Legal development

UK e-money and payment institutions must comply with new safeguarding rules from 7 May 2026

By Max Savoie, Tharaka Boralessa, Hannah Pack and Rojeene Shadfar

19 August 2025

Share Share
Panels in the sunshine
Share

    On 7 August 2025 the UK Financial Conduct Authority (FCA) issued its long awaited policy statement and new rules for electronic money institutions and payment institutions (together Payments Firms) on safeguarding of customer funds.

    The new rules, together with updates to the FCA's existing guidance on its approach to Payments Firms (the Approach Document) will apply from 7 May 2026.

    This is the most significant set of changes to the safeguarding regime since its inception. Payments Firms within scope of the new rules will need to take a series of actions to ensure they are compliant.

    TLDR summary

    • Payments Firms need to do the following to implement the new rules:
      • 1. Update safeguarding policies and procedures
      • 2. Review internal governance arrangements, including reporting
      • 3. Update reconciliation processes
      • 4. Prepare a resolution pack - which is separate and additional to the firm's wind-down plan - and develop processes to keep it continually updated
      • 5. Conduct a review to determine whether the firm needs to diversify its safeguarding providers and engage additional banks or insurers if required
      • 6. Review bank acknowledgement letters
      • 7. Develop processes to produce monthly safeguarding returns
      • 8. Enhance third-party due diligence processes
      • 9. Implement processes to record unallocated and unidentified funds
      • 10. Review insurance or guarantee agreements (if applicable)
      • 11. Update controls for investing in secure, liquid assets (if applicable)
    • Payments Firms should expect increased regulatory scrutiny as a result of enhanced audit and regulatory notification and reporting requirements.
    • Banks that provide safeguarding accounts to Payments Firms could face additional risks and requirements.
    • The FCA has deferred some of its more controversial proposals, including its proposed statutory trust over relevant funds and requirements for Payments Firms to receive relevant funds directly into a safeguarding account. The FCA plans to review those proposals and issue another consultation paper in 2027/28.

    What do Payments Firms need to do to implement the new rules?

    1. Update safeguarding policies and procedures

    All Payments Firms that are subject to existing safeguarding rules will need to review and update their safeguarding policies and procedures to address the requirements set out below. The FCA and the firm's auditors will generally expect these to be detailed, specific and tailored to a firm's business model. Because of this, there is no one-size-fits-all solution for such updates but there will be common themes in line with the points discussed below.

    2. Review internal governance arrangements

    The new rules impose substantial new internal governance obligations on Payments Firms, including a general requirement to maintain adequate safeguarding arrangements, as well as specific requirements to:

    • appoint a single director or senior manager, with sufficient skill and authority, to be responsible for the Payments Firm's operational compliance with the safeguarding regime;
    • ensure the relevant individual oversees the firm’s compliance with safeguarding requirements, and reports to the firm's governing body;
    • ensure the firm's governing body receives reports at least annually on compliance with safeguarding rules; and
    • maintain various detailed records relating to safeguarding, including a resolution pack (see below).

    How does this impact Payments Firms?

    Payments Firms have long been subject to governance expectations in relation to safeguarding, so the theme of these new rules in nothing new. However, the codification and increased specificity of governance and organisational requirements under the new rules, together with the FCA’s latest Dear CEO letter to Payments Firms dated 3 February 2025, highlight a marked increase in regulatory scrutiny around governance, accountability, and organisation within Payments Firms.

    Payments Firms should ensure that their internal governance arrangements, policies, and record-keeping practices meet the enhanced requirements under the new rules.

    In practice, the increase in regulatory risk, the complexity of the operational arrangements needed to meet the new rules, and the added scrutiny of an annual audit and FCA supervision (see below) make it necessary for most Payments Firms to have a formal governance structure for decision making related to safeguarding. This could take the form of a governance forum chaired by the senior manager responsible for safeguarding and attended by other key senior stakeholders. Payments Firms may also wish to consider implementing a three-lines-of-defence model, with the compliance or internal audit function responsible for conducting independent reviews of the safeguarding control framework.

