Interim Guidance on Payment and E-money Safeguarding Assurance Engagements
The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.
© The Financial Reporting Council Limited 2026
The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered Office: 13th Floor, 1 Harbour Exchange Square, London, E14 9GE
1. Purpose and Scope
Context
1. The Financial Conduct Authority's (FCA's) changes to the safeguarding regime required by the Electronic Money Regulations 2011 (EMRs) and Payment Services Regulations 2017 (PSRs) introduce enhanced requirements for recordkeeping, reconciliations, and governance for payment and e-money institutions (firms). These enhancements respond to weaknesses identified in current safeguarding practices and are designed to reduce consumer harm while strengthening market integrity. Collectively, these changes are referred to as the Supplementary Regime, which includes amendments to the FCA's "Payment Services and Electronic Money – Our Approach" Document (Approach Document). The Supplementary Regime will come into force on 7 May 2026. Safeguarding auditors will play a critical role in providing assurance over compliance with these requirements. For the purposes of this Guidance, the legacy safeguarding regime refers to the safeguarding requirements set out in the EMRs and the PSRs, as they apply before the implementation of the Supplementary Regime on 7 May 2026.
Objective
2. This Interim Guidance establishes principles and provides guidance for auditors performing reasonable assurance safeguarding assurance engagements for firms subject to the safeguarding requirements during the “transition period”. The transition period is defined as the time between the FCA's Supplementary Regime rules coming into force on 7 May 2026 and the publication of a final assurance standard by the FRC, which is anticipated for H1 2027.
3. This Guidance has been developed with reference to the principles in the FRC's existing Client Asset (CASS) Assurance Standard. This does not preclude safeguarding auditors from applying other appropriate performance standards, such as ISAE (UK) 3000, during the transition period. However, this Guidance does not include reference material to support safeguarding auditors who elect to apply other appropriate performance frameworks. Safeguarding auditors should be aware that a dedicated performance standard annexed to the CASS Assurance Standard will apply to all safeguarding audits once issued. See Section 9 of this Guidance for further details of the future standard.
4. This Guidance supports safeguarding auditors in carrying out work to meet their obligations under the FCA's rules, and should not be interpreted as creating new requirements or a performance standard.
The objective of this Guidance is to:
- support high-quality assurance engagements during the transition period;
- promote consistency in approach across engagements;
- clarify the importance of professional judgement in determining the nature, timing and extent of procedures necessary; and
- support safeguarding auditors in applying an appropriate framework to provide assurance with respect to compliance with the FCA's safeguarding requirements.
5. The Guidance is intended for safeguarding auditors. It is not intended to serve as implementation guidance for firms or preparers.
Scope
6. This Guidance applies to engagements for firms that arrange an annual safeguarding audit under SUP 3A, including:
- Authorised payment institutions (excluding those providing only payment initiation or account information services);
- Authorised and small e-money institutions;
- Credit unions issuing e-money;
- Small payment institutions that have opted in.
7. Firms are exempt from the audit requirement if they have not been required to safeguard more than £100,000 of relevant funds at any time during a period of at least 53 weeks. Unlike certain existing CASS audits, they are not obliged to submit a limited assurance safeguarding audit report to the FCA and limited assurance does not form part of the safeguarding audit framework under SUP 3A.
8. Voluntarily arranging an audit remains permissible under the FCA's rules. As noted in SUP 3A.1.3G, firms that are exempt from the audit requirement must still maintain adequate safeguarding arrangements, and a voluntary safeguarding audit as a reasonable assurance engagement may help them demonstrate that those arrangements meet regulatory expectations.
9. The term "safeguarding audit" describes the work performed by a "safeguarding auditor" in providing a reasonable assurance safeguarding report to the FCA. Strictly, such engagements are assurance engagements rather than audit engagements; however, the terms "safeguarding audit" and "safeguarding auditor" are used because they are commonly understood expressions. The use of these terms is not intended to change the nature of the engagement to an audit.
