How to Prepare for an FCA Audit as a Payment Service Provider: A 2026 Guide


If you run a payment service that is authorised or registered by the Financial Conduct Authority, the regulatory landscape you are navigating in 2026 is more demanding than it has ever been. The rules are changing, the FCA's supervisory posture is sharper, and the consequences of being unprepared have real teeth.

This guide is for compliance leads, CEOs, and operations teams at payment institutions (PIs) and electronic money institutions (EMIs) who want to understand what FCA scrutiny actually looks like in 2026, what the regulator is specifically focused on, and what practical steps will get your firm genuinely audit-ready rather than just paper-compliant.

A note on jurisdiction: the FCA is a UK regulator. If your firm is based in the EU and regulated by your national competent authority under PSD2, much of what follows is still deeply relevant to you. Many EU-based PSPs hold dual authorisation or are seeking FCA authorisation for UK market access. The FCA's framework is also increasingly used as a benchmark by EU supervisors and the European Banking Authority. Understanding how the FCA audits PSPs helps you build the kind of compliance infrastructure that satisfies regulators on both sides of the Channel.

What an FCA Audit Actually Means for a PSP

The term "FCA audit" is used loosely in the industry, and it is worth being precise. The FCA does not typically arrive unannounced and conduct a single dramatic inspection. Instead, scrutiny comes in several forms, and understanding which you might face changes how you prepare.

The most routine form is the annual safeguarding audit, which is now mandatory for most authorised PSPs under the new rules introduced by PS25/12. This is an audit carried out by a qualified external auditor who reports to the FCA on your firm's safeguarding arrangements. It is not the FCA itself walking through your door, but the output goes directly to the regulator, and findings matter.

Beyond the annual audit, the FCA can commission a skilled person review under Section 166 of the Financial Services and Markets Act 2000. A Section 166 review sits between routine supervision and formal enforcement, and how a firm responds in the first days and weeks can define the outcome of the entire process.

Then there is the supervisory engagement channel: the FCA may write to you, ask questions via RegData, call your MLRO, or conduct a themed review of your sector. Between January 2020 and October 2024 alone, the FCA conducted 52 Section 166 reviews of PSPs. That is not a distant threat. It is a live supervisory tool being deployed across the payments sector right now.

Understanding all three of these channels is the foundation of meaningful audit preparation.


The Regulatory Context You Are Operating In Right Now

Before you can prepare properly, you need to understand what has actually changed and why the FCA's expectations have escalated.

The FCA found that, before the new safeguarding rules, some payments and e-money firms did not have sufficiently robust safeguarding procedures, creating a risk of harm to consumers and market integrity. The FCA identified persistent weaknesses, including poor record keeping, inadequate reconciliations, and delays in returning customer funds on insolvency.

The numbers behind that finding are stark. By 2024, EMIs were safeguarding approximately £26 billion and PIs approximately £6 billion on any given day. Yet in firm failures between 2018 and 2023, the average safeguarding shortfall was 65%. Think about that for a moment. When firms failed, nearly two thirds of the money that customers expected to be ring-fenced was not actually there or not immediately accessible. The FCA's response to this was not gentle guidance. It was a structural overhaul.

The Supplementary Regime, and related amendments to the Approach Document, will come into force on 7 May 2026. This is the most significant regulatory change to hit the payments sector since PSD2, and it sits on top of everything else the FCA was already focused on: financial crime, operational resilience, Consumer Duty, and governance.

In February 2025, the FCA published a Dear CEO letter setting out its priorities for firms supervised under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011, including Payment Institutions, Electronic Money Institutions, and Registered Account Information Service Providers. That letter is essentially the FCA telling you precisely where its audit attention will fall. Ignoring it is one of the most common and most avoidable compliance mistakes PSPs make.

The Five Areas the FCA Will Scrutinise Most Closely in 2026

1. Safeguarding: The Most Urgent Priority of All

Safeguarding is the area where the regulatory change is most dramatic in 2026, and it deserves the most space here.

The new rules effective from 7 May 2026, introduced in PS25/12, apply to authorised payment institutions (except those which solely provide payment initiation services or account information services), authorised e-money institutions, small e-money institutions, and credit unions which issue e-money in the UK.

What specifically does your firm now need to have in place?

Firms are required to perform safeguarding reconciliations at least once each day other than weekends, public holidays, and days when relevant foreign markets are not open. This is not a weekly summary. It is a discipline baked into your daily operations, and the FCA expects evidence of it. If you have a cross-border operation that touches non-UK currency corridors or time zones, your reconciliation calendar needs to account for foreign market closures as well.

Monthly FCA returns on safeguarded funds are now mandatory for all firms, and segregated funds must be held under a statutory trust with all relevant funds received in safeguarded accounts.

