
On 7 August 2025, the FCA published its policy statement on changing the safeguarding regime for payments and e-money firms. Firms had been waiting for the results of the FCA's consultation on the changes with some trepidation, given the FCA's proposals to overhaul the traditional regime and replace it with requirements based on the longer-standing Client Assets Sourcebook (CASS) regime for investment businesses.
The reality for the foreseeable future is nowhere near as radical as it could have been, but the changes to the regime nevertheless require affected firms to take action and implement new procedures within a short timeframe.
In this article, written for Compliance Monitor, and complementing our article that focussed on the impact of the changes in the context of insolvencies, we look at what affected firms should be doing to prepare for the changes.
Who do the changes affect?
The changes apply to firms that are subject to the safeguarding requirements in the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs) – that is, almost all authorised payment institutions, authorised e-money institutions, small e-money institutions and credit unions which issue e-money in the UK. They don't apply to payment institutions whose only regulated payment services are payment initiation or account information services, and they apply to small payment institutions only if the institution opts in to them.
Why was change needed?
The FCA has long been concerned about the standard of compliance with the payments safeguarding rules, particularly about:
- Lack of documented processes to consistently identify "relevant funds" (that is, funds that must be safeguarded)
- Inadequate reconciliation procedures
- Lack of due diligence on providers of safeguarding accounts, with providers also not properly acknowledging their understanding of the accounts.
It is particularly important to have strong customer protections in this sector because customers of failed payments firms do not have recourse to the Financial Services Compensation Scheme. The FCA had already set out its expectations in its "Approach Document" to regulating e-money and payment institutions, and in various supervisory letters. But it felt it needed to do more.
What did the FCA propose?
The FCA had in mind a gradual move to full CASS-style regulation in two stages, first with "Interim Rules" and then ultimately with "End-State Rules", which it proposed would take effect 6 months after the Interim Rules.
The aim of the "Interim Rules" was to shore up existing requirements by imposing on firms greater checks and record keeping and reporting requirements, as well as to require firms to submit to an annual safeguarding audit. The FCA planned this to:
- Support a greater level of compliance with the existing requirements
- Support more consistent record keeping
- Enhance reporting and monitoring requirements to identify shortfalls in relevant funds and improve supervisory oversight.
The “End-State” rules would then include:
- A requirement to receive relevant funds directly into an appropriately designated account at an approved bank (with some exceptions)
- A ban on agents and distributors receiving relevant funds unless their principal safeguards sufficient equivalent funds
- Imposing a statutory trust over relevant funds held by payment firms, and relevant assets, insurance/guarantees and cheques
- Greater detail on when the safeguarding obligation starts.
So, the ultimate proposal was to replace the current safeguarding requirements in the PSRs and EMRs with a regime requiring relevant funds and assets be held on trust.
What the FCA has decided - the new "Supplementary Rules"
When the FCA published its feedback statement, it explained that it would not currently proceed with the proposed "End-State Rules", but instead with an almost unchanged-from-consultation version of the "Interim Rules", now called the "Supplementary Rules". These will create new Chapters 10A and 15 in CASS. While they in large part transfer into the FCA Handbook the expectations set out in the Approach Document, they are now written very much in the normal FCA Rules style. They also include some new requirements, which mean firms will have to plan to be compliant by May 2026.
Organisational requirements
Firms will be required to allocate oversight of compliance to an appropriate individual within the firm, who will report to the governing body.
Reconciliations
Firms must have in place adequate policies and procedures to ensure compliance with the "relevant funds" requirements. Specifically, the new rules require firms to:
- Be able at any time and without delay to distinguish between relevant funds and other funds, and clearly identify relevant funds that are not held in a "relevant funds bank account"
- Carry out reconciliations at least once every "reconciliation day" (broadly, business days excluding bank holidays or days in which other relevant markets are closed) at selected points
- Determine the reason for, and promptly resolve, any discrepancy that the reconciliations identify
- Tell the FCA in writing and without delay if:
  - Their internal records are materially out of date, inaccurate or invalid
  - They will not be able to perform a reconciliation or remedy, and/or
  - At any time in the previous year there was a material difference between the amount of relevant funds safeguarded and the amount they should have been safeguarding
- Keep all relevant records for five years.
Resolution packs
A new requirement on firms is that they must keep a resolution pack, which will need to include all records and documents that would help get funds back to customers quickly in the event of the firm’s insolvency, and which would allow retrieval of relevant information within 48 hours of a request. CASS 10A sets out the detail of what the FCA expects the pack to comprise, including executed copies of letters and agreements with organisations providing safeguarding accounts and their contact details.
