CASS 15 Safeguarding & FRC Interim Guidance
The new regime, coming into force on 7 May 2026, introduces enhanced requirements around safeguarding, governance, reconciliations and record-keeping
14 April 2026 | Author: Artur Vorobyev
Artur Vorobyev analyses the Interim Guidance on Payment and E-money Safeguarding Assurance Engagements
What the New FRC Guidance Means for Payment and E-money Firms
The Financial Reporting Council has issued its Interim Guidance on Payment and E-money Safeguarding Assurance Engagements (17 March 2026), providing important clarity ahead of the implementation of the FCA’s new safeguarding regime under CASS 15.
The new regime, coming into force on 7 May 2026, introduces enhanced requirements around safeguarding, governance, reconciliations and record-keeping. The FRC guidance is designed to support auditors during the transition period and promote consistency in how safeguarding assurance engagements are performed.
Key themes at a glance
A move to a structured, CASS-style assurance framework:
Safeguarding is transitioning from a principles-based regime to a more prescriptive, controls-driven model aligned with CASS.
Greater focus on controls, reconciliations and audit evidence:
Firms will need to demonstrate robust systems, detailed reconciliations and clear supporting documentation.
Increased regulatory scrutiny and accountability:
The new regime raises expectations around governance, audit readiness and the ability to evidence compliance.
Why is it relevant?
The move to CASS 15 represents a fundamental shift in how safeguarding compliance is assessed and assured. Historically, safeguarding under the Electronic Money Regulations and Payment Services Regulations has been less prescriptive from an assurance perspective.
The new framework introduces a CASS-style assurance model, bringing safeguarding much closer to traditional client asset audits. This includes a stronger focus on systems and controls, detailed testing of reconciliations, and enhanced reporting requirements.
For firms, this means increased regulatory scrutiny and a need to demonstrate that safeguarding arrangements are robust, well-documented and operationally effective.
Who does it affect?
The new requirements apply to firms subject to safeguarding audit obligations under SUP 3A, including:
- Authorised payment institutions
- Authorised and small e-money institutions
- Credit unions issuing e-money
- Certain small payment institutions that opt into the regime
Firms holding less than £100,000 of safeguarded funds may be exempt from mandatory audit requirements, although voluntary audits remain permissible and may still be beneficial from a governance perspective.
What do you need to know?
A shift to a controls-based assurance framework
The guidance aligns safeguarding audits with the existing CASS Assurance Standard, meaning auditors will focus on:
- The adequacy of systems and controls throughout the period
- Compliance with safeguarding rules at period end
- Full breach reporting, regardless of materiality
Increased focus on IT, controls and third parties
Auditors are expected to:
- Assess design, implementation and operating effectiveness of controls
- Evaluate IT systems and IT general controls where relevant
- Review third-party safeguarding arrangements and due diligence processes
Enhanced reconciliations and record-keeping
CASS 15 introduces more stringent expectations, including:
- Robust record-keeping enabling immediate identification of client funds
- New D+1 internal safeguarding reconciliations
- Application of an “insolvency mindset” when assessing records and processes
Reasonable assurance and independence requirements
Safeguarding engagements will be:
- Reasonable assurance engagements (not limited assurance)
- Classified as Public Interest Assurance Engagements, subject to the FRC Ethical Standard 2024
This significantly raises expectations around auditor independence and engagement governance.
