The CASS rules govern how firms must hold and protect customer money and assets. Up to now, the stricter CASS rules largely applied to investment firms (e.g. under CASS 7). But many electronic money institutions (EMIs) and firms under the Payment Services Directive (PSD firms) had lighter obligations.
With CASS 15, the FCA is closing that gap. As of 7 May 2026, EMIs and PSD firms will need to follow significantly tougher safeguarding rules—bringing their obligations closer to those for investment firms.
Why this change? The FCA wants better protection of customer funds, more transparency, and earlier detection of problems. It also wants to reduce the chance that firm failures leave customers scrambling to recover money. The new rules impose auditing, reconciliation, reporting, and failure-planning obligations that many EMIs/PSD firms haven’t faced before.
Key new rules under CASS 15
Annual audits by qualified auditors
- Before, many EMIs/PSD firms were not required to have CASS-style audits. Under CASS 15, an independent audit of safeguarding systems is mandatory annually (for those above a threshold).
- The audit must be done by a qualified, regulated auditor. The audit should check that the firm’s books and records properly show the client money held, and that the firm has good internal systems/controls to safeguard it.
- There’s an exemption, however: firms that never exceed £100,000 of “relevant funds” over a 53-week period may be exempt from the audit requirement. But even exempt firms are encouraged to do a voluntary audit to ensure proper controls.
Daily reconciliations / checks
• Firms will need to carry out daily safeguarding reconciliations. The idea is to check each “reconciliation day” (rather than every single business day) whether the money they should be holding (the “requirement”) matches what they actually are holding (the “resource”).
• If the “resource” is less than the “requirement,” the firm must act to fix the shortfall.
• Firms must document and explain how they plan to meet those obligations in internal policies and procedures.
• Also, as part of these requirements, firms must create and maintain a resolution pack. This is a set of documents that explains: where the safeguarded funds are held, who the firm’s agents or distributors are, how funds move, and how clients’ money would be returned if the firm fails.
Monthly reporting to the FCA
• Under CASS 15, EMIs and PSD firms must report monthly to the FCA on how much client money they are safeguarding.
• This reporting must align with the new “D+1 segregation” standard (i.e. comparing what should be held vs what is held), discussed above.
• The aim is to give regulators ongoing, proactive insight into risks and to detect issues early.
Planning for failure / firm collapse
• The rules expect firms to have plans in place so that if they fail, customer funds can be returned swiftly and in an orderly manner.
• Firms should hold safeguarded funds in approved, secure, liquid assets so that those funds can be quickly accessed when needed.
• Part of this is showing that the firm will not use safeguarded funds to settle its own obligations.
What firms should do now to prepare
Although the new rules do not come into force until May 2026, firms should not delay preparation. The first step is to carry out an impact assessment to understand exactly which parts of the business will be affected. This should be followed by a gap analysis, highlighting where existing processes fall short of the new standards. For example, some firms who are not used to CASS-style audits, may lack strong reconciliation procedures, may not have a resolution pack in place or appropriate organisational and control arrangements. Others might find that their systems are not designed to produce the data required for daily checks or monthly reporting.
Once those gaps are clear, firms need to strengthen their processes and technology so they can meet the new demands. One important task is creating or updating a resolution pack. This document should include details of client money flows, the accounts used, agent arrangements, contracts, and internal procedures, as well as a clear plan for how customer funds would be returned if the firm fails. It should not be treated as a one-off piece of work but as a living document that can be updated regularly.
Another priority is engaging with a qualified auditor well ahead of time. Choosing an auditor who is experienced with CASS obligations will help ensure that the safeguarding audit runs smoothly and that reports can be submitted to the FCA within the required deadlines. Alongside this, firms must invest in training for staff so that compliance, finance, and operations teams fully understand the new obligations. Policies and procedures should be reviewed and updated so that safeguarding requirements are embedded into day-to-day operations rather than treated as a separate, box-ticking exercise.
Why this is a big shift (and what it means for customers)
For many EMIs and PSD firms, the safeguarding rules in the past were less demanding. CASS 15 represents a significant shift because it introduces far greater scrutiny and makes safeguarding an ongoing responsibility rather than an occasional check. Daily reconciliations, monthly reports, and annual audits will place these firms under a level of oversight that they have not experienced before. While this will require investment in systems, processes, and people, it is designed to create a stronger framework for customer protection.
From the customer’s perspective, the changes are positive. The new rules should ensure that their funds are safeguarded more carefully, with problems identified and corrected quickly. If a firm fails, the expectation is that money can be returned in an orderly and timely way, reducing uncertainty and loss. For firms, however, the risks of non-compliance increase significantly. Falling behind could expose them to regulatory intervention, fines, or even restrictions on their business. CASS 15 raises the bar for safeguarding standards and, while demanding, it is a step intended to strengthen trust and stability across the payments and e-money sector.
If these changes raise questions for your business, or if you’d like support in preparing for CASS 15 or require an independent qualified auditor to conduct a CASS 15 audit, our team is here to help. Get in touch with us today to discuss how we can guide you through the new safeguarding rules with confidence.