10. This Guidance is intended as transitional support and does not replace or overrule applicable law or regulation. Safeguarding auditors are required to exercise professional judgement, in accordance with the applicable ethical and assurance frameworks, and may refer to principles in the CASS Assurance Standard where relevant. Safeguarding auditors may refer to paragraphs 37-39 of the CASS Assurance Standard.
11. The references to specific paragraphs of the CASS Assurance Standard included in this Guidance are intended to be illustrative and are not intended to be an exhaustive list. Safeguarding auditors should exercise professional judgement in determining which principles and provisions of the CASS Assurance Standard, or other appropriate frameworks, are relevant to the circumstances of each engagement.
12. This Guidance should be read alongside the FCA Handbook chapters CASS 15 and SUP 3A, regulation 23 of the PSRs and regulations 20-24 of the EMRs. Auditors may refer to the FCA's updated Approach Document for context on the EMRs and PSRs only.
13. Auditors may also refer to the FCA Handbook chapters CASS 10A and SUP 16.14A for additional details of the Supplementary Regime, although these chapters are outside the scope of the audit requirement under SUP 3A.
14. The latest version of extant FCA rules can be found on the FCA website at: https://www.handbook.fca.org.uk/.
2. Definitions
15. For the purposes of this Guidance, the relevant definitions are those set out in the FCA Handbook Glossary and in the EMRs and PSRs. This includes terms such as insurance or guarantee method, relevant funds, safeguarding institution, and segregation method.
16. The FCA's Approach Document contains additional definitions that may assist safeguarding auditors when interpreting safeguarding requirements. The “Definitions” section of the CASS Assurance Standard (paragraph 10) may also assist safeguarding auditors in interpreting principles from that Standard for payment and e-money safeguarding assurance engagements.
17. This Guidance does not reproduce those definitions. Safeguarding auditors must ensure they have the requisite knowledge of applicable FCA rules and the CASS Assurance Standard when applying this Guidance.
3. Ethical and Independence Considerations
18. Safeguarding assurance engagements for payment and e-money institutions are mandatory under the FCA's rules. Accordingly, these should be considered Public Interest Assurance Engagements and are subject to the FRC's Revised Ethical Standard (ES) 2024. Auditors must comply with relevant ethical and independence requirements, as these requirements are designed to protect auditor independence and apply whether or not the safeguarding auditor is also the firm's statutory auditor. Safeguarding auditors applying the CASS Assurance Standard should refer to the Ethical Requirements set out in paragraphs 22–23 of that Standard. Safeguarding auditors who elect to apply ISAE (UK) 3000 should refer to the Ethical Requirements set out in paragraphs 19-1-20 of that Standard.
19. The safeguarding auditor assesses whether those performing the engagement have appropriate competence and capabilities, including specialist knowledge of safeguarding requirements and the applicable legal and regulatory requirements. Where statutory auditors undertake these engagements, they ensure that the engagement team includes individuals with relevant expertise. Safeguarding auditors applying the CASS Assurance Standard should refer to the principles set out in paragraphs 24-26 and 35 of that Standard. Safeguarding auditors who elect to apply ISAE (UK) 3000 should refer to the principles set out in paragraphs 22-23 and 31-32 of that Standard.
4. Understanding Safeguarding Methods
20. The safeguarding auditor obtains an understanding of the firm's business model sufficient to ensure complete coverage and correct identification of relevant and non-relevant funds. This understanding encompasses the nature of services provided, sources and destinations of cash flows, and relationships with third parties. Safeguarding auditors may refer to paragraphs 11-13 of the CASS Assurance Standard on obtaining an understanding of the firm's business model and permissions.
21. The safeguarding auditor determines which safeguarding method the firm uses and evaluates whether its implementation aligns with FCA requirements and guidance. Safeguarding methods include:
- Segregation method: Holding relevant funds in a relevant funds bank account with an authorised credit institution or relevant assets in a relevant assets account with an authorised custodian.