    Payments Firms will need to dedicate resources to support such governance frameworks, ensure timely and accurate management information, and integrate safeguarding considerations into wider strategic and operational planning.

    3. Update reconciliation processes

    The new rules include more prescriptive requirements on reconciliation processes than the current guidance in the FCA's Approach Document.

    Payments Firms must perform both internal and external safeguarding reconciliations at least once each “reconciliation day”, which excludes weekends, UK bank holidays, and days when relevant foreign markets are closed. Payments Firms may use non-standard reconciliation methods of internal safeguarding reconciliation, provided that they document their approach and obtain reasonable assurance from an independent auditor.

    In addition, the new rules require firms to establish one or more reconciliation cut-off times for the books and records used in the reconciliation process. Firms may set different cut-off times to reflect their operating model, for example, one for manual processes and another for system-based processes.

    How does this impact Payments Firms?

    Payments Firms will need review and, in many cases, upgrade their systems and controls to ensure they can perform and evidence reconciliations in line with the new requirements. This includes processes for tracking all fund transfers closely through different channels.

    Firms should also assess whether their record-keeping systems support separate maintenance of the safeguarding requirement and the safeguarding resources (e.g., client sub-ledgers versus bank/custodian balances). These figures must be derived independently; firms should not calculate one by reference to the other. Payments Firms must ensure that staff are adequately trained and that reconciliation processes are subject to regular review.

    4. Prepare a resolution pack and develop processes to keep it updated

    Payments Firms are required to maintain a comprehensive, up-to-date resolution pack (referred to as a "CASS resolution pack") that must be retrievable within 48 hours. The purpose of the resolution pack is to ensure that, in the event of insolvency or resolution, key stakeholders, such as insolvency practitioners and the FCA, have ready access to all critical information needed to facilitate the prompt and accurate return of customer funds. This is separate from the firm's wind-down plan.

    The resolution pack must be treated as a “living” document subject to continual review, rather than a "set and forget" file. Any inaccuracies must be corrected within five business days.

    Among other requirements, the resolution pack must include:

    • a document identifying each group member involved in operational functions related to the safeguarding regime, specifying the type of entity, its jurisdiction of incorporation, and a description of its related operational functions;
    • a document identifying each third party used for operational functions related to safeguarding, detailing how to access relevant information held by the third party and how to effect a transfer of relevant funds or assets controlled by that third party;
    • a document identifying all senior managers, directors, and other individuals who are critical or important to the performance of operational functions related to any safeguarding operation of the firm; and
    • the standard terms and conditions incorporated into client contracts.

    How does this impact Payments Firms?

    The resolution pack could represent a significant organisational challenge, particularly for Payments Firms that have operations supporting their safeguarding procedures involving group affiliates and multiple individuals. While Payments Firms may be able to draw from their existing safeguarding policies and wind-down plans as a starting point, the resolution pack requires more extensive and detailed information. In practice, the resolution pack will need to be more like a well-organised library than a policy document.

    Payments Firms that do not operate with standardised terms and conditions across all clients will face additional complexity in ensuring that all relevant contractual documentation is included and kept up to date.

    The requirement to update the CASS resolution pack on a continual basis and within five business days of any discrepancies could be particularly demanding. In practice, this necessitates a weekly control to identify changes and update the pack where relevant. Payments Firms should also retain evidence of the performance of any such control, even in weeks when no updates are required.

    Payments Firms must ensure that all relevant information and documents are organised and stored in a manner that enables rapid retrieval. This may require investment in enhanced IT infrastructure, robust data management processes, and regular internal audits to verify ongoing compliance. For example, links to SharePoint pages and shared folders can become inactive over time, requiring periodic testing to ensure continued accessibility.

