Safeguarding: Reshaping Risk Management for Payment Firms

Time to read: 4 minutes

TL:DR - When you load money into a payment account, you have expectations. The money is yours, it's held securely, and ready when you need it. Recent failures have exposed the weaknesses which the FCA hopes to address with its strengthened safeguarding requirements.

• Introduction
• What's changing?
• Time for action
• Reactions so far
• Know your risks
• How Ruleguard can help
• Contact Ruleguard

Safeguarding: Reshaping Risk Management for Payment Firms 

"Consumers will be better protected when they use payment firms, with the introduction of new rules to protect their money from May 2026. These changes will improve safeguarding practices among payment firms." (FCA, August 2025)

In our earlier blog, we emphasised the importance of robust frameworks, segregated accounts, clear recordkeeping and strong monitoring to safeguard customer funds.  Now that the FCA has delivered its new interim rules, also known as the Supplementary Regime, firms must act now to be compliant when the rules kick in from 7 May 2026.  What does this mean for payment services firms?

What's changing?

Firms need to note the following key areas and take appropriate action. 

Daily Reconciliations

Firms must perform internal (and external) safeguarding reconciliations on designated business days, excluding weekends, holidays, or when foreign markets are closed. Even a simplified internal reconciliation is required, comparing expected safeguarded funds to actual balances, ensuring that any shortfall is immediately covered.

Thresholds for Safeguarding Audits

Firms safeguarding less than £100,000 over the past 53 weeks are exempt from annual audits. Otherwise, firms must have a qualified auditor, under the Companies Act 2006, to review safeguarding compliance.

Monthly Regulatory Returns

Firms will now submit monthly returns on safeguarding arrangements, something already familiar to large firms.

Resolution Packs Required

Each firm must maintain an up-to-date resolution pack, detailing documents needed to return funds promptly in the event of failure, akin to ‘wind-down planning.’

Stronger Governance & Third Party Oversight

Accountability is crucial. Firms must appoint a named individual to be responsible for safeguarding compliance. Equally important, is effective third party risk management. Third party custodians or banks must be carefully selected, diversified, and monitored. Insurance-based arrangements must include guaranteed payouts to safeguarding accounts in insolvency.

Post-Repeal Regime Delayed

The planned end-state, with a statutory trust model similar to investment firm CASS rules, has been deferred. Firms need to need to keep a watchful brief as the FCA has indicated its intention to revisit this after evaluating the Supplementary Regime’s operation.   

Time for action

Firms should take the following steps to avoid regulatory scrutiny:

1. Set up a ‘reconciliation day’ processes and configure systems for same day balance checks
2. Identify audit obligations, choose qualified auditors and build your monthly return
3. Create and maintain resolution packs, consider which documents are to be included
4. Appoint a safeguarding lead, Deliver board training and monitor third party arrangements
5. Equip teams with the new rules, train staff on reconciliation, escalation and reporting
6. Horizon scanning, keep an eye open for FCA guidance on the Post-Repeal phase.

Reactions so far

The reforms respond to alarming data showing failing firms returned only ~35% of safeguarded funds, with an average shortfall of 65% over five years.

It's no surprise that industry groups such as UK Finance are supportive of stronger rules so long as they remain practical and proportionate, especially for smaller firms.

Additionally, advisory teams have lauded the careful calibration in PS25/12, noting how reconciliation training, audit thresholds, and clarity of obligations now make compliance more feasible.

Know your risks

Given that firms have less than 6 months left to demonstrate compliance, firms should review the risks inherent in meeting their obligations.  Firms need to consider how they mitigate the risk and consider how they monitor compliance with the new requirements.

Lack of preparation can be a risk to many firms who don't realise the intricate nature of the implementing the new rules.  This could lead to failing to comply from day one and risk on non-compliance.  

Technology may pose another risk with legacy systems being unable to support daily reconciliation or structured reporting.

Being audit ready is key.  Firms should pay attention to regulatory feedback and do their research.  Choose your auditor carefully, ensuring that they are qualified and ensure that the scope of any reviews are comprehensive to avoid regulatory red flags.

Firms need to avoid governance lapses by ensuring clear ownership of safeguarding responsibilities.  This includes appropriate oversight and escalation processes.

Third party overreach must be avoided.   Firms need to ensure appropriate due diligence and diversification to mitigate the concentration risk from overreliance on a single provider.

And finally, firms need to need to consider complex interactions such as Consumer Duty obligations, trust structures, and safeguarding.  All of which must be aligned strategically. 

The FCA’s PS25/12 crystallises many earlier recommendations into enforceable rules. Firms should:   

• Start now as May 2026 is not that far away
• Consider the bigger picture and take a holistic approach.  From internal controls and audits to governance and resolution plans, approach safeguarding as a comprehensive system
• Stay vigilant.  Even after implementing the Supplementary Regime, be ready for evolution, particularly the deferred CASS-style trust framework.

How Ruleguard can help

Ruleguard provides a GRC platform designed to help regulated firms manage the burden of evidencing and monitoring compliance. It has a range of tools to help firms fulfil their obligations across the UK, Europe and APAC regions.

With Ruleguard, firms can manage regulatory risks by:

• Gaining a comprehensive view of their CASS controls  
• Providing assurance to boards via extensive audit trails and dashboards
• Improving collaboration internally and with third parties 
• Providing auditors with secure access to compliance and assurance documentation.

Ruleguard's Client Assets Compliance & Audit Solution enables firms to automate processes, create and maintain the crucial evidence trail, whilst also sharing information with third parties to provide assurance and manage regulatory risk. 

Ruleguard is a comprehensive solution that lets you protect and propel your business forward through the complex regulatory landscape.

Book a tailored discovery call 

Ready to turn GRC into a board-level advantage?
Book a tailored discovery call with Ruleguard to see how leading firms unify risk and compliance, surface the insights executives care about, and stay audit-ready, without the spreadsheet sprawl.