- Insurance or comparable guarantee method: Arrangements that provide equivalent protection for relevant funds under an insurance policy given by an authorised insurer or a comparable guarantee given by an authorised credit institution. This method is a safeguarding approach specific to CASS 15.
22. Evaluating whether the firm's implementation aligns with FCA requirements may involve reviewing policies and procedures for compliance with CASS 15, SUP 3A, regulation 23 of the PSRs and regulations 20-24 of the EMRs, and considering whether arrangements meet requirements for liquidity, security, and prompt identification and return of relevant funds to customers in the event of failure. Safeguarding auditors may refer to paragraphs 40-41 of the CASS Assurance Standard on adopting compliance and insolvency mind-sets.
23. The safeguarding auditor assesses whether the firm's safeguarding arrangements are supported by adequate documentation and controls, including:
- Structure and operation of safeguarding accounts;
- Acknowledgement letters from banks or custodians confirming safeguarding status;
- Policies and procedures for record-keeping and reconciliations;
- Evidence that relevant funds are distinguished from other funds and can be determined without delay.
5. Third-Party Appointments
24. The safeguarding auditor assesses whether the firm has conducted appropriate initial and periodic due diligence on third parties that manage or hold relevant funds or assets. This assessment includes an evaluation of the firm's process for selecting banks, custodians, insurers or guarantors, and asset managers where applicable, and whether those entities meet FCA requirements. Safeguarding auditors may refer to paragraphs 100-110 of the CASS Assurance Standard for the principles of understanding outsourced/third-party arrangements and obtaining access as the auditor to sufficient appropriate evidence.
25. The safeguarding auditor assesses whether the firm has established and documented periodic reviews of third-party arrangements. The safeguarding auditor also assesses whether the firm has considered and, where appropriate, implemented diversification. This may include obtaining evidence of these reviews and confirming that decisions are consistent with the firm's safeguarding policy.
26. The safeguarding auditor inspects key documentation supporting safeguarding arrangements and evaluates whether these comply with FCA rules. This includes:
- Acknowledgement letters for relevant funds and assets from banks or custodians confirming safeguarding status;
- Insurance or guarantee terms meeting FCA criteria for coverage and enforceability;
- Contractual provisions ensuring timely auditor access to records and co-operation during the engagement.
27. Safeguarding auditors may refer to paragraphs 79-91 of the CASS Assurance Standard for guidance on principles which are directly relevant to inspecting safeguarding documentation and assessing compliance.
6. IT and Controls
28. To assess the risk of a firm failing to comply with the CASS 15 rules, the safeguarding auditor obtains an understanding of the firm's organisational arrangements and controls, including those in relation to the use of information technology. Safeguarding auditors may refer to paragraph 81 of the CASS Assurance Standard for the principles relating to the firm's control environment, including the expectation that the firm promotes a culture of honesty and ethical behaviour. Safeguarding auditors may refer to paragraphs 92–99 of the CASS Assurance Standard for the principles to consider when evaluating the design and implementation of internal control activities and determining an appropriate approach to testing their operating effectiveness.
29. The work required will vary depending on the complexity of the IT-dependent CASS controls and processes.
30. Where IT dependencies are identified, substantive procedures alone may not provide sufficient appropriate evidence. In such cases, the safeguarding auditor assesses the nature and extent of work required based on the complexity of the IT-dependent CASS controls. This may include performing reasonable assurance procedures, for example:
- Identifying the key IT systems and IT dependencies and subsequent IT General Controls applicable to the CASS 15 rules;
- Undertaking an assessment of whether those controls have been designed appropriately; and
- Obtaining evidence to ascertain that these controls have been implemented appropriately throughout the period, and operated effectively at the period-end date.
31. The safeguarding auditor obtains an understanding of the CASS 15 activities for which IT dependencies are relevant. This includes identifying all relevant IT applications, automated procedures, system-generated reports, queries, calculations, and any interfaces or data feeds used as part of the firm's internal control framework relating to the CASS 15 rules.
