The FCA believes that some payments firms do not currently have sufficiently robust safeguarding practices. This poses a risk of harm to consumer and market integrity that the FCA is seeking to mitigate. The FCA previously consulted on making changes to the current regime in two stages: ‘interim rules' (the Supplementary Regime) and ‘end-state rules' (the Post-Repeal Regime). It has now published a policy statement setting out its responses to the consultation feedback on its proposals and the final rules and guidance for the Supplementary Regime, which will come into force on 7 May 2026. For the time being, the FCA's final position on a number of key Post-Repeal Regime proposals (eg the requirement that all relevant funds and amounts paid out under a guarantee or insurance policy be protected via a statutory trust) remains unknown and will depend on ‘if and when' it progresses to implementation of this second reform phase.
Of particular interest to: Authorised payment institutions (PIs) and e-money institutions (EMIs), small EMIs, credit unions issuing e-money in the UK under the PSRs and EMRs, small PIs opting in to safeguarding requirements, EEA firms in supervised run-off under the financial services contracts regime (FSCR).
Chapter 1
What should firms be thinking about?
- The implementation period for the Supplementary Regime has been extended from 6 to 9 months, with the new rules and guidance and related amendments to the Payment Services and Electronic Money Approach Document (the Approach Document) now coming into force on 7 May 2026.
- While largely representing an enhanced “BAU” for firms already subject to the current safeguarding regime, the changes being introduced under the Supplementary Regime are still likely to impact firms’ day-to-day operations significantly, including in terms of technological, legal and financial adjustments.
- Relevant payments firms will have to comply with requirements which will need to be incorporated into compliance processes – including:
- daily internal and external safeguarding reconciliations (although these now won’t need to be performed on weekends, bank holidays, or days when relevant foreign markets are closed);
- monthly regulatory reports on safeguarding arrangements;
- maintenance of resolution packs;
- ensuring safeguarding arrangements remain appropriate and fit for purpose; and
- annual audits.
- In particular, systems and controls changes will be needed. The FCA itself acknowledges that the costs of some of its changes may mean that some firms exit the market. The extended implementation period of 9 months remains a potentially challenging timeline – especially for smaller payments and e-money firms.
- The FCA has considered feedback to its consultation and, among other things, it has aimed to make the final requirements more proportionate for smaller firms. Most notably, there will be an exemption from the annual safeguarding audit requirement for those firms safeguarding no more than £100,000 of relevant funds at any time over a period of at least 53 weeks).
- It appears the FCA is planning to reconsider some aspects of its Post-Repeal Regime proposals – and whether to proceed to the second stage at all.
- In the policy statement, the FCA refers in particular to many expressions of concern from respondents to the consultation about the impact of imposing a statutory trust and receiving relevant funds directly into a designated safeguarding bank account. It plans to consider these concerns post-implementation of the Supplementary Regime.
- The government has doubled down on its pro-growth agenda which includes an emphasis on reducing the regulatory burden for businesses (note, for example, its March 2025 Action Plan for regulators). Given that, as consulted on, the Post-Repeal Regime would represent a more significant departure from the current way of doing things and a divergence from the European requirements implemented to date, the possibility of an FCA re-think to ensure alignment with the government’s direction of travel would be welcome news for relevant firms – including those also subject to EMD2 and PSD2 in Europe.
- In any case, any further safeguarding changes would be some way off as the FCA won’t be revisiting the Post-Repeal Regime proposals until a full audit period has been completed following entry into force of the Supplementary Regime in May 2026. Any transition to the Post-Repeal Regime would obviously also be dependent on HM Treasury’s approach to revoking the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs).
Chapter 2
What’s the context for the policy statement?
The policy statement is part of the FCA’s work to strengthen the safeguarding regime and address weaknesses in current safeguarding practices by:
- Reducing shortfalls in safeguarded relevant funds;
- Ensuring that funds are returned to customers as cost-effectively and quickly as possible if a payments firm fails; and
- Developing the FCA’s ability to identify and intervene in payments firms that do not meet its safeguarding expectations to ensure these outcomes are met.
It follows the FCA’s September 2024 consultation on the safeguarding regime (see our previous article here), and sets out the FCA's final rules and guidance for the Supplementary Regime. The requirements do not apply to small PIs that have not opted-in to complying with safeguarding requirements or credit unions that do not issue e-money.
We have provided further details of some of the key points from the FCA’s response to the consultation feedback on the Supplementary Regime below.
