PS25/12 and CASS 15: The 7 May 2026 Safeguarding Guide for Payment Firms

Quick summary. FCA Policy Statement PS25/12 creates a new safeguarding regime under a dedicated CASS 15 sourcebook, in force from 7 May 2026. It applies to every authorised payment institution holding customer funds and every authorised electronic money institution. The regime introduces a statutory trust over customer funds, mandatory daily reconciliation, monthly FCA safeguarding returns, an annual audit under the FRC's new CASS 15 auditing standard, and a CASS 10-style Resolution Pack retrievable within 48 hours. SPIs and SEMIs are not in scope but many adopt CASS 15 voluntarily.

Quick answers

• When does PS25/12 take effect?

• Who is in scope?

• What is the statutory trust?

• What is required for daily reconciliation?

• Who can perform the CASS 15 audit?

• What goes in the Resolution Pack?

The FCA's Policy Statement PS25/12 creates the most significant change to UK payment services regulation since the introduction of the Payment Services Regulations 2017. In force from 7 May 2026, PS25/12 establishes a new client funds regime under a dedicated CASS 15 sourcebook, applying to every authorised payment institution providing services involving customer funds and to every authorised electronic money institution. The regime introduces a statutory trust over client funds, mandatory daily reconciliation, a monthly FCA safeguarding supervisory return, an annual safeguarding audit under the Financial Reporting Council's new CASS 15 auditing standard, and a CASS 10-style Resolution Pack retrievable within 48 hours.

This guide explains exactly what PS25/12 and CASS 15 require, who is in scope, what firms must have in place from 7 May 2026, where implementation gaps remain, and what the FCA expects in supervision and authorisation. It is written for CFOs, MLROs, heads of compliance, heads of finance, board members and general counsel of UK payment institutions and electronic money institutions, and for fintech founders preparing applications in 2026.

Why PS25/12 was introduced

The FCA's case for PS25/12 was set out in CP24/20 in September 2024 and confirmed in PS25/12 in August 2025. The central concern was that the pre-2026 safeguarding regime, based on regulations 23 of the PSRs 2017 and 22 of the Electronic Money Regulations 2011, relied on a contractual segregation arrangement that did not always survive firm failure in practice. Several high-profile UK and international fintech failures from 2020 onwards revealed that customer funds had been commingled with firm money, that reconciliation gaps had gone undetected for extended periods, that safeguarding accounts had been inadequately documented or contractually mischaracterised by their banks, and that insolvency practitioners had been unable to identify and return funds to customers within reasonable timeframes.

The pre-2026 regime also lacked specific reporting and audit requirements. Boards in many firms had limited visibility of safeguarding performance and the FCA had no systematic data on safeguarding controls across the industry. Where issues emerged, they were typically discovered only after firm failure or supervisory visit, at which point remediation was difficult.

PS25/12 addresses each of these weaknesses directly. The new statutory trust survives firm insolvency and protects customer funds from the firm's general creditors. Mandatory daily reconciliation means breaks are detected within 24 hours and cannot accumulate. Monthly FCA returns give the regulator systematic visibility of safeguarding performance across every firm. Annual audits under a dedicated FRC standard ensure independent verification. The Resolution Pack provides insolvency practitioners with the information needed to act within hours rather than weeks.

The model is closely derived from the CASS 7 client money rules that have applied to investment firms since 2007 and have been extensively tested in the failures of MF Global, Lehman Brothers' UK entity and other firms. CASS 7 has worked: in failures over the past 15 years, customer funds protected under CASS 7 have been returned to clients in materially better outcomes than unprotected creditor recoveries. CASS 15 imports the architecture of CASS 7 into the payments and e-money sector, with adjustments for the operational characteristics of payment institutions.

Who is in scope

PS25/12 applies to:

• Every Authorised Payment Institution (API) providing one or more payment services that involve holding or controlling customer funds. In practice this means every API except those authorised solely for account information services (AISPs) and those authorised solely for payment initiation services (PISPs), neither of which holds customer funds.

