FCA takes ‘audit-driven’ approach to payments firms

The UK Financial Conduct Authority (FCA) is taking an “audit-driven” approach to payments and e-money institutions under its new safeguarding regime, and reallocating its resources towards “active supervision and enforcement actions”, according to Simon Deane-Johns, a partner at Keystone Law.

From May 2026, the UK regulator is introducing tighter rules on payments firms to ensure they keep their own funds separate from customers’ money. While the regime is not “revolutionary”, it could still “drive better behaviour” through more data, more audits and more risk-based supervision, Deane-Johns told Compliance Corylated.

Under the new rules, FCA-authorised payments and e-money institutions will be subject to monthly reporting, annual audits and the possibility of an FCA visit. “That’s a multi-pronged compliance approach. Presumably, the FCA can then focus its limited enforcement resources on firms that fail audits,” he said.

He noted that the FCA appeared to be “relying heavily on the audit community to spot problems early”, adding: “It’s almost like they’re outsourcing enforcement — hoping that more audits will identify non-compliance and correct it.”

Auditors have a statutory duty to report concerns about a firm not complying with regulations to the FCA under the Financial Services and Market Act 2000 (SUP 3.8.10 G). In August 2024, PwC was fined £15 million by the regulator for not reporting concerns that arose during its audit of fraudulent mini-bond provider London Capital & Finance.

Reallocation of resources

In March 2025, the FCA dedicated 23% of its staff to enforcement and market oversight, while 53% were assigned to supervision, policy and competition, according to its annual report published in July.

Deane-Johns suggests the new safeguarding regime could signal the FCA’s intention to reallocate resources towards “active supervision and enforcement actions”. While it already has a client money and assets (CASS) team that enforces the safeguarding rules, e-money and payment services regulations sit outside the Financial Services and Markets Act 2000. This means the FCA has not had the appropriate resources to properly oversee safeguarding under those rules, he added.

Insolvency trend

The FCA also said in its annual report that it has improved data use to detect “problem firms” by using “new technology” to identify 849 firms that failed to give notice of their insolvency. In 2024, the regulator pulled 95 payment firmsʼ authorisations.

“Payment firmsʼ revenues haven’t doubled, but costs have — that makes it hard to stay solvent,” Deane-Johns noted, adding the emerging trend of insolvency among payment firms was probably the main reason behind the regulatory drive, as it has pushed safeguarding issues “to the surface”.

However, he said, if a firm is already conducting “proper” safeguarding, the new regime should not be a problem — as firms should have been “doing this all along”.

The FCA estimates that there are 142 payment firms with zero customer funds, and a further 118 holding more than zero but less than £100,000 in customer funds, according to the policy statement.