Chapter 3
Improved books and records
The FCA’s new record keeping and reconciliation rules build on the existing guidance in Chapter 10 of the Approach Document. Changes include more detailed record-keeping and reconciliation requirements for safeguarding, building on existing guidance and similar to existing requirements in CASS 7 for investment firms, and a requirement to maintain a resolution pack, including requirements on the types of documents and records to be included.
Record keeping
The FCA has clarified that payments firms may use third party data for the purpose of creating and maintaining their internal records where no other method is reasonable.
Safeguarding reconciliations
Safeguarding reconciliations are required at least once each reconciliation day, rather than (as originally proposed) every business day. This excludes weekends, bank holidays and days on which relevant foreign markets are closed. There is now also additional guidance that:
- this does not prevent firms from deciding it is appropriate to perform a reconciliation on business days that are not reconciliation days due to the nature, volume and complexity of their business; and
- reconciliations are intended to check the accuracy of a firm’s books and records, rather than being used as the means to maintain books and records.
The internal safeguarding reconciliation rules have been simplified:
- The relevant funds deposit resource and requirement reconciliation has been replaced with a higher-level comparison of the relevant funds that should be held in relevant funds bank accounts, or as relevant assets in relevant assets accounts (the ‘D+1 segregation requirement’) against the balances of those accounts (the ‘D+1 segregation resource’).
- There is additional guidance emphasising that relevant funds received in respect of e-money must be safeguarded separately from those received for unrelated payment services. There must also be separate safeguarding reconciliations for each.
- Payments firms may use a non-standard method of internal safeguarding reconciliation where it follows certain steps set out in the rules. For example, there must be an independent auditor review and written report confirming the proposed method meets the firm’s obligations (separate from, and in addition to, the requirement for an annual auditor’s safeguarding report). However, firms will not be allowed to deviate from the requirements on frequency, regardless of the method of internal safeguarding reconciliation they use.
For external reconciliations, the rules have been amended to only require external reconciliations to be carried out on reconciliation days.
- There is additional guidance that, where possible, the records and accounts used for the external safeguarding reconciliation should relate to the same point in time as the reconciliation point(s) used for internal safeguarding reconciliations. Where this is not possible, firms should set out in their policies and procedures how they will ensure the external safeguarding reconciliations will achieve their purpose.
- The requirement to make and retain records of the decision on the frequency with which a firm will undertake external safeguarding reconciliations has been removed.
Resolution packs
The FCA has introduced the requirements on resolution packs largely as proposed. In response to some respondents’ concerns about the cost and proportionality of implementing and maintaining a resolution pack, it highlights a ‘living documents’-based resolution pack, which contains links to the latest versions of the relevant records, as a good example seen under CASS 10.
Chapter 4
Enhanced monitoring and reporting
Changes being introduced under the Supplementary Regime include a requirement to complete a new monthly regulatory return to be submitted to the FCA covering safeguarded funds and safeguarding arrangements. There is also a requirement to have compliance with safeguarding requirements audited annually, with the audit submitted to the FCA, and a requirement to allocate oversight of compliance with the safeguarding requirements to an individual in the firm.
Annual safeguarding audits
Noting industry concern over auditor capacity, the FCA has extended the timing of submission for the first audit from four to six months following the end of the payments firm’s first audit period. After this, auditors will be required to submit the audits within 4 months of the end of the period.
The FCA states that it is working closely with the Financial Reporting Council (FRC) on the introduction of an applicable auditing standard.
In the interests of proportionality, the FCA has removed the requirement for a limited assurance engagement where a payments firm claims not to have been required to safeguard relevant funds during the audit period. Guidance has instead been introduced to clarify that failing to safeguard relevant funds will usually be of material significance, so should be communicated to the FCA by statutory auditors under the existing notification requirements in regulation 24(3) of the PSRs and regulation 25(3) of the EMRs.
For small firms which safeguard funds, two changes have been introduced in the final rules and guidance:
- There will now be an exemption from the safeguarding audit requirement for firms safeguarding no more than £100,000 of relevant funds at any time over a period of at least 53 weeks. The FCA warns that it will monitor the use – and in particular any potential misuse - of this exemption once the rules come into force. Firms’ senior management will be responsible for determining, on a continuing basis, whether they fall within the exemption. If a firm is no longer exempt, a new auditor must be appointed.
- The FCA will not apply the audit requirement as guidance to safeguarding institutions that are not required to obtain an audit. In lieu of this, there is additional guidance that voluntarily arranging an audit may help ensure that such institutions meet their obligations to have adequate safeguarding arrangements in place.
