CASS 15: What are my safeguarding audit obligations?
5 Sep 2025 • Audit and Assurance • Financial Services • Safeguarding Audits
In August, the FCA officially published its long-awaited policy statement, PS 25/12, which sets out the changes to the Safeguarding regime for payments firms that are responsible for safeguarding relevant funds. Here, we explore some of the key changes to audit requirements.
Background
See here for our summary of key changes which come into effect on 7 May 2026.
In the table below we have highlighted the key impacts that the policy changes will have on the safeguarding audit regime for payments firms.
Which type of firm will require a safeguarding audit? | The audit requirement applies to: 1. Authorised Payment Institutions (APIs) that are authorised to carry out payment services other than payment initiation services or account information services; 2. Electronic Money Institutions (EMIs). Other safeguarding institutions are still required to have in place adequate arrangements to safeguard relevant funds. Voluntarily arranging an audit may help ensure that these obligations are met. |
Are there any exemptions? | If a payments firm has not been required to safeguard more than £100,000 of relevant funds at any time over a period of at least 53 weeks, it will not have to arrange a safeguarding audit. |
What must the audit report include? | Opinions on whether the firm: - has maintained systems adequate to comply with the relevant funds regime; and - was in compliance with the relevant funds regime at the end of the audit period. Along with: - details of any identified breaches of these rules; and - the remedial actions taken (if any) by the firm and the circumstances that gave rise to the breach. |
What is the relevant funds regime? | CASS 15 and, as applicable, regulation 23 of the Payment Services Regulations and/or regulations 20 to 24 of the Electronic Money Regulations. |
What is the deadline? | The FCA has extended the deadline for submission of the first safeguarding audit report to six months (rather than four) following the end of the firm’s safeguarding audit period. For subsequent audits, the audit report must be submitted within four months of the end of the period. |
Who can perform the safeguarding audit? | Safeguarding audits will need to be performed by qualified auditors. The FCA has clarified that firms are not required to appoint the same auditor for their safeguarding audit and their statutory audit, although firms may appoint the same auditor if they choose. |
Who submits the report to the FCA? | The auditor. |
Does the safeguarding audit period need to be the same as the financial period? | No, the FCA has not introduced a requirement for a payments firm’s safeguarding audit period to be aligned with its financial period. The requirement is for the period covered by the safeguarding audit report not to end more than 53 weeks after the end of the period covered by the previous report, or after the firm becomes subject to the rules. Ultimately, a firm can choose whether it wishes to align its safeguarding audit period to its financial period. |
