CASS 15: An Operational Control Challenge

CASS 15 is not just a reporting issue. It is an operational control challenge.

The FCA’s new safeguarding regime comes with a deadline, a monthly return and an audit. Treat it as form-filling and you miss the point, and the risk.

When the FCA published Policy Statement PS25/12 in August 2025, confirming its changes to the safeguarding regime for payments and e-money firms, much of the early reaction settled on the obvious. There was a new monthly safeguarding return to produce, an annual safeguarding audit to pass and more records to keep. In a lot of firms, the instinct was to treat it as a reporting upgrade. Build the return, satisfy the auditor, move on. That reading is understandable. It is also wrong, and the distance between the two interpretations is exactly where regulatory and customer-protection risk now sits.

What PS25/12 actually changed

Since 7 May 2026, the Supplementary Regime set out in PS25/12 has been in force. Following its consultation in CP24/20, the FCA gave firms a nine-month implementation window, longer than the six months it had originally proposed, precisely because what it expects is not a quick configuration change. The new rules introduce a dedicated safeguarding chapter in the Client Assets Sourcebook, CASS 15, and they do not sit alone. They are accompanied by a resolution pack chapter in CASS 10A, a safeguarding audit requirement in SUP 3A and the monthly safeguarding return in SUP 16.14A.

Read those four pieces together and a pattern emerges. This is the description of an operating model, not a reporting cycle. PS25/12 also confirmed that the FCA is not, for now, pressing ahead with the more far-reaching end-state, sometimes called the post-repeal, regime it had floated, choosing instead to let the Supplementary Regime bed in and to review it once a full audit cycle has run. The direction of travel, though, is set, and firms should plan around it rather than against it.

Why the rules look like this

The rationale is uncomfortable, and instructive. The FCA’s own analysis of firm failures found that when payments and e-money firms went under, customers were left badly short. The money actually available to return to those customers fell well below what they were owed, with average shortfalls running to roughly two thirds of relevant funds in the cases the regulator examined. A regime built around a monthly form would never have closed a gap that large. A regime built around continuous control has a chance of doing so. That logic runs through every part of CASS 15, and it explains why the obligations are weighted so heavily towards daily operational discipline rather than periodic disclosure.

The return is the tip of the iceberg

The monthly return is the visible output. The work that actually protects customers sits beneath it, and most of that work happens every business day. CASS 15 expects firms to reconcile what they owe customers against what they hold in safeguarding, and to do it on each reconciliation day rather than once a month. It draws a sharp distinction between the segregation requirement, meaning what the firm should be holding, and the segregation resource, meaning what it actually holds, and it asks firms to compare the two and put right any shortfall promptly. A discrepancy is no longer something to flag and revisit at month end. It is something to find today and fix today.

Around that daily core sit further obligations, and none of them is a reporting task. Firms must maintain a resolution pack, so that if the worst happens relevant funds can be identified and returned to customers quickly. They must carry out due diligence on where safeguarding funds are held and avoid undue concentration in any one place. Where they rely on the insurance or guarantee method, they must meet specific conditions, including allowing enough lead time to put replacement cover in place. They must hold acknowledgement letters for their safeguarding accounts. And they must support an annual safeguarding audit, although the FCA has carved out the smallest firms, those whose relevant funds do not exceed £100,000, from the audit requirement.

Why this is an operating challenge, not a reporting one

Seen as a whole, the message is hard to miss. CASS 15 asks firms to run a control environment, to evidence that it is working, and only then to report on it. Reporting is the third step, not the first. That ordering is why a spreadsheet, however carefully maintained, struggles under the new regime. A spreadsheet can hold numbers well enough. It is far weaker at proving, weeks or months later, who reviewed a discrepancy, when it was escalated, what action was taken and who signed it off. When an auditor or the FCA asks how a particular break was handled, a workbook and a folder of emails will not carry the weight.

The practical problem most firms face is not a shortage of data. The data exists. It is simply spread across customer ledgers, bank portals, payment processor exports, spreadsheets and the working memory of whoever ran the last reconciliation. Assembling that picture once a month is demanding enough. Assembling it every business day, to a standard that survives an audit, is a different order of task altogether. That is the operational control challenge PS25/12 has created, and it is precisely the part that never appears on the face of the return.

Where this leaves firms

This is the work Imperium(L) Prism is built for. Prism brings the owed side and the held side into a single view, runs internal and external reconciliation daily, and surfaces breaks the same day they happen rather than three weeks later when someone opens the file. It wraps each break in a structured resolution workflow, with an owner, a severity, a deadline, evidence and sign-off, and it tracks resolution-pack completeness against the documents the pack actually needs. Every reconciliation, action and sign-off is captured, timestamped and attributable, and the monthly safeguarding return data is generated from controlled reconciliation rather than rebuilt by hand at month end.

It is worth saying that this is not untested thinking. Prism is built on reconciliation and customer-fund-protection technology that has supported businesses in live, high-volume environments for over 12 years, so the operational logic behind it has already been proven against real money, real reconciliations and real audits.

CASS 15 set a deadline, and that deadline has passed. The firms that will find the regime manageable are the ones that treat it as what it is, a continuous control discipline that happens to produce a monthly report, rather than a monthly report that happens to require some control. The return is the easy part. The control behind it is the point.

Frequently Asked Questions

Is CASS 15 just a new reporting requirement?

No. The monthly safeguarding return is only the visible output of CASS 15. The regime set out in PS25/12 is built around daily operational control: regular internal and external reconciliation, prompt correction of discrepancies, a resolution pack, acknowledgement letters, due diligence and an annual safeguarding audit. The reporting sits on top of that control, not in place of it.

When did the CASS 15 Supplementary Regime come into force?

The Supplementary Regime came into force on 7 May 2026, following a nine-month implementation period after PS25/12 was published in August 2025.

What is the difference between the segregation requirement and the segregation resource?

The segregation requirement is what a firm should be holding in safeguarding to cover what it owes customers. The segregation resource is what it actually holds. CASS 15 asks firms to compare the two on each reconciliation day and to correct any shortfall promptly.

Do all firms have to have a safeguarding audit?

Not all. The FCA has exempted the smallest firms, those whose relevant funds do not exceed £100,000, from the safeguarding audit requirement. Firms above that threshold must support an annual audit.