• Every Authorised Electronic Money Institution (AEMI), in respect of both e-money in issue and any payment services provided.

• Small Payment Institutions (SPIs) and Small Electronic Money Institutions (SEMIs) are not in scope of the mandatory CASS 15 regime, although the existing voluntary safeguarding option under the PSRs 2017 and EMRs 2011 continues to be available and many small firms will adopt CASS 15 in substance as part of their transition to authorised status. RAISPs and standalone PISPs are out of scope because they do not hold customer funds.

• Credit institutions (banks and building societies) are out of scope because customer funds with credit institutions are protected by the Financial Services Compensation Scheme deposit protection regime rather than safeguarded under the PSRs or EMRs. Credit institutions providing payment services do so under their banking authorisation and are subject to the Capital Requirements Directive and Bank of England prudential standards rather than CASS 15.

The "in scope" question deserves careful attention for hybrid firms. A firm with both an API authorisation and a credit institution authorisation must apply CASS 15 to the API activity even where the bank holds the customer funds. A firm with both an EMI authorisation and a separately regulated investment business must apply CASS 7 to the investment business and CASS 15 to the EMI activity, with clear separation of records and reconciliation processes.

The five pillars of CASS 15

CASS 15 is structured around five interlocking obligations. Each must be in place from 7 May 2026 and each is examined in supervision and audit.

1. Statutory trust over customer funds

Under CASS 15, customer funds received by an API or EMI for the execution of payment transactions or in exchange for electronic money are held on statutory trust for the customer from the moment of receipt. The trust is created by operation of law, not by contract, and protects the funds from the firm's general creditors in the event of firm insolvency.

The practical implications are significant. Funds must be paid into a designated safeguarding account at an authorised credit institution (or, where permitted, invested in approved liquid assets or covered by an insurance or guarantee arrangement) by the next business day, in line with the FCA's specified "as soon as practicable" expectation. The safeguarding account must be appropriately titled to reflect its trust status and the credit institution must provide a written acknowledgement confirming that it understands the safeguarded status of the account and that it will not assert a right of set-off, lien or counterclaim against the safeguarded funds in respect of debts owed by the firm. This acknowledgement is a hard prerequisite: a safeguarding arrangement without a properly worded acknowledgement is not compliant.

Permitted alternatives to credit institution segregation include investment in approved liquid assets (UK government securities, certain qualifying money market funds and certain other low-risk instruments specified by the FCA), insurance from an authorised insurer not part of the same group, or a comparable guarantee from a credit institution not part of the same group. The credit institution segregation route is by far the most common in practice and is the route on which most firms have built their compliance.

The trust is enforceable: customers have a beneficial interest in the safeguarded funds and can trace their claim through any breach of trust by the firm. Insolvency practitioners are required to return safeguarded funds to customers in priority to general creditor claims, subject only to the costs of distribution.

2. Daily reconciliation

CASS 15 requires firms to perform a documented reconciliation of internal records of customer funds against the safeguarding account balance at the safeguarding institution every business day. The reconciliation must be performed by a person with appropriate seniority and independence from the operational team that processes customer transactions, and must be documented in a form that can be retrieved on regulator request.

Reconciliation breaks (differences between internal records and external balances) must be investigated and resolved within strict timelines. The general expectation is that breaks identified on a business day must be investigated immediately and resolved within five business days. Material breaks (defined by reference to internal thresholds approved by the board) must be reported to the FCA. Persistent or unresolved breaks are a serious supervisory concern and can trigger requirements, restrictions or skilled person reviews.

The operational reality of daily reconciliation is more demanding than many firms expected when the regime was first proposed. Reconciliation requires a complete, accurate and up-to-date internal ledger of customer funds (often called a "shadow ledger") that captures every transaction in real time or near-real time, integrates with the firm's core payment processing systems, and produces an independently verifiable balance at end of business each day. Many firms have invested heavily in reconciliation tooling over the past 12 months: building, buying or licensing platforms that can support the daily cadence. A material number of firms approaching 7 May 2026 are still completing their reconciliation build, and audit findings on reconciliation are likely to dominate the first cycle of CASS 15 audits.

