Crypto firms – a guide to FCA authorisation
From Oct 2027, cryptoassets will enter a new FCA regulatory regime, signalling a major shift for UK crypto compliance, investor protection and market oversight.

CASS is widening its reach. New safeguarding rules for payment and e‑money firms — and proposed regulation for digital assets — are reshaping the client assets regime. This article explains what’s changing, what it means in practice, and how firms and advisers can keep pace as the bar for compliance and assurance continues to rise.
The FCA’s Client Assets Sourcebook (CASS) is a well-established regime designed to protect client money and custody assets and ensure that regulated financial firms adhere to stringent regulatory standards. But while the core CASS rules have largely remained unchanged, their extended scope and application to different financial sectors have evolved with speed and impact in recent years. Specific chapters for debt and claims management over the past years, the effective date of CASS 15 for payment and e-money firms on 7 May 2026, and further extension to digital assets through implementation of CASS 16 and 17 likely in 2027, all make for quite a different-looking compliance landscape for both firms and professionals.
Meanwhile, assurance standards have strengthened with the Financial Reporting Council (FRC) CASS Assurance Standard in 2016 (revised 2019) and the publication of the FRC’s interim guidance on payment and e-money assurance engagements (2026). The proposals set out under CASS 16 and 17 will require an independent review to be conducted annually by qualified auditors. Although similar audit standards will likely be applied, it’s unclear whether they’ll be performed within existing CASS frameworks or require new standards to be developed.
CASS matters to both the FCA and regulated firms not only because it helps keep client assets safe but because it often provides a view of an organisation’s governance and risk profile. Firms focus on enhancing their CASS compliance through strengthening governance and organisational arrangements in order to keep pace with both internal and external changes.
With regulated firms expanding business models into areas such as payments and crypto assets, the need for stronger internal risk and control frameworks has grown. For such firms, staying compliant depends on securing and retaining the right skills. The interaction between different business lines and products makes it critical to have a solid understanding of your CASS footprint, as well as how you’ve designed your operational functions, systems and controls to ensure compliance with the relevant regulations.
Finally, technology - as both a risk and an enabler - has a big role to play both in how firms carry out their business and how they stay compliant with the regulations.
From 7 May 2026, the CASS 15 regime brings payment and e-money firms into the CASS net. This has been a key regulatory area of focus since last year and firms have been busy getting ready for the new rules by implementing and enhancing systems and controls to ensure compliance.
Auditors are also adapting their safeguarding audit approaches – and assessing the resource required to meet the demands of an additional annual CASS audit. With audit reports submitted to the FCA and audits conducted under an assurance standard, the emphasis on robust, high-quality audits has increased. No doubt there are, and will be, areas where CASS rule interpretations and compliance will evolve over time as this regime embeds and matures.
The inclusion of digital assets within the scope of CASS is a highly topical and evolving area - not without challenge. Although the underlying CASS principles are the same, digital assets are a different asset class, with different risks, underpinned by a unique ecosystem and technology that diverges from traditional finance.
Regulated firms entering this space should expect significant implementation effort and enhancement of systems and controls. You’ll need a clear understanding of how your operations, technology and finance functions interrelate to comply with the relevant CASS rules, while also aligning new rules with existing CASS frameworks.
It’s been encouraging to see greater openness and engagement with the regulator on CASS matters in recent years - particularly during last year’s consultation papers for the proposed CASS rule changes, safeguarding and digital asset regime. Both the financial services industry and profession have also welcomed efforts to simplify or amend longstanding CASS rules (as covered by CP 25/37) that have driven persistent breaches, without a practical solution to remediate them.
CASS audits are a mandated source of supervisory information for the FCA, and their purpose goes beyond regulatory compliance. A well-conducted CASS audit provides genuine assurance to regulators, investors and clients that assets are being protected and administered properly. The quality of that assurance has direct consequences for how a firm is perceived by the regulator.
As the CASS regime expands, so does the technical demand on auditors. CASS 15 is new. CASS 16 and 17 are coming. Each requires specialist knowledge, not just of the rules, but of how they apply in practice to different business models, products and technologies. Auditors who are upskilling and investing in this expertise now are better placed to provide the depth of assurance that a maturing regime will require.
