With the introduction of CASS 15, the FCA has materially raised its expectations of how payment services and e-money firms safeguard customer funds. While much of the industry focus has been on enhanced reconciliation, reporting and insolvency-readiness requirements, one area that warrants closer attention is the selection and ongoing oversight of third parties used in safeguarding arrangements.
In this article, the latest in our series helping firms prepare for the May 2026 deadline, we explore the key requirements that arise in this respect from CASS 15. This is distinct from the appointment of external safeguarding auditors, where separate and equally stringent requirements apply as per SUP 3A of the FCA’s Handbook.
Put simply, the FCA now expects firms to be far more deliberate, structured and evidence-driven in deciding who they entrust with client money.
The Central Role of Third Parties
Third parties sit at the heart of most safeguarding arrangements. In practice, these are typically credit institutions providing safeguarding accounts, but they may also include insurers or guarantors used under alternative safeguarding methods.
Under CASS 15, these relationships can no longer be treated as “set and forget” – not that they ever should have been. The FCA is explicit that firms must assess whether a third party is suitable at the point of appointment and continues to be suitable over time. Moreover, given the wide and sometimes creative interpretations of the “risk-based review” expected under section 10.78 of the FCA’s Approach Document, CASS 15 introduces a more prescriptive framework.
Selection: beyond box-ticking
At the point of selection, firms must exercise due skill, care and diligence. This is not a mere procedural exercise. The FCA expects firms to look beyond brand recognition or operational convenience and to develop a clear understanding of the risks associated with placing customer funds with a particular institution.
This assessment should include, at a minimum, the third party’s financial strength, creditworthiness and overall stability, as well as its experience of holding safeguarded funds and operating within the regulatory perimeter.
Firms must also consider concentration risk. While placing most funds with a single institution may be operationally efficient, it can create significant exposure if that institution experiences distress. CASS 15 encourages firms to assess whether diversification across multiple providers would better protect customers, particularly where balances are large or volatile. If a firm decides it is not appropriate to diversify its providers, then it should document why this is the case.
Another critical consideration is the legal and regulatory environment in which the third party operates. Firms need to understand how customer funds would be treated if the third party were to fail, including whether deposit protection schemes apply and, if so, the scope, limits and conditions of that protection. This analysis is central to the FCA’s objective of ensuring that customer funds can be returned as quickly as possible in an insolvency.
Ongoing oversight: suitability is not static
CASS 15 requires firms to carry out ongoing, risk-based reviews to ensure that third parties remain appropriate. Financial positions can deteriorate, business models can change, and regulatory permissions can be amended or withdrawn. Regular reviews allow firms to identify emerging risks early and take mitigating action before customers are exposed.
Crucially, firms must document both the initial selection and all subsequent reviews. The FCA expects clear records explaining why a third party was chosen, the factors considered, and the conclusions reached at each stage. These records must be retained for at least five years after the relationship ends and must be robust enough to withstand regulatory scrutiny.
Where a firm concludes that diversification of providers is not necessary, that decision – and the rationale for it – should be clearly documented and appropriately approved.
What firms should be doing now
- Identify and review all safeguarding third parties: map all institutions involved in safeguarding arrangements and refresh due diligence on their financial strength, creditworthiness, safeguarding experience and regulatory status.
- Assess concentration and insolvency risk: analyse exposure to each provider, consider diversification, and understand how customer funds would be treated in the event of a third-party failure (including the application of deposit protection schemes). Document decisions and approvals.
- Formalise selection and oversight frameworks: establish clear, evidence-based criteria for selecting third parties, alongside structured processes for ongoing reviews and defined trigger events.
- Strengthen governance and documentation: assign clear ownership for third-party oversight and maintain comprehensive records of selection decisions, reviews and conclusions, retained for at least five years.
Final Thought
Ultimately, CASS 15 reinforces a simple but important message: appointing a third party does not absolve a firm of responsibility. By adopting a structured, well-documented and proactive approach to third-party selection and oversight, firms can not only meet the FCA’s expectations, but also strengthen trust with their customers.
If you have any questions about appointing third-party safeguarding providers or require assistance with due diligence, please contact our team of experts here at Cosegic.