22 Jan 2026

Your first CASS 15 audit: helping you prepare for the new rules

We’re getting closer to 7 May when the new CASS 15 rules from the Financial Conduct Authority (FCA) take effect, overhauling the safeguarding regime.

As part of these changes, all authorised payments firms and e-money institutions (EMIs) will require an external audit of safeguarding practices each year.

For many firms within the scope of CASS 15, the changes will be a huge step up from the current safeguarding requirements. Our specialists in financial services audits are here to ease the pressure, ensuring that your business is compliant with the CASS 15 regulations.

Read on for a summary of the requirements under CASS 15, more detail about key aspects of the requirements, and our checklist to help ensure you’re CASS 15 ready.

CASS 15 requirements in brief

  • An annual external audit of safeguarding practices
  • More detailed record keeping and daily reconciliations
  • Maintaining a schedule of breaches
  • A monthly client money and asset return (CMAR)
  • Maintaining a CASS resolution pack

As you get your new processes ready, two areas of particular importance are the CASS resolution pack and the schedule of breaches.

CASS resolution pack

In the event of insolvency, the pack will assist liquidators in the orderly wind-down of the firm. Key information in the pack would include clear directions to ensure the safe return of relevant funds.

The pack needs to be accurate, compliant and up to date: material changes should be made within five days. The pack is a window into your firm, so it’s important for you to make the right impression on the FCA from the start.

Schedule of breaches

To help your business meet the FCA’s reporting requirements for breaches – in the annual safeguarding audit report, in the monthly CMAR, and as soon as you become aware of them – we recommend that your schedule of breaches report be continually reviewed. This will ensure that the audit report isn’t the first time that ‘Those Charged with Governance’ (e.g. your board of directors) are made aware of breaches identified internally.

The FCA will regard an empty schedule of breaches as more of a red flag than one with breaches. This is because an empty schedule would indicate that your firm’s systems and controls are not effective enough to identify breaches.

Under CASS, any discrepancy at all must be reported, along with the remedial action taken.

 

Your CASS 15 checklist

Across five key areas of your operations, these are the things you should consider in preparing for your annual safeguarding audit and the broader CASS 15 requirements.

1. Governance & accountability

  • Board-approved safeguarding policy aligned to CASS 15
  • Monthly FCA return (CMAR) process
  • Resolution pack complete, retrievable within 48 hours

2. Safeguarding arrangements

  • Segregated safeguarding accounts confirmed with acknowledgement letters
  • Daily reconciliations (internal vs external) with exception handling and shortfall top-ups
  • Insurance/guarantee terms reviewed for compliance

3. Technology and automation controls

  • Reconciliation engine governance: version control, change management, override logs
  • Data lineage documented for monthly returns and resolution pack
  • Automation resilience: run-books, fallback processes, RTO/RPO tested
  • AI/automation register maintained with explainability and oversight

4. Third-party oversight

  • Due diligence on banks, payment service providers, outsourcers (financial strength, SOC reports)
  • Periodic reviews and monitoring dashboards for uptime and incidents

5. Evidence & reporting

  • Immutable evidence of reconciliations, breach remediation, and governance MI
  • Exception dashboards provided to Those Charged with Governance
  • Annual safeguarding audit engagement scheduled (within four months of year-end)

 

Abbreviations used in the checklist

  • RTO/RPO: recovery time objective, recovery point objective
  • SOC: system and organisation controls
  • MI: management information

 

How BKL can help

Our financial services and fintech audit specialists work closely together, sharing knowledge and supporting clients as a team.

We can apply our years of experience working with and auditing EMIs to ensure that your business is compliant with CASS 15 and other FCA regulations.

By working closely with regulatory advisers and solicitors who also specialise in financial services and CASS rules, we’ll give you extensive support throughout your fintech’s journey.

Together we will reduce the stress around regulatory compliance, freeing you to focus on innovating, helping your customers and securing your EMI’s future.

For a chat about your business, get in touch with Alisha O’Donovan or Elana Dimmer, or send us an enquiry.