Transitional complexity and reporting changes
The first year of implementation will be particularly complex, including:
- Potential for hybrid audit opinions covering legacy and new regimes
- Extended six-month reporting deadline for initial submissions
- Overlap between existing EMR/PSR requirements and new CASS 15 rules
Evolution of Safeguarding: Legacy Regime vs CASS 7 vs CASS 15
| Area | Legacy Safeguarding Regime (EMRs / PSRs) | CASS 7 (Client Money Rules) | CASS 15 (New Safeguarding Regime) | BR Insight / Key Difference |
| Scope of firms | Payment institutions and e-money institutions | Investment firms, brokers, asset managers | Payment institutions and e-money institutions | CASS 15 effectively brings payments/e-money firms into a CASS-style framework for the first time |
| Regulatory framework | EMRs 2011 & PSRs 2017 | FCA CASS 7 rulebook | FCA CASS 15 + Supplementary Regime (from May 2026) | Shift from principles-based regime to prescriptive CASS-style rules |
| Objective | Safeguarding of customer funds | Protection of client money | Safeguarding of “relevant funds” under structured framework | Same core objective, but significantly enhanced structure and enforceability under CASS 15 |
| Safeguarding method | Segregation or insurance/guarantee | Segregation only (client money rules) | Segregation or insurance/guarantee (formalised within CASS) | CASS 15 formalises existing methods but raises expectations on how they are implemented and evidenced |
| Area | Legacy Safeguarding Regime (EMR’s / PSRs) | CASS 7 (Client Money Rules) | CASS 15 (New Safeguarding Regime) | BR Insight / Key Difference |
| Controls & governance | Limited explicit requirements | Strong focus on control environment | Extensive focus on governance, controls and oversight | Major uplift on controls testing now central to safeguarding audits |
| IT & systems | Limited focus | Considered depending on firm | Explicit focus on IT systems, data flows and ITGCs | CASS 15 introduces clear expectation for IT assurance work |
| Reconciliations | Less prescriptive, no standardised approach | Well-defined internal & external reconciliations | Enhanced requirements including D+1 internal reconciliations | One of the biggest changes – more frequent, structured and auditable reconciliations |
| Record-keeping | General requirement to maintain records | Detailed requirements for client money records | Enhanced requirements with focus on accessibility and accuracy | Introduction of “insolvency mindset” – records must support rapid return of funds |
| Third-party oversight | Basic due diligence expectations | Established oversight of custodians/banks | Enhanced due diligence, monitoring and documentation | Increased scrutiny – firms must evidence ongoing oversight and diversification considerations |
| Audit requirement | Annual safeguarding audit (less defined framework) | Established CASS audit regime | Formal safeguarding audit under SUP 3A | CASS 15 aligns safeguarding audits with CASS audit discipline and structure |
| Type of assurance | Reasonable assurance (but less standardised) | Reasonable assurance | Reasonable assurance only (no limited assurance) | Greater clarity and consistency – no flexibility for limited assurance |
| Audit approach | More principles-based | Structured, controls-based | Fully aligned to CASS-style methodology | Clear shift to risk-based, controls-driven audit approach |
| Breach reporting | Required, but less structured | Full breach reporting (no materiality) | Same approach – full breach schedule required | Alignment with CASS – no materiality threshold for breaches |
| Area | Legacy Safeguarding Regime (EMRs / PSRs) | CASS 7 (Client Money Rules) | CASS 15 (New Safeguarding Regime) | BR Insight / Key Difference |
| Independence requirements | Applicable but less prominent | Subject to FRC Ethical Standard | Subject to FRC Ethical Standard | Higher bar – increased scrutiny on independence and governance |
| Reporting format | Less standardised | Standard CASS report format | FCA-prescribed safeguarding report (SUP 3A) | Move to fully standardised reporting and templates |
| Transitional complexity | Not applicable | Not applicable | High (hybrid opinions, overlapping regimes) | Short-term complexity – firms must manage dual frameworks in 2026 |
| Overall maturity | Developing / less mature | Mature and well understood | Emerging but aligned to mature CASS framework | CASS 15 is effectively “CASS-ification” of safeguarding |
Expected Impact on Firms and the Market
The introduction of CASS 15 and the FRC guidance will materially increase the level of assurance required over safeguarding arrangements.
Firms should expect:
- Greater audit focus on control frameworks and governance
- Increased scrutiny of reconciliations and data integrity
- More detailed audit documentation and evidence requirements
- Higher expectations around IT environments and outsourced arrangements
Overall, the regime is designed to strengthen consumer protection and improve market confidence, but will require significant operational readiness from firms.
What should you do next?
Firms should begin preparing now to ensure readiness for the new regime:
- Perform a gap analysis against CASS 15 requirements
- Map key risks, controls and supporting evidence
- Assess IT dependencies and control frameworks
- Review and enhance reconciliation processes (including D+1 readiness)
- Engage early with auditors to align on expectations and timelines
- Early preparation will be critical to avoiding delays and ensuring a smooth transition into the new assurance framework.
Contact us
We support firms in navigating CASS and safeguarding requirements, including readiness assessments, control design and audit preparation.
If you would like to discuss the implications of CASS 15 or the new FRC guidance, please get in touch with your usual Blick Rothenberg contact or Artur Vorobyev.
Contact Chantal
More Spotlight on… articles
Spotlight On…Companies House WebFiling security breach update and recommended actions
Spotlight on…What the Government’s Capital Investment push means for Business, Construction, and the wider Economy
Spotlight on…Changes affecting small company financial reporting: periods commencing on or after 1 January 2026
