👋🏼 Got a regulatory report due? Get free XML/XBRL generation and support on your first return. 🎉

Blog

APRIL 10, 20267 MIN READ

FCA Safeguarding Report: New Requirements Explained for UK E-Money and Payments Firms

Fiona Jelly

Fiona Jelly,
Founder & CEO of Complyfirst

UK flag

This applies to PIs/EMIs in the UK

Table of Contents
  1. What Information Firms Need to Report
  2. Basic set-up
  3. Safeguarding method
  4. Balances
  5. Where funds are held
  6. Resource vs requirement
  7. The D+1 (Day plus 1) segregation check
  8. Reconciliations
  9. Record-keeping
  10. Notifiable breaches
  11. Direct API Integration with FCA RegData
  12. What This Enables in Practice

The UK Financial Conduct Authority (FCA) has introduced new safeguarding oversight measures for all e-money institutions and payment institutions operating in the UK.

Previously, safeguarding audits applied only to larger EMIs, and safeguarding information formed a small part of a broader regulatory submission. As a result, the FCA had limited insight into how smaller firms safeguarded money day-to-day.

PS25/12 changes this.

From 7 May 2026, all UK EMIs and PIs that safeguard funds must complete an annual safeguarding audit, and all firms will begin submitting a dedicated monthly safeguarding return through RegData.

But verifying that these changes are being applied correctly in practice isn’t going to be an easy feat.

For compliance teams, this mainly means more frequent reporting and more structure around safeguarding data.

Let’s dive in to the main changes EMIs and PIs need to be aware of.

fca safeguarding deadline frequency format

TL;DR

  • What it is: New FCA safeguarding rules introducing annual audits and a monthly safeguarding return via RegData.
  • When it starts: From 1 January, with first submissions in Q1.
  • Who it affects: All UK-authorised e-money institutions and payment institutions.
  • Why it matters: Safeguarding is the main protection for customer funds, and firms must now report it accurately every month.

What Exactly are the New FCA Safeguarding Requirements?

Let’s start with recapping what safeguarding means in practice.

Safeguarding requires firms to hold customer funds in a separate, protected account so that the money remains isolated from the firm’s own assets. This way, if a firm collapses, safeguarded customer funds should be returned quickly to customers (as they are not used for business operations).

With the PS25/12 coming into effect from May 2026, the FCA has two major objectives: expanding who must undergo an annual audit, and who must submit a monthly return, to have more oversight into how firms safeguard funds day-to-day.

Here’s an overview of the FCA’s annual audit and monthly return:

Safeguarding AuditSafeguarding Return
What changedAudit requirement now applies to all EMIs and PIs, not just larger EMIs.Safeguarding data is no longer a small section of another return (e.g., FSA056). It becomes a standalone monthly report with expanded fields.
PurposeTo independently verify that firms segregate customer funds correctly, perform reconciliations accurately, and maintain complete safeguarding records.To give the FCA ongoing visibility of safeguarded balances, reconciliation outcomes, and where customer funds are held.
FrequencyAnnually, with the first audit due within 6 months of the firm’s first year-end after 7 May 2026 (4 months in following years).Monthly, submitted through RegData once the FCA finalises the schema.

Who is in Scope?

The return applies to all firms that are required to safeguard customer funds, including:

  • E-money institutions (EMIs)
  • Authorised payment institutions (APIs)
  • Small payment institutions (SPIs) that have opted in
  • Small e-money institutions (SEMIs) that have opted in

The return covers relevant funds safeguarded under the PSRs and EMRs.

All firms must complete sections 1–9. Sections 10–17 apply only where firms provide unrelated payment services, such as EMI + UPS models or opted-in credit unions.

Timing, Frequency, and Submission

The new rules go live on 7 May 2026.

The return must be submitted monthly, within 15 business days after month-end, via the FCA’s RegData platform. The first return is expected to be due on 19 June 2026, based on the initial reporting period.

Returns can be keyed directly into RegData or submitted using XML or API-based automation (we can help! 😉).

What truly sets Complyfirst apart is its ability to simulate a regulator’s review, identifying potential data discrepancies or inconsistencies across multiple reports before submission.

Pamela Crilly, EU COO, TrueLayer

Read case study

How FCA Safeguarding Reporting Works in Practice

In practice, safeguarding reporting is a repeatable monthly process that sits alongside month-end close.

Each month, firms will calculate how much customer money should be safeguarded, confirm where those funds are held, and reconcile customer liabilities against safeguarding accounts. The return then records whether safeguarding requirements were met at all times, including on a D+1 basis where required.

Any shortfalls, excesses, adjustments, or notifiable issues must be identified and explained. Over time, this creates a consistent audit trail that feeds directly into the annual safeguarding audit.

What Information Firms Need to Report

Now, on to the data fields you’ll need to collect. If you were required to safeguard during the period, sections 1-9 apply:

Now on to the data fields you’ll need to collect.

If you were required to safeguard during the period, sections 1–9 apply:

Basic set-up

Your firm name, category of safeguarding institution, and details on your last safeguarding audit.

