Blog

JUNE 3, 2026 • 11 MIN READ

FCA REP027 Safeguarding Return: Submission Guidelines Before 21 July 2026

Fiona Jelly,
Founder & CEO of Complyfirst

This applies to PIs/EMIs in the UK

Table of Contents

What is the FCA REP027 Safeguarding Return?
Why the FCA built a dedicated return
When is REP027 due?
Is Your Firm in Scope for REP027?
The REP027 Return at a Glance: All 17 Sections
The Three Trickiest Sections
What Answers in REP027 Will Trigger FCA Supervisory Attention?
Who is the New Safeguarding Accountable Individual?
How to Build a Repeatable Monthly REP027 Process
Getting REP027 Right From the Start

The FCA has watched £6 billion a day flow through payment institutions. They have also watched what happens when safeguarding fails. REP027 is how they plan to make sure it doesn't happen again.

Between 2018 and 2023 we saw a string of UK insolvencies (Ipagoo, Premier FX and others) where customer funds couldn't be returned in full. The FCA noted the average shortfall in those cases was 65%. That experience sits behind every policy decision in this new regime.

REP027 is a brand new, dedicated monthly safeguarding return. You used to submit a small portion of safeguarding data as part of your capital adequacy return. Now it has its own home, its own sections, its own conditional logic, and its own first deadline: 21 July 2026.

This blog walks you through what the return covers, which sections are tricky, what the FCA will be watching closely, and how to set up a good, repeatable monthly process.

TL:DR

First submission deadline: 21 July 2026, then monthly (15 business days after month-end)
In scope: authorised PIs, authorised EMIs, small EMIs that have opted into safeguarding
The return has up to 17 sections. Which ones apply depends on your firm type and activity.
A single director or senior manager is now formally accountable for safeguarding operations.
Complyfirst is offering your first quarter free: full platform access, 1:1 support, and submission all the way to the FCA.

What is the FCA REP027 Safeguarding Return?

REP027 is a monthly regulatory return submitted via the FCA's RegData platform. It sits under the new CASS 15 sourcebook, which replaced the FCA's high-level safeguarding guidance with prescriptive operational rules from 7 May 2026.

The purpose is straightforward. The FCA wants standardised, frequent data on how firms are protecting customer funds. Not once a year. Every month.

Why the FCA built a dedicated return

EMIs safeguarded approximately £26 billion in customer funds in 2024, up from £11 billion in 2021. Payment institutions safeguard an estimated £6 billion per day. That scale, combined with the insolvency failures of the previous decade, made a dedicated return inevitable.

The FCA has been clear that it has zero tolerance for safeguarding failures. REP027 is their early warning system. One month's data is a data point. Several months of the same issue is a pattern, a pattern that will trigger supervisory action.

When is REP027 due?

The first submission covers the period from 7 May 2026 to 30 June 2026 and is due by 21 July 2026. After that, submissions are due within 15 business days of each month-end, every month.

That is twelve submissions a year.

Is Your Firm in Scope for REP027?

There are three layers to work through.

Which firm types have to submit

Layer 1: Firm type: Authorised payment institutions (APIs) and authorised e-money institutions (AEMIs) are in scope. Small e-money institutions (SEMIs) are in scope if they have opted into safeguarding. Small payment institutions (SPIs) are only in scope if they have opted in. If you are not authorised or did not opt in, you are out of scope.
Layer 2: Activity: If you are in scope, sections 1, 2, and 9 always apply. That is your firm details, your safeguarding method, and any notifiable CASS breaches. Sections 3 to 8 only apply if you actually held relevant funds during the monthly reporting period. For smaller firms, if there was a month where nothing was safeguarded, you skip sections 3 to 8.
Layer 3: Unrelated payment services (UPS): If your firm provides payment services that are genuinely separate from your e-money issuance (for example, an EMI that also runs a standalone money remittance product for SMEs), you are providing UPS. Sections 10 to 17 apply. The FCA wants to see the UPS bucket separately from e-money because the two are safeguarded under different regimes and can have different treatment for returning funds in an insolvency.

Which sections apply to you

In short: sections 1, 2, and 9 apply to everyone in scope. Sections 3 to 8 depend on activity. Sections 10 to 17 depend on whether you provide UPS. Run through all three layers before you assume which sections you need to complete.