Audit
Firms must commission an annual external safeguarding audit (except if they have been required to safeguard less than £100,000 of relevant funds for at least the past 53 weeks). This entails:
- Appointing an appropriately qualified auditor (with the FCA having power to appoint an auditor if the firm doesn't)
- Co-operating with the auditor, and
- Submitting a prescribed-format annual audit report that confirms compliance with safeguarding requirements, details of any breaches and any remedial actions taken.
SUP now contains an additional chapter addressing these requirements.
Regulatory return
There is a new monthly regulatory return for firms to submit to the FCA giving detailed information on safeguarded funds and arrangements.
Due diligence
Firms must exercise all due skill, care and diligence in selecting, appointing and periodically reviewing all providers – whether of accounts where relevant funds are held, accounts where relevant assets are deposited or held, or of insurance or comparable guarantees. The assessment should take into account matters such as the capital of the provider, the extent to which funds or assets would be protected under a compensation scheme and the creditworthiness of the third party.
Firms may still invest relevant funds in secure liquid assets, but must ensure a suitable spread of investments, and the new rules list the general principles firms must follow when investing. If a firm appoints a third party to manage relevant assets, it needs to exercise good due diligence in selecting the manager and ensure its mandate is appropriate.
Also, firms should periodically review whether they should diversify - or further diversify - their range of providers, including considering whether it is appropriate to deposit relevant funds in a range of banks, and keep records of their assessments.
Safeguarding letters
The rules specify the content of letters firms must send to the providers of safeguarding accounts and relevant asset accounts, which clearly set out the purpose of the account, and require the provider to acknowledge the letter by countersigning it. The FCA has provided the text of the letter, which includes some text that cannot be altered at all, and some that can be varied only as appropriate and so long as it does not change the meaning of the "fixed" text.
The FCA also requires firms to:
- Use reasonable endeavours to ensure that the countersignatory of any acknowledgement letter had authority to countersign
- Keep all letters on file until 5 years after the last account to which the letter relates was closed, and
- Review letters at least annually to make sure they are still appropriate and draw up a replacement where any details have changed.
Insurance method
Where firms use the insurance or comparable guarantee method of safeguarding, they must:
- Ensure that the insurance or guarantee meets all the conditions already required, but the new rules stress that there must be no restrictions on the policy or arrangement paying out other than certification that an insolvency event has occurred. The rules clarify that this means it must pay out regardless of why the insolvency event occurs, so it would pay out, for example, in the case of fraud or negligence of the directors of the payment firm, and
- Have a contingency plan at least three months before a safeguarding insurance policy or comparable guarantee expires (and notify the FCA at least 3 months before expiry about whether it intends to continue to use the arrangement).
What has happened to the "End-State Rules"?
The FCA received significant feedback on what it now calls the “Post-Repeal Regime”, and now says it will review these proposals and consult again on how the final regime should look after a full audit cycle has been completed.
Many respondents opposed:
- The suggested requirement that relevant funds should be received directly into an approved designated safeguarding account – responses said that replacing several non-bank payment accounts and standard bank accounts with relevant funds accounts would be very costly, not to mention concerns about the availability of suitable accounts and the risk that firms might need to decouple their UK operations from their global infrastructure to meet the requirement, and
- A statutory trust – respondents queried whether the proposals would fundamentally change the legal status of e-money, and also raised questions about the availability of appropriate accounts, the ability of firms to keep interest and potential new fiduciary duties for relevant funds.
When do the changes take effect?
The FCA has given firms nine months to implement the changes, which take effect on 7 May 2026. It had originally proposed a six-month implementation period, but has recognised the amount of work the firms will need to do. It will also be updating its Approach Document to reflect the new rules.
And what for the "Post-Repeal" regime? Well, it's not completely dead, but not only has it been kicked a little into the long grass, not to be reviewed at least until after the first annual audit cycle, the FCA has also acknowledged that where it eventually ends up will ultimately depend on the approach the Government takes to the PSRs and EMRs as part of the long-running post-Brexit review.
What should firms be doing now?
The FCA has given a nine-month lead-in period for a reason. It will take time to make the decisions and get in place the policies and procedures needed to comply with the rules – and, even for firms that largely have them in place anyway, to fully and properly document them and put in place appropriate monitoring. Firms should also be getting help in reviewing and testing their resolution packs and engaging at an early stage with their auditors.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.