The publication of the Financial Reporting Council’s (FRC) interim guidance on safeguarding audit engagements marks a pivotal moment for the UK payments and e-money sector. At its core, the guidance issued by the FRC is intended to bridge a gap. While a formal, bespoke safeguarding audit standard remains some way off, the regulator has recognised the immediate need for consistency and rigour in how auditors approach these engagements. The result is a principles-based framework that draws heavily on existing audit standards, most notably the CASS Assurance Standard and ISAE (UK) 3000.
Many payments and e-money firms will argue that publication is long overdue, given the FCA’s strengthened safeguarding regime comes into force on 7 May 2026 and introduces a more prescriptive and outcomes-focused approach to how firms protect customer funds. The requirement for an annual safeguarding audit, coupled with enhanced expectations around reconciliations, record-keeping, and resolution planning, represents a step change for many firms.
New Players
Crucially, these safeguarding audits are no longer open to consulting firms such as Complyport. The Financial Conduct Authority (FCA) has been explicit that such engagements must be undertaken by statutory audit firms, i.e. firms eligible to perform statutory audits under UK company law. This is a deliberate choice. By limiting safeguarding audits to the statutory audit profession, the FCA is seeking to ensure a baseline level of independence, technical rigour and regulatory accountability.
However, this requirement may introduce a challenge for payments firms: not all statutory auditors are equally equipped to perform safeguarding audit engagements. The payments and e-money sector has unique characteristics (high transaction volumes, complex reconciliation flows, reliance on third-party institutions, and evolving regulatory expectations) that sit outside the traditional financial statement audit comfort zone, which is why consulting firms were so well-placed to undertake them.
As such, firms must undertake a robust assessment of auditor capability (and capacity) across the audit firm. This includes evaluating whether the audit firm has:
- Demonstrable experience in payments or e-money safeguarding;
- A clear methodology aligned to ISAE (UK) 3000 and the FRC guidance;
- Sufficient technical understanding of the new safeguarding rules and FCA expectations;
- The ability to test high-volume, data-driven reconciliation environments; and
- Appropriate resourcing and specialist support, particularly in IT and controls testing.
In practice, this may lead some firms to reconsider long-standing audit relationships. A statutory auditor that is well-suited to a relatively straightforward financial statement audit may not necessarily have the depth of expertise required for a safeguarding engagement. Conversely, firms with specialist payments experience may be better placed to deliver a robust and efficient audit, even if they are not the incumbent statutory auditor.
The risks of getting this wrong are material. An underpowered or inexperienced auditor may fail to identify weaknesses, leading to a false sense of assurance and potential regulatory exposure. Equally, a poorly executed audit can result in delays, rework, and increased scrutiny from the FCA. In a regime where the output is a formal audit report and Opinion submitted to the regulator, the credibility and quality of the auditor are critical.
Same Old, Same Old?
One of the most important clarifications in the FRC guidance is the nature of the engagement itself. A safeguarding audit is positioned as an engagement akin, in many respects, to a statutory audit. Auditors are expected to obtain sufficient appropriate evidence, apply professional scepticism, and reach a positive opinion on whether firms have both designed and operated effective safeguarding arrangements throughout the period under review.
Under this framework, the emphasis shifts decisively to whether those controls are effective in practice. It is not enough to have a reconciliation process; it must be timely, accurate and consistently applied. It is not enough to segregate funds; firms must be able to evidence that segregation remains robust under stressed conditions, including insolvency scenarios.
The scope of the engagement reinforces this point. Auditors are expected to examine a broad range of areas, including:
- Segregation of customer funds;
- Integrity of internal and external reconciliations;
- Adequacy of books and records; and
- Effectiveness of governance and oversight.
Increasingly, attention will also fall on CASS Resolution Pack readiness, an area that has gained prominence as the FCA seeks to ensure that customer funds can be returned quickly in the event of firm failure.
This last point is particularly important. Safeguarding is no longer viewed purely as a preventative control; it is also about ensuring orderly outcomes when things go wrong. The inclusion of resolution planning within the assurance scope underscores the regulator’s focus on end-to-end consumer protection.
