Key takeaways for safeguarding audits: CASS 15 and the FRC’s interim guidance
Payment and e-money firms are entering a new phase of regulatory scrutiny, with the Financial Conduct Authority’s (FCA) new supplementary safeguarding regime under CASS 15 coming into force on 7 May 2026. This includes the first cycle of safeguarding audits under the new rules, requiring a robust, controls-focused, and risk-based approach, which Moore Kingston Smith is well placed to deliver.
Additionally, the Financial Reporting Council’s (FRC) Interim Guidance on Payment and E-money Safeguarding Assurance Engagements, published on 17 March 2026, is an important step in setting expectations for the first audit cycle under CASS 15. The guidance provides a clear and helpful framework for how safeguarding audits are expected to be approached until a dedicated safeguarding assurance standard is issued, currently expected in 2027.
This is a transitional framework, not a new audit standard
The FRC is clear that the interim guidance is not a performance standard and doesn’t introduce new requirements. Instead, it sets out principles to support consistent and high-quality reasonable assurance safeguarding engagements during the transition period.
Auditors remain required to form opinions directly against the FCA’s safeguarding rules under CASS 15, the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. Professional judgement remains central to determining audit scope, procedures and reporting, particularly where legacy rules and new requirements apply side by side within the same reporting period.
Alignment with the Client Asset (CASS) Assurance Standard is deliberate
Although safeguarding audits are not CASS audits, the FRC has intentionally aligned the structure and content of the guidance with the existing Client Asset Assurance Standard. From our perspective, this alignment is significant. It signals an expectation that safeguarding audits under CASS 15 will reflect a controls-focused and risk-based approach, consistent with CASS-style engagements, while allowing appropriate professional judgement during the transition.
The guidance signposts auditors to relevant CASS principles covering areas such as understanding the business model, control environments, reconciliation testing, insolvency mindset and breach reporting.
Zero materiality for breach reporting remains
As with CASS audits, there is no concept of materiality when it comes to reporting safeguarding breaches. All breaches identified during the period must be reported in the breaches schedule, regardless of size or impact. The severity and pervasiveness of breaches remain relevant when forming the overall audit opinion.
Flexible reporting approaches for the first audit cycle
The guidance allows auditors to issue either two separate opinions for the periods before and after 7 May 2026, or a single hybrid opinion where reporting periods span the implementation date. This flexibility recognises the practical challenges of transition.
Extended submission deadlines
For safeguarding periods ending within 12 months of 7 May 2026, firms will have six months after period end to submit their report to the FCA. Subsequent audits will revert to the four-month deadline.
Greater focus on safeguarding methods and funds flows
Auditors are expected to obtain a detailed understanding of firms’ business models, flow of funds and safeguarding methods, whether segregation or insurance based. This highlights the importance of clear documentation and governance around safeguarding arrangements.
Documentation and records
Robust documentation is central to CASS 15 compliance. Records should enable relevant funds to be identified and returned without delay, adopting an insolvency mindset.
IT and automated controls
Given the heavy reliance on automation across the sector, IT controls are a core component of any CASS 15 safeguarding audit. Where substantive testing alone is insufficient, auditors must assess IT general controls, system-driven reconciliations and outsourced technology arrangements. Moore Kingston Smith has an in-house specialist IT audit capability, allowing us to perform this work directly and integrate it seamlessly into the safeguarding audit. This avoids reliance on third-party providers and enables deeper, more efficient assurance over the systems and controls that underpin client asset protection.
Looking ahead
The interim guidance provides clarity ahead of the first cycle of CASS 15 safeguarding audits. Early engagement between firms and auditors will be critical to ensure readiness and a smooth transition into the new regulatory framework.
Contact our experienced team at Moore Kingston Smith to discuss how we can support you with your first safeguarding audit under CASS 15.
