The Question Most Boards Haven’t Answered Clearly
Payment and e-money firms have spent the past nine months preparing for CASS 15. Policies have been written, auditors engaged, reconciliation processes reviewed. But there is one question that often goes unresolved even in well-prepared firms: if the safeguarding framework fails, who is personally accountable?
Not the firm. Not the compliance function as a collective. Who, specifically, is the named individual — with documented responsibilities, regular oversight duties, and a clear line of accountability to the board — whose job it is to ensure safeguarding works?
Under the new regime, that question has a required answer. And the way firms have approached it says a great deal about whether their safeguarding governance is genuine or cosmetic.
What the Rules Actually Require
PS25/12 introduces a specific governance obligation that sits alongside the operational requirements of CASS 15. A named senior manager must be formally designated as responsible for safeguarding compliance. The board must approve the firm’s safeguarding policy — including the definition of what constitutes a material discrepancy — and senior management must receive regular management information against which they can meaningfully exercise that oversight.
This is not a new concept in financial services. The Senior Managers and Certification Regime has placed individual accountability at the heart of regulated firm governance since 2016. But in the payments sector — which came into SM&CR scope more recently, and where the culture around individual accountability has historically been less developed than in banking or investment management — the combination of CASS 15’s governance requirements and SM&CR’s accountability framework creates a position that many senior managers are not yet fully prepared for.
The FCA’s Phase 1 SM&CR reforms, which took effect in April 2026, have also refined the way responsibilities are mapped and documented. Firms updating their safeguarding governance in the context of CASS 15 should be doing so with current SM&CR expectations in mind, not legacy frameworks.
The Gap Between Designation and Accountability
Designating a senior manager as responsible for safeguarding is straightforward. What is harder and where firms frequently fall short – is building the infrastructure around that designation that makes the accountability real.
A senior manager cannot meaningfully oversee safeguarding if they are not receiving the right information at the right frequency. CASS 15’s daily reconciliation requirement generates a daily data point on whether the firm’s safeguarding position is intact. If that information is not reaching the designated individual – or is reaching them in a form that obscures rather than surfaces problems, the governance framework exists on paper but not in practice.
The same applies to breach escalation. CASS 15 requires firms to notify the FCA without delay when a material safeguarding breach has occurred. But before it reaches the FCA, that breach needs to have been identified, assessed and escalated internally. Firms that lack a documented escalation path – from the reconciliation team to compliance to the designated senior manager to the board, are relying on informal processes for a requirement that demands formal ones. When the FCA reviews a breach after the fact, it will look at how it was identified and how quickly it reached the right people. The answers to those questions are a direct reflection of whether individual accountability is functioning.
Worth asking:
If your firm’s named safeguarding lead received a breach notification today, could they demonstrate – not describe – what happened in the four hours that followed? If the answer is uncertain, that is where the accountability gap lives.
Why Wind-Down Planning Is Part of the Same Question
The accountability question extends beyond day-to-day safeguarding operations into how a firm plans for its own failure.
Wind-down planning has been a persistent weakness in the payments sector. The FCA’s multi-firm review published in July 2025 found that almost all of the wind-down plans examined were disconnected from the risk management framework, under-tested, and would not be credible or operable if actually needed. In 8 of the 12 payment firm insolvencies the FCA reviewed between 2018 and 2023, shortfalls exceeded £1 million. The plans that existed did not prevent that outcome.
Under SM&CR, senior managers have responsibility not just for how the firm operates day to day but for how it would behave under stress. A wind-down plan that has never been tested, is not connected to live financial data, and has not been reviewed following material changes to the business is not a plan the responsible senior manager can genuinely stand behind. It is a document.
CASS 15’s requirement for a resolution pack – the documentation needed to return funds to clients in an insolvency – brings this into sharper focus. That pack needs to be accurate, current and retrievable quickly. Keeping it current is not a one-off task; it is an ongoing governance responsibility. Someone owns it. Under the new framework, that ownership should be clearly documented, and the individual who owns it should be able to demonstrate they have exercised active oversight – not just signed off a document that was then filed away.
The Board’s Role
Individual accountability and board oversight are connected, not interchangeable. The designated senior manager carries personal responsibility under SM&CR. But the board carries collective responsibility for the governance framework within which that individual operates and CASS 15 is explicit that the board must formally approve the safeguarding policy.
That approval should not be a rubber stamp. A board that approves a safeguarding policy without understanding what the daily reconciliation process involves, what a material discrepancy is defined as, or what the escalation path for a breach looks like, has not exercised meaningful oversight. The FCA has been clear across multiple contexts that it expects boards to challenge, not merely receive.
For payment firms where safeguarding governance has historically sat below board level – treated as an operational matter rather than a strategic and governance one – CASS 15 requires a reorientation. The board needs to be engaged, informed and on record as having exercised genuine oversight. In the event of a failure, that record – or its absence – will matter.
Final Thought
The operational requirements of CASS 15 have received considerable attention since PS25/12 was published. The governance and accountability requirements have received rather less. That imbalance is worth correcting.
Getting the reconciliation process right is necessary. So is getting the governance right – because when things go wrong, the FCA will look not just at what failed operationally, but at who was responsible, what oversight they exercised, and whether the accountability structures that were supposed to prevent the failure were real or nominal.
For firms that have designated a senior manager for safeguarding, the next question is whether that designation is backed by the information flows, escalation paths and board engagement that make it meaningful.
Get in touch 📧 Email: info@lhiconsult.com | 📞 Phone: +44 203 319 5147 | 🌐 Contact us