The REP027 Return at a Glance: All 17 Sections

Sections 1–9: the core return

Section	The Details
Section 1: Firm information	Your firm name, category of safeguarding institution, and details of your last safeguarding audit.
Section 2: Safeguarding method	What method did you use? Segregation, insurance or guarantee, or a combination? Include the number of clients you safeguarded for, and any use of non-standard internal reconciliation procedures during the period. (More on why this matters below.)
Section 3: Balances	Your highest and lowest safeguarding requirement during the reporting period.
Section 4: Where funds are held	For segregation: institution, account type, number of accounts, total held, country, contract terms. For insurance or guarantee: insurer name, amount covered, expiry date, overdue premiums. For relevant assets: asset type, custodian, total value held at period end. We will spend more time on this section below.
Section 5: Resource vs requirement	What you actually safeguarded across bank accounts, segregated funds not yet placed, relevant assets, and any insurance or guarantee cover. Any excess or shortfall at month end and what you did about it. Also coming back to this one.
Section 6: D+1 segregation check	Your requirement vs resource from your last internal reconciliation, plus any adjustments made.
Section 7: Reconciliations	Confirmation that you carried out internal and external reconciliations on every reconciliation day during the period.
Section 8: Record-keeping	Your inventory of safeguarding accounts and assets: how many you held at the start of the month, opened, closed, and held at month end, plus acknowledgement letter coverage. We are coming back to this one too.
Section 9: Notifiable breaches	Did anything happen this month that you were required to notify the FCA about under CASS? material record-keeping errors, failed reconciliations, unresolved discrepancies, material shortfalls, an insurance or guarantee approaching expiry without a replacement, or any other breach of duty under CASS 15?

Sections 10–17: the UPS block

Sections 10 to 17 mirror the core return but apply only to unrelated payment services. If UPS applies to your business model, you’ll need to complete these sections.

The Three Trickiest Sections

Section 4: Where your funds sit

Section 4 asks you to report where relevant funds actually sit, so which institutions, accounts, assets, insurance or guarantees. The reason it catches people out is that what you tick at the top of the section determines how much data you have to produce underneath.

There are five sub-sections, 4a through 4e, each triggered by a yes/no question:

11AA: yes triggers 4a — your full list of bank accounts
12AA: yes triggers 4b and 4c — your assets and custodian detail
14AA: yes triggers 4d — insurer names, amounts covered, expiry dates, overdue premiums
15AA: yes triggers 4e — guarantor names, amounts covered, expiry dates, overdue fees

One yes can generate a significant volume of follow-on data. For larger firms with multiple safeguarding methods or many bank accounts, section 4 alone can take considerable time to prepare.

And if you have an overdue premium on an insurance policy in 4d, that data point carries forward. It surfaces again in section 5 and is likely to attract supervisory attention.

Section 5: Resource vs requirement

This is the section supervisors will read first. It is where your actual safeguarding position becomes visible, and where patterns emerge over time.

A few things to note in section 5:

Insurance cover with an overdue premium (field 17D) is still technically in force, but the FCA will notice it. An overdue premium is an early signal that the policy may lapse, and you may hear from them.
Unallocated funds (field 19B) i.e. money received but not yet matched to a client, must be reported here. It is also worth fixing upstream. If clients are not sending funds with a correct payment reference, they cannot be tagged and safeguarded promptly. That is a process problem, not just a reporting problem.
Shortfalls (fields 20A and 21A). You report any shortfall and what you did about it. A single shortfall corrected by a top-up is a data point. The same shortfall appearing month after month is a pattern. The FCA will be asking whether this is a one-off or a sign of something structural in your safeguarding operations.

Section 8: Record-keeping and acknowledgement letters

Section 8 is your inventory: accounts at the start of the month, opened during the period, closed during the period, accounts at month end, and how many of those are covered by an acknowledgement letter.

Two things to pay close attention to here.

First, the account count at month end (field 28AE) must tie exactly to the count of accounts listed in section 4a. If those numbers do not match, you have a consistency problem that will stand out.

Second, the number of accounts covered by an acknowledgement letter (field 28AF) is scrutinised. If you have accounts without letters on file, field 28AG requires a narrative explanation of what happened, and what you are doing about it. This is a running commentary. If you write in May that you are chasing the bank, and you are still writing the same thing in October, the FCA will come looking.

Section 8 is also where de-banking becomes visible for the first time in a structured way. De-banking is a known pain point for PIs and EMIs, as you often have no control over the timing. But historically, firms that lost safeguarding accounts and quickly replaced them did not always flag it to the FCA.

From now on, section 8 captures every account opened and closed, with narrative. Getting that wrong, or being economical with the truth, puts you in false-statement territory under the EMRs and PSRs.

What Answers in REP027 Will Trigger FCA Supervisory Attention?

Most of REP027 is straightforward data. But there are specific answers that are likely to prompt the FCA to take a closer look.

Four to flag:

Section 2, question 8A asks whether you used a non-standard method of internal safeguarding reconciliation during the period. Ticking yes will attract attention. Only tick yes if you genuinely did, and be prepared to explain why.
Section 7, questions 26A and 27A ask whether you carried out internal and external reconciliations on every reconciliation day. If you tick yes but actually missed days, that is a potentially false statement to the FCA. Be accurate here, and address any missed days in your narrative.
Section 9, questions 29A and 30A ask whether any notifiable CASS breaches arose and whether you complied with the notification requirements. The answers here can create serious supervisory issues if you get them wrong. Make sure you know what triggers a notification obligation under CASS 15 before you complete this section.
Sections 10 to 17 — if UPS applies to your business model and you leave these sections blank, that will stand out. Know your scope before you submit.

