Welcome to our UK site – choose your Jurisdiction

The New CASS 15 Auditor Appointment Requirement: What Payment and E-Money Firms Need to Do Now

The much-reported changes to the FCA’s safeguarding regime for payment institutions and e-money institutions has introduced a significant enhancement to regulatory oversight: the mandatory appointment of an external auditor for firms within scope of the new SUP 3A audit framework. While much of the industry discussion has focused on safeguarding reconciliations, resolution packs and annual safeguarding audits, a surprisingly large number of firms have overlooked a more immediate requirement; the obligation to appoint an auditor and notify the FCA of that appointment. 

As the implementation of the FCA’s revised safeguarding regime continues, and the FCA starts to test that implementation, firms should ensure they do not inadvertently fall foul of what is, in regulatory terms, a relatively straightforward obligation. 


Which Firms Are Caught? 

SUP 3A applies to Authorised Payment Institutions (APIs) and Electronic Money Institutions (EMIs) (authorised and registered), unless they qualify for an exemption from audit based on safeguarding activity. Specifically, a firm may be exempt where it has not been required to safeguard more than £100,000 of relevant funds at any point during a period of at least 53 weeks. 

Importantly, Senior Management bears responsibility for monitoring whether that exemption continues to apply. If management determines that the firm is no longer exempt, it must appoint an auditor. 

This means firms cannot simply assume that historic exemption status remains valid indefinitely. The assessment should form part of ongoing safeguarding governance and compliance monitoring. 


What Does the FCA Actually Require? 

The relevant provision is found at SUP 3A.3.2R, and requires a relevant institution to: 

  • appoint an external auditor; 
  • notify the FCA if a vacancy in the office of auditor arises or is expected to arise; 
  • appoint a replacement auditor where necessary; 
  • ensure any replacement can take office as soon as reasonably practicable; and 
  • notify the FCA of the auditor’s appointment, including the auditor’s name, business address and effective appointment date. 

Notably, the FCA’s wording is deliberate. This is not merely a requirement to obtain an annual safeguarding audit report. It is an ongoing obligation to maintain an appointed auditor and keep the regulator informed of changes. 


Is There a Deadline? 

This is one of the questions we are increasingly being asked by firms. 

The rules do not specify a grace period measured in days or months for the initial appointment. Instead, SUP 3A.3.2R states that a relevant institution “must appoint an external auditor”. Once appointed, the FCA must then be notified of the appointment. 

As a result, firms already within scope of SUP 3A should not assume they can defer the appointment until shortly before their first safeguarding audit becomes due. 

A common misconception is that the six-month transitional period for the first safeguarding audit report also delays the requirement to appoint an auditor. In reality, those are separate obligations. While firms benefited from a transitional period in respect of their first audit submission, the requirement to have an appointed auditor arises immediately under SUP 3A itself. 

The prudent interpretation is therefore straightforward: if your firm is in scope and does not qualify for an exemption, you should already have appointed an auditor and notified the FCA. 


Firms Applying for Authorisation 

For applicant firms, the position is slightly different. 

The SUP 3A obligations apply to “relevant institutions”, namely APIs and EMIs within scope of the regime. As a matter of strict regulatory interpretation, a firm does not generally become subject to those requirements until it becomes authorised (or, in the case of small electronic money institutions, registered). 

However, firms should avoid treating this as a reason to delay planning. 

The payment and e-money audit market remains relatively specialised. Not every audit firm possesses the expertise, resource or appetite to perform safeguarding audits under the FCA’s new framework. Firms that leave auditor engagement until after authorisation may find themselves facing unnecessary delays or higher costs. Industry advisers have consistently encouraged firms to engage with audit providers well in advance of becoming subject to the new requirements. 

From a regulatory readiness perspective, having identified an appropriate auditor during the authorisation process is likely to be viewed favourably. 


Practical Challenges for Firms 

First, some firms are assuming that their statutory auditor automatically satisfies the SUP 3A requirement. While this may often be the case, firms should verify that the appointed auditor is both willing and able to undertake safeguarding audit work under the FCA framework. The auditor appointed under SUP 3A may, but does not have to, be the same auditor engaged under the Companies Act. 

Second, firms should ensure that auditor engagement letters clearly contemplate safeguarding work and FCA reporting obligations. The new safeguarding audit report is addressed directly to the FCA and carries specific reporting requirements.  

Third, boards should ensure that responsibility for monitoring auditor appointments and FCA notifications is clearly allocated within governance arrangements. Auditor changes often occur during financial year-end planning, creating a risk that regulatory notifications are overlooked. 


Choosing the Right CASS 15 Audit Firm 

Perhaps the most important decision firms will make is not simply appointing an auditor but appointing the right auditor. 

Historically, many payment and e-money firms that were caught by the safeguarding audit obligation viewed such appointments through a pragmatic and commercial lens. The FCA’s new safeguarding regime fundamentally changes that dynamic. 

A CASS 15 safeguarding audit is not a traditional financial statement audit. It requires auditors to assess safeguarding systems, controls, reconciliations, governance arrangements, record keeping, due diligence over third-party institutions, resolution packs and compliance with detailed safeguarding requirements. Firms therefore need an audit provider with genuine regulatory expertise, not merely accounting experience.  


Look Beyond the Lowest Fee 

As with many areas of regulatory compliance, the cheapest option can often prove a false economy in the long term (price does not necessarily equate to value). 

A low-cost provider with limited payments-sector experience may struggle to understand the firm’s business model, safeguarding methodology or regulatory obligations. This can lead to protracted audit processes, repeated information requests and avoidable findings that consume management time. 

Boards should instead assess overall value, including: 

  • safeguarding expertise; 
  • knowledge of payment and e-money regulation; 
  • previous experience auditing similar firms; 
  • responsiveness and accessibility; 
  • ability to provide continuity of service; and 
  • understanding of FCA expectations. 

The safeguarding audit will increasingly become an important component of a firm’s regulatory relationship with the FCA. Choosing an auditor solely on price may therefore create unnecessary regulatory risk. 


Assess Sector Expertise 

Firms should ask prospective auditors: 

  • How many APIs or EMIs do they currently audit? 
  • Do they have dedicated payments and fintech specialists? 
  • Have they performed safeguarding reviews/audits previously? 
  • What experience do they have with safeguarding reconciliations and resolution planning? 
  • Do they understand the specific risks associated with payment flows and safeguarding arrangements? 

For many firms, sector expertise will ultimately be more valuable than the size of the audit firm itself. 


Consider Capacity and Timing 

A challenge that was highlighted early in the consultation period is audit capacity. The introduction of mandatory safeguarding audits has created significant demand for audit firms with suitable expertise. Many providers are already experiencing increased enquiry volumes, particularly from smaller and mid-sized payment firms that had not previously required specialist safeguarding assurance or sourced this from reputable and experienced consultants such as Complyport. 

Firms should therefore engage auditors early and secure appointments well ahead of reporting deadlines. Leaving engagement discussions until an audit is due may reduce the number of available providers and increase costs. 

This is particularly relevant for firms currently seeking authorisation. While the legal obligation to appoint an auditor generally arises once a firm becomes a relevant institution under SUP 3A, applicants would be well advised to identify and engage potential auditors during the authorisation process itself. 


Look for a Constructive Relationship 

The best safeguarding audits need not be viewed as adversarial exercises. A strong auditor will challenge where necessary while also helping management understand emerging regulatory expectations and areas for improvement. Although auditors must remain independent, firms benefit significantly from working with professionals who understand the commercial realities of the payments sector. 

Boards should consider whether the audit team demonstrates: 

  • practical regulatory knowledge; 
  • commercial understanding; 
  • clear communication; 
  • proportionate challenge; and 
  • long-term commitment to the sector. 

