As of May, CASS 15 reporting requirements are now live in the UK for Electronic Money Issuers (EMIs) and Authorised Payment Institutions (PIs).
On the surface, safeguarding under CASS 15 appears relatively straightforward. Firms are expected to protect client money, maintain accurate records, reconcile balances, and provide reporting in line with FCA requirements.
However, the operational reality is far more complex. Beneath these high-level principles sits a range of hidden risks that can quickly emerge in day-to-day processes if controls are not properly designed, implemented, and monitored.
This blog explores the less obvious challenges organisations face under CASS 15 safeguarding and what firms must consider to remain compliant while operating efficiently.
Why CASS 15 Demands More Than Other Safeguarding Regimes
CASS 15 sits within the FCA Client Assets Sourcebook and formalises safeguarding requirements specifically for EMIs and PIs operating in the UK. Its purpose is to ensure that client funds are protected in such a way that, in the event of insolvency, they can be identified and returned to customers quickly.
While similar safeguarding regimes exist globally, CASS 15 is particularly demanding from an operational standpoint. It requires firms to demonstrate, on a daily basis, that client money is not only protected but also fully reconciled and readily accessible. This is not a periodic exercise. It is a continuous obligation.
In addition to daily controls, organisations must also undergo annual external audits, where they are expected to evidence that their safeguarding processes are robust, consistent, and fully auditable from end to end.
A Shift Towards FCA Enforcement
One of the most important context shifts for firms is the FCA’s move towards a more active enforcement posture.
For organisations that are new to the CASS regime, particularly EMIs and PIs, this means there is little tolerance for gaps in governance or control design. If a firm cannot demonstrate compliant processes and data flows from the outset of an audit, it is likely to raise concerns around ownership, accountability, and operational maturity.
This makes preparation critical. CASS 15 is not a framework that can be interpreted loosely or implemented incrementally. Firms are expected to be fully operational and audit-ready from day one.
Establishing Clear CASS Rules Mapping
A fundamental requirement for any firm undergoing a CASS audit is a clear and comprehensive mapping of CASS rules to internal controls and processes.
Without this, firms are highly likely to receive audit findings that highlight weaknesses in internal controls. For firms entering the CASS environment for the first time, this is often underestimated. However, it is one of the clearest signals to auditors of whether safeguarding has been operationalised effectively across the organisation.
Understanding Where Client Money Sits
Another common challenge is the accurate definition and reconciliation of relevant funds.
It is not enough to simply track balances. Firms must be able to clearly demonstrate where client money sits across the entire payment lifecycle. This includes understanding whether funds have been received but not yet settled, are in transit between systems, or are tied up in exceptions such as chargebacks.
Without strong data management and clear audit trails, this becomes increasingly difficult to evidence. Over time, this lack of clarity can undermine both reconciliation accuracy and regulatory reporting.
The Reality of Fund Segregation
In theory, fund segregation can appear simple. In practice, it rarely is.
Many firms operate with complex financial ecosystems that involve multiple account types, payment flows, and operational processes. Client funds often pass through areas such as suspense accounts, FX corridors, or processor settlement accounts as part of normal business activity.
If these flows are not fully understood and controlled, there is a real risk that safeguarding requirements are inadvertently breached. Ensuring that account structures and payment flows are designed with CASS 15 in mind is therefore essential, rather than treating safeguarding as a layer applied after the fact.
Daily Reconciliation at Scale
CASS 15 introduces strict expectations around daily reconciliation of both internal and external data.
This is where many organisations begin to encounter practical challenges. Data is often sourced from multiple systems, each with its own format, structure, and timing. Some data may arrive in real time, while other data is delayed or batched. Additional complexities, such as fees or settlement adjustments, further complicate the reconciliation process.
Attempting to manage this manually quickly becomes unsustainable. Not only does it introduce inefficiency, but it also increases the likelihood of errors and makes it difficult to provide the level of audit evidence required.
Proving Compliance Through Auditability
Perhaps the most critical shift under CASS 15 is the requirement to demonstrate compliance, not just perform it.
Firms are expected to maintain complete and audit-ready records that show how safeguarding controls operate in practice. This includes being able to evidence how controls are linked to specific CASS rules, how breaches are identified and resolved, and how issues are escalated within the organisation.
Beyond this, regulators and auditors expect visibility into how systems perform, how responsibilities are segregated, and how approvals are managed. These elements are no longer considered enhancements or best practice. They are fundamental to passing a safeguarding audit.
Why Technology Is No Longer Optional
Given the complexity of CASS 15, relying on manual processes or fragmented systems is no longer viable.
To meet both operational and regulatory expectations, firms require scalable technology that can manage large volumes of data, perform reconciliations consistently, and maintain a complete audit trail.
Automation plays a key role here. It allows organisations to standardise processes, reduce the risk of human error, and respond more effectively to audit and reporting requirements. Just as importantly, it provides the transparency needed to demonstrate compliance with confidence.
How AutoRek Supports CASS 15 Compliance
AutoRek provides a fully automated, end-to-end CASS 15 reporting solution designed to help firms meet FCA safeguarding requirements with confidence.
By centralising data management, reconciliation, and reporting, AutoRek enables organisations to gain full visibility over client money and ensure that safeguarding processes are both accurate and auditable. Real-time reconciliation capabilities support daily compliance requirements, while on-demand reporting ensures firms can respond quickly to regulatory scrutiny.
In addition, AutoRek’s Regulatory Toolkit ensures that firms remain aligned with evolving CASS 15 requirements. By automatically updating match rules and embedding key governance elements such as sign-off and resolution pack management, it supports both operational efficiency and audit readiness within a single platform.
Final Thoughts
CASS 15 is now fully operational and actively supervised by the FCA.
For Payment Institutions and Electronic Money Issuers, safeguarding is no longer just a regulatory obligation. It is an operational discipline that must be embedded across systems, processes, and controls.
Firms that recognise the complexity early and invest in the right frameworks and technology will be best positioned to meet regulatory expectations and scale confidently.
If your organisation is navigating CASS 15 safeguarding challenges or preparing for audit, AutoRek can help you strengthen your processes and demonstrate compliance with confidence.
This blog was written by David Reilly, Account Executive, Payments & Retail Banking at AutoRek