PS25/12: Enhanced Monitoring and Reporting for Payments and E-money firms

Article
Updated: 

Following the release of PS25/12, and our initial considerations for firms to think about:

This is the first of several releases where we will be delving into each of the key talking points to break down the policy statements and accompanying rules as well as more importantly what this means for you and what you should be doing to stay ahead of the curve and ensure compliance by the 7 May 2026.

Firstly, we explore - Enhanced Monitoring and Reporting.

Within CP24/20, the FCA consulted on codifying the requirements for safeguarding audits, including extending the firms in scope for safeguarding audits, implementation of a limited assurance engagement for firms that claim not to be holding client funds and introduction of a new monthly regulatory return, which would replace the current questions on safeguarding in existing returns.

Safeguarding audits are crucial for ensuring firms comply with the regulations outlined in the policy statement and as a result protect customer funds. The FCA amendments, aim to enhance reliability and integrity of the audits performed whilst bringing Statutory auditor expertise and accountability, to ensure consistency and high-quality audit outcomes. This in turn aims to strengthen the safeguarding framework, promoting trust and transparency in the sector.

The finalised rules within PS25/12 include:

  • Requirement for Safeguarding audits to be conducted by a qualified auditor. The term ‘qualified auditors’ are defined under the Companies Act 2006 requirements. The FCA acknowledged that some payment firms were using compliance consultants to carry out their safeguarding audit previously, however under the new rules the firms who can undertake these audits going forward have tightened. This includes, the requirements to ensure that the auditor has the appropriate expertise and skills to perform the audit and this should be confirmed by the auditor
  • Firms are not required to appoint the same auditor for their safeguarding audit and statutory financial statement audits, as such you can arrange your safeguarding audit to be undertaken separately (and by a different statutory auditor) to your financial statement audit
  • The audit period does not need to align to a firm’s financial statement year end, however, the period covered by an audit report must not end more than 53 weeks after the period covered by the prior audit. For example, if your financial statement audit period is 31 December, your safeguarding audit can be the same or a different period end, however each safeguarding audit report cannot cover more than a 53-week period and there should be no gaps in the period covered
  • Materiality thresholds for audit breaches have not been specified but should be recorded and assessed to see if any materiality thresholds have been breached, this means that audit firms will have processes in place to both assess individual breaches, as well as the whole audit report to assess any impact on the overall opinion
  • The timing of submission for the first safeguarding audit has been extended from 4 months to 6 months. This means that if you have a December 2026 year end, the first audit report will be due for submission by 30 June 2027, going forward this will revert back to the 4 month timelines and be due by 30 April (if your firm has aligned their Safeguarding audit with your Statutory Audit)
  • Exemption from the safeguarding audit requirements for firms who safeguard small amounts of relevant funds. If a payments firm has not been required to safeguard more than £100,000 of relevant funds, at any time over a period of at least 53 weeks, it will not need to arrange a safeguarding audit
  • Removal of the requirement for a limited assurance audit, i.e where a firm claims not to have been required to safeguard relevant funds. The initial proposed rules within CP24/20 have not materialised and as such there will be no need to undertake a limited assurance audit. However, the FCA have added guidance clarifying that failing to safeguard relevant funds will usually be of material significance and should be communicated to the FCA by statutory auditors (and the firm itself)
  • The FCA are working closely with the FRC on the introduction of an auditing standard and seeking to align timelines, as far as this is possible with the FRC. The longer implementation period (9 months) should help support this. The implementation of an FRC audit standard will assist the market in ensuring consistency in the audit framework and as such the audits undertaken
  • Where an audit period covers a date when new rules came into force, the audit is expected to assess payment firms against the rules that were in place at the time. This would mean that if the audit period straddles the 7 May 2026 implementation date, firms will be assessed against both current rules within the Approach Document (for the period prior to 7 May 2026) as well as these amended rules (for the period post 7 May 2026).


What should you be doing now?