Warts and All
Another notable (and, in my opinion, controversial) feature of the guidance is its treatment of materiality. Unlike a financial statement audit, where quantitative thresholds often drive the assessment of materiality, safeguarding audits adopt a more qualitative, consumer-centric approach.
Even relatively small discrepancies may be significant if they indicate systemic weaknesses or could impact customer outcomes. For firms, this raises the bar considerably. Minor reconciliation breaks, delays in resolving differences or gaps in record-keeping may all attract scrutiny.
The guidance also highlights key risk areas that auditors are expected to prioritise. These include incomplete or inaccurate records, weaknesses in reconciliation processes, failures in segregation and over-reliance on third parties such as banks or custodians. None of these are new risks, but their explicit articulation in an audit context signals a more structured and consistent challenge from auditors going forward.
What to Expect
In practical terms, firms should expect a more intrusive and evidence-driven audit process than perhaps they’ve been used to. Walkthroughs, sampling and detailed testing of transactions and controls will become the norm.
Governance arrangements, often treated as a softer aspect of compliance, will be subject to closer examination, with auditors seeking evidence of effective oversight, challenge and escalation from the ‘Responsible Person’.
For many firms, the interaction with third parties will be an area of particular focus. While safeguarding arrangements frequently rely on external institutions, the responsibility for compliance remains firmly with the firm itself. The guidance reinforces the expectation that firms must have sufficient visibility and control over these arrangements, supported by robust due diligence and ongoing monitoring.
The reporting dimension is equally important. The output of the engagement is a formal audit report addressed to the FCA, setting out the auditor’s opinion, the scope of work performed, and any identified issues or breaches.
This is not a document that sits quietly on file; it is a regulatory artefact that will inform supervisory engagement and, potentially, subsequent enforcement action.
In Summary
For payments firms, the implications are clear. First, safeguarding must be embedded within the firm’s control framework, with clear ownership, robust processes and comprehensive documentation. Second, firms need to invest in the quality and integrity of their data. Accurate, timely and reconcilable books and records are the foundation of effective safeguarding. Third, governance matters. Boards and senior management must be able to demonstrate active oversight (by the ‘Responsible Person’), informed challenge and a clear understanding and mitigation of safeguarding risks.
Alongside these operational priorities sits the equally important task of auditor selection and oversight. Firms should treat the appointment of their safeguarding auditor as a strategic decision, supported by due diligence, clear scoping, and ongoing engagement. This includes setting expectations around methodology, timelines and deliverables, as well as ensuring that the auditor has access to the necessary data and stakeholders.
It is also worth reiterating the interim nature of the guidance. A dedicated safeguarding audit standard will follow in due course, perhaps 2027(?), likely bringing further refinement and, potentially, additional requirements. In the meantime, safeguarding is no longer simply about having the right processes on paper; it is about demonstrating, with evidence and assurance, that those processes work effectively in practice. As ever was the case.
How Complyport Can Help
Complyport supports payment institutions, e-money firms, fintechs and other regulated entities in designing, implementing, and embedding safeguarding frameworks fully aligned with PS25/12 and FCA expectations.
Our expert-led services include:
- Gap Analysis and Maturity Assessment: A detailed review of your current safeguarding framework, including reconciliations, segregation controls and governance structures.
- Safeguarding Controls Mapping: We assess your current safeguarding controls against PS25/12 requirements and provide clear, actionable recommendations, supported by expert guidance on regulatory interpretation.
- On-Demand Regulatory Advice: Access safeguarding expertise as needed. Whether interpreting FCA guidance, addressing complex safeguarding scenarios or preparing for audits, our team is available to provide timely and practical support.
- Internal Safeguarding Assurance Review: Pre-audit assurance reviews to validate evidence, testing and Board documentation ahead of FCA scrutiny or independent audits.
- Training and Board Workshops: Delivery of tailored safeguarding training for staff and governance sessions for Boards and senior management, reinforcing oversight responsibilities.