32. IT General Controls (ITGCs) will typically represent an important element of safeguarding assurance work. The safeguarding auditor may consider and evaluate controls in place such as access to applications and data, backup and recovery and incident management.
33. Where key IT services are outsourced, the safeguarding auditor obtains an understanding of the firm's arrangements with the outsourced providers and plans reasonable assurance procedures over the outsourced IT functions relevant to CASS 15 activities. This includes understanding and confirming the respective responsibilities of the firm and the provider through discussions with management and review of relevant documentation.
34. The safeguarding auditor may consider reviewing and relying on the outsourced service provider's System and Organisation Controls (SOC) Report. Where the safeguarding auditor determines that the level of detail provided is sufficient and reliance on the SOC Report is appropriate, the auditor is expected to assess the independence, skills, capacity and quality of work undertaken by the SOC Report provider, and document the assessment and conclusions reached in the audit file. Safeguarding auditors may refer to paragraphs 100–110 of the CASS Assurance Standard for principles on understanding outsourced arrangements and obtaining sufficient appropriate evidence.
7. Reconciliations and Record-Keeping
Records
35. The safeguarding auditor assesses whether the firm maintains records in accordance with CASS 15.8.3 and CASS 15.8.6, and is mindful of the overarching requirement in CASS 15.8.1R that the safeguarding institution establish, implement and maintain adequate policies and procedures to ensure compliance with the relevant funds regime. These rules require firms to keep records and accounts that enable them, at any time and without delay, to distinguish relevant funds from other funds, and to ensure the accuracy of the amounts held for clients. In determining whether relevant records are appropriate and sufficient, safeguarding auditors may refer to the definition of "CASS records" in the CASS Assurance Standard.
36. The CASS Assurance Standard does not include detailed requirements relating to specific CASS rules on records. Safeguarding auditors may refer to the guidance within the CASS Assurance Standard relating to records more broadly, as this can be applied to CASS 15 and, where relevant, to PSRs and EMRs.
37. In forming judgements, the safeguarding auditor adopts an insolvency mind-set to assess whether records would enable an insolvency practitioner to promptly identify, segregate and return relevant funds. Safeguarding auditors may refer to paragraph 41 of the CASS Assurance Standard on adopting an insolvency mind-set.
38. Safeguarding auditors may refer to paragraph 125 of the CASS Assurance Standard for guidance on adverse considerations, as this specifically highlights records. This should assist safeguarding auditors in forming an overall conclusion on the safeguarding audit.
39. The CASS Assurance Standard does not define what constitutes internal records. Safeguarding auditors should refer to the guidance provided in CASS 15 when forming a view on the records that a firm is required to maintain.
Reconciliations
40. The safeguarding auditor obtains an understanding of the firm's reconciliation processes and controls and assesses whether these are designed and operated in accordance with the requirements of CASS 15. This includes consideration of internal reconciliations (including the new D+1 internal safeguarding reconciliation), external reconciliations, and any non-standard reconciliation methods used under CASS 15.
41. The CASS Assurance Standard does not prescribe detailed testing procedures for specific CASS reconciliation rules. However, the principles in that Standard relating to risk assessment, design and operating effectiveness of reconciliation controls remain relevant when performing work under CASS 15, and where applicable, under the Payment Services Regulations (PSRs) and Electronic Money Regulations (EMRs). Safeguarding auditors may refer to paragraph 112 of the CASS Assurance Standard for guidance relating to testing of compliance at period end.
42. The new definition of “reconciliation day” introduced in CASS 15, which is not included in the CASS Assurance Standard and differs from the definition of “business day” used therein, needs to be understood when undertaking these engagements. The safeguarding auditor uses this understanding when designing audit procedures. Firms may choose to apply multiple reconciliation points on each reconciliation day and are required to document these and to perform each reconciliation at the same point(s) on each reconciliation day. Firms may also choose to perform reconciliations on business days which are not reconciliation days, for example on Saturdays, Sundays and UK public holidays.
