Get ready for CASS 15

What do the FCA’s upcoming safeguarding rules mean for your business?

The financial industry is bracing itself for a significant regulatory shift. In the first half of this year, the Financial Conduct Authority (FCA) is set to release new safeguarding rules in its Client Asset Sourcebook (CASS). With firms being given a limited timeframe to adapt, early preparation is critical to ensure compliance and operational continuity.

A new era in FCA scrutiny on safeguarding practices

The upcoming changes aim to eliminate ambiguity in safeguarding processes. The revised rules will directly impact records and reconciliations, monitoring, governance and reporting. With such sweeping changes, firms must proactively transform their safeguarding processes to stay ahead of regulatory expectations.

Safeguarding in the payments and e-money sector has been a top FCA priority, culminating in the recent safeguarding consultation. The regulator has underscored weaknesses in the current approach, citing inconsistencies across the industry that put consumer funds at risk.

The proposed changes are designed to:

  • minimize shortfalls in safeguarded relevant funds
  • ensure timely and cost-effective returns of funds to customers
  • strengthen the FCA’s ability to identify and intervene in cases of non-compliance

Historically, the payments and e-money sector has exhibited a higher risk of firm failure, with an alarming 65% average shortfall in client funds between 2018 and 2023. The extended timeline for returning funds, which averaged over two years, increased the potential harm to customers. When firms fail to properly segregate and safeguard funds, customers face liquidity issues, increased debt exposure and financial distress.

More prescriptive safeguarding rules

The proposed revisions to the safeguarding rules introduce more detailed and prescriptive requirements for payment firms, outlining stricter procedures for protecting consumer funds. These new expectations mark a shift from the existing guidance within the payment services and e-money regulations, which will be retired and replaced by Chapter 15 of CASS.

A key component of the new regulation involves notifications and incident communication with the FCA. Firms will now be required to inform the FCA in writing and without delay if:

  • internal records are materially out of date, inaccurate, or invalid
  • they are unable to perform an internal or external reconciliation
  • they are unable to remedy a discrepancy in reconciliations
  • there was a material difference in the previous year between the amount of relevant funds safeguarded and the amount that should have been safeguarded

The FCA has outlined a distinction between:

  1. All breaches of CASS that firms must identify, record, investigate and remediate to prevent future occurrences.
  2. Breaches of CASS that require immediate notification to the regulator.

These notification requirements now apply to payment service and e-money firms under Chapter 15.

Managing incident and breach escalation

Payment service and e-money firms must establish mechanisms to identify and escalate breaches requiring immediate notification. Firms must also maintain records of other breaches that, while not requiring immediate notification, must be assessed for their impact on controls and overall risk management.

To support compliance with Chapter 15, firms should:

  • implement a robust incident management framework that aligns with their obligation mapping and risk register
  • conduct root cause analyses for breaches, ensuring remediation ownership and proper reporting for senior management
  • maintain documentation that evidences all conclusions, mitigating controls and rationales for any subsequent actions taken or for ceasing further steps, whether a breach is notifiable or not

Becoming CASS 15 ready

Regulatory changes of this magnitude require a structured, strategic approach. Firms can take several steps now to prepare:

1. Conduct a gap analysis

A thorough gap analysis should compare current safeguarding policies, procedures, and controls against the interim and final CASS 15 requirements. This assessment will help identify weaknesses and prioritize remediation efforts.

2. Develop a change management plan

Once gaps are identified, firms should develop a detailed change management plan. This should break down required changes into manageable sub-projects, allocating resources based on priority.

3. Revisit initial plans post-publication

When the FCA finalizes the new rules, firms should promptly update their transition plans. Leveraging the initial gap analysis will enable quicker realignment and execution.

4. Strengthen governance

Firms must appoint an individual responsible for safeguarding oversight, ensuring they are prepared to guide the transition. Additionally, safeguarding committees should be established, comprising key stakeholders with access to high-quality management information for informed decision-making.

5. Enhance documentation practices

The regulatory changes will necessitate extensive documentation of decisions, challenges, and process modifications. Firms should ensure they maintain detailed records to demonstrate compliance.

6. Appoint an independent auditor

The new rules mandate the appointment of a qualified statutory auditor with relevant expertise. The FCA has indicated that new auditing standards, mirroring the FRC CASS framework, will be introduced. Firms should audit-proof their safeguarding documentation to facilitate independent review.

Enhanced scrutiny, proactive engagement

The FCA has made its stance clear: payments firms should expect increased regulatory oversight. The regulator is likely to engage with firms directly, ensuring compliance and guiding implementation. Firms must recognize that safeguarding practices will be under a regulatory microscope and act accordingly.

By taking decisive steps now, firms can mitigate risk, enhance compliance, and navigate the regulatory changes with confidence. The countdown to CASS 15 has begun.

Let VinciWorks help you stay compliant. Our FCA compliance courses and online training get your workers up to speed with the regulations and practices that keep the financial markets running effectively.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.