Blog
Custody

The FCA's safeguarding regime: what to do before May 2026

On 7 May 2026, the FCA's Supplementary Regime for payment and e-money institutions comes into force. The regime introduces the most significant changes to safeguarding rules since the Payment Services Regulations 2017. For platforms that hold client funds, whether directly or through custodial arrangements, the compliance requirements are specific, prescriptive, and urgent. There is no phase-in period. All requirements apply from day one.

The motivation behind PS25/12 is not abstract. The FCA found that payment firms that failed between 2018 and 2023 had an average shortfall of 65% in funds owed to clients. Customers recovered 35 pence per pound on average. The proportion of UK consumers using non-bank payment firms rose from 1% in 2017 to 12% in 2024, and e-money institutions were safeguarding approximately £26 billion by 2024, more than double the £11 billion held in 2021.

The market has grown substantially. The safeguarding infrastructure has not. The new rules are designed to close that gap. They apply to all FCA-authorised payment institutions and electronic money institutions, with limited exemptions. The key new requirements include:

  • Daily reconciliation of safeguarded funds, replacing previous guidance-based approaches with mandatory, enforceable rules.
  • Resolution packs maintained as living documents, enabling insolvency practitioners to locate and return client funds without relying on internal systems.
  • Prescribed safeguarding acknowledgement letters with mandatory verification, retention, and annual review.
  • A named senior manager personally responsible for safeguarding, with board-level approval of the safeguarding policy.
  • Annual safeguarding audits conducted by a qualified statutory auditor, under a new CASS 15 auditing standard.
  • Monthly regulatory returns covering reconciliations, safeguarding methods, amounts held, shortfalls, and breaches.

The cumulative effect is a compliance architecture that must be always-on, not periodic. This is the closest the UK payments sector has come to a CASS-style regime for client funds.

Daily reconciliation and resolution packs

Payment firms must now perform reconciliation at least once per "reconciliation day," a new definition that formally excludes weekends, bank holidays, and days when relevant foreign markets are closed. The previous practice of periodic or weekly reconciliation will no longer satisfy regulatory expectations. Firms must maintain accurate records that distinguish safeguarded funds from other funds at all times.

Each firm must maintain a resolution pack: a living document containing current reconciliations, contracts, safeguarding account details, executed acknowledgement letters, and lists of agents and distributors involved in safeguarding. This pack must be reviewed at least annually and kept current at all times. Its purpose is direct: if the firm fails, an insolvency practitioner should be able to identify, locate, and return client funds without relying on internal systems that may no longer function.

Prescribed safeguarding acknowledgement letters are now mandatory. Firms must verify the signatory's authority, retain letters for five years after account closure, and review them annually. According to Proskauer's analysis, insurance policies used for safeguarding can only be cancelled for non-payment with 90 days' notice to both the firm and the FCA. The regime treats insurance-based safeguarding as inherently fragile and requires tight management.

Senior management accountability and audit

A named senior manager must be personally responsible for safeguarding. Board-level approval of the safeguarding policy is mandatory, including defining what constitutes a "material discrepancy" in safeguarded funds. This is not a compliance task that can be delegated to operations without senior oversight. The FCA has made clear that it expects safeguarding governance to sit at the highest level of the firm.

Most authorised payment institutions and EMIs must arrange annual safeguarding audits conducted by a qualified statutory auditor. The FRC is developing a new CASS 15 auditing standard, expected before the May 2026 implementation date. Firms that have safeguarded under £100,000 over a rolling 53-week period are exempt. The first audit report must be submitted within six months of the period end, then within four months in subsequent years.

New monthly returns to the FCA will cover reconciliations, safeguarding methods, amounts held, shortfalls, breaches, and details of safeguarding accounts. This represents a fundamental shift from periodic oversight to continuous monitoring. The FCA gains ongoing visibility into how firms hold client money, rather than discovering problems after insolvency. Auditor capacity is expected to be a constraint as the implementation date approaches.

