Safeguarding Audits Under PS25/12: What EMIs Need to Know About the New Requirements

The introduction of mandatory annual safeguarding audits under PS25/12 represents a step change in regulatory oversight for electronic money institutions. For the first time, authorised EMIs must engage an independent auditor to review and opine on their safeguarding arrangements. This article examines the audit requirements in detail and provides practical guidance for EMIs preparing for the first reporting cycle.

Why the FCA Introduced Mandatory Safeguarding Audits

The FCA's decision to require annual safeguarding audits reflects persistent concerns about the adequacy of EMI safeguarding practices. Several high-profile EMI failures — including the insolvencies of Ipagoo and Supercapital — exposed weaknesses in how firms segregated, reconciled and governed customer funds. The FCA found that firms were relying on self-assessment with limited independent verification, leading to undetected reconciliation errors, commingling of safeguarded and operational funds, and inadequate governance oversight. The mandatory audit addresses this gap by introducing external, independent verification of safeguarding compliance.

Scope of the Safeguarding Audit

The PS25/12 safeguarding audit is not a standard financial statement audit. It is a purpose-built regulatory review focused specifically on the firm's compliance with safeguarding requirements. The audit scope covers five key areas:

Statutory trust arrangements. The auditor must verify that safeguarded funds are held under a statutory trust at approved credit institutions, that trust documentation is in place and properly executed, and that the legal protections afforded by the trust would be effective in the event of firm insolvency.

Reconciliation accuracy and frequency. The audit must assess whether the firm has performed daily reconciliations throughout the period, whether reconciliation methodologies are sound, and whether any discrepancies were identified and resolved within the required timeframes.

Fund segregation. The auditor must confirm that safeguarded funds are clearly separated from the firm's own funds at all times, that there is no commingling in practice, and that the firm's accounting systems accurately distinguish between safeguarded and proprietary balances.

Governance framework. The audit must evaluate the effectiveness of the safeguarding governance framework, including the role and activities of the safeguarding officer, board-level reporting, and the firm's response to any safeguarding incidents or shortfalls during the period.

Record-keeping. The auditor must verify that the firm maintains complete and accurate records of all safeguarding activities, including reconciliation records, trust account documentation, governance meeting minutes, and incident logs.

Selecting a Safeguarding Auditor

The FCA expects EMIs to appoint auditors with relevant expertise in payment services and electronic money regulation. Generic financial statement auditors may lack the specialist knowledge required to assess safeguarding compliance effectively. Firms should evaluate potential auditors on their experience with payment institutions and EMIs, understanding of the PSRs 2017 and EMRs 2011 safeguarding frameworks, familiarity with the FCA's supervisory approach, and capacity to deliver the audit within the required timeframe.

Demand for qualified safeguarding auditors is expected to be high in the first reporting cycle. EMIs should begin the auditor selection and engagement process immediately to avoid delays. The first audit report must be submitted to the FCA within 12 months of the 7 May 2026 effective date.

The Audit Opinion

The safeguarding audit must produce a formal opinion on whether the firm maintained compliance with the PS25/12 safeguarding requirements throughout the audit period. This is a continuous compliance assessment, not a point-in-time review. The auditor must consider whether the firm complied at all times during the period, and must report any instances of non-compliance, however temporary. A qualified or adverse audit opinion will trigger immediate FCA supervisory attention and potentially enforcement action.

Practical Preparation Steps for EMIs

1. Appoint an auditor now. Begin the selection process immediately. Request proposals from audit firms with payment services expertise and evaluate their capacity for the first reporting cycle.

1. Conduct a pre-audit readiness assessment. Before the formal audit begins, perform an internal review of your safeguarding arrangements against the PS25/12 requirements. Identify and remediate any gaps before the auditor arrives.

1. Ensure reconciliation records are complete. The audit will review daily reconciliation records for the entire period. Firms must ensure that records are complete, accurate and retrievable.

1. Document governance activities. Maintain detailed records of safeguarding officer activities, board reporting, incident responses and governance decisions. The auditor will expect a clear paper trail.

1. Prepare for auditor access. Establish a protocol for providing the auditor with access to systems, records, personnel and banking documentation. Delays in providing information will extend the audit timeline and increase costs.

Regulatory Context

The safeguarding audit requirement is part of the FCA's broader strategy to improve the resilience of the payments sector. The FCA has been clear that firms unable to demonstrate robust safeguarding arrangements — verified by independent audit — will face supervisory consequences. This may include restrictions on the firm's ability to hold customer funds, requirements to increase capital buffers, or in severe cases, variation or cancellation of the firm's authorisation.

Regulatory Counsel advises EMIs on PS25/12 safeguarding audit preparation, including pre-audit readiness reviews, auditor selection guidance, reconciliation process improvement and governance framework development. Contact us for a free initial consultation.