Background

A safeguarding audit is an independent assessment conducted by auditors to verify that a payment or e-money issuing firm has appropriate systems and controls to safeguard customer funds. The audit is designed to:

• Ensure compliance with regulatory requirements, and
• Assure customers and regulators that their funds are protected.

In particular, the audit assesses whether proper segregation and safeguarding of customer funds comply with the latest regulations. This in turn helps to build trust among customers, regulators, and other stakeholders.

Common questions asked by firms

1. Which firms have to have a safeguarding audit?

Payment and e-money issuing firms have to undertake a safeguarding audit. 

An e-money issuing firm is one that provides electronic money services. These allow customers to store funds electronically and use them for various transactions, such as cashless online purchases or money transfers. E-money providers are also known as Electronic Money Institutions (EMI) and differ from banks in their regulation and operations. 

Payment firms are those regulated by the Payment Systems Regulator (PSR). These firms provide systems that enable the transfer of funds between accounts, for example, when people withdraw money from a cash machine, bank a cheque, pay a deposit on a house or have their salary paid into their account.

2. What key areas are covered in a safeguarding audit for payment and e-money issuing firms?

In making the safeguarding stipulation, the FCA used the term ‘audit’ which is usually reserved for statutory audits, or CASS audits where there is a specific audit framework in place. Interestingly, the FCA has not yet issued an audit standard for this.

Currently, its guidance merely states that the firm is to ask the auditor to provide an opinion addressed to the firm on:

1. whether the firm has maintained organisational arrangements adequate to enable it to meet the FCA’s expectations of its compliance with the safeguarding provisions of the EMRs/PSRs (as set out in chapter 10 of our Approach Document), throughout the audit period, and
2. whether the firm met those expectations as at the audit period end date.

The safeguarding audit typically covers areas such as the:

• segregation of customer funds
• accounting and record-keeping practices
• internal controls
• risk management processes
• technology infrastructure
• compliance with regulatory requirements, and
• third-party relationships.

3. How often should a safeguarding audit be conducted and is there a fixed deadline?

While the FCA has still not provided details of the period the assurance opinion should cover, it expects that most firms may wish to align the period with their accounting year-end.

Neither the temporary guidance published in July 2020 nor the consultation in January 2021 set out the timing of the reports – including a deadline for when the reports should be submitted.

Similar to Client Asset (CASS) reports, it may be reasonable to assume the safeguarding audit should be completed within 4 months of the period end date to mirror the CASS regime requirements, with the report itself following a similar format.

The frequency of safeguarding audits may vary based on regulatory requirements and the size of the payment and e-money issuing firm. Typically, a safeguarding audit is conducted on an annual basis. They may, however, be required more frequently depending on the jurisdiction and the firm’s risk profile.

4. Can an e-money issuing firm conduct its own safeguarding audit?

No, a payment or e-money issuing firm cannot conduct its own safeguarding audit. This is because the audit requires independent verification by external auditors to ensure objectivity and provide assurance to the firm’s customers and regulators.

5. What challenges do payment and e-money issuing firms face during safeguarding audits?

The regulatory requirements surrounding safeguarding audits are complex. It’s vital that firms demonstrate proper segregation of funds, and have and maintain secure technology and infrastructure in their operations.  

The audit also has to assess how the business manages its third-party relationships. This needs an experienced and objective viewpoint, but finding auditors with specialised expertise can sometimes be challenging. Once appointed though, these specialists can ensure the business adheres to the accurate reporting and documentation needed to comply with the safeguarding audit.

6. What can payment and e-money issuing firms do to prepare and help the audit run smoothly?

It’s important that firms prioritise understanding the regulatory framework concerning their safeguarding obligations in the UK.  A specialist adviser can help. In particular it is important to:

• Establish robust internal policies and procedures.
• Ensure segregation of your customer funds.
• Appoint a safeguarding officer for the business.
• Conduct regular risk assessments.
• Keep detailed records of all your safeguarding activities.
• Conduct regular training with employees to strengthen their awareness of safeguarding measures.
• Monitor any latest regulatory changes

For a more comprehensive checklist – see this article.

7. What happens if a payment or e-money issuing firm fails a safeguarding audit?

If an e-money issuing firm fails a safeguarding audit, it may face regulatory penalties. As a result of this, it may also face reputational damage and potential loss of customer trust. Remedial actions will be necessary to address the identified deficiencies and bring the firm into compliance.

Changes ahead – CP24/20

In Autumn 2024, the FCA issued new guidance CP24/20, which impacts E-Money Firms. They also launched a safeguarding consultation, which closed in December 2024. The consultation will guide the final safeguarding rules the FCA intends to implement in stages. In doing so, it will work alongside HM Treasury to transition relevant PSRs and EMRs provisions into the FCA Handbook.

It is anticipated these next steps from the FCA are likely and that the outcome of the consultation will be published in Summer 2025:

• Interim rules and a policy statement will be published in the first half of 2025.
• The interim rules will then be implemented over a six-month period.
• The FCA will publish final rules (end state) for which firms will then have 12 months to implement.

For more details see: Changing the safeguarding regime for payments and e-money firms

Can we help?

It’s important for payment and e-money issuing firms to consult with legal and regulatory experts to ensure they comprehensively understand the specific requirements and obligations related to safeguarding audits in their jurisdiction.

At Shipleys, we’ve been helping many payment and e-money issuing businesses comply with the latest regulations. For further information, contact one of our specialists shown on this page.

Specific advice should be obtained before taking action, or refraining from taking action, in relation to this summary. If you would like advice or further information, please speak to your usual Shipleys contact.

Copyright © Shipleys LLP 2025

Related Resources

Payment and E-Money Firms Safeguarding Audit

Since 2021, the Financial Conduct Authority (FCA) has required firms covered by The Payment Service Regulations and Electronic Money Regulations to have an annual safeguarding audit.

Read more

An 8-point checklist to help Payment and E-money firms’ safeguarding audit compliance

A handy 8-point checklist designed to help Payment and E-Money firms strengthen their compliance ahead of their safeguarding audit.

Read more