Safeguarding Without Surprises: Roles, Reconciliations and Control Evidence 

Author: Joel Bailey, Consultant

Safeguarding is the core consumer protection mechanism for protecting  Authorised Payment Institutions (APIs) and Electronic Money Institutions (EMIs), collectively ‘payments firms’, to keep the “relevant funds” of their customers safe. In particular, the Financial Services Compensation Scheme (FSCS) does not protect customer funds held by payments and e-money firms in the same way as deposits held by banks.  

The regulatory requirements for payments firms’ safeguarding obligations are set out in the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs ), and the guidance outlined in the FCA’s Approach Document, which remains the primary reference for how the regulator expects firms to interpret and implement these obligations. 

However, the regulator has taken significant steps to strengthen safeguarding measures for payment firms.  Following an extensive consultation, PS25/12 introduces a new supplementary safeguarding regime and an approach more akin to a CASS-like standard of control, evidence and supervisory visibility (with key requirements taking effect from 7 May 2026).  

This comes after various firms have faced enforcement action by the regulator for issues related to the safeguarding of customer funds. This has also been exacerbated by a number of firm failures, resulting in  disorderly wind-downs, and  customers not always receiving their full entitlement to “relevant funds”. This is something the regulator is keen to minimise with the new changes. This leads nicely into the next part of my article, which outlines what payment firms safeguarding customer funds need to demonstrate.  

What Firms Safeguarding Customer Funds Need to Demonstrate (Operationally and Evidentially) 

A safeguarding framework should answer four fundamental questions, with firms able to provide evidence of the answers in a repeatable way: 

1. Which funds are safeguarded?
   Define “relevant funds” precisely for your model. Where firms operate mixed models, the FCA expects clarity (and in practice, separation) between funds safeguarded for e-money issuance and funds handled for unrelated payment services.  
2. When are they safeguarded?
   Be explicit on timing and frequency. PS25/12 reinforces that safeguarding needs to be timely and evidence-based, particularly where there are settlement lags, cut-off times or third-party dependencies.  
3. How are they safeguarded?
   For segregation models, the FCA now expects stronger control evidence around safeguarding accounts, how they are labelled/treated, and how the firm ensures the safeguarding protection works in practice (including effective CASS acknowledgement letter governance).  
4. What happens when something goes wrong?
   “Safeguarding without surprises” means you have a documented playbook and audit trail for shortfalls, potential commingling, late settlement, file errors, ledger mismatches, third-party data delays, outages, and how issues are escalated, funded, and closed. First port of call is the ‘CASS Resolution Pack’. 

What the New Regime Changes in Practice (PS25/12) 

While safeguarding has always been a core obligation for payments firms, the direction of travel is now clear: repeatable controls, evidence and effective retrievability. 

Reconciliations become a defined, testable control. 

PS25/12 introduces more prescriptive expectations for safeguarding reconciliations, including “reconciliation day” concepts and clearer guidance on how shortfalls are identified and remedied. I know from experience that this is something the industry has long been seeking clarity on, i.e., what constitutes a business day and how often to reconcile funds. It is good that the regulator has taken steps to listen to industry stakeholders.  

FCA expects “control evidence” on demand 

Firms are required to maintain a CASS Resolution Pack and be able to retrieve it within 48 hours (for the firm, an insolvency practitioner, or regulators on request).  

This drives a shift from “policy in a folder” to a living operational pack. Again, from my experience with payments firms, I have often seen them face challenges in this area. Particularly, where there appears to be a slightly less mature prudential and/or monitoring culture, compared to more established investment firms. 

Stronger governance over safeguarding arrangements and third parties 

PS25/12 strengthens expectations around the selection, oversight and periodic review of third parties holding/insuring relevant funds, including diversification considerations. 

Acknowledgement letters  

Firms must use prescribed templates, keep them accurate, review them at least annually and replace them promptly when details change. Despite the previous template provided by the FCA firms, those entering the application process will now need to ensure they can provide CASS acknowledgement letters compliant with the new rules.  

Poor Practice Patterns We Still See (and that PS25/12 may expose) 

• Generic safeguarding policies that do not reflect the actual flow of funds or define relevant funds by product/service line.  
• Reconciliations described but not operationalised: unclear sources of truth, no evidence of maker-checker or consistent sign-off.  
• No exception playbook or inability to demonstrate how shortfalls are funded, escalated and closed within defined timelines.  
• Over-reliance on third parties without documented due diligence, ongoing oversight or an evidence trail.  
• Acknowledgement letters are treated as “one and done”, rather than governed documents that must be kept accurate and current.  
• No resolution pack readiness or inability to retrieve documents and evidence quickly under stress.  

What Good Looks Like Now 

Flow-of-funds clarity
A clear diagram and narrative covering: 

1. Receipt of funds 
2. ledger posting  
3. safeguarding movement  
4. reconciliation  
5. sign-off 
6. exception handling (where applicable). 

Reconciliation design that stands up to scrutiny
Documented reconciliation points, frequency, tolerances, maker-checker controls, sign-off and clear remediation steps for breaks and shortfalls.  

A live exception playbook
Defined triggers, escalation thresholds, ownership and a documented process for remediation and reporting.  

Third-party governance and acknowledgement letter discipline
Evidence of selection rationale, periodic review and maintained acknowledgement letters.  

Resolution pack readiness
A living pack that is accurate, complete, and demonstrably retrievable within the required timeframe.  

Prescribed Responsibility 

A senior manager with sufficient skills and experience must be appointed to oversee the firm’s safeguarding compliance and report to the Board accordingly. 

Audits for all 

In addition to EMIs, all APIs are now required to commission an annual audit of their safeguarding arrangement, to be undertaken by a suitably qualified statutory audit firm. This is a significant regulatory shift compared to the previous regime and will no doubt increase the risk of regulatory scrutiny for various firms.  

What Firms Should be Doing Now 

• Stress-test safeguarding against the actual operating model (including product-by-product relevant funds definitions).  
• Run a safeguarding reconciliation dry-run and produce an evidence pack as if it were being reviewed.  
• Implement and test your exception handling process (desktop testing is a quick win).  
• Ensure acknowledgement letters and third-party oversight are governed and auditable.  
• Build and test resolution pack retrieval capability.  

How Complyport can Help 

To support firms prepare for the PS25/12 supplementary regime, we’ve developed a Safeguarding Gap Analysis Tool designed to provide a structured, regulator-aligned view of readiness. 

In practical terms, the tool helps clients to: 

• Map safeguarding controls and evidence against PS25/12 expectations and the relevant CASS 15 requirements; 
• Identify gaps across the full lifecycle (relevant funds definition, safeguarding method, reconciliations, exceptions, third parties, resolution pack);  
• Produce a clear implementation roadmap prioritised by regulatory risk and operational effort; and 
• Support internal governance with a board-ready safeguarding readiness report and training for key stakeholders. 

If you would like to see the tool in action, we can provide a short walkthrough using a sample reconciliation/evidence pack and demonstrate what “good” evidence looks like under the new regime. 

Contact Complyport today to arrange a meeting with one of our Subject Matter Experts and ensure your safeguarding framework is fully aligned with upcoming regulatory expectations. 

General information only — safeguarding requirements and implementation approach depend on the firm’s model and regulatory status. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat