CASS 15 Safeguarding Audits

What Is a CASS 15 Safeguarding Audit?

CASS 15 went live on 7 May 2026. UK payment institutions and e-money firms are now operating under the FCA's new safeguarding regime, and the first annual CASS 15 audit reports will start landing with the FCA in the months ahead. Black Maple is a registered audit firm authorised to perform that audit and issue the report. If your year-end is anywhere between now and March 2027, the conversation about who is doing the work is one you want to have in the next sixty days, not the week before the deadline. The annual CASS 15 audit is not a tick-box exercise. Daily reconciliations of relevant funds, documented cut-off times, and a clear audit trail of the safeguarding account itself are all in scope. We've seen the rules through every draft since the FCA consultation paper, and we've been doing client-money work under the previous regime for over a decade.

The rules require these firms to safeguard relevant funds (being customer money received for payment transactions or in exchange for e-money), by holding it in designated accounts at approved banks, or in qualifying liquid assets, kept strictly separate from the firm's own money.

Under the new regime, any firm that holds £100,000 or more in relevant funds during a 53 week period must arrange an annual safeguarding audit and submit the resulting report to the FCA. This audit must be conducted by a registered auditor, regulated by a recognised supervisory body such as the ICAEW. Prior to CASS 15, safeguarding reviews could be carried out by compliance consultants with no auditor registration or professional accountability to the FCA. That is no longer permitted.

The key changes introduced by CASS 15 include, but are not limited to:

  • Mandatory annual safeguarding audit conducted by a registered auditor and submitted directly to the FCA by the firm, replacing the previously informal and inconsistently applied review process;

  • Daily reconciliations of safeguarded funds, both internal and external, on every business day;

  • Resolution packs must be maintained per CASS 10A. These will contain all documentation an insolvency practitioner would need to identify and begin returning customer money and must be retrievable within 48 hours of appointment;

  • Monthly safeguarding return submitted to the FCA providing standardised data on the firm's safeguarding position;

  • Named senior manager accountability with a single director or senior manager responsible for operational oversight of the regime and annual reporting to the board;

  • Third-party due diligence requirements on all banks, custodians, and other parties involved in holding or managing relevant funds; and

  • Prescribed acknowledgement letters now mandatory in a standard template form (CASS 15 Annex 1) for every relevant funds bank account and relevant assets account, replacing the previously guidance-based expectation

Who needs a Safeguarding Audit?

From 7 May 2026, a mandatory annual safeguarding audit is required for any firm that falls within the scope of CASS 15 and holds £100,000 or more in relevant funds during its audit period. The following firm types are in scope:

  • Businesses authorised by the FCA to provide payment services, such as money transfer companies, payment processors, and firms that move funds on behalf of customers

  • Businesses authorised to issue electronic money, such as digital wallets, prepaid card providers, and fintech firms that hold customer funds in an e-money account

  • Smaller e-money issuers that operate under a lighter-touch registration rather than full authorisation, typically where the total outstanding e-money issued does not exceed certain thresholds

  • Member-owned financial cooperatives that have expanded into issuing electronic money products alongside their traditional savings and lending activities

  • Smaller payment firms that are not required to safeguard but have chosen to do so, bringing themselves within the full CASS 15 regime

Firms that solely provide payment initiation services or account information services are excluded. The audit must be conducted by a registered auditor and the report submitted to the FCA by the firm within six months of the first audit period end, and within four months for all subsequent periods.

Contact us for more information

Do you need a CASS 15
safeguarding audit?

Answer four questions to find out whether your firm has a legal obligation to appoint a registered auditor under FCA PS25/12 and SUP 3A.

FCA PS25/12 · In force 7 May 2026
Find out in minutes whether your firm needs a safeguarding audit

This tool follows the decision logic of CASS 15 and SUP 3A as introduced by the FCA's Payments and Electronic Money (Safeguarding) Instrument 2025. Your result includes the relevant regulatory references.

What the Audit Covers.

