Why this matters
The FCA has completed a major review of safeguarding for payment and e-money institutions. Its new rules are designed to reduce the risks seen in recent failures – where customers faced long delays and, on average, recovered only 35 per cent of the funds they were owed.
At the same time, the EU is progressing with Payment Services Directive 3 (PSD3), which is currently in draft form and is expected to take effect in 2027, and the Markets in Crypto-Assets Regulation (MiCA), which took effect in December 2024. Both will also tighten safeguarding requirements, but in a different way. Cross-border firms will therefore need to plan for two parallel regimes.
The UK position – new rules now finalised
The FCA’s Policy Statement PS25/12 (7 August 2025) sets out a two-stage reform:
- Supplementary Regime: Effective 7 May 2026, after a nine-month transition. This overlays the existing Payment Services Regulations 2017 (PSRs) / Electronic Money Regulations 2011 (EMRs) with new provisions in the FCA Handbook (notably the Client Assets Sourcebook (CASS) and Supervision manual (SUP)).
- Post-Repeal Regime: This will take effect once HM Treasury revokes the PSRs and EMRs, replacing them with a statutory trust framework for safeguarding. The implementation date remains to be confirmed.
FCA sources: Policy Statement, PDF, and Draft Approach Document (May 2026).
Core UK requirements
Governance
- A named senior manager responsible for safeguarding.
- Board-level approval of safeguarding policy, including what counts as a “material discrepancy”.
Reconciliations and records
- Reconciliations must be performed on every reconciliation day (not weekends / bank holidays).
- Funds relating to e-money and payment services must be safeguarded separately.
- Firms must keep a resolution pack – a living document linking to current reconciliations, contracts and account information.
Audits and regulatory returns
- Annual safeguarding audit required unless the firm has safeguarded under £100,000 over a rolling 53-week period.
- First audit report must be submitted within six months of the period end (then within four months in subsequent years).
- New monthly returns to the FCA covering reconciliations, safeguarding methods, amounts, shortfalls, breaches and safeguarding accounts.
Third-party providers
- Due diligence must be carried out on the specific safeguarding of the bank, custodian, insurer or guarantor – not just the wider group.
- Firms must review diversification regularly, and if the review shows diversification is needed, they must implement it and document the action taken.
- The FCA expects firms to consider the availability of deposit protection (Financial Services Compensation Scheme look-through applies where UK banks hold safeguarded funds).
Insurance and guarantees
- Notify the FCA at least two months before taking out or changing cover.
- Renewal decisions must be made three months before expiry, with contingency plans if not renewing.
- Policies can only be cancelled for non-payment with 90 days’ notice to both firm and FCA.
- Payouts must cover the full amount owed, even where insolvency stems from fraud or negligence.
Acknowledgement letters
- Prescribed safeguarding acknowledgement letters are now mandatory.
- Firms must check the signatory’s authority, keep letters for five years after account closure and review them annually.
Start and end of safeguarding
- Safeguarding starts once the firm has an entitlement to funds.
- If e-money is issued before card funds have cleared, the firm must use its own resources to settle payments.
- Standalone FX transactions are outside the safeguarding regime, but firms must keep evidence that they are standalone.
EU developments – PSD3 and MiCA
The EU’s approach is less prescriptive but moving in the same direction:
- Segregation at receipt: Relevant funds must go directly into a safeguarding account, with no commingling or later segregation.
- Central bank safeguarding: PSD3 will allow firms to safeguard directly with central banks (if permitted), supporting access to payment systems.
- Diversification: Explicit obligation not to place all client funds with one institution.
- Notification duties: Material changes to safeguarding processes must be notified to regulators in advance.
- E-money tokens (EMT): Must be safeguarded in line with MiCA rather than PSD3.
- No statutory trust: EU law avoids reliance on trust concepts, focusing instead on segregation and regulatory oversight.
What this means for firms
- UK-only firms: Immediate priority is readiness for the Supplementary Regime by May 2026; the focus should be on reconciliations, resolution packs, acknowledgement letters, auditor engagement and monthly returns.
- Cross-border firms: Must design safeguarding frameworks that can satisfy both regimes – a UK trust-based approach and the EU’s strict segregation model; payment flows may need restructuring so that relevant funds are received directly into safeguarding accounts in the EU, while UK operations prepare for the statutory trust overlay.
Practical checklist
Governance
- Senior manager responsible; board policy including “material discrepancy” rules.
Reconciliations & records
- Daily reconciliations (business days).
- Separate ledgers for e-money vs payment services.
- Resolution pack maintained as a live document.
Audits & reporting
- Auditor appointed; scope and timetable agreed.
- First audit report deadline tracked (six months).
- Monthly return tested and ready.
Third parties
- Entity-level due diligence (capital, credit, FSCS cover).
- Diversification review carried out and acted upon.
- Records retained of diligence and diversification actions.
Insurance/guarantees
- FCA notifications (noting the two-month, three-month and 90-day deadlines, respectively).
- Policy terms checked for cancellation/payout provisions.
Acknowledgement letters
- Prescribed form signed by authorised individual.
- Annual review and five-year retention after closure.
Scope clarifications
- Controls to prevent use of safeguarded funds before card settlement.
- Evidence log for standalone FX transactions.
Cross-border (EU)
- Dedicated safeguarding accounts for incoming funds.
- Assess feasibility of central bank safeguarding.
- EMT issuers aligned with MiCA.
- Processes for advance regulatory notifications.
Next steps
- Begin gap analysis against finalised amendments to CASS/SUP now, prior to the changes taking effect on 7 May 2026.
- Engage auditors early to avoid capacity issues.
- Repaper acknowledgement letters and update third-party due diligence.
- For cross-border firms, plan for divergent requirements under UK and EU regimes.