3. Monthly safeguarding supervisory return

From 7 May 2026, every in-scope firm must submit a monthly safeguarding supervisory return to the FCA. The return covers, at minimum: the value of safeguarded funds at month end, the average and peak value during the month, the safeguarding institutions used and the proportion held with each, the categories of safeguarding method used (credit institution segregation, approved liquid assets, insurance, guarantee), reconciliation breaks identified during the month and their resolution status, material safeguarding incidents, and any changes to safeguarding institutions or methods during the month.

The return is submitted via FCA Connect and must be filed within 15 business days of month end. The FCA will use the monthly returns to identify outliers, monitor trends across the industry and direct supervisory attention. Firms with persistent outlier metrics (high reconciliation break rates, concentrated safeguarding institution exposure, high incidence of material incidents) will attract closer supervisory engagement.

The monthly return is in addition to, not in substitution for, existing regulatory returns. APIs continue to file REP-018 quarterly safeguarding returns and REP-007 annual financial returns, and EMIs continue to file FSA042 and related returns. The monthly safeguarding return adds to the reporting load and firms should plan their reporting calendar accordingly.

4. Annual safeguarding audit

Every in-scope firm must obtain an annual safeguarding audit by a qualified statutory auditor under the Financial Reporting Council's new CASS 15 auditing standard. The audit covers the firm's compliance with CASS 15 across the entire financial year and is in addition to the firm's annual financial statement audit.

The CASS 15 audit is a substantive examination, not a light-touch review. The auditor tests the firm's safeguarding controls, reconciliation processes, account documentation, client identification, segregation arrangements, governance and reporting. The auditor issues an opinion in one of three categories: clean (no material weaknesses), qualified (specific weaknesses identified), or adverse (material weaknesses across the framework). The opinion and the audit report must be submitted to the FCA within four months of the firm's year end, with a remediation plan addressing any qualified or adverse findings.

A qualified or adverse opinion is a serious supervisory matter. The FCA expects the firm to remediate findings promptly and may impose requirements, restrictions or skilled person reviews where remediation is inadequate. Repeated qualified opinions across audit cycles can support enforcement action against senior managers under the SM&CR.

The market for CASS 15 audits is concentrated and audit capacity is a real planning issue. The FRC has approved a limited number of audit firms to perform CASS 15 audits and, as of early 2026, the audit market is fully booked for the first cycle. Firms that have not appointed a CASS 15 auditor by mid-2026 will struggle to obtain coverage for their first audit cycle. The cost of a CASS 15 audit is substantially higher than firms historically paid for their financial statement audit alone, and many firms have been surprised by the quotes received during the first cycle.

5. CASS 10-style Resolution Pack retrievable within 48 hours

CASS 15 requires every in-scope firm to maintain a Resolution Pack that contains the information an insolvency practitioner would need to identify, segregate and return customer funds in the event of firm failure. The Pack must be retrievable in full within 48 hours of a request by the FCA or by an insolvency practitioner.

The Resolution Pack must include: a complete schedule of customer accounts and balances at a recent date, documentation of safeguarding accounts and acknowledgements, identification of safeguarding institutions and contacts, a description of reconciliation processes and the location of reconciliation records, the firm's CASS 15 policy and procedures, key personnel contact information, IT system documentation and access procedures, third-party provider documentation including outsourcing arrangements, and a wind-down playbook that an insolvency practitioner could follow.

The 48-hour retrievability requirement means firms must invest in document management and process discipline, not maintain the Pack as a static binder updated annually. The expectation is that the Pack is updated continuously and that any element can be produced from current systems within hours. A reasonable test is whether a senior person who has not previously worked with the Pack can locate, retrieve and present any element to the FCA within a single business day. Firms whose Pack relies on undocumented institutional knowledge or on individual employees will fail this test.