43. Under CASS 15.8.37(b), the safeguarding auditor is required to provide an independent report offering reasonable assurance over a firm's use of a non-standard method for the internal safeguarding reconciliation. Safeguarding auditors may refer to paragraph 18 of the CASS Assurance Standard for detailed guidance on the approach to non-standard reconciliations which may be applied on an interim basis and paragraphs 164-171 for example reporting which can continue to be used as a template where relevant.
44. Safeguarding auditors may refer to paragraph 125 of the CASS Assurance Standard for guidance on adverse considerations, as this specifically highlights reconciliations. This should assist safeguarding auditors in forming an overall conclusion on the safeguarding audit.
45. Safeguarding auditors may refer to paragraphs 73-74 of the CASS Assurance Standard for the principles to take into account when considering the Monthly Safeguarding Return. Consistent with the treatment of other firm-submitted regulatory returns, such as the CMAR, the safeguarding auditor's responsibility is limited to considering the Monthly Safeguarding Return as part of their understanding of the firm and assessing whether it is consistent with other information obtained during the engagement.
8. Reporting Format and Templates
Audit reports
46. The FCA regime requires auditors to report on the relevant institution's compliance with the "relevant funds regime". This includes the relevant funds rules within CASS 15, as well as regulations 20-24 of the EMRs and/or regulation 23 of the PSRs (as applicable to the payment or e-money institution), until such time as this existing legislation is repealed and replaced. Further guidance on the FCA's approach to safeguarding can be found in Chapter 10 of the FCA's Approach Document, with an updated version to be published in May 2026 to reflect the implementation of the CASS 15 rules. As noted in Section 1 of this Guidance, the FCA's Approach Document may be referred to by safeguarding auditors for context on the EMRs and PSRs only. Safeguarding auditors are not required to report on compliance with it but it may provide a basis for exercising professional judgement in interpreting CASS 15 requirements. Safeguarding auditors may refer to paragraphs 111-125 of the CASS Assurance Standard when forming the opinion on compliance with the relevant funds regime.
47. In the first audit period, relevant institutions may elect to have their auditor submit a hybrid opinion which covers both the period covered by the legacy safeguarding regime (at regulations 20-24 of the EMRs and/or regulation 23 of the PSRs) as well as the period covered additionally by the rules in CASS 15 under the Supplementary Regime. The alternative would be to submit two separate opinions: one for the period ending 6 May 2026 and one for the period beginning on 7 May 2026. An illustrative opinion is provided in Appendix 1 of this Guidance.
Contents of a reasonable assurance auditor's safeguarding report
48. The content and wording of the Auditor's Safeguarding Report provided by the safeguarding auditor shall be as prescribed by the Rules of the FCA and follow the templates in SUP 3A Annex 1. Any deviations in content and wording beyond those provided for either in the FCA's template, or the wording in the illustrative example reports set out in Appendix 1 of this Guidance shall only be used with the prior agreement of the FCA. Safeguarding auditors may refer to paragraphs 126-136 of the CASS Assurance Standard when considering the contents of the reasonable assurance report.
49. As with existing CASS audits, the FCA expects the safeguarding auditor to prepare and submit a schedule of all breaches identified by the safeguarding auditor, the relevant institution or any third party. The Breaches Schedule is a structured table that sets out all breaches identified during the period. The concept of materiality does not apply with respect to breach reporting. However, the severity and significance of breaches, both individual and in aggregate, will remain relevant when considering whether to form a qualified or adverse opinion.
Institution and Auditor Responsibilities
50. As with existing CASS opinions, the safeguarding auditor is responsible for listing the breaches identified by any parties during the relevant period, in accordance with the SUP 3A breaches schedule requirements. This includes recording the relevant rule references and a description of each breach, including the provision(s) in the EMRs and/or PSRs, and/or rule(s) in CASS 15 that the breach relates to. This should also include, where applicable, any quantifying detail on the severity and duration of the breach, such as longest duration, highest value, average durations and values, and number of times specific breaches occurred.
