As of 7 May 2026, full compliance of CASS 15 is required.
Who does this affect?
The CASS 15 rules apply to the following types of organisations:
Go deeper with GlobalData
Access deeper industry intelligence
Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.
- Authorised payment institutions
- E-money institutions
- Credit unions that issue e-money
Small payment institutions are able to opt-in to comply with the new rules on a voluntary basis; a firm will be considered exempt from CASS 15 if it has held less than £100,000 of relevant funds for fewer than 53 weeks.
Increased protection for funds held
One of the main aims of the new CASS regime is to provide security to clients, particularly in the event of a regulated firm becoming insolvent, and to ensure that all of the safeguarded funds are returned to clients should this be the case.
Under CASS 15, firms are now required to hold safeguarding funds under an arrangement that ensures that funds held on behalf of clients are protected and maintained separately from other creditors of the firm. In practice, this requires firms to safeguard the monies held once they meet the definition of ‘relevant funds’, with the rules providing details of the methods by which this is permitted.
Methods of safeguarding
As had been set out in the FCA’s proposal document CP25/12, the CASS 15 rules state a number of potential methods of safeguarding relevant funds – including holding the funds in a designated safeguarding account or investing the funds in secure liquid assets – and also permit protection of funds by obtaining an insurance or guarantee for the amount of funds held.
Whilst the methods listed are the same as under the previous safeguarding regime, they have been significantly strengthened to add legal certainty to the protection afforded to clients, in line with the FCA’s wider aims.
Where funds are held in designated safeguarding bank accounts, firms are now required to have acknowledgement letters in place, reviewed and signed by the third-party institution, before the account is entitled to receive relevant funds.
When investing in secure liquid assets, firms need to ensure the governance and risk profile around the assets selected is managed appropriately.
Where a firm uses an insurance or guarantee to protect the funds held, management must ensure that they have a documented and clear contingency plan in place to cover the insurance guarantee in the event of failure. In addition, firms must confirm renewal or replacement at least three months before an insurance policy or guarantee expires, or else be ready to cover the funds via segregation.
Reconciliations
A further key element of the CASS 15 rules is a requirement to carry out daily internal and external reconciliations, cross-referencing their internal records and external third-party statements to ensure the accuracy of client funds held.
These reconciliations must be carried out with funds held at ‘D+1’ (the end of day following receipt) at a consistent time each day, with any shortfall identified rectified promptly. Any deviations from this standard method are heavily restricted.
Firms are reminded that a separate client money resource should be calculated, acting as a record of what the firm believes it is holding within client safeguarding accounts. This must be clearly reconciled to the funds the firm is required to hold and be carried out separately for relevant funds in respect of payment services and E-money.
Audit requirements
Under CASS 15, an annual audit report will need to be submitted to the FCA by a qualified auditor. For periods that cross the implementation date of 7 May 2026, the FCA has permitted either a hybrid or two report approach. The former consists of one report covering the full year (for example 1 January to 31 December 2026), referring to the existing safeguarding regime prior to 7 May 2026 and the CASS 15 regime after this date (as opposed to a short period ending on 7 May 2026 covering the existing safeguarding regime, with a new period commencing after this date under CASS 15).
The FCA has confirmed that all CASS 15 audit reports are required to be submitted; previously only those with adverse opinions relating to systemic breaches needed to be filed.
The maximum length of a period for which an audit report covers is 53 weeks and the initial audit reports under CASS 15 must be submitted to the FCA within 6 months of the year end, as opposed to four months under the existing regime.
Information Technology General Controls
IT General Controls (ITGC) work is specifically referenced in the Financial Reporting Council’s (FRC) interim guidance to audit firms performing safeguarding assurance engagements. As a result, firms should expect this to form an important part of the safeguarding audits going forward.
In order to gain comfort over the data used within safeguarding fund platforms, auditors will focus on three key areas: change management, user access and IT operations. If deficiencies are noted, these are likely to result in CASS breaches being reported, so firms should consider engaging early with their auditor or seek a third-party review of their IT arrangements.
Being prepared is the key
We have seen with the introduction of other CASS regimes (notably CASS 6 and 7 which came into force at the end of 2015) that being prepared is the key to compliance. Management should carry out a detailed review of their existing policies and procedures to ensure compliance with the new rules.
Firms are also required to map their existing controls against the CASS rules, to ensure controls exist for all areas. Where this is not already in place, management should use this as an opportunity to review their existing arrangements, update and strengthen as necessary.
Firms should ensure policies and procedures are fully up to date ahead of their year-end; we would encourage firms to act now to ensure they are fully prepared for CASS 15.
Oliver Hawes is a Director at PKF Littlejohn
