Safeguarding audits are a critical regulatory obligation for authorised payment institutions and EMIs. The audit provides independent assurance to the FCA — and to the firm's own board — that customer funds are being properly protected. With the introduction of PS25/12 raising safeguarding standards, the scope and intensity of these audits have increased significantly.
Who Needs a Safeguarding Audit?
All authorised payment institutions (APIs) that hold relevant funds and all authorised EMIs that issue electronic money must arrange for an annual safeguarding audit. Small payment institutions and small EMIs are not subject to the same audit requirement, although the FCA may impose it as a condition of registration in specific cases. The audit must be conducted by a person who is eligible for appointment as a statutory auditor under Part 42 of the Companies Act 2006. In practice, this means a registered audit firm — typically the same firm that audits the company's statutory accounts, although this is not mandatory.
Scope of the Safeguarding Audit
The auditor's task is to assess whether the firm's safeguarding arrangements comply with the relevant regulatory requirements: Regulation 23 of the Payment Services Regulations 2017 for PIs, and Regulation 21 of the Electronic Money Regulations 2011 for EMIs. The key areas the audit covers include:
- Method of safeguarding — Whether the firm uses the segregation method (placing relevant funds in a designated safeguarding account with a credit institution or approved investment), the insurance or guarantee method, or a combination. The auditor verifies that the chosen method is properly implemented.
- Timing of segregation — Relevant funds must be segregated by the end of the business day following the day they are received (or, post-PS25/12, by the end of the next business day at the latest). The auditor tests whether the firm meets this timing requirement consistently.
- Reconciliation — The firm must reconcile its internal records of customer funds against the balances held in safeguarding accounts. The auditor tests the frequency, accuracy and completeness of these reconciliations.
- Safeguarding account documentation — The firm must hold written acknowledgement from each safeguarding credit institution confirming the designated status of the account and that the institution has no right of set-off or combination against the funds. The auditor checks that these letters are in place and current.
- Record-keeping — The firm must maintain adequate records to identify, at any time, the funds held for each customer and to distinguish safeguarded funds from the firm's own money.
Common Audit Findings
Having advised firms through dozens of safeguarding audits, we see recurring findings that firms should address proactively:
- Segregation timing breaches remain the most common finding. Many firms process high volumes of transactions and struggle to achieve same-day or next-business-day segregation for all relevant funds. The root cause is often manual processing steps, batch payment runs that occur only once daily, or delays caused by banking cut-off times.
- Reconciliation gaps arise where the firm's internal ledger of customer balances does not perfectly match the safeguarding account balance. Small discrepancies (e.g., from bank charges debited to the safeguarding account or timing differences on pending transactions) are common but must be identified, documented and resolved promptly.
- Missing or outdated acknowledgement letters — Firms change banking providers, open new safeguarding accounts or restructure existing arrangements without obtaining fresh acknowledgement letters. Every safeguarding account must have a current letter confirming its designated status.
- Commingling of funds — The auditor may find instances where the firm's own funds have been inadvertently deposited into a safeguarding account, or where customer funds have been used to cover the firm's operational expenses. This is a serious regulatory breach.
- Inadequate records — The firm cannot demonstrate, at the point of audit, exactly how much is owed to each individual customer and how this matches the total safeguarded balance.
Post-PS25/12 Expectations
The FCA's Policy Statement PS25/12 has introduced enhanced safeguarding requirements that take effect from mid-2025. Key changes that affect the audit scope include: a clearer requirement for daily reconciliation of safeguarded funds; enhanced record-keeping standards including the ability to produce a 'resolution pack' of safeguarding information at short notice; restrictions on the use of the insurance/guarantee method — firms must demonstrate that the cover is adequate and immediately accessible; and requirements for firms to have a documented safeguarding policy approved by the board, setting out the firm's approach, controls, governance and escalation procedures.
Auditors are expected to assess compliance with these new requirements from the first audit period in which they apply. Firms should not wait for the audit to identify gaps — they should conduct a self-assessment against the PS25/12 requirements and remediate issues in advance.
Preparing for a Smooth Audit
Practical steps to ensure an efficient safeguarding audit include: conducting an internal pre-audit review at least six weeks before the auditor's planned fieldwork; ensuring all acknowledgement letters are current and accessible; preparing a schedule of all safeguarding accounts, balances and reconciliation records; briefing relevant staff on the audit process and their role in providing information; and addressing any known reconciliation discrepancies or process weaknesses before the auditor arrives.
The audit report is submitted to the FCA. Qualified opinions or material findings will attract supervisory attention. Firms should treat the audit not as a box-ticking exercise but as an opportunity to demonstrate the robustness of their safeguarding arrangements.
Regulatory Counsel advises payment institutions and EMIs on safeguarding compliance, audit preparation and remediation of audit findings.
Frequently Asked Questions
All authorised payment institutions holding relevant funds and all authorised EMIs must arrange an annual safeguarding audit. Small PIs and small EMIs are generally exempt unless the FCA imposes it as a condition.
The auditor assesses the method and timing of segregation, reconciliation accuracy and frequency, safeguarding account documentation (acknowledgement letters), record-keeping and overall compliance with the PSRs 2017 or EMRs 2011.
Segregation timing breaches — where relevant funds are not segregated by the end of the next business day following receipt — are the most frequently reported finding.
PS25/12 introduces enhanced requirements including daily reconciliation, resolution pack readiness, restrictions on insurance/guarantee methods and a board-approved safeguarding policy, all of which are now within the audit scope.