51. The relevant institution is responsible for providing a response to each breach, including any relevant context and remedial actions taken. The auditor is not responsible for this column.
9. Transitional Considerations
52. CASS 15 introduces new safeguarding requirements for payment and e-money institutions within the CASS framework. Implementation is limited to the Supplementary Regime.
53. As the implementation date approaches, the transition to the Supplementary Regime may present complexity for firms and safeguarding auditors. This stems from overlapping legacy rules and new expectations from regulators and stakeholders. Key considerations for auditor behaviour and firm readiness are set out below.
Audit approach
54. Safeguarding auditors apply a balanced, risk-based approach that supports audit quality during transition. Considerations include:
- Planning: Time to review transitional arrangements as the implementation date approaches.
- Methodology: Maintaining an agile approach that reflects instances where existing rules remain permissible.
- Professional judgement: Using judgement to calibrate procedures appropriately in the circumstances.
55. To comply with the Supplementary Regime, firms are required to familiarise themselves with the new rules and guidance in CASS 15 and establish systems and controls. To support this, firms are expected to undertake structured internal assessments, such as a gap analysis of current safeguarding arrangements (including an assessment of existing controls) against the new rules, and to identify areas for enhancement. Firms should also ensure safeguarding risks are identified, assessed and documented, with risks accurately mapped to mitigating controls.
56. Audit methodology may include assessing the firm's gap analysis and supporting evidence (e.g., controls mapping) to determine implementation progress and audit readiness. The safeguarding auditor may find it helpful to review and challenge the gap analysis to confirm coverage of all relevant key controls, including IT controls. The firm's resolution pack, which is required under CASS 10A, may also provide relevant information on a firm's safeguarding arrangements during implementation.
57. Proactive, clear communication with firms is essential to understand where they are on their implementation journey. Early discussions on rule interpretations and intended implementations help avoid delays and support consistent application of the new assurance framework.
Interpretation of CASS 15
58. As set out in the Payments and Electronic Money (Safeguarding) Instrument 2025, the rules of the Supplementary Regime will be effective from 7 May 2026. From that date, firms are expected to have systems and controls in place for the Supplementary Regime, including: reconciliations, acknowledgement letters and annual safeguarding audit report submission.
59. Differences between the existing safeguarding approach and CASS 15 may add complexity for auditors and firms. The safeguarding auditor assesses whether the firm is compliant with the Supplementary Regime. Early engagement with the regulator and industry forums is encouraged to clarify interpretative questions.
Alignment with Existing Assurance Frameworks
60. Many firms and auditors are familiar with the CASS Assurance Standard and broader frameworks such as ISAE (UK) 3000. This provides a strong foundation for transitioning safeguarding audits into a CASS-style regime. Audit firms can leverage established CASS methodologies to support a consistent market approach.
61. The CASS Assurance Standard provides a structure for assessing compliance with CASS rules. It provides an obvious starting point for safeguarding audits, especially as the new safeguarding rules are included in the CASS Sourcebook within the FCA Handbook. Using the CASS Assurance Standard as the basis for safeguarding audits will permit auditors to leverage existing expertise and to prepare for the issuance of the new safeguarding appendix that will be incorporated into the Standard from 2027.
62. The CASS Assurance Standard sets out how auditors provide reasonable assurance to the FCA on two core areas:
- the adequacy of systems throughout the period; and
- compliance with relevant rules at period end, supported by a breaches schedule.
63. The CASS Assurance Standard also supports practitioners in addressing the following issues which may not be as prominent within other assurance frameworks:
Assurance Mindset
64. The CASS Assurance Standard reflects the more prescriptive requirements of the CASS regime when compared to other assurance frameworks such as ISAE (UK) 3000 in planning, execution and documentation, with a strong focus on controls (including IT controls), covering:
- assessment of design and implementation; and
- assessment of operating effectiveness.
