CASS 15 – the FCA’s overhaul of the Electronic Money safeguarding regime which takes effect in May 2026 – marks a significant shift in how safeguarding arrangements at Electronic Money Institutions (EMIs) will be supervised, tested, and evidenced.
Alongside the FCA’s interim and end-state rules, the Financial Reporting Council (FRC) is expected to update its CASS assurance standard to bring CASS 15 formally into scope.
While the revised assurance standard has yet to be published, its direction is already clear: safeguarding will be assessed through an insolvency-readiness lens, with increased emphasis on governance, operational resilience, third-party oversight, and the reliability of technology-driven processes. This is not merely a technical audit change: it has direct implications for senior management accountability, regulatory risk, and firm-wide operating models.
What this means for senior management
The forthcoming FRC CASS assurance standard will reinforce the FCA’s objective that firms must be able to return customer funds quickly and in full in the event of failure. For senior leaders, this means:
- Greater accountability for safeguarding governance and controls
- Less tolerance for informal processes or undocumented judgments
- Increased regulatory visibility into operational weaknesses
- A need to treat assurance reports as regulatory artefacts, not audit formalities
Firms that fully understand their changing requirements – while investing early in governance clarity, technology resilience, end-state readiness, and strong relationships with specialist auditors – will be best positioned to navigate the transition to CASS 15 with minimal disruption.
A shift to statutory audit and heightened regulatory scrutiny
One of the most consequential changes under CASS 15 is that safeguarding audits will fall solely within the remit of statutory auditors. Previously, firms could rely on regulatory advisers or specialist EMI consultants. Going forward, safeguarding assurance will sit alongside other FCA-regulated client asset regimes and is expected to become a core supervisory input for the FCA.
As with other CASS regimes, auditors are likely to be required to report all safeguarding breaches, regardless of materiality. This will give the FCA a granular, standardised view of firms’ safeguarding arrangements and reduce management discretion over what issues are escalated.
Continuity with the existing CASS assurance framework
Much of the existing FRC CASS assurance framework is expected to carry across to CASS 15. In particular:
- Safeguarding will be assessed over the period as well as at period end
- Firms will be evaluated on whether systems and controls would function effectively in an insolvency scenario
- End-to-end “flow of funds” reviews will remain central, particularly with the introduction of mandatory daily reconciliations
- Governance, individual accountability, and third-party oversight will be critical components of assurance
For firms already subject to CASS audits under MiFID or other regimes, the overall audit experience may feel familiar but expectations will be higher, particularly around evidence quality and documentation.
Interim vs end-state rules: a staged transition
CASS 15 introduces a phased implementation, with interim rules taking effect from May 2026 and more prescriptive end-state requirements following later. The revised assurance standard is expected to reflect this staging.
While certain requirements may not be formally tested during early audits, firms should expect auditors — and regulators — to scrutinise how they are preparing for the end state. Readiness planning, governance decisions, and implementation roadmaps are therefore likely to become part of the assurance conversation well before the final rules apply.
EMI-specific features: insurance and guarantee safeguarding
Unlike other CASS regimes, EMIs may safeguard customer funds using insurance or guarantee arrangements. The revised assurance standard is expected to set clearer expectations on how auditors should assess these structures, including:
- Whether policy terms allow for prompt payout on failure
- How close firms are to policy expiry and their contingency planning
- Liquidity risks arising from premium payments
- Whether insurance proceeds are appropriately held under statutory trust
This area is likely to attract heightened scrutiny, given its complexity and potential impact on insolvency outcomes.
Technology, automation, and operational resilience
Modern EMI and payment service provider operating models are highly automated, relying on reconciliation engines, treasury systems, sub-ledgers, and data pipelines. The existing CASS assurance standard predates many of these developments.
The revised standard is expected to place greater emphasis on:
- Governance over automated reconciliation and segregation tools
- Data integrity and traceability from transaction processing through to regulatory reporting
- Oversight of third-party platforms, cloud providers, and outsourced services
- Operational resilience, including system outages, batch processing failures, and fallback procedures
Safeguarding risk will increasingly be viewed as technology and operational risk, not just a finance or compliance issue.
How BKL can help
Our financial services and fintech audit specialists work closely together, sharing knowledge and supporting clients as a team.
We can apply our years of experience working with and auditing EMIs to ensure that your business is compliant with CASS 15 and other current and future regulations.
By working closely with regulatory advisers and solicitors who also specialise in financial services and CASS rules, we’ll give you extensive support throughout your fintech’s journey.
Together we will reduce the stress around regulatory compliance, freeing you to focus on innovating, helping your customers and securing your EMI’s future.
For a chat about your business, get in touch with Alisha O’Donovan or send us an enquiry.
