safeguarding: where funds are held, who has authority, what records exist, how reconciliations work, which third parties are involved and how customers can be identified.

No firm enjoys preparing for insolvency. But in regulated payments, “we did not expect to fail” is not a wind-down plan. It is the first line of a bad administrator’s report.

Safeguarding Audits Raise the Evidence Standard

The updated guidance also confirms the new safeguarding audit expectations under SUP 3A. The first safeguarding audit must be submitted within 6 months of the audit period end. Subsequent audits must be submitted within 4 months.

This audit requirement is important because it introduces external challenge into arrangements that have historically varied widely across the sector. Auditors will look at whether safeguarding arrangements are designed properly and operating effectively.

Firms should expect scrutiny of reconciliation processes, segregation controls, safeguarding account structures, third-party oversight, insurance or guarantee arrangements, governance, breach handling and record keeping. A policy that looks tidy but cannot be evidenced will not be enough.

Third Parties, Insurance and Inbound Funds

The FCA has also tightened the surrounding architecture.

Where third parties hold or manage relevant funds, firms must conduct proper due diligence. This includes banks, insurers, guarantors and other service providers that sit inside the safeguarding chain.

The guidance also clarifies when the safeguarding obligation starts. In many cases, the obligation begins when the firm becomes entitled to the funds, often when they are credited to an account in the firm’s name. This is particularly important for firms with complex inbound flows, platform accounts or layered payment arrangements.

Insurance and guarantees also come under sharper control. Policies must not restrict payout except for confirming insolvency, and firms must have a contingency plan in place three months before expiry. The FCA’s position is simple: protection must work when needed, not merely look comforting in a board pack.

The Direction of Travel Is Now Clear

When CP24/20 was published, the industry could still treat the reforms as a consultation risk. When PS25/12 landed, the direction became settled. With the May 2026 guidance update, the implementation phase has arrived.

The FCA is moving safeguarding toward a more structured, CASS-like regime built around:

  • daily reconciliations

  • monthly reporting

  • safeguarding audits

  • resolution packs

  • stronger third-party due diligence

  • clear senior management ownership

  • better wind-down readiness

For stronger firms, this is manageable. It gives structure, clarity and a more level playing field. For weaker firms, it removes hiding places. As we said when PS25/12 landed:

“For the good actors, this provides clarity and structure. For the weaker ones, the FCA is building mechanisms to identify failures before insolvency administrators stumble over missing millions.”

That is the point of the new regime. It is not merely to improve paperwork. It is to make customer-money failures easier to detect, easier to manage and, ideally, less likely to happen in the first place.

The Bigger Picture

The FCA’s safeguarding reforms are not anti-growth. They are a recognition that payment and e-money firms now sit at the centre of everyday financial activity. If firms hold customer money, the regulator expects that money to be protected with discipline.

Yes, the new regime creates more administration. Yes, it will increase compliance cost. And yes, some firms will discover that their safeguarding arrangements were more theoretical than operational. But the underlying policy direction is difficult to dispute.

Safeguarding is now a live control framework, not a paragraph in an application pack. Firms that treat it that way will be better placed to satisfy the FCA, reassure partners and protect customers if things go wrong. In payments, credibility increasingly depends on what happens after the money arrives.

Gordon Spencer
Previous

The UK Is Still Forming Companies — But Almost as Many Are Disappearing
Next

Companies House Identity Verification Passes 3.7 Million Appointments; A Messy Start, But Probably the Right One