The safeguarding audit under SUP 3A is a reasonable assurance engagement. The auditor assesses whether the firm has complied with the relevant funds regime under CASS 15 across the full audit period. The audit covers:

What the CASS 15 Safeguarding Audit Covers | Black Maple
What does a CASS 15 safeguarding audit cover? Seven areas covered by a CASS 15 safeguarding audit under SUP 3A, evenly spaced around a central hub. What the audit covers SUP 3A reasonable assurance Relevant funds Were all customer funds correctly recorded? Breaches Were breaches investigated and reported to the FCA? Third parties Were banks and custodians properly vetted? Governance Was a named senior manager accountable? Resolution pack Was the resolution pack complete and retrievable? Reconciliations Were daily reconciliations performed accurately? Segregation Were funds held at approved banks with valid letters?

Why Appoint black Maple

CASS 15 is a new regime. No firm large or small has a back catalogue of safeguarding audits under the new rules. What matters is whether your auditor understands the framework, has built their methodology around the right source material, and can demonstrate the competence that SUP 3A requires firms to assess before appointing them.

Black Maple is an ICAEW-regulated audit and advisory firm. Our safeguarding audit work is conducted under ISAE (UK) 3000, the assurance standard underpinning the FRC's Interim Guidance on Payment and E-Money Safeguarding Assurance Engagements, published in March 2026. We have built our engagement methodology directly around that guidance and the source instrument, FCA 2025/38, rather than working backwards from a generic audit approach.

Every engagement is led and delivered by a senior qualified professional. There are no juniors on our teams. For a regime where the FRC has explicitly flagged auditor competence as a threshold requirement, that matters.

For firms requiring a larger or more complex engagement, we work in association with a top 15 firm with established FCA-regulated audit capability.

Frequently Asked Questions

  • Under the PSRs 2017, relevant funds are:

    • sums received from, or for the benefit of, a payment service user for the execution of a payment transaction; and

    • sums received from a payment service provider (PSP) for the execution of a payment transaction on behalf of a payment service user.

  • They are separate engagements with different objectives, different governing standards, and different reporting outputs. Your statutory audit is an audit of your financial statements conducted under International Standards on Auditing (UK), with the objective of forming an opinion on whether those statements give a true and fair view. It is addressed to your shareholders and filed at Companies House.

    The safeguarding audit is an assurance engagement conducted under ISAE (UK) 3000, with the objective of assessing whether your firm has complied with the relevant funds regime under CASS 15 across the audit period. It is addressed to both your governing body and the FCA, and submitted directly to the regulator. The two audits can be conducted by the same firm, but they are distinct pieces of work with distinct reports.

    The safeguarding audit period does not need to align with your financial year end, though many firms will find it convenient to do so.

  • A resolution pack is a set of documents and records that an insolvency practitioner would need to identify and begin returning customer money in the event your firm fails.

    The requirement is set out in CASS 10A, a new chapter of the FCA Handbook introduced alongside CASS 15 and in force from 7 May 2026.

    Every firm subject to CASS 15 must maintain a resolution pack, regardless of whether they are also required to appoint a safeguarding auditor.

    The pack must include

    • a master index

    • details of all approved banks and accounts holding relevant funds

    • copies of all executed agreements and acknowledgement letters

    • details of any third-party service providers involved in safeguarding operations

    • the firm's safeguarding procedures;

    • and a document identifying key individuals responsible for the regime.

    The critical operational requirement is retrievability. The complete pack must be capable of being produced within 48 hours of an insolvency officer being appointed or an FCA or Bank of England request. Certain core documents including the list of banks and accounts, acknowledgement letters, and the most recent reconciliation must be immediately available rather than within 48 hours.

    The resolution pack is one of the areas we assess as part of the safeguarding audit. We will test not only whether the pack exists and is complete, but whether the firm has a documented process for keeping it current and has tested its ability to retrieve it within the required timeframe.

