Tag: FCA audit

  • Changes to safeguarding for payments and e-money firms and CASS 15 audits

    New CASS 15 Safeguarding Rules: A Guide for EMIs and Payment Firms

    The Financial Conduct Authority (FCA) has recently finalized its overhaul of the safeguarding regime for payments and e-money firms. Introduced under Policy Statement PS25/12, the new rules represent the most significant shift in the sector’s regulatory landscape in years, moving firms toward a rigorous framework under CASS.

    For many firms, the transition to the new CASS 15 chapter will require a major rethink of their internal controls, governance, and audit arrangements.

    Why the change?

    The FCA’s primary goal is to address long-standing weaknesses in how firms safeguard client funds. By strengthening these rules, the regulator aims to ensure that if a firm fails, customer money can be returned more quickly and in full. The new regime is designed with failure in mind, meaning firms must prove they can identify and segregate client funds at any given moment.

    Key Milestones: The Roadmap to Compliance

    The transition is split into two distinct stages:

    The Supplementary Regime (Interim Rules):
    Taking effect from 7 May 2026, these rules strengthen existing requirements around record keeping, monitoring, and reporting.

    The Post-Repeal Regime (CASS 15):
    This is the end state where the current Electronic Money Regulations (EMRs) and Payment Services Regulations (PSRs) are replaced by the prescriptive CASS 15 rules in the FCA Handbook.

    What is Changing for Audit and Assurance?

    Perhaps the most critical change for senior management is the shift in how safeguarding is audited.

    Statutory Auditor Requirement:
    Under the new rules, safeguarding audits can no longer be conducted by general regulatory consultants. They must be performed by statutory auditors where EMIs and payment firms hold more than £100k. This brings safeguarding assurance in line with other regulated client asset regimes (like MiFID firms).

    Reporting Breaches:
    Auditors will likely be required to report all safeguarding breaches to the FCA, regardless of materiality. This removes management discretion over what is escalated to the regulator.

    Strict Reconciliation:
    The new rules mandate daily internal and external reconciliations. Auditors will look for robust, automated processes rather than manual, error-prone spreadsheets.

    Statutory Trust:
    CASS 15 introduces a statutory trust over relevant funds. This creates a more robust legal protection for customers but requires precise accounting and legal documentation to be in place.

    Who is affected?

    The rules apply to:

    • Authorised Payment Institutions (APIs)
    • Authorised E-Money Institutions (EMIs)
    • Small EMIs (SEMIs)
    • Credit Unions issuing e-money

    Small Payment Institutions (SPIs) are not mandated to follow the full regime but can choose to opt in to bolster their credibility and consumer protection.

    How to Prepare: A Checklist for Firms

    With the May 2026 deadline approaching, firms should begin their gap analysis immediately:

    Review Governance:
    Ensure there is clear senior management accountability for safeguarding (specifically under the SM&CR framework).

    Audit Your Tech:
    Evaluate whether your current reconciliation engines and sub-ledgers can handle the requirement for daily, granular reporting.

    Document the ‘Flow of Funds’:
    Create a detailed map of how money enters and leaves your business, identifying every point where funds are “relevant” and must be protected.

    Engage Your Auditors Early:
    Because the new rules require a specialist statutory audit, you should speak with your auditors now to ensure they have the capacity and expertise to meet the new FRC CASS assurance standards.

    How MAH Can Help

    At MAH, we specialise in helping FinTech and financial services firms navigate complex regulatory audits. As the FCA increases its scrutiny of the payments sector, having a robust, compliant safeguarding framework is no longer optional; it is a prerequisite for survival.

    We can assist your firm with:

    • Pre-audit readiness reviews to identify gaps before the May 2026 deadline.
    • Statutory safeguarding audits compliant with the new CASS 15 standards.
    • Internal control advisory to help automate and secure your reconciliation processes.

    Contact us today for a consultation on how the CASS 15 changes will impact your business and to ensure you are ready for the new regime.

  • FCA audit

    FCA audit

    Do you need an FCA audit?

    Under the Companies Act 2006 (or as applied to LLPs) a business will normally need an audit if it is fairly large and exceeds 2 out of the 3 size limits of a small firm:

    • assets > £3.26m (£5.1m from 1/1/16)
    • turnover > £6.5m (£10.2m from 1/1/16)
    • employees > 50

    However, an FCA registered firm which is an MiFID investment firm is likely to require an FCA audit even if it would otherwise be a small firm (see notes below)*.

    FCA registered

    “FCA registered” refers to financial firms registered and authorised by the Financial Conduct Authority, which is one of the successor bodies to the Financial Services Authority (FSA).

    FCA registered firms come under intense scrutiny and so it is vital that they only engage auditors with the skills and resources to ensure that their financial affairs are in order. This is also mentioned in the FCA handbook:

    SUP 3.4.2R: “Before a firm, to which SUP 3.3.2 R applies, appoints an auditor, it must take reasonable steps to ensure that the auditor has the required skill, resources and experience to perform his functions under the regulatory system.”

    How we can help

    We have experience of auditing FCA registered firms and use all of our skills, resources and experience to ensure that the audit goes smoothly. Some of the key aspects of our work specific to an FCA audit are:

    1. checking your FCA permissions and capital requirements in detail;
    2. obtaining a full understanding of your business and systems;
    3. understanding your key risks and the controls to mitigate them;
    4. recalculating fees/commissions/brokerage;
    5. reconciling open positions, trading balances and fund/managed accounts to 3rd party reports;
    6. checking if you have held client assets or money;
    7. investigating any regulatory breaches;
    8. working fast and efficiently to meet your audit deadline;
    9. submitting client asset reports to the FCA upon completion

    Expertise

    Despite our small size we are highly skilled auditors. For example, we were invited to respond to the FRC’s new draft standard about FCA client asset audits. In fact, we were the only firm to participate not ranked in the Top 10 audit firms:

    MAH response to FRC consultation

    Are you paying too much for your audit?

    Some firms may ratchet up their prices as soon as they hear “FCA”, however we prepare our quotes on a fair basis and will normally be able to offer very competitive prices.

    *Detailed notes about the audit exemptions for MiFID firms

    Under s.478b(i) of the Companies Act 2006 MiFID investment firms are not exempt from an audit, even if they would otherwise be small companies.

    s.539 explains that an “MiFID investment firm” means an investment firm within the meaning of Article 4.1.1 of Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments, other than—
    (a) a company to which that Directive does not apply by virtue of Article 2 of that Directive,
    (b) a company which is an exempt investment firm within the meaning of regulation 4A(3) of the Financial Services and Markets Act 2000 (Markets in Financial Instruments) Regulations 2007, and
    (c) any other company which fulfils all the requirements set out in regulation 4C(3) of those Regulations;

    We can review your situation to check if your firm meets any of the exemptions under Articles 2 and 3 of Directive 2004/39/EC. If it doesn’t, Title II of Directive 2004/39/EC is likely to apply under 4A(3) of FSMA 2000 (MiFID) 2007. This means that your firm could be an MiFID investment firm which doesn’t appear to meet any of the exemptions in s.539 (a, b, c) and is therefore required to have an audit.

    Want to find out more?

    Please contact us for a free, no obligation consultation to discuss your requirements.