Safeguarding audit

What is changing and why it matters

The Financial Conduct Authority (FCA) is strengthening the safeguarding regime for payments and e-money firms.

The new regime introduces mandatory safeguarding audits and enhanced reporting, with the aim of:

  • Improving protection of customer funds
  • Increasing consistency across firms
  • Strengthening accountability at board and senior management level
  • Enhancing monitoring and record-keeping

The changes form part of a phased approach. From 7 May 2026, firms will need to comply with an enhanced set of safeguarding rules under CASS 15.

To find out more about the practical impact, you can read our recent blog.

Why choose Price Bailey for safeguarding audits

We have extensive experience delivering FCA assurance engagements, including CASS reports and limited assurance reviews.

Our team brings:

  • Established CASS audit capability
  • Dedicated specialists focused on regulated firms
  • Partner oversight throughout the engagement
  • Clear audit planning, timelines and communication

Safeguarding audit services from Price Bailey

We offer Annual safeguarding audits under CASS 15.

A safeguarding audit can be performed independently of your statutory audit. Some firms appoint us for both engagements; others appoint us solely for the safeguarding assurance report.

Do you need a safeguarding audit?

A firm will require an annual safeguarding audit if it holds more than £100,000 in on average over a period of at least 53 weeks.

Organisations to fall within scope include:

  • Authorised Payment Institutions (APIs)
  • Electronic Money Institutions (EMIs) – both authorised and small EMIs
  • Credit unions issuing e-money in the UK
  • Small Payment Institutions (SPIs) (where they opt into safeguarding requirements)

If your firm handles customer funds, you should assess your position well in advance of your first reporting period.

We can help

Contact us today to find out more about how we can help you with your CASS Safeguarding audit

Get in touch

How to prepare for a safeguarding audit

Firms should focus on ensuring their arrangements are robust from the start of the audit period.

  • Take the time to become familiar with the relevant regulations and guidelines of CASS 15
  • Complete a mapping exercise to identify the safeguarding requirements applicable to your business model and how your organisation ensures compliance
  • Review procedures in place to ensure customer funds are segregated
  • Consider appointing a safeguarding officer with an understanding of the regulatory requirements
  • Provide regular training to employees based on their roles and responsibilities

 If a firm begins its first audit period without compliant processes in place, this may result in:

  • A qualified audit opinion during the period
  • In more serious cases, an adverse opinion.

 

What ‘audit-ready’ looks like in practice

Firms should aim to have clear, well-documented safeguarding arrangements in place and operating effectively from the start of the audit period.

In practice, this means:

  • A risk and controls framework mapped to CASS 15 requirements
  • Documented safeguarding calculations and reconciliation processes
  • Clear governance structures, including designated responsibility for safeguarding
  • Evidence of review, challenge and escalation processes
  • Documented due diligence and ongoing monitoring of third parties
  • Key safeguarding documents (such as policies, procedures and resolution packs)

What a safeguarding audit covers under CASS 15

As part of a safeguarding audit, the auditor will assess whether the firm has maintained adequate documentation and controls as part of their safeguarding arrangements. These include:

  • Structure and operation of safeguarding accounts
  • Acknowledgement letters from banks or custodians confirming safeguarding status
  • Policies and procedures for record-keeping and reconciliations
  • Evidence that relevant funds are distinguished from other funds and can be determined without delay

The auditor will also obtain an understanding of the firm’s IT arrangements and controls. This will vary depending on the complexity of an organisation’s IT environment.

Safeguarding calculations and reconciliations

A key focus area is the safeguarding calculation and reconciliation process, including:

  • How relevant funds are identified and calculated
  • The frequency and methodology of reconciliations
  • Evidence of review and challenge
  • Exception identification and escalation

We test selected reconciliations and review how effectively discrepancies are resolved.