65. Expectations for documentation are, as a result, higher, with emphasis on evidence supporting the existence and operation of controls. As noted above, the Standard has a dual focus on systems adequacy (throughout the period) and rule compliance (at period end). Procedures are designed to support this dual objective.
Risk-Based Audit Approach
66. Auditors identify key controls established by the firm that mitigate inherent and control risks to safeguarding relevant funds, and tailor procedures to the firm's risk profile. Robust documentation of the risk-based rationale and related conclusions is required by the CASS Assurance Standard.
Competency Expectations with the CASS Framework
67. Auditors are required to demonstrate:
- knowledge of the CASS rules (including CASS 15);
- understanding of the firm's business model, operational processes and funds flows;
- experience testing control design, implementation and operating effectiveness; and
- familiarity with insolvency implications and client asset risks.
68. Firms are also required to ensure team members receive formal training and can evidence required competencies before accepting an engagement.
Quality Control
69. Safeguarding auditors may refer to paragraph 137 of the CASS Assurance Standard for the principles relating to quality control, including the requirements for applying firms' quality management processes and the use of Engagement Quality Reviewers (EQRs) where appropriate. Assignment of EQRs is expected to enhance audit quality and support strengthened safeguarding oversight. Audit firms ensure the availability of technical specialists with sufficient experience to perform this role.
Reporting
70. Reporting under the CASS Assurance Standard is standardised across client asset audits and reflects the dual assurance focus. All breaches, regardless of materiality, must be reported in accordance with the FCA's rules. Extending this structure to safeguarding audits promotes clarity, comparability and a uniform approach to reporting compliance with CASS 15.
71. For payment and e-money firms, this shift will require updates to internal controls, documentation and governance to align with the evolving assurance landscape.
Timing of First Audit Submissions
72 Under the existing safeguarding regime, the FCA expected safeguarding audit reports to be submitted to the firm within four months of the reporting period end.
73 Under the Supplementary Regime, audit reports must be submitted to the FCA. For periods ending within 12 months after the new rules' implementation date (7 May 2026), the deadline is extended to six months after period end.
Example:
- For a safeguarding audit period 1 January 2026 – 31 December 2026, the report covering the period 7 May 2026 – 31 December 2026 is due 30 June 2027 (not 30 April 2027).
74 The maximum period covered by a safeguarding audit report is 53 weeks. Accordingly, the latest date for first audit report submissions subject to the new rules is 13 November 2027.
75 Following the first submission after implementation, the deadline reverts to four months after period end.
Short Audit Periods
76 Short audit periods may arise where new rules take effect mid-cycle. Firms may request assurance over split periods, provided each period covers no more than 53 weeks.
77 Example (year end 31 December 2026):
- Two report approach:
  - 1 January 2026 – 6 May 2026 under the legacy safeguarding regime and existing assurance framework; and
  - 7 May 2026 – 31 December 2026 under the relevant funds regime.[2]
- Hybrid opinion:
  - One opinion covering 1 January 2026 – 6 May 2026 under the legacy safeguarding regime and 7 May 2026 – 31 December 2026 under the relevant funds regime.[2]
Future Standard
78 The FRC intends to develop an appropriate standard for safeguarding auditors, and issue it following a public consultation. The final standard will be issued as an appendix to the existing FRC CASS Assurance Standard and the consultation will be limited to this new appendix. There is no intention to revise the CASS Assurance Standard. The new standard will align with the principles in the CASS Assurance Standard, adapted for payment and e-money safeguarding engagements.
79 The anticipated timeline for issuance is as follows:
- Release of Exposure Draft for public consultation: Winter 2026.
- Final Appendix: Expected publication in Spring 2027.
80 The application timeline is as follows:
- The FCA's Supplementary Regime rules come into force on 7 May 2026.
