The key elements of the change in methodologies include:
Ethical and independence considerations
- Safeguarding assurance engagements are mandatory and as such these should be considered Public Interest Assurance Engagements and are subject to the FRC’s Revised Ethical Standard 2024. Auditors must comply with relevant ethical and independence requirements, and this applies whether the safeguarding auditor is also the firm’s statutory auditor or not
- The safeguarding auditor must assess whether those performing the engagement have appropriate competence and capabilities including specialist knowledge of the safeguarding requirements as well as the applicable legal and regulatory requirements. Where statutory auditors undertake these engagements, there is a need to ensure these individuals have the relevant expertise. This also links back to the requirement for firms as stated in PS25/12 and the need, prior to appointment, to ensure the auditor (and any applicable auditor’s expert) has the required skills, resources and experience to perform their functions as the safeguarding auditor.
Understanding safeguarding methods
- The safeguarding auditor must obtain an understanding of the firm’s business model sufficient to enable complete and accurate identification of relevant and non-relevant funds. This understanding must encompass the nature of services provided and the source and destination of funds flow, as well as the firm’s relationship with third parties
- The safeguarding auditor must understand and determine the method of safeguarding used and whether the firm’s implementation of this method aligns with the FCA’s requirements and guidance. This determination would include review of policies and procedures as well as the structure and operation of safeguarding accounts and the insurance or comparable guarantee arrangements (if applicable) in place.
Third-party appointments
- The safeguarding auditor must assess whether the firm has conducted appropriate initial and periodic due diligence on the third party the firm utilises to manage or hold relevant funds or assets. This will include the firm’s processes for selection and appointment of these third parties as well as the specific diversification considerations.
IT and controls
- The safeguarding auditor is required to obtain an understanding of the firm’s organisational arrangements and controls related to the use of information technology (“IT”). The work required will vary depending on the complexity of the IT-dependent CASS controls and processes. However, where IT dependencies are identified, substantive procedures alone may not provide sufficient, appropriate evidence. In such cases, additional reasonable assurance procedures will be necessary, including identifying the key IT systems and IT dependencies as well as the subsequent IT General Controls applicable to the CASS 15 rules. After this, a design and operating effectiveness assessment will need to be made to ascertain whether these controls have been implemented appropriately
- Where key IT services are outsourced, the safeguarding auditor may consider reviewing and relying on System and Organisation Controls (SOC) Reports, where it has been determined that the level of detail in these reports is sufficient and reliance is appropriate.
From our experience and understanding of some safeguarding assurance engagements conducted in the market to date, ITGCs have not been considered or scoped in; thus it is particularly imperative for payment and e-money firms whose safeguarding reviews have not considered ITGCs historically to ensure that key controls and processes have been designed, documented and implemented prior to the Supplementary Regime implementation deadline and prior to more formal safeguarding audits being conducted.
Reconciliations and record-keeping
- The CASS 15 reconciliation rules provide further guidance and clarity on the expectations surrounding reconciliations, and safeguarding auditors should adopt an insolvency mindset to assess whether records maintained would enable an insolvency practitioner to promptly identify, segregate and return relevant funds
- The CASS Assurance Standard does not prescribe detailed testing procedures for specific reconciliation rules; however, the principles relating to risk assessment, design and operating effectiveness remain relevant when performing work under CASS 15
- Safeguarding auditors are required to provide an independent assurance report offering reasonable assurance over a firm’s use of a non-standard method for the internal safeguarding reconciliations and further guidance can be found in the existing CASS Assurance Standard
- No additional guidance has been provided in respect of forming an overall conclusion and safeguarding auditors are expected to exercise their professional judgement as to the significance of a rule breach as well as its context, duration and incidence of repetition. This includes consideration of the aggregated effect of any breaches.
- In respect of the monthly returns, the safeguarding auditor’s responsibility is limited to considering the Monthly Safeguarding Return as part of forming their understanding of the firm and assessing whether it is consistent with other information obtained during the engagement.