An effective auditor becomes a valuable part of a firm’s wider governance framework, helping identify weaknesses before they become supervisory concerns. Firms should treat auditor selection as a strategic governance decision rather than a procurement exercise. The right appointment can provide valuable insight, strengthen safeguarding arrangements and support constructive engagement with the FCA. The wrong appointment may deliver little more than a regulatory headache. Oh, and don’t forget to evidence the criteria used for selection and the decision to appoint. 


Final Thoughts 

As the FCA’s safeguarding regime matures, we are likely to see increasing scrutiny not only of safeguarding controls themselves, but also of the quality of the assurance framework supporting them. Firms therefore need to move beyond asking “Do we have an auditor?” and start asking “Do we have the right auditor?” 

In my experience advising payment and e-money firms, those organisations that engage specialist auditors early, build collaborative relationships and treat safeguarding assurance as part of their governance framework are invariably better positioned when FCA scrutiny arrives. The appointment of a CASS 15 auditor is now a regulatory requirement; choosing the right one is a strategic decision. 

How Complyport Can Help 

Complyport supports payment institutions and EMIs in preparing for and complying with the FCA’s evolving safeguarding requirements. Whether you are appointing an auditor for the first time or strengthening your safeguarding framework, our specialists can provide practical, proportionate support. 

Our services include: 

  • CASS 15 and safeguarding compliance reviews to assess your firm’s readiness against the FCA’s requirements.  
  • Independent safeguarding audits delivered through our experienced CASS specialists.  
  • Safeguarding framework gap analyses to identify weaknesses in governance, controls and documentation before FCA scrutiny.  
  • Resolution pack and safeguarding documentation reviews to ensure they meet regulatory expectations.  
  • Governance and Board advisory support, including assistance with oversight of safeguarding responsibilities and auditor appointments.  
  • Support with selecting an appropriate safeguarding auditor, helping firms identify providers with the necessary regulatory expertise.  
  • Authorisation and regulatory readiness support for payment institutions and EMIs preparing to enter the FCA’s safeguarding regime.  
  • Ongoing compliance advisory services, helping firms respond to regulatory developments and maintain robust safeguarding arrangements.  

Contact Complyport today to book a meeting with one of our Subject Matter Experts and discuss how we can support your firm’s safeguarding compliance. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 

Why Choose Complyport?

Extensive Regulatory Expertise

With over 25 years of experience in the financial services industry, Complyport offers unparalleled expertise in regulatory compliance, ensuring your firm stays ahead of evolving regulations.

Comprehensive Service Offering

From AML audits to risk management and regulatory reporting, Complyport provides a full spectrum of compliance services, allowing you to streamline your compliance processes and focus on your core business activities.

Tailored Compliance Solutions

We provide bespoke compliance solutions that are specifically designed to meet the unique needs of your business, ensuring that all regulatory requirements are met efficiently and effectively.

Client-Centric Approach

We provide bespoke compliance solutions that are specifically designed to meet the unique needs of your business, ensuring that all regulatory requirements are met efficiently and effectively.

Senior-Level Guidance

Our team of seasoned professionals, including former regulators and industry experts, leads all engagements, offering deep insights and practical advice to help you manage compliance risks effectively.

Innovative Fintech, Regtech and AI Solutions

Leveraging cutting-edge fintech, regtech and AI tools, Complyport enhances your compliance processes with advanced technology, ensuring accuracy, efficiency, and real-time regulatory updates. Our innovative solutions empower your firm to stay compliant while maximising operational efficiency.

Key Figures

Over 25 Years

Providing Compliance Excellence

Over 1,500

Successful FCA, EU and UAE Authorisations

Over 1,000

Active Firms Receiving
Regulatory Support

8 Lots

FCA/PRA Skilled Person
& Consultancy Panel

Get In Touch