Compliance is the floor, not the ceiling
On 7 May 2026, the FCA's new CASS 15 regime came into force. For payment institutions and e-money firms across the UK, it represents the most significant overhaul of safeguarding requirements in years.
Shieldpay is fully compliant with CASS 15 as of the effective date. But I want to explain what the regime actually requires, what it means for law firms using a third-party managed account, and why at Shieldpay we're treating compliance as the starting point rather than the destination.
What is CASS 15?
CASS 15 is the FCA's new Supplementary Safeguarding Regime for payment institutions (PIs) and e-money institutions (EMIs), introduced through Policy Statement PS25/12. It replaces the previous safeguarding framework that operated under the Payment Services Regulations and Electronic Money Regulations.
The intent is straightforward: bring the safeguarding standards applied to PIs and EMIs in line with the rigorous client asset protections that have long applied to investment firms. If you're familiar with CASS 7 (the client money rules for MiFID firms), CASS 15 is the closest equivalent for the payments sector.
The practical effect is that safeguarding is no longer a compliance-only activity. It becomes a core governance obligation.
What's actually changed
For firms like Shieldpay, the key changes are:
From "adequate" to daily reconciliations. The previous regime required reconciliations at an "adequate" frequency. Deliberately vague. CASS 15 mandates daily reconciliations using a standardised methodology. There's no longer room for interpretation.
From annual to monthly reporting. Firms must now report to the FCA monthly via RegData, replacing the previous annual or ad-hoc approach. The regulator has real-time visibility into safeguarding positions.
Specialist CASS audits. The annual general audit is replaced by a specialist CASS audit. These are more focused, more technical, and conducted by auditors with specific CASS expertise.
A named director with personal accountability. Every firm must appoint a single director or senior manager with clear, demonstrable responsibility for safeguarding compliance. This person has direct accountability to the FCA, not just internally.
Statutory trust structure. The legal basis for how client funds are held will move from simple segregation to a statutory trust, with an interim state in place while the FCA finalises the end-state transition timeline.
Third-party due diligence. Where safeguarded funds are held with third-party institutions, firms must conduct periodic reviews, not just initial due diligence at onboarding.
What CASS 15 means for law firms using a TPMA
If your firm uses Shieldpay as your third-party managed account provider, CASS 15 directly affects the safeguarding arrangements around your client money.
Here's the practical implication: you are placing client funds with an FCA-regulated payment institution. CASS 15 means that institution is now held to the same safeguarding standard as an investment firm managing client assets. Daily reconciliations, specialist audits, named board-level accountability, monthly regulatory reporting.
For the law firms choosing a TPMA provider, this should prompt a question you may not have asked before: is your provider actually CASS 15 compliant?
The SRA permits law firms to use third-party managed accounts as an alternative to holding client money directly. But the SRA's permission does not automatically guarantee the provider is meeting its regulatory obligations. If a TPMA provider fails or mishandles client funds, the consequences for your clients are real. The FCA's enforcement record under the previous regime makes that clear.
In 2015, BNY Mellon was fined £126 million for safeguarding failures involving record-keeping and reconciliation for £1.3 trillion in assets. Aviva was fined £8.2 million in 2016 for failing to adequately protect client money and assets. More recently, One Call was fined £684,000 and its director personally fined £468,600 for mismanagement of client funds. The pattern is consistent: the FCA takes safeguarding failures seriously, and personal accountability is increasingly part of that.
The question worth asking your TPMA provider: who in your organisation is the named CASS 15 director, and what does your daily reconciliation process look like?
Why compliance is the floor
Shieldpay is fully CASS 15 compliant as of 7 May 2026. That's the minimum bar, and we've cleared it.
But the FCA and our auditors are clear that the firms that stand out under the new regime are those that can demonstrate they're not box-ticking. Compliance with the letter of CASS 15 is achievable. Embedding a culture where safeguarding is genuinely a board-level priority - not a compliance department concern - is harder, and rarer.
That's where our focus is now.
- Daily reconciliations are in place.
- Our CASS Resolution Pack is maintained as a living document, not a static file.
- Our named CASS director has the authority and the remit to act.
- We're working with our auditors to go beyond the baseline requirements in a way the FCA's specialist CASS auditors can verify.
For law firms, this matters. When you choose Shieldpay as your TPMA provider, your clients' funds are held within a safeguarding framework designed to return those funds quickly, accurately, and transparently - even in the unlikely event that something goes wrong with us. That's what CASS 15 is for. And that's why we're taking it seriously.
Further reading
If you have questions about CASS 15 and what it means for your firm's use of a TPMA, contact us at compliance@shieldpay.com or visit our CASS 15 Compliance page.
COMMENTS