Blog
MAY 4, 2026 • 7 MIN READ
REP027: The FCA’s New Monthly Safeguarding Return for UK PIs and EMIs
Fiona Jelly,
Founder & CEO of Complyfirst
This applies to PIs/EMIs in the UK
From 7 May 2026, every UK payment institution and e-money institution that safeguards customer funds has a new monthly return to submit: REP027. It’s the first monthly regulatory return UK PIs and EMIs have ever had to file, and the first deadline is already 21 July 2026.
The FCA XML schema has finally been published. It’s what unlocks API-based submission and makes a repeatable monthly process actually achievable.
This guide will everything your team needs to know. What REP027 is, why it exists, who’s in scope, what you need to report section by section, and how to build a process that doesn’t fall apart by month three.
Let’s get into it!
TL;DR
- What it is: A new standalone monthly safeguarding return submitted to the FCA via RegData
- Who it affects: All UK authorised payment institutions, e-money institutions, and any SPIs or SEMIs that have opted in to safeguarding
- When: Go-live 7 May 2026. First return due 21 July 2026
- Frequency: Monthly, within 15 business days of month-end
- Why it matters: The first ever monthly regulatory return for UK PIs and EMIs. The FCA wants month-by-month visibility on how firms safeguard customer funds, not just an annual snapshot
- Submission: FCA RegData. Manually or via XML and API using the now-published XSD schema
REP027 is a standalone monthly safeguarding return submitted to the FCA via RegData. It’s the first ever monthly regulatory return for UK payment institutions and e-money institutions.
It sits in the FCA Handbook at SUP 16.14A and Annex 29BR, introduced by FCA 2025/38, and runs alongside the new safeguarding rules in CASS 15.
The whole point of the return is to give the FCA proper visibility on how firms safeguard customer funds every month, not just a once-a-year snapshot. Annual reporting hasn’t been catching the problems that build up between periods. Monthly reporting closes that gap.
REP027 covers:
- Safeguarding method
- Balances
- Where funds are held
- Resource vs requirement
- The D+1 segregation check
- Reconciliations performed during the period
- Account-level record-keeping
- Any notifiable CASS breaches
Before REP027, safeguarding data was tucked inside broader returns like FSA056 and FIN060a. This is a completely different beast. Far more granular, standalone, and closer to a CASS-style return than anything UK PIs and EMIs have had to submit before.
Why is REP027 Being Introduced?
REP027 is part of PS25/12, the FCA’s overhaul of the safeguarding regime. Arguably the biggest reform since the PSRs and EMRs came in.
Here’s why it got to this point:
- Safeguarded e-money balances have more than doubled to ÂŁ26bn, up from ÂŁ11bn in 2021
- Around 1 in 10 UK e-money holders now use these accounts for everyday spending
- Bank customers have the FSCS. Customers of PIs and EMIs don’t. They have the FCA safeguarding regime
That regime hasn’t held up. Three of the most prominent failures:
| Firm | Year | What happened |
|---|---|---|
| Premier FX | 2018 | Failed to properly safeguard customer funds |
| Ipagoo | 2019 | Went into administration having failed to safeguard |
| Applied Wallet | 2019 | Went into liquidation for the same reason |
Each case dragged on for years. Customers recovered only a fraction of what they were owed.
And these firms aren’t outliers. Across 12 payment firm insolvencies between 2018 and 2023:
- Average shortfall between funds owed and funds safeguarded: 65%
- For EMIs alone, that figure rises to 80%
The FCA is closing the gap. And REP027 is a huge part of that.
What is Changing Under PS25/12?