Governance accountability

The FCA's design of PS25/12 places explicit governance accountability on the board and on specific senior managers under the Senior Managers and Certification Regime.

The board is accountable for the firm's safeguarding arrangements and must approve the firm's annual safeguarding policy, the appointment of the safeguarding auditor, any material change in safeguarding institutions or methods, and the firm's response to material safeguarding incidents. The board must receive monthly management information on safeguarding, including the metrics required for the FCA monthly return, reconciliation break rates and resolution timeliness, audit findings and remediation status, and changes to safeguarding institutions or methods.

The CFO or equivalent is the typical senior manager owner of safeguarding under SMF, with the head of compliance or MLRO frequently sharing accountability for the policy and reporting elements. The firm's allocation of safeguarding accountability must be clear in the senior managers' statements of responsibilities and there must be a documented chain of escalation from operational reconciliation up to the board.

The FCA has signalled that it will use SM&CR enforcement powers against senior managers whose firms fail materially under CASS 15, particularly where the failure reflects inadequate oversight rather than a one-off operational incident. Senior managers who have not personally engaged with their firm's CASS 15 build, who do not understand the firm's reconciliation arrangements, or who cannot articulate the firm's safeguarding methodology, are exposed.

Common implementation gaps as of May 2026

With the regime in force from 7 May 2026, the FCA has signalled that it will engage with firms that are not fully compliant from day one, with the expectation that any residual gaps are remediated quickly and transparently. Common implementation gaps observed across the industry in early 2026 include:

Reconciliation tooling that is partially built. Many firms have functioning daily reconciliation in their main payment flows but residual manual processes for specific products, currencies or settlement paths. The expectation under CASS 15 is comprehensive automated reconciliation with manual processes only as exception handling.

Safeguarding bank acknowledgements that are not properly worded. Several firms have discovered late in the implementation cycle that their existing safeguarding acknowledgements do not meet the CASS 15 standard, particularly the requirements on set-off and lien. Re-papering acknowledgements requires bilateral negotiation with the safeguarding bank and can take months.

Audit appointments that are unconfirmed. As noted above, audit market capacity is constrained and firms that have not yet appointed a CASS 15 auditor face difficulty obtaining coverage. Firms in this position should engage the audit market urgently and, if necessary, signal to the FCA that audit appointment is in progress.

Resolution Pack content that exists but is not 48-hour retrievable. Many firms have the underlying information but do not have it organised, indexed and tested for rapid retrieval. The CASS 15 expectation is operational readiness, not documentary completeness alone.

Board oversight that is insufficiently developed. Some firms have built strong operational safeguarding compliance but have weak board reporting and governance around it. The board must be able to demonstrate active oversight, not formal sign-off on management reports it does not engage with.

SM&CR allocation that is unclear. Where safeguarding accountability is shared between CFO, head of compliance and head of operations, statements of responsibilities have sometimes left material ambiguity. The FCA expects clear, unambiguous allocation.

Firms with material gaps across more than one of these categories should consider engaging external specialist support to close the gaps before the first FCA monthly return is due (15 business days after May 2026 month end).

What CASS 15 means for new applicants

PS25/12 affects authorisation as much as it affects supervision. From 2026 onwards, the FCA expects every API and EMI applicant to demonstrate CASS 15 readiness in the application file at submission. The Regulatory Business Plan must include a comprehensive safeguarding section that addresses each of the five pillars; the firm's policies must be drafted to the CASS 15 standard; the firm's chosen safeguarding institutions must be identified and engaged; the firm's reconciliation tooling must be specified and ideally already built; the firm's audit arrangements must be planned; and the senior manager allocation must be clear.