Will the FCA flag my return if I missed a reconciliation day?

Yes, potentially. Section 7 asks you to confirm reconciliations were carried out on every reconciliation day. A missed day reported accurately is far better than a missed day covered up. Transparency with a clear explanation of what went wrong and what you have done to fix it is the right approach. False or misleading information in a regulatory return is a criminal offence under the EMRs and PSRs.

I’ve worked at large banks with entire teams managing returns. With Complyfirst, we had it done in days.

Neil McDermott, CFO

Learn how

Who is the New Safeguarding Accountable Individual?

The FCA now requires a single director or senior manager of sufficient skill and authority to formally own safeguarding. Their responsibilities are to have oversight of the firm's operational compliance with the relevant funds regime, and reporting to the governing body on that oversight.

This is a taste of the SMCR regime arriving in a bespoke way for payment and e-money firms. This type of named accountability does not exist anywhere else for PIs and EMIs. It is new, it is specific to safeguarding, and it carries real consequences.

What are the consequences if the safeguarding accountable individual gets it wrong?

At firm level: financial penalty, public censure, or in the most serious cases cancellation of authorisation under the EMRs or PSRs.

At individual level: personal financial penalties, loss of fit and proper status (which effectively means loss of the role), and in the most serious cases a criminal offence for providing false or misleading information to the FCA.

If you are that individual (and for many of you reading this, you are) the way REP027 is prepared, approved, and evidenced each month is now a professional liability question.

How to Build a Repeatable Monthly REP027 Process

This is a monthly return. You will submit it twelve times a year. The goal is to design it once and run it the same way every month, so you’re not having to reinvent the wheel each time.

Here’s a practical four-step approach:

Step	The Process
Step 1: Data pull	Set up an extract from your core systems (your banking platform, your reconciliation tooling) that you can run every month. It will not capture everything, but getting the core fields automated removes the most time-consuming manual keying.
Step 2: Validate the data	You can validate manually on the FCA RegData platform, or technically against the FCA's XSD schema. The schema has conditional logic baked in, so validation catches errors before submission.
Step 3: Approvals	Your safeguarding accountable individual needs an audit trail of who approved what, and when. Build this into your process from the start. A spreadsheet signed off over email the night before is not the audit trail that individual wants to be relying on.
Step 4: Submit to RegData	You can key data in manually via the RegData web interface, or submit via API directly from your reporting system. Given REP027 can run to hundreds of data points for larger firms, the manual route is not a sustainable long-term approach.

Should we automate REP027 or do it manually?

The honest answer is that manual works for the first submission or two. It will not work sustainably twelve times a year. The risk is not just time, it is accuracy. Manual keying introduces errors. And a process that lives in one person's head generates key person risk.

Automating via API submission requires technical resource to build, and someone who can maintain it when the FCA updates the XSD schema (which it will). If you do not have that in-house, you need it in your corner before the errors start.

At Complyfirst, we built a reporting platform specifically for this. You drop your data in, the platform fills out the return automatically, your safeguarding accountable individual reviews and approves with a full audit trail, and we submit direct to RegData via API. When the FCA updates the schema, that is on us, not you or your team.

And, we are offering your first quarter completely free. Full platform access, 1:1 support from our team, and submission all the way to the FCA. The first deadline is 21 July.

Complyfirst Resources

REP027 snapshot one-pager

Inside REP027: Preparing for the FCA's New Monthly Safeguarding Return - Webinar recording & slides

1:1 call with us

Getting REP027 Right From the Start

Three things to take away from this post: know your scope and which sections apply to you, understand what the FCA is actually looking at in sections 4, 5, and 8, and build a repeatable monthly process with a clear approval trail for your safeguarding accountable individual.

If you are navigating this and want to talk it through, get in touch with us here. The 21 July deadline is close, and we are happy to help.

FAQ

Yes, it's live. The schema is available on the FCA website now. What they haven't published is a user-friendly Excel template, which is why we built one. DM us if you'd like a copy.

If you hold no relevant funds in that month, you only need to complete sections 1, 2 and 9. Sections 3 to 8 are activity-driven. Sections 10 to 17 only apply if you provide unrelated payment services.

Probably not. Most firms run with segregation as their sole safeguarding method. Insurance only comes into play if there's a specific operational reason or you want an extra layer of protection. It’s very business model specific, so worth a conversation if you're unsure.

The threshold is materiality. You're required to notify the FCA of material excesses or shortfalls. What's material will depend on your business model. Our advice: if you're genuinely unsure, err on the side of caution and notify.

Section 5 asks for your safeguarding resource versus requirement. The figures reported are based on your last reconciliation at month end, not a daily consolidated amount. Your highest and lowest balances during the period are captured separately in Section 3.