Reporting format and templates
- No additional guidance has been provided in respect of forming an overall conclusion and safeguarding auditors are expected to exercise their professional judgement as to the significance of a rule breach as well as its context, duration and incidence of repetition. This includes consideration of the aggregated effect of any breaches
- The safeguarding report opines on the firm’s compliance with the “relevant funds regime”. This includes the relevant funds rules within CASS 15, as well as the applicable PSR and EMRs. It is noted the FCA’s Approach Document may be referred to for context and may provide a basis for exercising professional judgement, but safeguarding auditors are not required to report on compliance against it
- In the first audit period, it has been confirmed that firms may elect to have their safeguarding auditor submit hybrid reports covering both the period prior to 6 May under the legacy safeguarding regime, as well as the 7 May CASS 15 period under the Supplementary Regime. The alternative is to submit 2 separate audit opinions. An illustrative opinion has been provided in Appendix 1 of the Interim Guidance
- The Interim Guidance reiterated that the concept of materiality does not apply with respect to breach reporting in the Safeguarding report; however, the severity and significance of both individual and aggregate breaches remain relevant when the safeguarding auditor forms a view on the qualified or adverse nature of the opinion
- Guidance has also been provided on the context of the breaches noted and that this should include the relevant rule references (both CASS 15 and PSR/EMRs) and a description of the breach. Further, any applicable quantifying detail on the severity and duration of the breach should be highlighted, such as longest/average duration, highest value and the number of times the breach has occurred
- Firms are also reminded that they, and not the safeguarding auditor, are responsible for providing a response to each breach, including any relevant context and remedial actions taken.
Transitional considerations
- Safeguarding auditors are reminded to apply a balanced, risk-based approach that supports audit quality, ensuring appropriate time is spent during planning, maintaining an agile approach and exercising professional judgement
- The FRC notes that firms are expected to undertake structured internal assessments, including a gap analysis, and should ensure that safeguarding risks are appropriately identified, assessed and documented, with risks accurately mapped to mitigating controls. The Interim Guidance notes audit methodology may include review and assessment of the firm’s gap analysis to confirm coverage of relevant key controls. This may also include the firm’s resolution pack as required under CASS 10A, as this may also provide relevant information on a firm’s safeguarding arrangements
- As always, proactive and clear communication between auditors and firms is essential to understand where firms are on their implementation journey and early discussions on findings and intended implementation will help avoid any unnecessary delays.
Assurance mindset and quality control
- The CASS Assurance Standard reflects more prescriptive requirements of the CASS regime when compared to other assurance frameworks such as ISAE 3000 and, as a result, expectations for documentation are higher
- Audit firms are also required to ensure team members receive formal training and can evidence required competencies prior to accepting an engagement
- The Interim Guidance also highlights that the principles relating to quality control include the use of Engagement Quality Reviewers (EQRs) and ensuring the availability of technical specialists with sufficient experience to perform this role.
Timing of first audit submissions and shorter audit periods
- The FRC have reiterated the timelines for reporting: under the Supplementary Regime, for audit periods ending within 12 months after the new rules, the deadline for audit report submission is 6 months post period end (prior to standardising this to 4 months post period end for subsequent audits). In addition, audit reports cannot cover a period of greater than 53 weeks
- Shorter audit periods may also arise given the rules have taken effect mid-cycle, and firms may request assurance split over the relevant periods, i.e. 1 Jan 2026 to 6 May 2026 (under the legacy safeguarding regime) and 7 May 2026 to 31 December 2026 (under CASS 15 and the “relevant funds regime”).
Future standard
- The final standard will be issued as an appendix to the existing CASS Assurance Standard, and this will occur following a consultation. The consultation will be limited to the new appendix
- The FRC are expecting to release the draft for consultation in Winter 2026 with the final appendix expected in Spring 2027.