  • Only if they are a registered audit firm under the Companies Act and have the relevant experience. Many firms that handle a payment institution's statutory audit are not set up to issue the CASS 15 report. Ask your current auditor in writing before assuming the answer is yes.

  • We scope it against the size of the safeguarded balance and the complexity of your reconciliation process. For a smaller e-money firm with one safeguarding account and clean daily reconciliations, fieldwork is usually a week to ten days plus a partner review. For larger firms with multiple jurisdictions or complex flows, it's longer. We give you a fixed fee before we start.

  • Any breach of the relevant funds regime identified during the audit must be included in a Breaches Schedule, which forms part of the audit report submitted to the FCA.

    We, as the auditor, are required to describe each breach in sufficient detail to allow the FCA to assess its nature and significance. A modified conclusion may be issued where the auditor concludes that the firm has not complied with the regime in all material respects.

    Certain breaches may also trigger a direct reporting obligation from the auditor to the FCA under the auditor's broader statutory duties, separate from the safeguarding audit report itself. This is most likely where a breach is judged to be of material significance to the regulator.

    Identifying a breach does not automatically result in regulatory action against your firm. The FCA's response will depend on the nature, duration, and severity of the breach, and whether it has been remediated. Firms that identify issues proactively and remediate them before the audit report is finalised are generally in a better position than those where breaches are identified and left unresolved. We would always discuss and try to resolve any findings with management before finalising our conclusions.

  • The safeguarding audit is a reasonable assurance engagement under ISAE (UK) 3000, as set out in the FRC's Interim Guidance on Payment and E-Money Safeguarding Assurance Engagements (March 2026).

    Reasonable assurance sits one level below the assurance provided on a set of financial statements, but it is substantively more rigorous than a review or a compliance checklist exercise.

    In practice, our testing will cover the full audit period rather than just a point in time. We will examine whether your firm correctly identified and allocated all relevant funds throughout the period, test a sample of your daily reconciliations to assess whether they were performed accurately and on time, review your approved bank arrangements and confirm that valid acknowledgement letters are in place for every relevant funds account, assess your resolution pack for completeness and retrievability, and review your governance arrangements including the appointment and activities of your CASS 15.2.4R oversight individual. Where we identify control weaknesses or failures, we will assess their significance and include them in the Breaches Schedule accompanying our report.

    The depth of testing is calibrated to the size and complexity of your firm's safeguarding arrangements. We will agree the specific scope of work with you at the outset of the engagement.

  • Before 7 May 2026, payment and e-money firms were required to safeguard customer funds under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. The obligation existed, but the practical requirements were set out in the FCA's non-binding Approach Document rather than a formal rulebook chapter.

    This meant that while the legal duty to safeguard was clear, the operational standards firms were expected to meet were guidance-based rather than rule-based, and compliance was inconsistent across the market.

    The FCA's own data illustrated the problem. In firms that failed between 2018 and 2023, the average shortfall between funds owed to customers and funds actually safeguarded was 65%.

    Customers were losing money not because the law did not protect them, but because the practical requirements were insufficiently specific and there was no formal mechanism for verifying compliance.

    CASS 15 replaces that guidance-based approach with a binding rulebook chapter. The core safeguarding obligation (holding customer funds separately from the firm's own money) is not new. What is new is the framework around it. Firms must now:

    • perform daily internal and external reconciliations and document them

    • maintain a resolution pack under CASS 10A that is retrievable within 48 hours

    • submit a monthly safeguarding return to the FCA, appoint a named senior manager with individual accountability for the regime, and

    • arrange an annual audit conducted by a registered auditor with the report submitted directly to the FCA.

    The shift is from a principles-based expectation to a rules-based regime with formal supervisory oversight. For firms that were already safeguarding properly under the old regime, the practical change is primarily one of documentation, governance, and reporting. For firms that were not, CASS 15 closes the gap that allowed non-compliance to go undetected.

  • Sixty to ninety days before your year-end is the comfortable window. The first reporting cycle under CASS 15 will be busy — appointing late means you may find the firm you want is already at capacity.