Safeguarding readiness in the UK payments sector
Operating models under CASS 15
Explore the findings and insights shaping safeguarding readiness
Key findings
Context
Methodology
Readiness
Returns
Reconciliation
Evidence
Confidence
Recommendations
Bottom line
Key findings
66%
Still reconcile monthly or less—driven
by spreadsheet limits
The spreadsheet constraint
Spreadsheets remain a cornerstone of compliance operations, but they are already operating close to their practical limits: two-thirds of spreadsheet users need at least six hours to produce an evidence pack, 22% lack confidence their reports would pass an audit and the majority (66%) reconcile monthly or less frequently.
13%
Operate daily.
Everyone else doesn’t
The shift to daily has barely begun
Just 13% of organisations currently perform safeguarding reconciliations daily. The majority operate weekly (53%) or monthly (28%), with a further 5% reconciling less frequently. In other words, nearly 90% of the industry is not yet operating at the daily reconciliation cadence expected under the FCA’s safeguarding regime.
32%
Already compliant.
The rest are still catching up
Momentum is real,
but maturity is uneven
32% of the industry already consider themselves compliant with the updated safeguarding rules. The rest are either implementing required changes (49%), assessing the guidelines (13%) or yet to begin preparation (5%). As audits approach, the challenge shifts from programme delivery to controls that operate consistently under real conditions.
35%
Very confident they’d pass an audit.
Most aren’t
Audit confidence is uneven
Although 84% say their team could explain every calculation in their reports to an auditor, depth of assurance varies. Only 35% are very confident; nearly half describe themselves as somewhat confident. That middle ground will be tested when explanations must be supported by documented logic, reconciled data and formal review controls.
43%
Understand the rules—but aren’t
ready to implement them
Understanding outpaces execution
The largest cohort (43%) say they understand what the CASS 15 rules require but need more time and clarity to implement them. Close behind, 39% view the reforms as a manageable extension of existing controls, while 9% remain concerned about complexity and resourcing. Gaps in clarity point to implementation in motion rather than a fully embedded regulatory model.
Survey context and purpose
Safeguarding has long been a core requirement for Authorised Payment Institutions (APIs) and Electronic Money Institutions (EMIs), designed to ensure that customer funds are protected in the event of firm failure. However, the FCA’s recent reforms under PS25/12 materially raise expectations around governance, record-keeping, reconciliation frequency and evidential readiness.
The shift is not limited to policy updates. It moves safeguarding from a periodic compliance obligation to a continuous operational control, with enhanced reporting requirements, daily reconciliation expectations and formalised resolution-pack retrieval standards.
For many, it represents a structural change to back-office processes rather than a narrow regulatory update.
This survey examines how prepared the UK payments sector is for the transition to the updated safeguarding regime.
The researched aimed to:
Assess readiness
Assess the UK payments industry’s current stage of preparation for the FCA’s updated safeguarding regime.
Understand operations
Understand how firms are operationalising safeguarding requirements, including reporting workflows, reconciliation cadence and evidential readiness.
Identify gaps
Identify structural gaps between regulatory expectation and day-to-day operating models.
Methodology and respondent profile
The survey targeted professionals directly involved in or overseeing safeguarding processes within their organisations, aiming to capture both operational and oversight perspectives.
All respondents work at FCA-regulated Authorised Payment Institutions (APIs) or Electronic Money Institutions (EMIs).
Participants were qualified through an initial set of screening questions to confirm safeguarding responsibility. They were then presented with a series of structured multiple-choice questions in both single-and multi-response formats. In all cases, respondents had the option to select “I don’t know”.
The survey captured responses from 75 professionals across the UK payments ecosystem.
20%
Acquiring / PSP / Gateway
20%
Card issuing and processing / Programme management
20%
Remittance / Cross-border / FX
15%
Account provider / Wallets
20%
Open banking PISP
7%
Open banking AISP
27%
500+ employees
23%
250 - 500 employees
20%
100 - 249 employees
13%
50 - 99 employees
13%
10 - 49 employees
4%
<10 employees
The current state of safeguarding compliance
Safeguarding preparations across the industry are well advanced. Around one-third (32%) say they’re already compliant with the FCA’s updated CASS 15 requirements, while half (49%) are actively working on changes ahead of the May deadline.
A small minority (18%) are earlier in the process, either scoping required changes or yet to begin preparation. Notably, no respondents reported uncertainty about how the rules apply to their organisation—a clear signal that awareness of the new regime is now widespread.
Although reassuring that many consider themselves already compliant, this remains a self-assessment.
The next phase will determine whether programmes in flight translate into operational reality.
Which best describes your organisation’s current stage in preparing for the FCA’s updated safeguarding regulations?
32%
Fully compliant with all upcoming requirements
49%
Identified the required changes and are implementing them
13%
Assessing what changes are needed but haven’t started implementation
5%
Not yet started preparing for the new requirements
Confidence is high.