Applications that do not demonstrate CASS 15 readiness will face significant FCA challenge and will not be authorised until the gaps are closed. The FCA has been explicit since CP24/20 that it will not authorise new firms whose safeguarding arrangements do not meet the new standard. Authorisation timelines for firms with weak safeguarding sections of the application have extended materially since PS25/12 was published in August 2025.

For applicants targeting 2026 authorisation, the practical implication is to budget for CASS 15 readiness in the application phase, not as a post-authorisation build. The cost of building safeguarding-ready operations from inception is materially lower than the cost of authorising under the old regime and retrofitting CASS 15.

How Buckingham Capital Consulting can help

Buckingham Capital Consulting has advised payment institutions and electronic money institutions on safeguarding compliance since the introduction of the safeguarding regime in 2009 and has worked extensively on CASS 15 readiness across the UK industry since CP24/20 was published in September 2024. Our team includes specialists in CASS 7 client money compliance from the investment management sector, applied to the operational realities of payment institutions and electronic money institutions.

We support firms across the full CASS 15 lifecycle. For the new safeguarding regime readiness, we conduct gap analysis against the CASS 15 standard, draft and implement compliant policies and procedures, review and re-paper safeguarding bank acknowledgements, design reconciliation processes and shadow ledger architectures, build the Resolution Pack and 48-hour retrievability framework, prepare board reporting templates and governance arrangements, allocate SM&CR responsibilities and update statements of responsibilities, and project-manage the audit appointment process.

For ongoing CASS 15 compliance, we provide reconciliation oversight, monthly FCA safeguarding return preparation and review, audit liaison, board reporting support, incident response, and remediation of audit findings. For firms whose first CASS 15 audit returns a qualified opinion, we provide remediation programme management to restore a clean opinion in the following cycle.

For new applicants, we integrate CASS 15 readiness into the API or EMI application file from the outset, with policies, reconciliation design, safeguarding bank engagement and Resolution Pack architecture all built into the application rather than deferred to post-authorisation.

Through our affiliated platform Safeheld we provide specialist safeguarding compliance technology to authorised firms, including daily reconciliation tooling, monthly return preparation, audit-ready evidence packs and Resolution Pack management. Safeheld is built specifically to the CASS 15 operating standard and is in active use across UK payment institutions and electronic money institutions.

If you are preparing for the 7 May 2026 PS25/12 deadline, addressing CASS 15 audit findings, or building CASS 15 readiness into a new authorisation application, contact our team for an initial assessment.

Email: info@buckinghamcapitalconsulting.co.uk Tel: 0207 866 2512

Frequently asked questions

When does PS25/12 and CASS 15 take effect? PS25/12 and the new CASS 15 sourcebook are in force from 7 May 2026. The regime applies in full from that date with no transition period or phasing. Every in-scope firm must have its safeguarding arrangements compliant with CASS 15 from day one, including the statutory trust, daily reconciliation, board governance and Resolution Pack framework. The first monthly FCA safeguarding return is due 15 business days after the firm's first month end after 7 May 2026, and the first annual CASS 15 audit covers the first financial year ending after 7 May 2026.

Which firms are in scope of CASS 15? CASS 15 applies to every Authorised Payment Institution providing services that involve holding customer funds and to every Authorised Electronic Money Institution. It does not apply to AIS-only firms or PIS-only firms (which do not hold customer funds), to Small Payment Institutions, Small Electronic Money Institutions or RAISPs, or to credit institutions (which are subject to deposit protection rather than safeguarding). Hybrid firms with multiple authorisations must apply CASS 15 to the API or EMI activity even where other parts of the group hold separate authorisations subject to other regimes.

What is the statutory trust under CASS 15? The statutory trust is created by operation of law (under the FCA's CASS 15 rules made under the PSRs 2017 and EMRs 2011) over customer funds received by an API or EMI for the execution of payment transactions or in exchange for electronic money. The trust protects the funds from the firm's general creditors in the event of firm insolvency: customers have a beneficial interest in the funds and can claim them in priority to general creditors. The trust is closely modelled on the CASS 7 client money trust that has applied to investment firms since 2007 and has been extensively tested in firm failures.

