Twelve days ago, on 7 May 2026, the FCA's new safeguarding regime for UK payments and e-money firms came into force. The headline rules sit inside the brand-new CASS 15 sourcebook chapter and they are the most prescriptive operational obligations the FCA has ever written for non-bank payment institutions. If you work as a UK fintech developer or payment developer inside a payment firm, an e-money issuer, or a platform that holds relevant customer funds, the engineering bar has just been raised — and the build that satisfies the new rules is the kind of unglamorous, deeply boring backend work that separates the firms that survive an audit from the ones that scramble through their first one.
This is the regulatory counterpart to the HM Treasury stablecoin consultation closing in three days. The Treasury piece sets out where UK payments regulation is going. CASS 15 is what is already in force this week.
What Actually Changed on 7 May
The old safeguarding regime relied largely on high-level principles. CASS 15 replaces that with prescriptive operational rules across five areas:
- Daily reconciliation of safeguarded funds.
- Monthly reporting confirming safeguarding practices and reconciliation outcomes.
- Annual safeguarding audit by a qualified auditor (unless the firm has not been required to safeguard more than £100,000 of relevant funds at any point in the preceding 53 weeks).
- Resolution packs that allow safeguarded funds to be distributed quickly in a wind-down.
- Third-party due diligence on safeguarding banks, custodians, and account providers.
The piece that puts the largest demand on engineering teams is the daily reconciliation requirement. It is the most operationally specific obligation in the regime and the one that, in practice, will define whether a firm's safeguarding posture is real or theatrical.
"Six a Day" — the Reconciliation Obligation in Practice
The FCA requires multiple types of reconciliation on every business day (excluding weekends and UK public holidays):
- An internal check that the firm's "safeguarding resource" — the funds actually held in segregated accounts or invested in relevant assets — equals its "safeguarding requirement", the amount the rulebook says it should be holding.
- A D+1 internal confirmation that relevant funds received on day D have, by close of business the next business day, landed in a designated safeguarding account or relevant asset.
- An external comparison of the firm's own internal records against third-party records: statements from safeguarding banks, statements from account providers, and confirmations from authorised custodians.
Read the full article on tomcn.uk →
About the Author
I'm Tom Wang, an AI Developer & Fintech Developer — building AI agents, crypto payment infrastructure, and cross-border payout systems with Rust, Go, and TypeScript. Based in London, UK.
Currently open to new opportunities in fintech, crypto payments, and AI agent engineering.
Top comments (0)