Why the FCA Is Acting: A Record of Failures
Between 2018 and 2025, a series of authorised payment institutions and e-money institutions failed in ways that left customers unable to access their funds for extended periods. Wirecard's UK subsidiary, PayrNet, and a number of smaller EMIs all entered administration with safeguarding shortfalls, meaning customers who held balances were treated as unsecured creditors rather than protected beneficiaries.
The existing safeguarding regime, established under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011, was designed to protect customer funds. In practice, the FCA found widespread non-compliance: funds not properly separated, reconciliations not performed daily, custodians not appropriately appointed, and in some cases safeguarded funds simply not present in the amounts required.
CP23/20, published in December 2023, is the FCA's response. It proposes a significant strengthening of the regime that borrows heavily from the bank model: a statutory trust imposed on safeguarded funds, mandatory third-party audit of safeguarding arrangements, enhanced regulatory reporting, and a clearer definition of what constitutes a qualifying safeguarding account. The direction of travel is unmistakable: PIs and EMIs are being pushed toward a more bank-like prudential model even if they do not hold a banking licence.
The Current Safeguarding Regime
Under the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs), PIs and EMIs are required to safeguard customer funds from the moment they are received. The current regime gives firms a choice of two safeguarding methods:
Method 1: Segregation in a Designated Account
Customer funds are held in a segregated bank account, designated as a safeguarding account, at an authorised credit institution. The account must be clearly ring-fenced from the firm's own funds. In the event of insolvency, these funds are treated as a separate pool and are not available to general creditors.
Method 2: Insurance or Guarantee
Instead of holding funds in a segregated account, the firm can obtain an insurance policy or guarantee from an insurer or credit institution for an amount equivalent to the customer funds. In practice, this method is rarely used because obtaining sufficiently large insurance coverage at commercially viable terms is difficult for most PIs and EMIs.
Where a firm uses Method 1, the obligations are as follows: funds must be placed in the account no later than the business day after receipt; the account must be reconciled against customer fund obligations at the end of each business day; and the firm must keep adequate records to identify the balance owed to each customer at any point in time.
The current regime does not impose a statutory trust. It relies on the practical consequence of segregation rather than a legal trust structure. This is the primary gap that failures have exposed: in insolvency, the legal status of segregated funds has been contested, and the reconciliation process has in several cases revealed shortfalls that customers bear the cost of.
CP23/20: The Proposed Reforms
The FCA's proposals in CP23/20 are structured around four principal changes.
Statutory Trust
The most significant change is the imposition of a statutory trust over all safeguarded funds. Under the proposed regime, funds received from customers will be held on trust for those customers by operation of law, from the moment of receipt. This means that in insolvency, the funds are unambiguously outside the general estate and ring-fenced for customer benefit. The legal uncertainty that created difficulties in past failures would be eliminated.
Enhanced Audit Requirements
CP23/20 proposes that firms' safeguarding arrangements be subject to a mandatory annual audit by an external auditor. The audit must verify that the safeguarding account is appropriately designated, that daily reconciliations are being performed, that no shortfalls exist, and that the firm's internal policies and procedures comply with the regime. For smaller firms, this represents a material new compliance cost: a dedicated safeguarding audit is a separate engagement from the statutory accounts audit and will typically add £10,000–£30,000 per year in external audit fees.
Regulatory Reporting
Firms will be required to submit regular regulatory returns to the FCA confirming their safeguarding position. The proposed return includes the aggregate amount of customer funds held, the breakdown across safeguarding accounts and insurance coverage, confirmation of daily reconciliation performance, and disclosure of any shortfalls identified and remediated during the period. This is a significant escalation from the current position, under which there is no structured regulatory reporting obligation specific to safeguarding.
Qualifying Custodians
The FCA proposes to tighten the definition of qualifying safeguarding accounts and qualifying custodians. Not all credit institutions will be eligible; the proposed criteria focus on prudential soundness, credit rating, and the ability to segregate funds in a way that supports a trust structure. Firms using neobank accounts or accounts at smaller EMIs as safeguarding accounts may find that their current arrangements do not meet the new criteria.
"CP23/20 is moving PIs and EMIs toward a model that looks more like a narrow bank. The statutory trust requirement, combined with mandatory audit and enhanced reporting, means that safeguarding is no longer an operational matter — it is a CFO-level responsibility."
Own Funds Requirements: The Three Methods
Separately from safeguarding, PIs and EMIs are subject to minimum own funds requirements. For payment institutions, the Payment Services Regulations 2017 set out three methods for calculating the minimum own funds requirement, and the firm must use the method appropriate to its activities.