Each firm must maintain a detailed resolution pack that demonstrates a clear wind-down plan for the smooth distribution of relevant funds, together with contingency planning documentation setting out the processes to be followed in the event of insolvency. The resolution pack is not a one-off document you write and file away. The FCA expects it to be a living record that is regularly reviewed and genuinely operational.

On annual audits: most firms must arrange an annual safeguarding audit unless their safeguarded balances stayed below £100,000 during the prior 53 weeks. First audits must be submitted within 6 months of period end, then within 4 months thereafter. If you are uncertain whether your firm meets the £100,000 threshold exemption, the cautious and correct approach is to assume you do not.

When appointing or reviewing banks, custodians, insurers or guarantors, firms must perform due diligence and explicitly consider whether to diversify providers. The rules expect a reasoned, documented view that is revisited periodically, with changes made where appropriate.

The governance dimension of safeguarding is equally important. Reconciliation processes must now be signed off by a firm's board. This is not a compliance team task delegated downward. It requires direct board accountability.

A practical way to think about this: the FCA is essentially asking whether, if your firm failed tomorrow morning, it would be possible to identify exactly where every customer's money sits, retrieve it promptly, and return it to customers without a protracted insolvency process. If the honest answer to that question involves hesitation, your resolution pack and reconciliation process are not yet where they need to be.

2. Financial Crime Controls

In the 2024/25 financial year, the FCA commissioned 48 skilled person reviews under Section 166. Approximately 75% of all reviews focused on one of three specific areas: financial crime, controls and risk management, and conduct of business, with each area accounting for approximately 25% of the total.

Financial crime is not a background compliance task for PSPs. It is one of the FCA's primary lenses for evaluating whether a payment firm should continue operating.

Financial crime prevention remains a top priority for the FCA, with persistent weaknesses in governance, risk management, and fraud prevention identified across the sector. The FCA is specifically focused on AML systems and controls, transaction monitoring effectiveness, Suspicious Activity Reports (SARs), politically exposed person (PEP) screening, and the oversight of agents and distributors.

A common pattern in firms that face FCA scrutiny is that their written AML policies look reasonable but their actual day-to-day practices do not match them. Transaction monitoring alerts are not reviewed in time. Customer risk assessments are completed once and never updated. Agent oversight is nominal rather than substantive. The FCA looks at what your firm actually does, not just what its procedures document says it does.

Under the Money Laundering Regulations 2017 (as amended), you are required to have risk-based AML controls that are proportionate to your business model. For PSPs, that means your customer risk assessment framework needs to reflect the specific fraud and money laundering risks associated with your payment corridors, customer types, and transaction volumes. A generic template lifted from a compliance library is unlikely to satisfy FCA scrutiny.

The FCA expects firms to implement robust governance arrangements with strong oversight and independent challenge, to properly monitor agents and distributors to minimise customer harm, and to ensure outsourced functions remain compliant with UK regulatory requirements.

3. Operational Resilience

The FCA's final rules and guidance on operational resilience came into effect on 31 March 2022 with a three-year transitional period. Firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. That transitional period has now closed. By the time you read this, full compliance is expected, not planned.

The FCA identifies cyber-attacks, IT system outages, and third-party supplier failure as operational disruptions that have the potential to cause harm to consumers, threaten the viability of firms, and cause instability in the financial system. The FCA has seen weaknesses in some firms' technological resilience, in some cases coupled with a lack of oversight of change programmes, resulting in weakened resilience and business interruption.

For PSPs specifically, the critical questions the FCA will want answered are:

  • Which of your business services are important business services?

  • What is your impact tolerance for each one?

  • Have you actually tested whether you can remain within those tolerances during a realistic disruption scenario?

  • And if a key third-party provider failed today, how long would it take you to restore service?

If your firm relies on a single cloud provider, a single banking partner, or a single payment rails provider without documented contingency arrangements, that is a vulnerability the FCA will not overlook.

4. Governance, Accountability, and Culture

The FCA stresses the importance of governance, oversight and leadership, noting that weaknesses in these areas are a root cause of many of the regulatory issues it sees in the payments portfolio.

This is worth sitting with. The FCA is not just telling you to have a compliance manual. It is telling you that poor compliance outcomes in the payments sector are most commonly traceable to weak governance at the top. That means board members who do not adequately understand the regulatory requirements, senior managers who delegate compliance without genuine oversight, and cultures where commercial pressures routinely override risk controls.

Under the Senior Managers and Certification Regime (SM&CR), every regulated PSP is required to have named individuals responsible for specific regulatory functions. Those individuals can be held personally accountable when things go wrong. The FCA has made it clear it is not reluctant to use those powers.

For your audit readiness, this means your board needs to be demonstrably engaged with regulatory matters, not just briefed quarterly by the compliance team. Board minutes should show real challenge and discussion on compliance topics. Senior managers should be able to articulate your firm's key risks and controls coherently, not just refer questions to the compliance function.

