Executive Summary: The Three‑Month Countdown
The regulatory landscape for UK and Gibraltar payment institutions (PIs) and e‑money institutions (EMIs) is undergoing its most significant overhaul in a decade. See e.g:
The Ever Expanding Regulatory Perimeter: Outsourcing, Resilience & Supply Chains
Consumer Duty Compliance for Gibraltar and UK Payment Service Providers
Ramparts European Payments & E-money Regulatory Update and Outlook – July 2025
As part of these changes, the Financial Conduct Authority’s (FCA) Supplementary Safeguarding Regime (CASS 15) takes effect on 7 May 2026, introducing much more granular, CASS‑style expectations into the payments and e‑money space.
This reform is a direct response to historical failures where firms entering insolvency had an average customer fund shortfall of around 65% (see PS 25/12), meaning customers often recovered only a fraction of their balances and waited years for distributions. The new rules fundamentally change how firms must protect customer funds, shifting safeguarding from a periodic compliance exercise to a daily, embedded operational discipline supported by independent assurance and ongoing reporting.
With less than three months remaining, implementation should now be near final subject to testing. Board members, senior managers and compliance staff need to ensure day‑one readiness.
Core Requirements: What You Must Implement
The new regime mandates five key areas of change to enhance customer protection and improve outcomes in an insolvency:
| New Requirement | Core Action Required | Why It Matters |
|---|
| 1. Daily Reconciliations | Perform both internal and external safeguarding reconciliations at least once each reconciliation day. Any shortfall must be remedied immediately using the firm’s own funds where necessary. | Moves from weekly/monthly checks to continuous monitoring, reducing the risk that shortfalls or other issues go unnoticed. |
| 2. CASS Resolution Packs | Maintain a comprehensive pack containing all documents needed for rapid fund return in insolvency, retrievable within 48 hours. | Enables insolvency practitioners to identify and return customer funds rapidly cutting down the current average of c. 2.3 years in payments firm failures. |
| 3. Annual Safeguarding Audits | All authorised PIs and EMIs must undergo a statutory safeguarding audit by a qualified auditor with company law and CASS‑style expertise. A limited exemption exists for firms continuously safeguarding under £100,000. | Provides independent validation of systems and controls, acts as an early warning mechanism, and gives regulators and counterparties greater confidence in the firm’s safeguarding framework. |
| 4. Monthly Safeguarding Returns | Submit detailed monthly returns via the FCA’s RegData system within 15 business days of each month‑end, covering reconciliations, balances, methods and breaches. | Gives the regulator near real‑time visibility on safeguarding practices, allowing earlier, more targeted intervention if issues emerge. |
| 5. Strengthened Governance | Allocate clear responsibility for safeguarding to a single senior manager. Institute annual board‑level reporting, and carry out enhanced due diligence and diversification of banks/custodians holding safeguarded funds. | Ensures clear accountability, stronger oversight and reduced concentration risk from reliance on a single safeguarding bank or provider. |
Multiple Currencies with Multiple Banks
For a multi‑currency structure involving two UK safeguarding banks, the key is to break the analysis down by currency and institution rather than treating safeguarding as a single blended pot. Each reconciliation day, the firm should calculate its safeguarding requirement in each currency (e.g. GBP and EUR), compare this to the total balances held in the corresponding safeguarding accounts at both banks, and then investigate and top up any shortfalls without delay. The firm also needs to document how it manages concentration risk if, for example, most of its GBP is held at one bank and most of the EUR at the other, including why that split is appropriate and what risk monitoring is in place.
Special Considerations for Gibraltar Firms
Gibraltar occupies a unique position as the only non‑UK jurisdiction with dedicated market access to the UK under a bespoke bilateral access framework which also grants UK firms with access to Gibraltar. The UK represents approximately 90% of the business of the Gibraltar financial services sector and so the integrity of the Gibraltar financial sector is crucial.
That access will soon sit within the developing Gibraltar Authorisation Regime (GAR), which is built on the principle of regulatory alignment between Gibraltar and the UK. GAR is already embedded in UK law and mirrored in Gibraltar’s framework, but the current UK market access arrangements still operate under extended transitional provisions to 31 December 2026, pending full GAR commencement and UK sector‑by‑sector alignment assessments leading to secondary legislation implemented by UK Treasury.
GAR and Market Access
Going forward once the full GAR regime is implemented it will underpin Gibraltar firms’ ability to service UK customers on a long‑term and more structured basis. In practice, this access is conditional on Gibraltar maintaining equivalent standards to the UK in key areas, including safeguarding and consumer protection. Persistent divergence would put the political and regulatory case for continued market access under pressure.
UK Branches of Gibraltar Firms
If your Gibraltar‑licensed firm operates from a UK branch, that branch is treated in regulatory terms much like a UK firm. You are directly in scope for CASS 15, with the same 7 May 2026 deadline and the full suite of requirements: daily reconciliations, resolution packs, monthly returns, annual safeguarding audits and strengthened governance.
Gibraltar Domestic Regime and Alignment
The GFSC has been clear that Gibraltar will implement equivalent safeguarding standards through legislation and guidance, so that domestic Gibraltar rules align with the UK requirements.
Strategic Imperative for All Gibraltar Firms
Even where the precise legal application of CASS 15 to pure cross‑border, services‑only models may be more nuanced, practically speaking best practice is to implement CASS‑equivalent frameworks. Firms that fall materially behind UK standards risk:
Increased supervisory focus from both the GFSC and UK authorities.
Difficulty convincing UK counterparties and banks that their safeguarding is robust.
For Gibraltar firms, stronger safeguarding discipline and processes are not only necessary to protect customers it is also important to protect Gibraltar’s continued UK market access for the financial services sector.
With the deadline fast approaching, firms should be executing and refining their implementation plans. A realistic high‑level timetable for the remaining period is set out below:
February – April 2026: Final Build and Testing
Immediate priority actions:
Gap Analysis (if not complete)
Confirm residual gaps against CASS 15, with clear owners and dates for closure.
Auditor Appointment and Engagement
Ensure a qualified auditor with relevant corporate and client asset protection experience is engaged.
System and Data Readiness
Implement or finalise daily reconciliation tooling and data feeds
Test the reconciliation logic, exception workflows and shortfall remediation.
Configure data capture for monthly RegData returns.
Resolution Pack Build and Drill
Complete the structure of the resolution pack and links to underlying records.
Run at least one 48‑hour retrieval test end‑to‑end.
Governance and Policies
Formally allocate safeguarding responsibility to a named senior manager.
Update policies, procedures and MI packs to reflect new regime requirements.
Schedule and run board briefing(s) and approve the safeguarding framework.
Training and Dry Runs
Train relevant teams (ops, finance, compliance, risk).
Conduct dry‑run reconciliations and mock monthly returns to identify issues early.
7 May 2026: Go‑Live
By this date, firms should:
Be performing daily internal and external reconciliations on every reconciliation day.
Have an operational resolution pack capable of being produced within 48 hours.
Be ready to submit their first monthly safeguarding return within the required timeframe.
Have governance, reporting and escalation procedures fully embedded.
The first formal safeguarding audit will follow the initial reporting period, but firms should work on the basis that auditors—and regulators—can and will look back to day one.
Next Steps
For UK firms: Your focus should now be on final execution, robust testing and ensuring you are audit‑ready from day one.
For Gibraltar firms: Treat CASS 15‑equivalent implementation as both a regulatory necessity and a GAR‑critical strategic priority. Strong safeguarding supports Gibraltar’s long‑term case for privileged UK access; weak safeguarding undermines it.
