FRC issues interim guidance for CASS 15 safeguarding audits


If you are a payment or e‑money institution preparing for your first CASS 15 safeguarding audit, the latest FRC interim guidance will directly impact how the engagement will be planned, evidenced, and reported. Many firms are still unclear on what the new expectations mean in practice. This article sets out the key actions to take now.

What is the new FRC guidance?

On 17 March 2026, the Financial Reporting Council (FRC) published its interim guidance to audit firms performing safeguarding assurance engagements under the FCA’s Supplementary Regime, for periods ending after 7 May 2026, when the new rules come into force. This is designed to act as a transitional resource until a dedicated Assurance Standard is released, which is expected in early 2027 following a public consultation.

As expected, the guidance draws heavily on the existing CASS Assurance Standard and aims to provide clarity on the approach auditors should take to these engagements. It highlights a number of key areas that auditors will focus on and covers the treatment of hybrid periods that straddle the date of the new rules coming into effect.

Key changes Payment and E-Money firms need to understand

Whilst this is primarily aimed at assisting auditors, there are some key takeaways that are relevant for firms preparing for their first CASS 15 audit.

The guidance sets out two approaches to a firm’s initial CASS 15 reporting period. The first is the ‘two report’ approach, consisting of a short period ended on 6 May 2026, to be conducted under the existing safeguarding regime and a new period commencing on 7 May 2026, which will be conducted under the new CASS 15 rules. The second approach is a ‘hybrid’ opinion – being a single report covering the whole period under review and referencing the fact that the period before 7 May 2026 is being reported under the existing regime and the period post this date under the new rules.

Whichever approach firms take, they are reminded that the maximum length of a period covered by a CASS report is 53 weeks and therefore firms should consider what they want their year-end to be going forward when deciding which approach they wish to use.

The guidance also sets out the format of the CASS 15 report, which follows the structure of the existing CASS regime and is a standard template to be used across all safeguarding engagements. Breaches will be recorded by rule reference and management will be required to include a response to each item identified, whether this be raised by the firm itself or the auditor. Firms should use this space to explain the context of each breach as well as any remedial actions taken. Whilst the auditor is required to include only matters that occurred during the period, firms’ responses may cover the period post the report date and up to the point of signing by the auditor.

The standardising of the CASS assurance report format is expected to lead to more consistency of reporting across the industry and to give the FCA a clearer picture of overall compliance, with three opinions: unmodified, qualified or adverse.

The guidance makes specific reference to the auditor having an understanding of the firm’s overall control environment, including those related to information technology, which will be key for the majority of safeguarding firms. As a result, IT General Controls (ITGC) work will form an important part of the audit and firms should expect work in this area to be more rigorous than they have experienced previously.

Work on ITGCs will focus on three key areas, being change management, user access and IT operations, with the aim of providing comfort to the auditor that the data within platforms and other systems can be relied upon. Where significant deficiencies are noted, this is likely to result in CASS breaches being recorded, so firms should engage early with the auditor, ahead of the year end, to allow interim testing to be performed and any deficiencies identified.

Firms are also reminded that this testing may extend to third party IT service providers, where elements of compliance with CASS functions are outsourced, including records and reconciliations. Firms should discuss the approach to this with their auditors to ensure that staff at the outsourced firm have capacity to assist with the audit in order to prevent delays occurring. In addition, consideration should be made as to whether any other assurance reports (such as SOC 2 reports) are available, which will likely reduce the testing required at the service organisation.

The FRC document also sets out guidance to auditors on the approach to other key areas including:

  • Understanding the firm’s business model and safeguarding methods
  • Record keeping and reconciliations; and
  • Third party appointments.

To avoid delays or breaches:

  • Ensure safeguarding processes are fully documented
  • Confirm that reconciliation information is accurate and retrievable; and
  • Prepare now for a level of testing that may differ significantly from previous safeguarding arrangements.

How we can help

At PKF, we are aware that these proposals will have a significant impact on payments and electronic money (e-money) firms and are here to help. If you have any queries on the impact of the new regime on your firm or safeguarding in general, then please contact our experts.

About our Payment Services team

Our specialist Payment Services team advise money remittance, payment processing and electronic money firms across the sector. Our services include statutory audit, financial reporting, regulatory advice and assurance, safeguarding audits, external finance and transactional support, as well as structuring, tax compliance and advice on a range of complex issues.