What this means for platform infrastructure

For platforms operating on pooled account structures, the compliance burden is particularly heavy. When client funds sit in omnibus accounts tracked by internal ledgers, every reconciliation requires matching ledger entries against bank-held balances. Every discrepancy requires investigation. Every audit requires the auditor to verify that ledger-based tracking accurately reflects actual fund positions. The complexity scales poorly as the platform grows.

Named account structures reduce this burden by design. When each client's funds sit in a distinct named custody account, the reconciliation question simplifies from "do our internal ledger entries match the bank's aggregate balance" to "does each account hold what it should." The resolution pack becomes a list of named accounts rather than a complex ledger reconstruction. The audit becomes a verification of account structures rather than an interpretation of internal databases.

The EU is moving in parallel

The UK is not acting alone. PSD3, expected to take effect in the EU by 2027, requires funds to go directly into safeguarding accounts at receipt with no commingling. MiCA introduces separate safeguarding requirements for e-money tokens. As A&O Shearman's 2026 payments outlook notes, cross-border firms will need to design safeguarding frameworks that satisfy both the UK's trust-based approach and the EU's strict segregation model simultaneously.

The FCA has paused the Post-Repeal Regime, which would introduce a full statutory trust framework, stating it will review implementation once a full audit period has been completed under the Supplementary Regime. HM Treasury has separately launched an independent review of the Payment and Electronic Money Special Administration Regime (PESAR) to assess whether insolvency procedures are delivering for consumers. The direction is clear: safeguarding requirements will continue to tighten on both sides.

For platforms serving clients across jurisdictions, the infrastructure question is increasingly urgent. A custody architecture that satisfies the FCA's requirements by design, with structural segregation, daily reconciliation capability, and auditable account structures, will also position platforms well for PSD3 compliance when it arrives. Building for the stricter regime satisfies both automatically.

Preparing for 7 May 2026

The deadline is less than two months away. Platforms should be working through a specific preparation checklist:

  1. Verify that daily reconciliation processes are operational and produce accurate, real-time views of client fund positions across all safeguarding accounts.
  2. Complete the resolution pack: current reconciliations, contracts, safeguarding account details, executed acknowledgement letters, and agent/distributor lists.
  3. Designate a named senior manager with personal responsibility for safeguarding, and secure board-level approval of the safeguarding policy.
  4. Engage a qualified statutory auditor. Capacity constraints are expected, and firms that have not yet secured an auditor should do so urgently.
  5. Build monthly return capability: structured reporting covering reconciliations, safeguarding methods, amounts held, shortfalls, and breaches.
  6. Review custody architecture against the new standards. Platforms on pooled accounts should assess the reconciliation and resolution burden under the new regime and evaluate whether structural segregation reduces compliance cost.

Platforms that rely on correspondent banking for multi-currency clearing should verify that their custodial arrangements meet the new standards. Platforms considering new markets should factor safeguarding infrastructure into their expansion planning from the outset, particularly given the parallel regulatory trajectory in the EU under PSD3 and the convergence with the US GENIUS Act's custody requirements for stablecoin reserves.

Lorum provides custody infrastructure designed for this regulatory environment. Named accounts, structural segregation, and cash management infrastructure across 30+ markets, built for compliance as a feature of the architecture rather than a layer applied after the fact. The Supplementary Regime takes effect on 7 May 2026. The preparation window is measured in weeks, not months.

Author image
Jelle van Schaick
January 9, 2026

Enter new markets with 
speed and certainty

Speak with our team to power local settlement and custody accounts in your next market
Contact sales
API Platform
Horizontal beige ridged texture fading to white towards the top.

Read more

Blog post thumbnail image

Clearing infrastructure for payroll and EOR platforms

Platform guides
Blog post thumbnail image

Clearing infrastructure for PSPs and payment platforms

Platform guides
Blog post thumbnail image

Nostro, vostro, loro: how clearing accounts shape settlement outcomes

Clearing
View all