    Staff training will also be essential to ensure that employees understand their responsibilities and are able to maintain the resolution pack to the required standard.

    5. Conduct a diversification review

    Payments Firms will be required to periodically assess whether it is appropriate to diversify the third parties with which they deposit, hold, invest, insure or guarantee relevant funds. Although the current version of the FCA's Approach Document already encourages Payments Firms to consider diversification of their safeguarding arrangements, the new rules codify this expectation into a rule and introduce specific provisions on the frequency, documentation, and rationale for such reviews.

    How does this impact Payments Firms?

    This is not a tick-box exercise and the practical impact on Payments Firms could be significant. The new rules raise the prospect of the FCA adopting a more rigorous approach on supervising and enforcing the diversification requirement.

    Payments Firms will need to exercise judgement and be able to demonstrate the reasoning behind their decisions, as well as any steps taken to mitigate risk. Diversification may require opening and managing safeguarding accounts with several banks, or arranging multiple insurance policies or guarantees. This would require extensive due diligence, ongoing monitoring, and potentially negotiating with reluctant counterparties. For many Payments Firms, especially those with complex operations or limited resources, this could be a major operational and financial undertaking.

    6. Review bank acknowledgement letters

    The new rules introduce more prescriptive requirements for acknowledgement letters which Payments Firms must request from authorised credit institutions and custodians with which they safeguard relevant funds. Payments Firms will be able to continue to rely on acknowledgment letters obtained before 7 May 2026 in the form set out in the existing version of the Approach Document. However, they will be subject to the FCA's rules on reviewing and updating acknowledgement letters at least annually.

    How does this impact Payments Firms?

    Payments Firms will need to implement procedures for reviewing acknowledgement letters and ensure the relevant prescribed wording is used for all new letters.

    While the form of wording prescribed in the new rules does not differ materially from the template wording in the current version of the FCA's Approach Document, some banks have been insisting on changes to the wording in the current template. Where a Payments Firm has accepted such a non-standard version of the acknowledgement letter, it may need to require the relevant bank to update the letter.

    When similar provisions were introduced into the client money rules applicable to other types of FCA regulated firms, auditors took a strict approach to the acknowledgement letter requirements. We expect auditors will take a similar approach to the safeguarding letter requirements under the new rules.

    7. Develop processes to produce monthly safeguarding returns

    Payments Firms must submit a new monthly regulatory return to the FCA relating to their safeguarding arrangements. The safeguarding return must be submitted to the FCA within 15 business days of the end of each calendar month.

    The return covers a wide range of data points, including the methods used to safeguard relevant funds, the number of clients for whom funds are safeguarded, the use of non-standard reconciliation methods, and detailed breakdowns of balances, accounts, and assets.

    The return requires the firm to confirm that any notifiable breaches of the safeguarding requirements have been notified to the FCA (see below). Any errors in reporting must subsequently be notified to the FCA in writing.

    How does this impact Payments Firms?

    Payments Firms will need to make adjustments to their internal processes, systems, and controls to ensure that the new reporting requirements can be met on an ongoing basis.

    Payments Firms should ensure the quality of the data collected and used to populate the return, and establish robust governance processes to ensure that the senior manager responsible for safeguarding has sufficient oversight of the final return submitted to the FCA.

    8. Enhance third-party due diligence processes

    Payments Firms are required to exercise all due skill, care, and diligence in the selection, appointment, and periodic review of third parties involved in safeguarding arrangements. This includes third parties that provide accounts for the receipt, deposit, or holding of relevant funds or assets, as well as those providing insurance or guarantees for safeguarding purposes.

    For Payments Firms that safeguard relevant funds by investing in secure, liquid, low-risk assets (see below), the due diligence process should include ensuring that any third party managing such assets has permission to carry out the regulated activity of management of investments in the UK.

    How does this impact Payments Firms?