Clarity is the constraint.
Firms are broadly engaged with the FCA’s safeguarding reforms, but confidence is uneven. Some 43% understand what’s required but need more time and clarity, slightly outweighing the 39% who feel well-prepared. Only 18% remain concerned about the complexity and resource impact or are still working through the detail.
The prominence of “need more time and clarity” points to a familiar operational reality: understanding the regulatory model is much easier than re-engineering an operating model to meet it. Challenges arise when applying new requirements to complex, cross-team workflows like reconciliation, exception management and evidence retention—many of which were not designed with safeguarding in mind.
Overhauling long-standing processes requires firms to define ownership, formalise control logic and ensure outputs are repeatable. Businesses still uncertain risk surfacing these dependencies too late, forcing teams to implement controls at the same time they must evidence them.
Which best describes your organisation’s sentiment regarding the FCA’s upcoming safeguarding requirements?
39%
Well-prepared, a managable update to existing controls
Understanding is one thing.
Implementation is another.
43%
Understand what’s required, need more time and clarity
9%
Concerned about complexity and resource impact
9%
Don’t fully understand what’s needed, working through it
Monthly safeguarding returns
Semi-automated processes remain the dominant model for monthly safeguarding returns, with 52% of firms combining tools and spreadsheets. Around one-third (36%) have an automated solution in place, and 12% use spreadsheets exclusively. Overall, 64% of firms still rely on spreadsheets to some degree.
While each approach can meet regulatory requirements in principle, they behave very differently under scale and scrutiny.
Fully automated
Semi-automated
Spreadsheets only
What best describes your organisation’s current solution for completing monthly safeguarding returns to the FCA?
36%
Fully automated
52%
Semi-automated
12%
Spreadsheets only
Why the operating
model matters
Under PS25/12, firms must submit a monthly safeguarding return within 15 business days of month-end.
Meeting that deadline requires timely access to reconciled balances, supporting records and calculation outputs. Where safeguarding data is dispersed across spreadsheets and hybrid workflows, assembling that information quickly becomes difficult.
The operational question is no longer whether a process can produce a return, but whether it can do so repeatably, defensibly and on schedule every month.
Month end | +15 days to deadline
S
M
T
W
T
F
S
S
M
T
W
T
F
S
S
M
Reconciliation frequency in practice
Daily reconciliation is the new expectation, but most are not there yet. Only 13% of organisations conduct safeguarding reconciliations daily. The majority operate either weekly (53%) or monthly (28%), with a further 5% reconciling less frequently.
Taken together, almost
90 %
of in-scope firms are not yet meeting the reconciliation cadence required by the FCA.
At what frequency does your business currently conduct safeguarding reconciliations?
13%
Daily
Expected under FCA safeguarding regime
53%
Weekly
28%
Monthly
5%
< Monthly
Operating models and reconciliation cadence
When reconciliation frequency is grouped by solution approach, spreadsheet-only firms stand out for the weakest cadence.
Two-thirds reconcile monthly or less frequently, compared to 36% of semi-automated firms and 33% of those operating fully automated workflows.
What’s more interesting is what automation does and doesn’t change. Daily reconciliation remains low across all groups (11–15%), so automation doesn’t magically guarantee compliance. But it does shift firms out of the weaker, infrequent posture and into a more controlled operating rhythm—most commonly every week.
Put simply: tooling maturity changes the baseline cadence, but a further operating model shift is still required to reach daily reconciliation in practice.
Safeguarding reconciliation frequency
Fully automated
Semi-automated
Spreadsheets only
33%
Monthly or less
53%
Weekly
15%
Daily
Why “not daily yet” is a risk profile
From 7 May 2026, firms must perform safeguarding reconciliations at least once each reconciliation day. The process should explicitly test safeguarding requirement against safeguarding resource, including the D+1 comparison mechanics.
If daily reconciliation is soon the standard but remains uncommon in practice, the issue is not just readiness but feasibility. The test is whether reconciliation can scale in frequency without eroding control or evidential integrity. Operating models designed for periodic execution are unlikely to support daily control without pushing many back-office functions to the limit.
Weekly or monthly reconciliation represents a materially different risk posture. Five areas are affected:
Risk-ometer
Shortfalls persist
longer
Daily reconciliation limits the duration of exposure; weekly cadence allows shortfalls to sit undetected for days.
Root-cause analysis weakens
Daily checks narrow error windows; weekly reconciliation turns investigation into reconstruction.
Evidence risk increases
Reconciliation is framed as a check on the accuracy of books and records, not a substitute for them.
Supervisory visibility rises
Monthly safeguarding returns require firms to confirm whether reconciliations were performed every reconciliation day.
Escalation thresholds tighten
Firms are expected to notify the FCA without delay if reconciliations cannot be performed or discrepancies cannot be remedied.
Safeguarding
evidence
Most firms can produce a complete safeguarding evidence pack within a working day, but the distribution shows a clear divide between maintained and assembled evidence.