- This interim guidance applies during the transition period and remains in effect until the appendix becomes effective.
- Firms must submit their first safeguarding audit within six months of the end of the first audit period, and subsequent audits within four months thereafter. Safeguarding auditors should refer to FCA Handbook SUP 3A for audit timing requirements.
10. Appendix 1
Illustrative opinion in a reasonable assurance report on safeguarding
81 The CASS auditor has determined that breaches identified on the breaches schedule do not provide evidence of systemic weaknesses in the system of internal control and that therefore its opinion on the maintenance of systems during the period should be qualified in "except for" terms. This breach was corrected before the period end.
82 Independent auditor's report on safeguarding to the Financial Conduct Authority in respect of [institution name], firm reference number [number], for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy]
Part 1: Auditor's Opinion on Safeguarding
83 We report in respect of [institution name] ("the institution") on the matters set out below for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy] ("the period").
84 This report covers the period from [dd/mm/yyyy] to 06/05/2026 during which the firm was subject to only the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (together, the "legacy safeguarding regime"), as well as the period 07/05/2026 to [dd/mm/yyyy] during which the firm was subject to the relevant funds rules within CASS 15, the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (together, the "relevant funds regime").
85 Our report has been prepared as required by SUP 3A.9.1R and is addressed to the Financial Conduct Authority ("the FCA") in its capacity as regulator of payment institutions and electronic money institutions under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011.
Basis of opinion
86 We have carried out such procedures as we considered necessary for the purposes of this report in accordance with [specify Standard/Guidance used] issued by the [specify organisation name].
87 This opinion relates only to the period, or as at the date, specified. The opinions do not provide assurance in relation to any future period or date as changes to systems or controls subsequent to the date of this report may alter the validity of our opinions.
88 [Unmodified/Qualified/Adverse] opinion on adequacy of systems during the period [dd/mm/yyyy] to [06/05/2026]
89 In our opinion, [the institution has maintained] [except for.... as described in item x of the attached breaches schedule, the institution has maintained] [Because of....the institution did not maintain] systems adequate to enable it to comply with the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (together, the "legacy safeguarding regime") throughout the period since [the last date at which a report was made] [the institution was authorised or registered].
[Unmodified/Qualified/Adverse] opinion on adequacy of systems during the period [07/05/2026] to [dd/mm/yyyy]
90 In our opinion, [the institution has maintained] [except for.... as described in item x of the attached breaches schedule, the institution has maintained] [Because of....the institution did not maintain] systems adequate to enable it to comply with the relevant funds regime throughout the period since [the last date at which a report was made] [the institution was authorised or registered] [the institution became subject to SUP 3A.10 and we, its auditor, became subject to SUP 3A.9].*
[Unmodified/Qualified/Adverse] opinion on adequacy of systems at period end date
91 [The institution was] [Except for...the institution was] [Because of....the institution was not] in compliance with the relevant funds regime as at the period end date.*
Other matters
92 The report should be read in conjunction with the Breaches Schedule that we have prepared, and which is appended to it.
[Signature of the partner/individual with primary responsibility within the audit firm] [Typed name of signing individual] for and on behalf of [Name of audit firm] Date [Registered office] [Date of report]
Part 2: Identified breaches that occurred during the period
BREACHES SCHEDULE
[Institution name], FCA reference number [number], for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy]
In accordance with SUP 3A.9.13R, Columns A to D have been completed by and are the responsibility of the auditor. In accordance with SUP 3A.10.1G, Column E has been completed by the institution. The auditor has no responsibility for the content of Column E.
| Column A | Column B | Column C | Column D | Column E |
|---|---|---|---|---|
| Item No. | Regulation or Rule Reference(s) | Identifying party | Breach Identified | Institution's Comment |
| 1 | | | | |
[1] FCA, Payments and Electronic Money (Safeguarding) Instrument 2025
[2] Safeguarding auditors may refer to relevant principles from the CASS Assurance Standard, where appropriate to safeguarding engagements.