REP027 is one of six areas PS25/12 tightens. Here is the before and after:
| Area | Before | After (PS25/12 ) |
|---|---|---|
| Reconciliations | Required under the PSRs and EMRs but no prescriptive cadence | One per reconciliation day (excludes weekends, bank holidays, foreign market closures), comparing safeguarding requirement vs resource. Any shortfall fixed immediately |
| Separate reconciliations for e-money vs payment services | Single safeguarding view across activities | E-money funds and payment services funds reconciled and safeguarded separately, so each pool is transparent in an insolvency |
| Resolution packs | No formal requirement to maintain a single, live resolution pack | Live document covering safeguarding accounts, custodians, agents, distributors, return-of-funds procedures, and safeguarding contracts |
| Annual safeguarding audits | In practice, only larger firms in scope | Almost all firms in scope (firms with under ÂŁ100k safeguarded over the past 53 weeks are exempt) |
| Third-party oversight | Third-party oversight High-level expectations | Detailed due diligence on banks, custodians, and insurers; documented diversification decisions; liquidity stress tests confirming 24-hour redemption capability; insurance and guarantee renewal decisions taken three months before expiry |
| FCA reporting | Safeguarding data buried inside broader returns (FSA056, FIN060a) | Standalone monthly return (REP027) submitted via RegData |
That last row is REP027. It’s what we’re going to be diving into in this blog.
Who Does REP027 Apply To?
REP027 applies to all safeguarding institutions holding relevant funds under the PSRs or EMRs:
- Authorised Payment Institutions (APIs)
- E-Money Institutions (EMIs)
- Small Payment Institutions (SPIs) that have opted in to safeguarding
- Small E-Money Institutions (SEMIs) that have opted in to safeguarding
If you are an SPI or SEMI that has not opted in, REP027 does not apply. If you have opted in, even voluntarily, you are in scope.
Firms providing unrelated payment services (UPS) must also complete Sections 10 to 17. That roughly doubles the length of the return.
What Are the Key REP027 Deadlines?
| Milestones | Date |
|---|---|
| Go-live | 7 May 2026 |
| First return due | 21 July 2026 |
| Reporting frequency | Monthly |
| Submission deadline | 15 business days after month-end |
The 15 business day window is where compliance teams will feel the pressure. It overlaps directly with month-end close, and the data sits across finance, ops, and compliance in different systems.
How is REP027 Submitted?
REP027 goes via the FCA’s RegData platform, within 15 business days of month-end. You’ve got two ways to do it:
Option 1: Manual entry
- Pull data from your systems
- Key it into RegData directly
- Fine for the first return
- Gets painful fast by the third or fourth
Option 2: API or XML submission
- Use the FCA’s published REP027 XSD schema
- Build a canned extract that auto-populates the return
- Submit to RegData via the FCA’s API
- No manual re-keying
Now that the schema’s been published, option 2 is really the no-brainer. It’s the one worth building toward.
What truly sets Complyfirst apart is its ability to simulate a regulator’s review, identifying potential data discrepancies or inconsistencies across multiple reports before submission.
Pamela Crilly, EU COO, TrueLayer
Which Sections of REP027 Apply to My Firm?
Not every firm fills in every section. Getting this wrong means either over-reporting or missing sections you should have completed.
| Sections | Who completes them |
|---|---|
| Sections 1, 2 and 9 | Every firm in scope |
| Sections 3 to 8 | Only if you were required to safeguard during the period |
| Sections 10 to 17 | Only firms providing unrelated payment services (EMIs providing UPS, SEMIs that opted in, credit unions that opted in) |
If your business model includes unrelated payment services, the return roughly doubles in length.
What Does REP027 Require You to Report?
