PS25/12: Five Ways Payments Firms Will Fail the New Safeguarding Audit
- Iain Colquhoun

- Apr 22

Practical gaps in the Supplementary Regime that take effect on 7 May 2026
The Reconciliation Desk · Issue 2 · April 2026
On 7 May 2026 the Supplementary Regime under FCA PS25/12 goes live for UK payment institutions, e‑money institutions and credit unions that issue e‑money. That is three working weeks away. The scale of what the rules are trying to fix is substantial: in 2024, EMIs safeguarded roughly £26 billion and PIs around £6 billion of customer money on any given day, and the average shortfall in payments firms that failed between 2018 and 2023 was 65%. The Supplementary Regime is the FCA’s answer — a set of interim rules that bolt reconciliation discipline, monthly reporting, external audit and resolution readiness onto the existing Payment Services and Electronic Money Regulations.
Most firms have known this was coming. Fewer have done the practical operational work the first audit will actually test. What follows is a short field guide to five of the gaps that we expect to surface first — not in the policy documents, but in the reconciliation and evidence files that auditors will ask to see.
What actually changes on 7 May
PS25/12 is a reconciliation-centred regime dressed in governance language. The operational core sits across four new or amended Handbook sections: CASS 15 (the safeguarding rules, including internal and external reconciliation obligations at 15.8.10R and 15.8.47R), CASS 10A (the resolution pack), SUP 3A (the annual safeguarding audit) and SUP 16.14A (the monthly safeguarding return — REP020). Around them sit governance obligations: a named senior manager accountable for safeguarding, a board-approved safeguarding policy, and a formally defined threshold for what the firm regards as a ‘material discrepancy’.
The five gaps that will show up first
The internal-external reconciliation gap. Most firms have historically done ‘a safeguarding reconciliation’ — singular. PS25/12 requires two, every reconciliation day: an internal reconciliation of the firm’s own records against each other, and an external reconciliation of those records against bank, custodian and third-party statements. A firm that merges these into one step will fail the first audit even if the numbers tie, because it cannot evidence that the two controls ran independently.
The undefined ‘material discrepancy’. PS25/12 leaves it to each firm to define what counts as a material discrepancy and to have the board approve that definition in the safeguarding policy. Firms that haven’t done this before 7 May will find that every reconciliation exception gets treated as material — or, worse, that none do — because there is no governance artefact to test against. The auditor’s very first question will be ‘show me your definition.’
The D+1 resource-versus-requirement test. The FCA has simplified the old deposit-resource-and-requirement reconciliation into a higher-level D+1 comparison: the balances in the relevant-funds bank accounts or relevant-assets accounts against the relevant-funds liability. Firms whose existing controls still reconcile at line-item level will pass on substance but fail on form, because the REP020 monthly return is built around the new D+1 concepts.
The 48-hour resolution pack drill. CASS 10A requires a resolution pack that is retrievable within 48 hours and that is reported on annually to the governing body. In practice, the contents — current reconciliations, safeguarding contracts, account details, counterparty data — live in different systems and different teams. Firms that have documented the pack but never rehearsed retrieval will discover the 48-hour clock is tighter than it reads. Treat it as a drill, not a folder.
Counterparty concentration without a rationale. PS25/12 does not impose concentration quotas on where safeguarded funds sit. It does require firms to evidence that they have thought about it. Firms with 80% of relevant funds at a single safeguarding bank, or across two banks in the same group, need a documented rationale that the auditor can read. ‘Our main banking relationship’ will not be enough.
What ‘audit-ready’ looks like
Three characteristics tend to distinguish firms that will clear the first external audit cleanly:
— Reconciliation evidence is separated into internal and external steps, with each step producing its own dated exception list and sign-off, not a single consolidated record.
— Governance artefacts — board-approved policy, materiality threshold, named senior manager, resolution pack — are versioned and dated, so the auditor can see that they existed before the period under review, not the week before the audit.
— The REP020 monthly return is produced by the reconciliation process, not assembled from it after the fact. That is the single clearest signal to the FCA that the control is real.
The Supplementary Regime is being described as an interim step towards a CASS-style end-state. For reconciliation practitioners, that framing understates what is actually changing. PS25/12 is the first time the FCA has treated reconciliation as the primary control on which safeguarding stands or falls — and the first time that daily reconciliation discipline is backed by a monthly regulatory return and an annual external audit. Firms that get this operating model right will clear the audit; those that don’t will find out, in public, exactly where the gaps were.
The Reconciliation Desk is written by Iain Colquhoun, Principal Consultant at ReconIQ.
ReconIQ advises banks, asset managers, wealth managers, fintechs, EMIs and payment firms on reconciliation architecture and control design.