With this comes an increased openness to adopting AI by both regulated firms and audit firms in their testing approach, as well as the increased use of digital tools to make audits more efficient and robust.
At Grant Thornton, we have seen a clear shift in the questions firms are bringing to us from "are we compliant?" to "are we ready for what's next?". That shift reflects a sector that understands CASS is no longer a stable regime to be managed around. It's an evolving set of obligations that rewards firms who treat assurance as a strategic input, not an annual box to tick.
As safeguarding and digital assets are brought into the CASS regime, it’s vital that regulators, professionals and clients can align and collaborate. Open and transparent relationships will be key to this and help all stakeholders adapt to the accelerating pace of both innovation and regulation.
Clients must recognise that CASS is an iterative process, one that requires ongoing compliance work in enhancing governance frameworks and organisational arrangements, as well as staying abreast of evolving regulation, and ensuring appointed auditors have the requisite skills and experience.
For their part, regulators and professionals will need to assess resourcing needs and ensure they hire and keep people who understand not only CASS rules, but how to apply them in practice. Appointing an auditor with genuine CASS expertise - one who understands not only the rules but how they apply to your specific business model - is worth prioritising early.
CASS compliance is not a project with an end date. The regulation keeps moving, the scope keeps broadening, and the quality bar keeps rising. Firms that build the right foundations now will be better placed to meet what comes next.
For more insight and guidance, get in touch with Shermeen Kazmi and Paul Staples.
Safeguarding customer funds isn’t a new concept. It has been a long-standing regulatory expectation across many sectors, including investment and insurance. For the payments sector, it has been a key part of compliance, with the FCA continuing to underline the importance of safeguarding customer funds over recent years.
But recent insolvencies showed a hard truth. The old rules didn’t always work in practice.
So it’s no surprise that safeguarding customer funds is one of the FCA’s four strategic priority areas, in its recently published Regulatory Priorities for Payments.
Importantly, the 7th May effective date for the CASS 15 Supplementary Regime should not be seen as a point-in-time compliance target. Rather, it should be seen as a regime that strengthens over time as it embeds across the sector, with expectations maturing as firms, professionals and regulators learn from implementation.
With CASS 15 coming into force, safeguarding has become, and needs to become, much more operational.
Firms must now demonstrate, on an ongoing basis, that customer funds are correctly safeguarded and properly segregated.
This demands tighter reconciliations, clearer fund flows and scoping, an enhanced risk and controls framework and far stronger audit trails - not just at the effective date, but as a continuing discipline.
One of the FCA’s priority themes for payments is effective governance, and that is clearly reflected in the CASS 15 regime, with tone from the top being crucial in fostering a culture of compliance and accountability.
Firms are now required to have a named individual responsible for safeguarding, along with a detailed resolution pack.
There is also a strong focus on the need to adopt an insolvency mindset, both from a firm and auditor perspective, to ensure safeguarding arrangements would work in practice, not just on paper.
With safeguarding under the FCA’s spotlight, regulatory oversight has increased significantly.
Under CASS 15, firms submit monthly safeguarding data returns and are subject to a mandatory annual audit by a qualified auditor - both of which serve as key supervisory data points.
The recent interim guidance for assurance engagements issued by the FRC is also a key step in setting expectations for high-quality and robust annual audits.
This is all in line with the approach taken in other sectors, where the CASS regime has matured over time through ongoing supervisory engagement and regulatory clarification.
Across the market, our financial services audit and advisory teams are actively supporting payment firms as they assess their current systems, controls, and governance against CASS 15 and embed them.
For some firms, this has meant incremental refinement of existing frameworks. For others, particularly fast‑growing or complex businesses, it has required more robust enhancements, including strengthened governance and clearer oversight.
In our view, there is a clear precedent from the CASS regime across other sectors that effective compliance develops over time - with the right attitude from management and supported by open and constructive engagement with the FCA.
The firms that will succeed under this regime are those with the right compliance mindset, one focused on strengthening systems and controls as the business evolves, rather than treating safeguarding as a one‑off regulatory milestone.