    These requirements mean that Payments Firms will need to establish robust internal processes for the ongoing assessment and documentation of all third parties used for safeguarding purposes. This will likely involve the development or enhancement of due diligence checklists, risk assessment frameworks, and record-keeping systems to ensure that all relevant factors are considered and documented.

    Payments Firms that safeguard relevant funds by investing in secure, liquid assets and use an asset manager for these purposes should check the UK Financial Services Register to ensure the asset manager has permission to manage the relevant categories of investments.

    9. Implement processes to record unallocated and unidentified funds

    Payments Firms must record any relevant funds that cannot immediately be allocated to a client as "unallocated relevant funds". These must be allocated to the correct client as soon as possible, and no later than the end of the business day after receipt or identification. If funds are received and it is unclear whether they are relevant funds or other funds, they must be recorded as "unidentified relevant funds" while the Payments Firm takes all necessary steps to identify them. If identification is not possible, the firm should consider returning the funds to the sender or source.

    How does this impact Payments Firms?

    These requirements will increase the need for efficient reconciliation processes and may require system upgrades. In particular, Payments Firms may need to update their systems and internal processes to reflect the new concept of "unidentified relevant funds" and ensure that these are correctly recorded.

    Monitoring aged unallocated and unidentified funds, to either allocate or return them, will become a key control. With only one business day to allocate unallocated funds, Payments Firms will need to control tightly the resolution process to ensure the funds are allocated in time.

    10. Review insurance or guarantee agreements

    The new rules maintain the option for firms to safeguard relevant funds using insurance policies or comparable guarantees and codify into mandatory rules most of the FCA's guidance on these in the existing version of the Approach Document.

    Payments Firms using the insurance or comparable guarantee method of safeguarding will also be required to ensure insurers and guarantors have no contractual rights or powers to cancel the insurance or guarantee before the agreed expiry date unless:

    a) the cancellation is due to the non-payment of the premium;

     and

    b) the provider has given the Payments Firm and the FCA at least 3 months’ notice of its decision to cancel the policy or guarantee.

    How does this impact Payments Firms?

    Payments Firms using the insurance or comparable guarantee method of safeguarding should review their agreements against the requirements in the new rules. If an existing insurance policy or guarantee does not meet the applicable requirements, the Payments Firm should request amendments to ensure compliance.

    The new mandatory restrictions on early termination by the provider could mean some providers are less willing to offer insurance or comparable guarantees to Payments Firms, or that they increase premiums or fees.

    11. Update controls for investing in secure, liquid assets

    The new regime allows Payments Firms to continue to safeguard relevant funds by investing in the same range of secure, liquid assets as currently permitted. However, the regime introduces certain additional requirements, including that investments must be suitably diversified, made in accordance with a clear liquidity strategy and credit risk policy, and any foreign investment risks must be prudently managed.

    How does this impact Payments Firms?

    Payments Firms which invest in secure, liquid assets must ensure they have an appropriate liquidity strategy and credit risk policy, as well as appropriate corresponding procedures to ensure their selection of assets is in line with FCA requirements. Payments Firms that have not strictly followed the definition of approved liquid assets in the current version of the Approach Document will need to review the types of assets they currently hold and make any necessary changes to comply with the definition incorporated into the new rules.

    Why will Payments Firms be subject to enhanced oversight of their safeguarding arrangements?

    Extended audit requirements

    Payments Firms, other than a small section of firms which are exempt (holding below £100,000 of relevant funds over a period of at least 53 weeks), will be required to arrange an annual safeguarding audit - separate to their statutory audit - carried out by a qualified independent auditor. The auditor must submit the safeguarding audit report in the prescribed form to the FCA within six months of the end of the first audit period. Subsequent audits must be submitted within four months of the end of the relevant audit period.

    How does this impact Payments Firms?

    Payments Firms in scope of this requirement must ensure the timely appointment of a suitably qualified auditor and take reasonable steps to confirm the auditor’s expertise in the safeguarding regime. This will require early engagement with audit providers, particularly given the increased demand for safeguarding audits across the sector.