Safeguarding method

If you were in scope for safeguarding, what method did you use (segregation, insurance/guarantee, or some combination), the number of clients you safeguarded for, and any use of non-standard internal reconciliation procedures during the period.

Balances

Simply your highest and lowest safeguarding requirement during the period.

Where funds are held

  • If segregation is used:
    The institution where funds are held, the type of account, number of accounts, total amounts held, country, and whether the contract is fixed-term or has a notice period.
  • For insurances/guarantees:
    Name of insurer or guarantor, amount covered, date of expiry, and total overdue premiums.
  • For investment in secure liquid assets:
    The asset type, name of custodian, and total value of assets held at the end of the period.

Resource vs requirement

You report what you’ve actually safeguarded across bank accounts, segregated funds not yet placed, relevant assets, and any insurance/guarantee cover.

Then you compare that to what you should be safeguarding (including any amounts received but unallocated to an individual client).

Then you work out whether you had an excess or shortfall at month-end and disclose what you did to fix it.

The D+1 (Day plus 1) segregation check

You report your requirement vs resource from your last internal reconciliation, along with any adjustments made.

Reconciliations

Did you carry out:

  • Internal reconciliations using your own records every reconciliation day?
  • External reconciliations using external evidence (e.g. bank statements)?

Record-keeping

This is your inventory of all safeguarding accounts and assets, including:

  • How many accounts you had at the start of the month
  • How many you opened
  • How many you closed
  • How many you had at the end of the month

Then you confirm how many of those accounts are covered by an acknowledgment letter, and if letters are missing, explain why.

Notifiable breaches

This is where the FCA is basically asking: did anything happen this month that you were required to notify them about under CASS, for example:

  • Material errors in records — materially out of date, inaccurate, or invalid
  • Failed reconciliations — you can’t perform the required internal/external reconciliations
  • Unresolved discrepancies — you’re unable to fix shortfalls or excess after reconciliation
  • Material shortfalls — a material difference between safeguarding requirement vs resource
  • Insurance/guarantee — about to expire without replacement lined up (you need to tell the FCA three months in advance)
  • Any other breach of duty under CASS 15

For firms providing unrelated payment services i.e. payment services unrelated to the issuance of e-money, you repeat the same checks as above in sections 10-17.

EMIs who provide UPS, SEMI opt-in and credit union opt-ins may have to complete this section.

Complyfirst Supports Monthly FCA Safeguarding Reporting

In practice, the biggest impact is the shift to regular reporting. Safeguarding data often sits across finance, operations, and compliance teams, and monthly reporting requires tighter coordination between those groups.

Month-end is already a busy period. Adding a safeguarding return means processes need to be repeatable, reconciliations need to be reliable, and last-minute fixes need to be kept to a minimum. This is where we can help.

Here’s how Complyfirst can help pick up the monthly load:

Direct API Integration with FCA RegData

Complyfirst has a direct API integration with the FCA RegData platform.

This means:

  • No manual keying of fields line by line into RegData
  • No re-entering data already reconciled internally
  • No duplication between internal reports and FCA submission

Instead, safeguarding data flows directly into the FCA reporting format via system integration.

What This Enables in Practice

Because submission is integrated rather than manual, firms will benefit from:

  • Automated safeguarding data collection
  • Built-in data validation and error checks before submission
  • Accurate RegData-ready XML generation
  • Clear review, sign-off, and version control processes
  • Responsive support during month-end madness

FAQ

Firms should start by confirming whether they are required to safeguard customer funds and which parts of the monthly return apply to their business model. From there, preparation mainly involves making safeguarding a repeatable month-end process. This includes standardising customer funds calculations, tightening reconciliations to safeguarding accounts, assigning clear data ownership across finance and operations, and planning for submission within 15 business days. Firms should also ensure records and evidence are retained, as monthly reporting feeds directly into the annual safeguarding audit.

The FCA PS25/12 safeguarding regime is the updated framework governing how e-money institutions and payment institutions protect and report on customer funds. It introduces a mandatory annual safeguarding audit for all firms and a new standalone monthly safeguarding return submitted via RegData. The regime is designed to give the FCA regular visibility of safeguarding arrangements, following failures in the sector, and applies to firms safeguarding relevant funds under the Payment Services Regulations and Electronic Money Regulations.

The FCA is expanding safeguarding audits to ensure consistent assurance across all EMIs and PIs, not just larger firms. Past failures and limited visibility of smaller institutions highlighted gaps in oversight. By requiring all firms to undergo an annual audit, the FCA can independently verify segregation and safeguarding controls and reduce the risk of customer loss in firm failure.

The new FCA safeguarding rules apply from 7 May 2026. From this date, firms must follow the updated safeguarding framework, including preparing for the new monthly safeguarding return. The first monthly return is due 15 business days after month-end, which is expected to be 19 June 2026 for most firms.

Conclusion

The FCA’s safeguarding changes are mainly about consistency. By moving to monthly reporting, the FCA gains regular visibility of how customer funds are protected. For EMIs and payment institutions, the focus now is on setting up clear, repeatable processes so safeguarding reporting becomes part of the normal month-end cycle, rather than a recurring disruption.