Firms headquartered in the UK are expected to maintain operational decision-making at their UK offices. For PSPs with distributed or offshore operational structures, this is not merely administrative. It is a substantive requirement about where real decisions are made.

5. Wind-Down Planning

The FCA has raised concerns about the quality of Wind-Down Plans, noting that standards have been too low, with substantial gaps in the analysis of liquidity. The FCA also has reservations about the credibility of Wind-Down Plans where firms outsource material activities to other group entities.

A wind-down plan is not a formality. The FCA treats it as a live document that should be credible enough to actually execute. A plan that assumes you can wind down in three months while your actual operational dependencies suggest it would take twelve is not a plan that will satisfy supervisory scrutiny.

Effective wind-down plans should be in place to ensure orderly business closure if necessary. Prudential risk management also requires firms to meet regulatory capital requirements at all times and to plan ahead for financial stability.

What the FCA Looks at When It Examines Your Firm

Understanding the mechanics of how scrutiny actually unfolds helps you prepare in the right order.

Routine supervision begins with the data you submit. All PSPs are required to report at least once every calendar year on their operational and security risk assessment and their assessment of the adequacy of the resulting mitigation measures and control mechanisms. All PSPs must also send statistical data on fraud affecting different types of payment. The FCA uses this data to identify outlier firms. Inconsistencies between your submitted data and your actual operations are a red flag.

PSPs including electronic money institutions should report using RegData. Errors in RegData submissions, late filings, or figures that do not reconcile with each other are often the first signal to the FCA that a firm's internal controls may be weak.

A Dear CEO letter, like the one issued in February 2025, is not background reading. Boards and senior management are expected to discuss the contents and take necessary actions, with firms prepared to explain their response to the regulatory requirements if the FCA engages with them directly. Treating it as a document for the compliance team rather than a board-level action item is itself a governance failure.

A Practical Audit Preparation Checklist for 2026

The following is a working framework rather than an exhaustive list. Every firm's risk profile is different, but these are the areas where preparation is most likely to reduce your regulatory risk.

On safeguarding: confirm whether your firm is in scope under PS25/12. Review your safeguarding policy against CASS 15 and the updated Approach Document. Build a reconciliation process that runs every business day and produces a documented output. Commission your annual safeguarding audit if you have not already done so. Build your resolution pack as if it will genuinely be used. Document your due diligence on every safeguarding counterparty.

On financial crime: conduct a gap analysis of your AML controls against the FCA's Financial Crime Guide. Review your transaction monitoring rules for your actual customer and corridor risk profile. Ensure your SAR processes are functioning and that the responsible individual is trained and resourced. Test your agent oversight processes against real outcomes rather than policy descriptions.

On operational resilience: document your important business services and your impact tolerances. If you have not yet done disruption scenario testing, do it now. Review your third-party contracts for the access, audit, and termination rights the FCA expects you to have.

On governance: review board minutes to ensure they demonstrate genuine engagement with compliance topics. Map every SM&CR function to the named individuals who hold it and ensure those individuals can explain their responsibilities. Review your wind-down plan for credibility and update it to reflect your current operational structure.

On regulatory reporting: audit your last 12 months of RegData submissions for accuracy and completeness. Ensure your fraud reporting data is consistent with your internal records.

What Happens if You Are Not Ready

The FCA's enforcement posture has become materially more assertive. The FCA is already conducting deep-dive reviews, and a mid-2026 post-implementation assessment is expected to further sharpen scrutiny and enforcement expectations.

Firms that fail to implement robust safeguarding controls may face increased scrutiny from the FCA, potential fines, and reputational damage, which can have long-lasting impacts on customer confidence and business growth.

Beyond fines, the FCA has the power to impose requirements, restrict activities, suspend authorisation, or ultimately cancel a firm's authorisation entirely. For a PSP, authorisation is the business. Losing it, or having conditions attached to it, is an existential risk.

Where the FCA identifies issues, it states it will take swift and assertive action to protect customers and ensure market integrity. This is not rhetorical. The FCA has applied that principle in the payments sector repeatedly in recent years.

About SpeedyDD

At SpeedyDD, we work with complex and regulated businesses to make compliance infrastructure less of a burden and more of a business advantage. Our mission is simple: we believe that regulated firms, especially those in high-scrutiny industries like payments, should never have to face a regulator in a state of unreadiness. We help PSPs, EMIs, and other regulated entities build the kind of documentation, due diligence processes, and audit-ready systems that stand up to scrutiny, not just at audit time, but every day of the year. Whether you are preparing for your first FCA safeguarding audit, building out your AML controls, or trying to onboard clients efficiently, we are the team you call when regulation gets complicated.

Frequently Asked Questions

What is the difference between an FCA safeguarding audit and a Section 166 review?