Method A: Fixed Minimum
Method A applies a fixed minimum own funds requirement based on the type of payment service provided. The amounts are:
- Payment initiation services only: £20,000
- Money remittance: £20,000
- Other payment services (including account information services): £125,000
- Payment services including execution of payment transactions: £125,000
Method A is the minimum floor. For any PI with significant payment volumes, one of the volume-based methods will produce a higher requirement and will therefore be binding.
Method B: Fixed Overhead Requirement
Method B sets the own funds requirement at 10% of the firm's fixed overheads from the prior year. Fixed overheads are broadly defined as total expenses minus variable costs — in practice, it approximates to roughly one month of total operating expenditure. For a PI with £3m annual fixed costs, the Method B requirement would be £300,000. This method tends to bind for firms with high cost bases relative to payment volumes.
Method C: Volume-Based Percentage
Method C is the most commonly binding method for PIs with significant payment flows. It applies a tiered percentage to the average monthly payment transaction volume over the prior year:
- 4.0% on the portion of monthly volume up to €5m
- 2.5% on the portion between €5m and €10m
- 1.0% on the portion between €10m and €100m
- 0.5% on the portion between €100m and €250m
- 0.25% on the portion above €250m
The own funds requirement is the highest of Method A, B and C. For any PI processing more than €50m per month, Method C will almost certainly be the binding constraint, and the capital requirement will be well above the Method A floor.
A PI processes an average of €30m per month. Method C calculation:
€5m × 4.0% = €200,000
€5m × 2.5% = €125,000
€20m × 1.0% = €200,000
Total: €525,000 (approximately £450,000 at current rates). If Method A gives £125,000 and Method B gives £280,000, Method C binds at £450,000.
EMI Own Funds: The 2% Rule
E-money institutions are subject to a different and generally more demanding own funds regime. EMIs must hold own funds at least equal to 2% of the average outstanding e-money. Outstanding e-money means the total amount of e-money issued and not yet redeemed, which is effectively the firm's customer balance sheet.
This has significant implications for fast-growing EMIs. An EMI with £50m of outstanding e-money must hold at least £1m of own funds (2% of £50m). As the firm grows, the own funds requirement scales with the balance sheet, not with revenue or profit. A firm that grows its outstanding e-money from £50m to £200m will see its minimum capital requirement quadruple, from £1m to £4m. Failure to plan for this creates capital constraint at precisely the time the business is growing.
The minimum initial capital for an EMI is £350,000, which aligns with the stablecoin issuer PMR under CP25/15 and reflects a consistent FCA approach to minimum capitalisation for financial institutions handling customer money.
Current vs Proposed Safeguarding: Side by Side
Operational Implications for CFOs
The proposed reforms have several direct operational implications that a CFO must plan for.
First, the statutory trust requirement changes the accounting treatment of customer funds. Under a trust structure, the safeguarded funds and the corresponding customer liability are both presented on the balance sheet, but their nature changes: they are explicitly held on behalf of others, not as the firm's own assets. This is how the current regime should already be treated, but the statutory trust formulation removes any ambiguity and requires explicit disclosure in the notes to the accounts.
Second, the mandatory safeguarding audit is a new cost that needs to be budgeted. Firms should approach their external auditors in advance to understand scope and pricing. For smaller firms, the audit may be performed by the same firm as the statutory audit, but it is a separate engagement with separate terms of reference.
Third, if a firm's current safeguarding accounts are held at institutions that will not qualify under the new criteria, migration to a qualifying custodian must be planned and executed before the new rules take effect. This is not a trivial operational task: it requires new account opening (which can take weeks for a regulated safeguarding account), system repointing, and co-ordination with the banking operations team.
Fourth, the regulatory reporting obligation requires a reporting infrastructure that many smaller PIs and EMIs do not currently have. The data required (daily reconciliation results, customer balance totals, shortfall tracking) must be captured systematically, not constructed retrospectively.
Key Takeaways
- The FCA is reforming safeguarding for PIs and EMIs following multiple failures. The direction is toward a statutory trust model with mandatory audit and regulatory reporting.
- The statutory trust, when enacted, will place customer funds unambiguously outside the general estate in insolvency, removing the legal uncertainty that caused delays and losses in past failures.
- The mandatory safeguarding audit is a new external cost. Budget for it now, before it becomes a compliance requirement.
- Own funds requirements for PIs are the highest of Methods A, B and C. For any PI with significant payment volumes, Method C (volume-based) will be the binding constraint.
- EMI own funds are set at 2% of average outstanding e-money. Fast-growing EMIs must model the capital requirement trajectory alongside their balance sheet growth plan.
- Firms holding safeguarding balances at non-qualifying custodians need to assess migration risk early. Account opening at qualifying institutions can take weeks and requires regulatory designation.
- The proposed regulatory reporting obligations require systematic data capture. Build the infrastructure ahead of the formal obligation, not in response to it.