Sections 1 to 9 are the core return:
| Section | What you report |
|---|---|
| Section 1: Firm and category | Firm name, category of safeguarding institution, details of your most recent safeguarding audit |
| Section 2: Safeguarding method | Method(s) used during the period (segregation, insurance, guarantee, or a mix), method at the time of your last internal reconciliation, number of clients safeguarded, whether you used any non-standard internal reconciliation procedure |
| Section 3: Balances | Highest and lowest safeguarding requirement during the period, in sterling |
| Section 4: Where funds are held | See breakdown below |
| Section 5: Resource vs requirement | What you actually safeguarded across bank accounts, segregated funds not yet placed, relevant assets, and insurance or guarantee cover, compared to what you were required to safeguard. Any excess or shortfall at month-end, and what you did to fix it |
| Section 6: D+1 segregation check | D+1 resource vs D+1 requirement from your last internal reconciliation, plus any adjustments made |
| Section 7: Reconciliations | Yes/no: did you carry out internal and external reconciliations on every reconciliation day? |
| Section 8: Record-keeping | Accounts at start of month, opened, closed, accounts at month-end, plus acknowledgment letter status for each. If letters are missing, you explain why |
| Section 9: Notifiable CASS breaches | Anything you were required to notify the FCA about: material errors in records, failed reconciliations, unresolved discrepancies, material shortfalls between requirement and resource, insurance or guarantee cover nearing expiry (the FCA expects three months’ notice), or any other CASS 15 breach |
Section 4 in detail: Where funds are held
This one varies depending on how you safeguard:
- Segregation: institution, account type, number of accounts, total balances, country, fixed-term or notice
- Insurance and guarantees: provider, coverage amoun t, expiry date, overdue premiums
- Secure liquid assets: asset type, custodian, value at period end
For firms providing unrelated payment services, Sections 10 to 17 repeat the same checks for that activity.
What Does REP027 Mean for Compliance Teams?
This is the first ever monthly regulatory return for UK PIs and EMIs. Here is where this is going to bite:
- The cadence. Everything else in the FCA’s calendar is quarterly, semi-annual, or annual. Monthly is a different rhythm. Most teams haven’t had to report at this frequency before and it will show.
- The data. Safeguarding data doesn’t sit in one place. It lives across finance, ops, and compliance. Pulling it together manually every month, inside a 15 business day window, on top of month-end close, is going to hurt.
- The upside nobody talks about. Get it right from day one and the monthly reporting trail feeds straight into your annual safeguarding audit. That’s the prize.
The firms that find the first deadline straightforward will be the ones building a repeatable monthly process now, not the week before it’s due.
How Should Compliance Teams Prepare for REP027?
| Step | Action |
|---|---|
| Work out your scope | Are you required to safeguard? Did you opt in? Do sections 10 to 17 apply to your business model? |
| Map your data sources | Work out where each REP027 data point currently lives. Section 4 and Section 8 tend to be the most fragmented |
| Build a repeatable extract | You’ll be doing this every month. A canned extract is the baseline. XML or API submission removes the manual re-keying entirely |
| Set up maker/checker | Build an approval workflow so every return gets reviewed before submission and there’s a record of how each figure was derived |
| Get the dates in the diary | 15 business days after month-end, every month. First deadline: 21 July 2026 |
| Think ahead to your annual audit | The monthly trail you build from day one feeds directly into your annual safeguarding audit. Get it right early and it does double duty |
What Tools Are Available for REP027 Reporting?
The firms that’ll find the first deadline manageable are the ones treating this as an automation problem now, not a reporting problem in June.
The FCA’s published XSD schema is what makes that possible. It defines exactly what a valid REP027 submission looks like. With it, you can build a canned extract from your existing systems that maps directly to the return and submits to RegData automatically. Set it up once. Run it every month.
| Approach | What it involves | Sustainable long-term? |
|---|---|---|
| Manual | Pull data from systems, key into RegData | Honestly? No. The data is fragmented, the window is tight, and this is monthly |
| API / XML | Build a canned extract using the FCA’s XSD schema, submit via RegData API | Yes. The setup takes time upfront, but then it just runs |
How Does Complyfirst Help UK PIs and EMIs with REP027 Reporting?
Complyfirst is built specifically for UK PIs and EMIs getting ready for REP027. We’re the home of safeguarding reporting.
We sit in the middle of the monthly process so you don’t have to piece it together manually every time:
- Works with any extract. Excel, CSV, or any format your systems produce. We map it into the platform and auto-generate the return. No copy-pasting into report cells.
- Validates before submission. Every return is checked against the FCA’s REP027 XSD schema before it reaches RegData. Errors caught before they become a problem.
- Submits via API. We submit directly to RegData via the FCA’s API. No keying it in.
- Maker/checker built in. Approval controls on every report with a full audit trail behind it. If the FCA queries how a return was prepared, you have the answer in seconds.
Get in touch to talk through your setup. And DM us if you’d like our Excel template to start mapping your data today, even if you’re not working with us.