A safeguarding audit is a mandatory annual review carried out by an independent qualified auditor examining your safeguarding arrangements. It is a routine compliance requirement under the new PS25/12 rules. A Section 166 skilled person review is a supervisory tool the FCA can deploy when it has specific concerns about a firm. It is commissioned either by the firm at the FCA's direction or directly by the FCA itself, and it is significantly more intensive and consequential. Think of the safeguarding audit as scheduled maintenance and a Section 166 review as an emergency inspection prompted by a warning light.

Does PS25/12 apply to EU-based PSPs?

PS25/12 applies to firms authorised or registered by the FCA in the UK. EU-based PSPs regulated solely by their national competent authority are not directly subject to it. However, if your EU firm holds FCA authorisation for UK market access, those UK-authorised entities are fully in scope. Additionally, the EBA Guidelines on internal governance and safeguarding under PSD2 carry similar intent, and EU regulators have been moving in the same direction. The FCA framework is a useful benchmark regardless of your primary regulator.

What is a resolution pack and why does the FCA require it?

A resolution pack is a collection of documents that would allow an insolvency practitioner or administrator to quickly identify where all customer funds are held, who holds them, how to access them, and how to return them to customers if a firm fails. The FCA introduced it because, historically, when payment firms collapsed, administrators found it extremely difficult to locate and return customer money promptly. The resolution pack is meant to make the failure process orderly and fast for consumers.

How often do I need to submit safeguarding returns to the FCA?

Under the new PS25/12 rules effective from 7 May 2026, most in-scope firms are required to submit monthly safeguarding returns to the FCA via RegData. These returns report on your safeguarded fund balances and reconciliation status.

What is the £100,000 exemption threshold for safeguarding audits?

Firms that have not been required to safeguard more than £100,000 in relevant funds at any point over a continuous period of at least 53 weeks are exempt from the mandatory annual safeguarding audit requirement. If your firm's safeguarded balance has ever exceeded £100,000 during that window, the exemption does not apply.

What are the FCA's three main outcomes for payments firms in 2025 and 2026?

The FCA's February 2025 Dear CEO letter set out three outcomes: effective competition and innovation to meet customers' needs, firms not compromising financial system integrity, and customers' money being kept safe. Every aspect of your compliance programme should be mapped to one of these outcomes.

What is the difference between an internal and external safeguarding reconciliation?

An internal reconciliation compares your own records of what relevant funds should be held against what your accounting systems show. An external reconciliation compares your internal records against the statements from your safeguarding bank accounts or custodian. Both are required on every business day under PS25/12 rules.

What happens if a shortfall is found during a safeguarding reconciliation?

The FCA expects shortfalls to be identified, documented, and remediated promptly, ideally by the following business day (D+1). You are also required to notify the FCA of material adverse findings. Failing to remediate promptly or failing to report is itself a compliance breach, separate from the underlying shortfall.

Can I use safeguarding insurance instead of a segregated bank account?

Yes, safeguarding insurance remains an option under the rules, but the FCA has made its expectations significantly more rigorous. Cover must include headroom for foreseeable fluctuations in safeguarded balances, firms must evidence how policy expiry risk is mitigated, and the policy must be structured so that funds fall outside the insolvent estate. The FCA has signalled that it views insurance-based safeguarding as inherently more fragile than segregated bank account arrangements.

What does the FCA mean by "impact tolerances" for operational resilience?

An impact tolerance is the maximum level of disruption your firm has determined it can tolerate for a given important business service before it causes intolerable harm to consumers or market integrity. You are required to have mapped your important business services, set a tolerance for each, and tested whether you can stay within it during a realistic disruption scenario. The transitional period for these rules closed in March 2025, meaning full compliance is now expected.

How does the FCA use RegData to supervise PSPs?

RegData is the FCA's primary regulatory reporting system. PSPs use it to submit financial returns, fraud data, safeguarding returns, and operational and security risk assessments. The FCA uses this data to identify patterns and outliers across the sector. Inconsistent, late, or inaccurate RegData submissions can trigger supervisory interest. Good data hygiene in RegData is, in practical terms, part of your audit readiness.

What should my board be doing differently in 2026 to satisfy FCA governance expectations?

Your board should be demonstrating active engagement with regulatory matters rather than passive receipt of compliance reports. Board minutes should evidence substantive challenge and discussion on safeguarding, financial crime, and operational resilience. Named senior managers under SM&CR should be able to articulate their regulatory responsibilities in their own words. Wind-down planning should be discussed at board level at least annually and reviewed whenever your business model changes materially.

SpeedyDD Trading Limited a company registered in Cyprus under Registration Number: HE457236 and with Registered Address at Griva Digeni 81, Marinos Court, 3rd Floor, Flat/Office 301, 6043 Larnaca, Cyprus

© 2026 SpeedyDD. All rights reserved.