Monthly regulatory return
Subject to some amendments following a pilot with a ‘representative sample’ of firms, the FCA has maintained the new requirement to submit a monthly regulatory return on safeguarding arrangements in the final rules. The requirement applies to smaller payments firms too as the FCA is concerned that an exemption for this rule would significantly reduce its ability to identify risks of harm.
The FCA will provide support to payments firms on how to complete the return during and after the 9-month implementation period.
Firms should note that the FCA plans to ‘actively use’ the data from the return to inform and focus its supervisory engagement, particularly in relation to firms at risk in a stress event.
Chapter 5
Strengthening elements of safeguarding practices
Aspects of the new Supplementary Regime include: additional safeguards where firms invest relevant funds in secure liquid assets; requirements to consider diversification of third parties with which a firm holds, deposits, insures or guarantees relevant funds that it is required to safeguard and due diligence requirements; and additional safeguards and more detailed requirements on how firms can safeguard relevant funds by insurance or comparable guarantee.
Segregation of relevant funds
The FCA has introduced the proposals on segregation of relevant funds largely as consulted on. This includes guidance on what payments firms should have regard to when considering whether diversification (or further diversification) is appropriate. It explains that it hasn’t provided more detailed guidance because of the large number of different business models in the sector.
Investing relevant funds in secure, liquid assets
The FCA confirms that firms will continue to be able to invest relevant funds in the same range of secure, liquid assets as they currently can. It has the ability to expand the range of approved assets and may consider whether any changes are necessary as part of the Post-Repeal Regime or in line with policy developments in other related areas.
Insurance and comparable guarantees
The FCA has introduced the proposed rules on insurance and comparable guarantees in the Supplementary Regime ‘without substantial change’.
Scope of safeguarding
The FCA has made a note of some queries that it received in relation to when safeguarding starts and ends. It will consider these points ‘if and when’ it progresses to the implementation of the Post-Repeal Regime. In addition, it will bring forward some guidance from the Post-Repeal Regime in the Approach Document, including the following:
- Clarifying that, for an inbound transaction, the obligation to safeguard relevant funds starts as soon as the funds are received by the institution, which will receive funds as soon as it has an entitlement to them.
- Clarifying that firms should ensure they do not use relevant funds that they are required to segregate to settle payments that are made before the funds received to make the payment have been safeguarded.
- Providing new guidance to the effect that where a foreign exchange transaction is carried out independently of any payment services, those funds do not have to be safeguarded. Where funds are treated in this way, the FCA expects to see evidence such as an instruction to return the funds to the customer.
Chapter 6
Transitional provisions
The FCA has added to the transitional provisions to facilitate implementation by:
- Not requiring firms to record why they chose to use third parties appointed before the end of the implementation period; and
- Allowing firms to continue to rely on acknowledgment letters obtained before the end of the implementation period in the form set out in the Approach Document. However, they will be subject to the rules on reviewing and replacing acknowledgement letters.
Chapter 7
Changes to the Payment Services and Electronic Money Approach Document
The FCA has also published the amendments it intends to make to the Approach Document when the final rules come into effect. These include:
- Consequential changes to avoid inconsistency with, or duplication of, the rules and guidance in the Supplementary Regime;
- Clarificatory changes to the guidance around when the safeguarding obligation starts and ends;
- Bringing forward from the Post-Repeal Regime some additional guidance on when the safeguarding obligation starts and ends (as set out above - see ‘Scope of safeguarding’).
Chapter 8
What about the Post-Repeal Regime?
The FCA states that, in relation to the Post-Repeal Regime proposals that it also consulted on in September 2024, it received a large amount of feedback on the impact of imposing a statutory trust and receiving relevant funds directly into a designated safeguarding bank account.
The FCA will consider these concerns alongside its review of the Supplementary Regime – which will be carried out once a full audit period has been completed after entry into force of the Regime - and whether it should progress to further consultation and implementation of the Post-Repeal Regime.
- The Supplementary Regime, and related amendments to the Approach Document, will come into force on 7 May 2026.
- The FCA will engage with industry throughout the implementation period to ensure a clear understanding of the new requirements, provide clarity where possible, and understand any initial impacts.
- The FCA is expected to further consider whether to progress the Post-Repeal Regime and, if necessary, consult again after the Supplementary Regime has come into force.
- As mentioned in the consultation, the FCA will also consider when it would be appropriate to consult on rules for when a payments firm fails and enters an insolvency procedure other than the Payments and Electronic Money Special Administration Regime (PESAR, which is not a compulsory regime for payments firms), and rules to mitigate the impact of the failure of a third party used for safeguarding purposes. In doing so, it will take into account the current government review of the PESAR, the implementation of the Supplementary Regime and any further rule changes.