Segregation of funds

We review:

  • How customer funds are segregated
  • The flow of funds through the business
  • Controls ensuring segregation occurs within required timeframes (including T+1 requirements)

Third-party due diligence

Where firms use banks or other third parties in the safeguarding process, we examine:

  • Initial and periodic due diligence
  • Ongoing monitoring arrangements
  • Contractual documentation
  • Evidence of review and oversight

Record-keeping and key documentation

We inspect key safeguarding documents, which may include:

  • Risk and controls matrices mapped to CASS 15
  • Policies and procedures
  • Governance papers
  • Resolution packs and safeguarding documentation

Where breaches are identified, we clearly explain:

  • The rule breached
  • The associated risk
  • What would be expected to achieve compliance

Common gaps firms should address

Based on experience of FCA assurance engagements, firms should pay particular attention to the following areas:

  • Missing or inconsistent supporting evidence
  • Unclear ownership of safeguarding controls
  • Reconciliation process gaps
  • Weak or undocumented exception handling
  • Insufficient third-party due diligence documentation
  • Governance arrangements that lack formal structure

We can help

Contact us today to find out more about how we can help you with your CASS Safeguarding audit

Get in touch

Frequently asked questions about CASS Safeguarding audits 

When do the FCA safeguarding rules come into effect?

The enhanced CASS 15 regime takes effect from 7 May 2026.

Do we need the same auditor as our statutory auditor?

No. Your safeguarding auditor can be the same firm as your statutory auditor, but it does not have to be.

What is involved in a safeguarding audit?

A structured assurance engagement covering governance, reconciliations, segregation of funds, third-party oversight, documentation and record-keeping, with a strong focus on testing safeguarding controls.

Which firms are exempt from the safeguarding audit?

Firms that do not meet the £100,000 relevant funds threshold over the 53-week assessment period will not require an annual safeguarding audit. Small Payment Institutions may also fall outside scope unless they opt in.

Do we need an audit if we held no relevant funds?

If no relevant funds were held during the period and the threshold is not met, an audit opinion may not be required. Firms should document and evidence this position carefully.

What documentation should firms expect to provide?

Common requests include:

  • Risk and controls matrices mapped to CASS 15
  • Governance documentation and board papers
  • Safeguarding calculation workings
  • Reconciliation evidence
  • Third-party due diligence records
  • Policies, procedures and systems notes

What does the audit timeline look like?

The audit typically includes:

  1. Planning and scoping
  2. Fieldwork and control testing
  3. Reporting and opinion issuance

First year of the regime

For the first year, the audit period will begin from May 2026 (when the new rules come into effect). Firms will then typically have six months from their period end to submit their first safeguarding assurance report.

Subsequent years

In subsequent years, the process becomes more routine:

  • Annual audit covering the full financial period
  • Consistent application of safeguarding controls throughout the year
  • Submission of the assurance report within six months of each period end

Firms should plan ahead to ensure controls are embedded from the start of each period, as issues arising during the year may impact the audit opinion.

How do you minimise disruption during fieldwork?

Most work can be completed remotely. We agree information request lists in advance and structure testing to align with existing processes, reducing operational disruption.

Can you have a short audit period?

Yes – these may arise where new rules take effect mid-year. Firms can opt for split periods, as long as each period is no more than 53 weeks.

Example – year end 31 December 2026

Two report approach:

  • 1 January 2026 – 6 May 2026 under the legacy safeguarding regime and existing assurance framework; and
  • 7 May 2026 – 31 December 2026 under the relevant funds regime.

This would also result in a hybrid opinion to cover each of the above periods.

We can help

Contact us today to find out more about how we can help you

Get in touch

Meet out Audit & Assurance team below...

Darren Amott

Darren Amott

Partner

Tom Asplin

Tom Asplin

Senior Manager

Stella Athanasiadou

Stella Athanasiadou

Partner

James Bloxham

James Bloxham

Manager

Camilla Bole

Camilla Bole

Manager

Andrew Booth

Andrew Booth

Partner

Victoria Bye

Victoria Bye

Assistant Manager

Charisse Calaunan

Charisse Calaunan

Manager

Michael Cooper-Davis

Michael Cooper-Davis

Partner

Paul Cullen

Paul Cullen

Partner

Rhys Daltrey

Rhys Daltrey

Assistant Manager

Gonzalo Dominguez Pena

Gonzalo Dominguez Pena

Assistant Manager

Read our insights here...

Top