PS25/12 Safeguarding Compliance Checklist: What Payment Firms Must Do Before May 2026

The FCA's Policy Statement PS25/12 represents the most significant overhaul of the safeguarding regime for payment institutions and electronic money institutions since the implementation of PSD2. Published in August 2025 and effective from 7 May 2026, PS25/12 introduces fundamental changes to how authorised payment institutions must protect customer funds. This article provides a practical compliance checklist to help payment firms prepare for the new requirements.

What Is PS25/12?

PS25/12 (Changes to the safeguarding regime for payments and e-money firms) is the FCA's final policy statement implementing a strengthened safeguarding framework for authorised payment institutions (APIs) and authorised electronic money institutions (AEMIs). The policy statement follows Consultation Paper CP24/20, published in September 2024, and reflects the FCA's response to persistent safeguarding failures across the payments sector. The new rules introduce a statutory trust model, enhanced reconciliation requirements, mandatory annual audits, improved governance standards, and new regulatory reporting obligations. The regime applies to all FCA-authorised payment institutions and electronic money institutions that hold relevant funds — Small Payment Institutions (SPIs) and Small Electronic Money Institutions (SEMIs) that have not opted in to safeguarding are not directly affected, although they should monitor developments as the FCA has indicated that the Post-Repeal Regime may extend safeguarding obligations more broadly.

The Statutory Trust Framework

The most fundamental change under PS25/12 is the replacement of the existing contractual segregation model with a statutory trust. Under the current regime, safeguarded funds are held in designated accounts at approved credit institutions, but the legal framework protecting those funds in the event of firm insolvency has been the subject of judicial uncertainty — as demonstrated by the Ipagoo and Supercapital cases. The statutory trust provides a clear legal basis: safeguarded funds are held on trust for customers from the point of receipt, and they are ring-fenced from the firm's estate in insolvency. This means that in a firm failure, customer funds cannot be claimed by creditors of the firm and must be returned to customers.

For payment institutions, the practical implications are significant. Firms must ensure that their safeguarding account agreements with credit institutions explicitly acknowledge the statutory trust status of the funds. Existing safeguarding account documentation will need to be reviewed and amended. Firms must also ensure that their internal accounting systems can clearly distinguish between safeguarded funds held on statutory trust and the firm's own funds at all times.

Daily Reconciliation Requirements

PS25/12 introduces a requirement for daily reconciliation of safeguarded funds. Under the current regime, the FCA expects payment institutions to reconcile safeguarded funds on a regular basis, typically interpreted as end-of-day or next business day. The new rules make this explicit: firms must perform a reconciliation of the balance held in safeguarding accounts against the relevant funds liability at least once per business day.

The reconciliation must identify and investigate any discrepancy between the safeguarded balance and the relevant funds liability. Where a shortfall is identified, the firm must fund the shortfall from its own resources within the same business day or, if identified after a specified cut-off time, by the opening of the next business day. Firms must maintain detailed records of each reconciliation, including the methodology used, the results, any discrepancies identified and the corrective action taken.

Payment institutions processing high volumes of transactions across multiple payment corridors should invest in automated reconciliation systems that can handle the frequency and complexity required. Manual reconciliation processes are unlikely to meet the standard for firms of any significant scale.

Annual Safeguarding Audit

For the first time, PS25/12 introduces a mandatory annual safeguarding audit. An independent auditor must be appointed to conduct a review of the firm's safeguarding arrangements and provide an opinion on whether the firm has maintained compliance with the safeguarding requirements throughout the audit period. The first audit report must be submitted to the FCA within 12 months of the effective date — meaning the first reports will be due by May 2027.

The audit must cover: the adequacy of the statutory trust arrangements; the accuracy and frequency of reconciliations; the segregation of safeguarded funds from the firm's own funds; the governance framework including the role of the safeguarding officer; and the firm's compliance with record-keeping requirements. The FCA expects audit firms with relevant expertise in payment services regulation to be appointed.

Board-Level Safeguarding Officer

PS25/12 requires the appointment of a board-level safeguarding officer — a senior individual with specific responsibility for the oversight and governance of the firm's safeguarding framework. This role carries personal accountability for ensuring that the firm's safeguarding arrangements comply with the regulatory requirements. The safeguarding officer must have sufficient authority and expertise to challenge operational decisions that could affect the safety of customer funds.

The safeguarding officer must report directly to the board on safeguarding matters at least quarterly, and immediately in the event of a material safeguarding incident or shortfall. Firms should consider whether their existing Senior Manager Function (SMF) holders are appropriate for this role, or whether a new appointment is required.

New Regulatory Reporting: REP020

The FCA is introducing a new monthly safeguarding return — REP020 — to be submitted via RegData. This return will require firms to report: the total value of safeguarded funds held at each safeguarding institution; the results of daily reconciliations including any shortfalls; the composition of safeguarding arrangements (segregation vs insurance vs guarantee); and details of any material safeguarding incidents during the reporting period. The first REP020 submission will be due in the month following the effective date.

Compliance Checklist for Payment Institutions

1. Review safeguarding account agreements. Contact your safeguarding credit institution(s) and ensure that account documentation reflects the statutory trust framework. Obtain written acknowledgement that funds are held on statutory trust.

1. Upgrade reconciliation processes. Implement daily reconciliation capability. For high-volume firms, this means automated reconciliation systems that can process and match transactions across multiple accounts within the required timeframe.

1. Appoint a safeguarding officer. Identify and appoint a board-level individual to serve as safeguarding officer. Document their responsibilities, authority and reporting lines.

1. Engage an independent auditor. Appoint an auditor with relevant payment services expertise to conduct the annual safeguarding audit. Begin the engagement process early to ensure the first audit can be completed within the 12-month window.

1. Update governance frameworks. Revise board and committee terms of reference to include safeguarding oversight. Establish quarterly safeguarding reporting to the board.

1. Prepare REP020 reporting capability. Ensure your regulatory reporting systems can generate the data required for the monthly REP020 return. Test the submission process via RegData.

1. Train staff. Ensure that finance, operations and compliance teams understand the new requirements and their respective responsibilities under the enhanced regime.

1. Update policies and procedures. Revise safeguarding policies and operational procedures to reflect all PS25/12 requirements. Document the new reconciliation methodology and escalation procedures for shortfalls.

What Firms Should Do Now

The 7 May 2026 deadline is imminent. Firms that have not begun implementation should treat this as a priority. The FCA has indicated that it will take a firm supervisory approach to non-compliance from the effective date — firms should not expect a grace period. Payment institutions that are unable to demonstrate compliance with the statutory trust framework, daily reconciliation, and governance requirements from day one risk supervisory intervention, including potential restrictions on their ability to hold client funds.

Regulatory Counsel advises payment institutions on PS25/12 implementation, including safeguarding framework design, reconciliation process development, safeguarding officer appointments, and audit preparation. Contact us for a free initial consultation. See our PS25 safeguarding service for details.