Only
36%
report instant or near-instant access, while the majority require several hours—including a small but material 2–5 day tail.
PS25/12 reframes safeguarding evidence as something that must already exist, not something produced when requested. The FCA’s CASS resolution-pack requirement sets a 48-hour retrieval expectation and specifies that key records—including acknowledgement letters and recent safeguarding reconciliations—should be immediately available.
Against that expectation, our data exposes a simple reality: some firms build evidence; some firms have evidence. Where evidence must be constructed across systems and teams, firms risk failing the retrieval standard even if the underlying data is ultimately correct.
How quickly could your business produce a complete safeguarding evidence pack showing reconciliations, bank acknowledgements and relevant records?
How operating models shape evidence availability
Evidence-pack readiness varies sharply depending on the safeguarding method. In manual workflows where evidence must be assembled each time, two-thirds require at least six hours and one-third need more than a full working day. Much of that time is spent extracting data, standardising formats and manually tying outputs back to underlying records.
Semi-automated workflows improve response times but remain constrained, with 77% in the 2–12 hour range and only 10% achieving real-time readiness. Where evidence spans multiple systems, retrieval always depends on coordination across data sources and processes at the point of request.
Fully automated models shift
the dynamic.
Almost half (44%) have real-time access and the vast majority (88%) can produce an evidence pack within one working day. In these environments, evidence should be generated as an output of the process and ready for on-demand retrieval.
Safeguarding evidence pack readiness by operating model
Fully automated
Semi-automated
Spreadsheets only
0%
0%
0%
0%
0%
Audit
confidence
Producing reports is often only the first challenge. The harder test is explaining every figure in detail: where it came from, how it was calculated, who reviewed it and how it reconciles to underlying records.
Against this backdrop, most firms are confident in their ability to substantiate safeguarding reports under scrutiny. 84% say their team could explain every calculation in their reports to an auditor, with 35% very confident and 49% somewhat confident. Only 16% remain either neutral or not very confident.
Although reassuring on the surface, somewhat confident is not the same thing as certainty.
The distinction reflects whether auditability is anchored in structured, repeatable processes or working interpretations. In practice, that gap shows up most clearly in the operating model used to produce reports.
How confident are you that everyone on your team could explain every calculation in your regulatory reports to an auditor?
Very confident
Somewhat confident
Neutral
Not very confident
How operating models shape confidence
Confidence in explainability varies strongly by operating model, but not in a linear way. Spreadsheet approaches stand out for the weakest profile, with 22% lacking confidence they could explain safeguarding calculations to an auditor. This is materially higher than other methods, reflecting fragmented logic, undocumented formulas and manual adjustments.
Semi-automated models do not show a clear uplift compared to spreadsheets alone, suggesting that reconciliation outputs rely on manual interpretation between systems. Although hybrid workflows can reduce effort, they don’t necessarily improve traceability if spreadsheets continue to house key assumptions, adjustments or matching logic.
Automation doesn’t eliminate audit hesitancy entirely, but it does produce the largest cohort of firms (59%) very confident that their reports will stand up to audit. Where logic is embedded in systems and governed through consistent controls, explainability becomes a property of the operating model itself.
How confident are you that everyone on your team could explain every
calculation in your regulatory reports to an auditor?
Fully automated
Semi-automated
Spreadsheets only
Very confident
Somewhat confident
Neutral
Not confident
Very confident
Somewhat confident
Neutral
Not confident
Very confident
Somewhat confident
Not confident
What explainability really involves
Explaining a safeguarding calculation means more than presenting a final number.
It means showing where the figure came from, how it ties back to source systems and safeguarded balances and what controls—review, sign-off and change management—were applied along the way.
While the FCA does not explicitly require firms to “explain every calculation,” the principle is embedded throughout the CASS regime with its emphasis on accurate books and records, reconciliations to validate those records and governance capable of withstanding scrutiny.
Kani’s
key recommendations
The bottom line
Historically, safeguarding has been treated as a necessary reporting obligation. But the reforms introduced in PS25/12 reframe it as something more fundamental: a continuous, “always-on” layer of operational oversight.
The question is no longer simply whether a firm can pass an audit. It is a question of how far safeguarding principles are embedded into the daily financial operations of a business—in its reconciliations, data flows, controls and governance.
Our findings show an industry in transition. Awareness is high and preparation well underway, but many operating models were designed for periodic reporting rather daily operation.
The way forward
Firms best positioned for the new regime will treat safeguarding as infrastructure rather than obligation. In practice, that means building processes that prove the integrity of safeguarded funds each and every day, not just when reports are due. The coming year will determine how successfully the industry shifts from treating safeguarding as a reporting process to a standing financial discipline.
We look forward to revisiting respondents in 2027 to see how they’ve adapted through the first 12 months of the updated regime.
Copyright © 2026 Kani Payments | Privacy Policy