    Payments Firms will need to maintain comprehensive, accurate, and up-to-date records to facilitate the audit process. This includes ensuring that all reconciliations, record-keeping, and safeguarding arrangements are fully documented and readily accessible. The new rules have tightened requirements for both Payments Firms and auditors, so Payments Firms may wish to carry out a separate suitability assessment before formally appointing an auditor.

    Firms should expect the FCA to use the audit reports as a key supervisory tool. Any significant adverse findings or repeated breaches may trigger supervisory or enforcement action.

    Additional FCA notification requirements

    The new regime requires Payments Firms to notify the FCA without delay of issues affecting safeguarding, including:

    • if their internal records are materially out of date, inaccurate or invalid;
    • if they are unable to perform an internal or external reconciliation;
    • if they are unable to remedy a discrepancy in their reconciliations; or
    • material discrepancies in the amount of relevant funds safeguarded.

    This is in addition to: (i) other notification requirements, such as changes to insurance or guarantee arrangements, and auditor appointments and independence, and (ii) regular monthly safeguarding returns (see above).

    How does this impact Payments Firms?

    The enhanced notification requirements are a double-edged sword. They increase the day-to-day compliance burden and serve as a powerful tool for the FCA to monitor, challenge, and, where necessary, intervene in firms’ safeguarding practices. Firms that fail to take these requirements seriously risk not only increased scrutiny but also the possibility of being compelled to make significant changes to their operations - or, in the worst cases, enforcement action that could threaten their ability to operate.

    To meet the notification requirements, Payments Firms will need to establish a materiality policy and governance process to identify, assess, and report incidents in line with that policy.

    Implications for banks

    Banks that provide safeguarding accounts to Payments Firms will be affected by the new rules as follows:

    • Banks may be subject to additional risks where Payments Firms fail to meet the more prescriptive new safeguarding rules. In the event a Payments Firm is unable to pay out relevant funds to its customers (e.g. in the event of insolvency), this could result in the bank being required by the FCA to cover such underlying customer losses.
    • Banks will need to ensure their safeguarding acknowledgement letters conform with the prescribed wording under the new rules.
    • Additional account and transaction information may be required from banks in relation to reconciliation and audit processes.
    • The requirements for Payments Firms to diversify their safeguarding providers could result in:
      • a) more requests from Payments Firms to open safeguarding accounts;
      • b) decreasing volumes of transactions from larger Payments Firm clients of the bank; and
      • c) increased scrutiny by the FCA of the bank's compliance with its obligations to provide Payments Firms with non-discriminatory access to bank accounts.

    How do the new rules differ from what the FCA proposed in its consultation paper?

    The FCA published a consultation paper on its proposed changes to the safeguarding rules in September 2024. These included the main changes in the new rules summarised above, which were referred to in the consultation paper as the "interim rules". They also included more controversial proposals to:

    • create a statutory trust over relevant funds;
    • require Payments Firms to receive relevant funds directly into a safeguarding account; and
    • restrict Payments Firms from holding relevant funds through agents or distributors.

    These were referred to in the consultation paper as the "end-state rules". The FCA plans to consider these further and consult again in 2027/28.

    The new rules also include certain changes to the draft "interim rules", including that:

    • reconciliations will not be required on weekends or bank holidays;
    • Payments Firms holding less than £100,000 relevant funds are excluded from the safeguarding audit requirements; and
    • the implementation period has been extended from six to nine months.

    This is a joint proposal from Ashurst LLP, Ashurst Risk Advisory LLP and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst LLP is a limited liability partnership registered in England and Wales under number OC330252. It is a law firm authorised and regulated by the Solicitors Regulation Authority of England and Wales under number 468653. Ashurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883.

    Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales. Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.

    Ashurst Risk Advisory LLP and Ashurst Risk Advisory Pty Ltd services do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services.

    Key Contacts