What is required for daily reconciliation under CASS 15? Daily reconciliation requires a documented comparison of the firm's internal records of customer funds against the actual balance at each safeguarding institution at end of business each business day. Reconciliation must be performed by a person with appropriate seniority and independence from operational processing. Breaks must be investigated immediately and resolved within prescribed timelines. Material breaks must be reported to the FCA. The reconciliation must be supported by a complete, accurate and current internal ledger of customer funds (often called a shadow ledger) and the supporting evidence must be retrievable on regulator request.

Who can perform the annual CASS 15 audit? The CASS 15 audit must be performed by a qualified statutory auditor approved by the Financial Reporting Council to carry out CASS 15 audits under the FRC's new CASS 15 auditing standard. The market for CASS 15 audits is concentrated and capacity is constrained; firms should appoint their auditor well in advance of their year end. Audit fees are substantially higher than firms historically paid for financial statement audit alone, and the first cycle in particular reflects the new methodology and tooling investment required of auditors.

What goes into the Resolution Pack and how often is it updated? The Resolution Pack contains all the information an insolvency practitioner would need to identify, segregate and return customer funds in the event of firm failure. It includes customer account schedules, safeguarding account documentation, safeguarding institution details, reconciliation records, CASS 15 policy and procedures, personnel contacts, IT system documentation, outsourcing details and a wind-down playbook. The Pack must be retrievable in full within 48 hours and must be updated continuously, not as a static annual exercise. A practical test is whether a senior person unfamiliar with the Pack can retrieve any element from current systems within a single business day.

Are Small Payment Institutions and Small Electronic Money Institutions affected by PS25/12? SPIs and SEMIs are not in scope of the mandatory CASS 15 regime. The voluntary safeguarding option that has been available to small firms under the PSRs 2017 and EMRs 2011 continues to be available, and small firms that voluntarily safeguard can choose whether to do so under CASS 15 or under the previous arrangements. Many small firms will adopt CASS 15 in substance as part of their transition to authorised status, particularly where they expect to grow above the SPI or SEMI thresholds.

What happens if my firm has a qualified or adverse CASS 15 audit opinion? A qualified or adverse audit opinion is a serious supervisory matter. The firm must submit the audit report to the FCA within four months of year end together with a remediation plan addressing the findings. The FCA will engage with the firm on remediation progress and may impose requirements, restrictions or a skilled person review under section 166 of FSMA where remediation is inadequate. Repeated qualified opinions across audit cycles can support enforcement action against senior managers under the SM&CR. Firms in this position should engage external remediation support promptly.

Can my firm use multiple safeguarding institutions and how should they be selected? Yes, and many firms do, both for diversification and to support multi-currency operations. The selection of safeguarding institutions is a board decision and must be supported by appropriate due diligence on each institution's financial standing, regulatory status, operational reliability, contractual willingness to provide a CASS 15-compliant acknowledgement and ability to support the firm's reconciliation processes. Concentration risk in a single safeguarding institution is a real concern and the FCA may challenge concentrated arrangements during supervision. Diversification across two or more safeguarding institutions is generally regarded as good practice for firms above a meaningful scale.

What is the relationship between CASS 15 and the EU PSD3 / PSR safeguarding regime? PS25/12 is a UK-only regime made by the FCA under the PSRs 2017 and EMRs 2011. The forthcoming EU PSD3 and PSR will tighten EU safeguarding requirements substantially upwards from the current PSD2 Article 10 minimum, with the detail set out in technical standards under PSR Article 9. The EU regime is expected to be broadly comparable to CASS 15 in operational substance (daily reconciliation, statutory protection, enhanced reporting) although the exact form will differ and the timing of EU applicability is later than the UK (estimated 2026 to 2027 vs UK 7 May 2026). UK firms with EU subsidiaries should plan for parallel compliance, with consistent group-wide standards as far as possible to minimise duplication.