  • Assess whether you are in scope for a safeguarding audit- Do you hold client funds? Have you been required to safeguard more than £100,000 of relevant funds at any time, over a 53-week period? If the answer to both is yes, you likely are in scope for a safeguarding audit!
  • Is your current safeguarding auditor a statutory auditor, i.e are they defined as a statutory auditor under the Companies Act and do they have the appropriate skills and expertise to perform the audit? (If the answer is no, you will likely need to appoint a new safeguarding auditor)
  • You should assess the scope and depth of your current audits (particularly if you have not undertaken a safeguarding audit historically). Audit reports which cover or straddle the 7 May 2026 implementation period deadline will be due for submission to the FCA and as such prior audits can serve as validation against the current requirements and lead to less “surprises” when the proposed rules come into effect
  • Finally, you should consider the period the safeguarding audit will cover, are there potential synergies that can be gained from undertaking at the same time as your statutory financial statement audit (i.e IT General Controls testing), or are there limitations in team availability during the period? Once the audit period has been defined, it is unlikely that you would want to change this (unless a change of material significance occurs), thus it is important to ensure the period being covered has been considered.

The Monthly Safeguarding Return is a crucial regulatory requirement for payments firms, designed to enhance oversight of firm’s safeguarding practices. It offers a detailed overview of safeguarded funds and arrangements, replacing previous safeguarding questions in existing regulatory returns such as the financial resilience report or operational risk reports. By submitting this return, firms provide vital information that enables the FCA to adopt a proactive supervisory approach, facilitating the effective assessment of risks across the sector. The monthly reports will allow the FCA to identify potential liquidity or safeguarding failures, thus aiming to reduce risks to consumers and the financial system. It aims to act as an early warning system, enabling the FCA to take preventative measures before issues escalate.

The FCA noted that feedback from the pilot scheme has improved the return's design allowing for additional instructions to be provided and ensuring high-quality data collection, to allow for effective supervision and policy evaluation.

This data collection aims to support trend analysis, benchmarking, and thematic deep dives, enabling the FCA to engage with firms more effectively, especially during stress events. In addition, insights gained will inform strategic decisions and policy development, aiding the FCA in being responsive to industry changes.


Key Components of the Return

The return includes detailed data on several aspects:

  • Safeguarding audit requirements
    • Confirmation on the firm’s safeguarding audit status and confirmation that a statutory auditor has been appointed 
  • Methods used for safeguarding
    • Firms are required to attest to the method of safeguarding used during the reporting period 
    • Further input is then required where investing funds in secure liquid assets or the insurance policy or guarantee, this includes details of the methods used and the exposure/cover obtained
  • Amounts of relevant funds safeguarded
    • This includes the highest and lowest amounts safeguarded during the reporting period
  • Safeguarding reconciliation data from the last internal reconciliation carried out during the reporting period 
    • This should include any excess or shortfall identified and adjustments made and would show the amount by which the safeguarding resource was greater (an excess) or lower (a shortfall) than the safeguarding requirement, before any adjustment was made to correct any excess or shortfall
    • These data fields are broken down by the components noted in the reconciliations rules (15.8), i.e aggregate balance in relevant funds bank accounts, aggregate balance segregated but not placed in relevant funds bank accounts, aggregate value of relevant assets, aggregate value of funds protected using the insurance policy or guarantee method, individual safeguarding balance and amounts received but unallocated
    • D+1 segregation resource vs D+1 segregation requirement and details of any shortfall and adjustments (if required to be carried out)
    • Where safeguarding in various currencies, calculations for figures must use the closing spot exchange rate from the day before the last internal safeguarding reconciliation, conducted during the reporting period
  • Confirmation on the frequency of internal and external reconciliations
    • Firms are required to attest, that they have conducted internal and external safeguarding reconciliation on each reconciliation date during the reporting period
  • Relevant funds bank accounts 
    • Confirmation on the relevant funds and asset accounts held at the beginning of the reporting period, any accounts opened or closed during the reporting period and the total number of accounts held at the end of the reporting period 
    • Firms are then required to confirm the number of accounts covered by acknowledgement letters stating explanations for any differences
  • Notifiable breaches
    • Attestation on whether any circumstances arose related to CASS15.8.60R (on notification requirements) and if so, whether the firm complied with the notification requirements. 

