The Deadline Has Passed. The Work Has Not.
On 7 May 2026, CASS 15 came into force. The FCA’s new safeguarding regime for payment and e-money firms is no longer something to prepare for — it is something firms are now expected to demonstrate compliance with, from day one.
For some firms, that is a straightforward position. For many others, it is not. A survey of compliance and finance leaders across FCA-regulated firms found that while 32% believed they were already compliant, just 13% were performing the daily reconciliations the rules actually require. The gap between perception and practice is significant — and the FCA will close it.
What CASS 15 Actually Requires
CASS 15 replaces the existing safeguarding provisions under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. It applies to authorised payment institutions, authorised e-money institutions, small e-money institutions, and credit unions issuing e-money in the UK.
The requirements are prescriptive. Firms cannot design their own interpretation. The core obligations are:
Daily reconciliations. Relevant funds must be reconciled every business day, with records that are complete and audit-ready at any point. For firms that have relied on weekly or monthly processes, this is a fundamental operational change.
Monthly returns to the FCA. Firms must submit monthly safeguarding returns from day one. The first return covers the period starting 7 May 2026. There is no grace period.
Annual safeguarding audits. Firms that have safeguarded £100,000 or more in relevant funds must undergo an independent audit by a qualified, regulated auditor — a significant change for an industry that has not previously been subject to CASS audits at all.
CASS 10 Resolution Packs within 48 hours. Firms must be able to produce a full resolution pack — the information an insolvency practitioner would need to return funds to clients — within 48 hours of a request.
Why the FCA Moved Here
CASS 15 is a direct response to what the regulator has observed in the sector. Following a series of firm failures — including the Ipagoo insolvency in 2019, which revealed an average shortfall of 65% in funds owed to clients — the FCA concluded that the previous regime was not delivering the consumer protection it was designed to provide.
The FCA is not treating CASS 15 as a technical housekeeping exercise. It is treating it as a consumer protection priority. Firms that approach it as the former are likely to find that the regulator approaches it as the latter.
Where Firms Are Already Struggling
For firms that were not fully ready on 7 May, the pressure points are becoming clear.
Reconciliation infrastructure. Many firms built their safeguarding processes around manual spreadsheets or periodic reviews. These cannot support daily reconciliations at scale — particularly for firms with multi-currency flows, high transaction volumes or multiple banking partners.
System and data fragmentation. Safeguarding-relevant data often sits across multiple systems — payment processors, banking partners, internal ledgers — that do not communicate in a format suitable for daily reconciliation. Building a compliant process on top of fragmented infrastructure requires significant coordination and clear process ownership.
Audit readiness. Firms that have not previously undergone a CASS audit are often uncertain what audit-ready actually means. The answer is straightforward: at any point, the firm should be able to demonstrate exactly how much in relevant funds it holds, where those funds are, how that reconciles to client balances, and what controls have operated throughout the period. That documentation cannot be assembled retrospectively.
Breach identification. CASS 15 requires firms to proactively identify safeguarding breaches and notify the FCA without delay when a material breach has occurred. A reactive approach — finding problems during audits or third-party reviews — is not acceptable. Firms should have documented processes for identifying breaches as a matter of course.
The Question Worth Asking Now
Most payment and e-money firms have taken CASS 15 seriously. The challenge is the distance between intent and execution.
A firm can have a safeguarding policy that says all the right things, a governance structure that assigns clear responsibility, and an auditor already engaged – and still find itself unable to produce a compliant monthly return or demonstrate that its daily reconciliation process is functioning as documented.
Worth asking: If the FCA reviewed your safeguarding arrangements today, could you demonstrate (not describe) – that your firm has been compliant since 7 May? If there is any doubt about the answer, that is where to start.
Final Thought
CASS 15 represents a permanent shift in how payment and e-money firms are expected to operate. The FCA has been clear about that intention, and clear that it will act where firms do not meet the standard.
The deadline has passed. The question now is not whether to comply — it is how quickly firms can move from partial compliance to a position they can stand behind. For firms with gaps, that window is narrowing.
If you want an independent assessment of where your firm stands, speak to our team.
Get in touch
LHI Consulting works with payment institutions and e-money firms to assess safeguarding frameworks, identify gaps and build compliant operating models quickly and practically.
📧 Email: info@lhiconsult.com | 📞 Phone: +44 203 319 5147 | 🌐 Contact us