It is also worth noting that firms that operate both e-money businesses and provide unrelated payment services must complete separate sections of the return with SUP 16.14A also outlining the requirements for safeguarding institutions to submit the monthly return (this includes the requirement for the return to be submitted to the FCA within 15 business days of the end of each month).  

 

What should you be doing now?

Below we have outlined some of the key points firms need to consider when completing the return:

  1. Understanding CASS 15 Requirements and data accuracy: It is essential for firms to have a clear understanding of the CASS 15 requirements to ensure the accuracy of submitted data. This includes recognising the difference between standard and non-standard approaches to internal safeguarding reconciliation. Firms must ensure data is accurate and up to date, complying with CASS 15.8 reconciliation requirements, including the safeguarding requirement and safeguarding resource, discrepancies, and adjustments made. Instances where firms need to calculate the D+1 segregation resource and D+1 segregation requirement must also be included in the reconciliation and return. 
  2. Enhance Internal Governance Processes:  Firms will need to consider implementing a formal procedure for preparing and reviewing the monthly return, ensuring an audit trail of the calculations and data used. The individual responsible for operational safeguarding oversight should oversee and approve the process prior to submission. To ensure transparency and accountability, firms should retain evidence of all discussions and approvals related to the submission. This documentation will serve as proof of oversight and demonstrates that the firm has exercised diligence in submission to the FCA.
  3. Incorporate into Governance Framework: Firms will need to consider updating the Safeguarding committee's terms of reference to include the return as a regular agenda item, this update should also integrate the data into the management information used, ensuring that figures are consistently presented to the relevant committees. 
  4. Training and Understanding: Firms should implement training sessions to ensure team members are well-versed in completing the return, focusing on the various sections and submission timelines. These sessions should emphasise the importance of understanding the consequences of errors and inaccuracies, which are crucial for maintaining data integrity and compliance.
  5. Streamlining data automation (where possible): Automating daily processes that feed into the monthly return is essential. Automation improves data accuracy, efficiency, and integrity while reducing the risk of human error in manual calculations and reconciliations. This will not only save time by reducing manual cross-checks but should also free up management time to focus on tasks such as analysis and oversight of the safeguarding balances. This shift enhances both efficiency and the quality of decision-making. In addition, automation provides a clear audit trail of inputs, adjustments, and outputs, strengthening governance, transparency, and regulatory compliance. When enhancing reconciliation processes, whether through in-house or external solutions, firms should carefully consider how data will be combined and collated for the return. A clear understanding of fund flows and transactions enables faster and more effective implementation.

We can support your safeguarding enhanced monitoring and reporting in several areas, including:

  • As a ‘qualified auditor’ (defined under the Companies Act) BDO is able to be appointed to undertake Safeguarding audits under the Supplementary Regime. We can perform independent, annual audits in line with the FCA’s expected scope
  • Perform health checks and GAP analysis against the new requirements to ensure firms can quickly and clearly identify enhancements in the current safeguarding controls and process to ensure compliance with the Supplementary Regime
  • Support in the performance and remediation of gaps identified from annual safeguarding audits:
  • Provide board or staff training on new rules and how they relate and apply to you
  • Assist in the support with the preparation monthly regulatory returns.


You can Stay up to date with the latest developments in the Payments and E-money sector by signing up to Quarterly Payments and E-Money update where we keep senior leaders updated across compliance, risk and regulatory issues within industry.

Sign up


This is the first of our in-depth look at specific sections of the Policy Statement, further in-depth publications will be issued in the coming weeks and the impact these new rules have on your firm. For more information on the policy statement and how BDO can help you please contact us via the form below

Authors

Related insights

Contact us