REP027: What Payment Firms Really Need to Know 

Author: James Borley, Director of Payment Servives

For many payment and e-money firms, regulatory reporting can often feel like an administrative exercise. Another form to complete. Another deadline to meet. Another submission to add to the compliance calendar. 

REP027 is different. And June is the first month for which the FCA is gathering this information. 

Alongside the rest of the ‘CASS 15’ overhaul of safeguarding arrangements, the FCA’s new monthly safeguarding return represents one of the most significant supervisory developments for the payments sector in recent years. While some firms may initially view it as simply another reporting obligation, that perspective risks missing the regulator’s broader objective. 

REP027 is not fundamentally about reporting. It is about oversight. 

The return forms part of the FCA’s wider programme to strengthen safeguarding standards across the payments and e-money sector, following years of supervisory concerns regarding safeguarding shortfalls, weak governance arrangements, poor record keeping and challenges encountered when firms have entered insolvency. 

The FCA has been clear that safeguarding continues to be one of its key priorities. The introduction of monthly reporting provides the FCA with far greater visibility over firms’ safeguarding arrangements that was ever previously the case and allows potential issues to be identified much earlier than was previously possible. 

For payment institutions and e-money firms, understanding this shift in regulatory philosophy is arguably more important than understanding the mechanics of the return itself. 

Why REP027 Matters 

Historically, safeguarding information was largely reported through a line item in annual regulatory returns, supervisory engagement, and the occasional safeguarding audit report. This created a challenge for regulators. 

A firm could appear compliant at the point of reporting whilst significant weaknesses emerged between reporting cycles. By the time concerns became visible, customer funds could already be at risk. 

REP027 seeks to change that dynamic. 

By requiring firms to submit safeguarding data every month, the FCA gains near real-time insight into the health of safeguarding arrangements across the sector. The regulator can monitor trends, identify anomalies and intervene much earlier where concerns arise. 

This aligns directly with the FCA’s wider safeguarding reforms and the introduction of the new safeguarding framework under CASS 15 and associated SUP reporting requirements. The objective is simple: reduce the risk of customer harm and improve outcomes if a firm fails. 

What the FCA Is Really Looking For 

Many firms naturally focus on what data must be submitted. The more important question is what the FCA intends to do with that data. 

REP027 provides the FCA with a detailed view of several areas that have historically been associated with safeguarding failures: 

• The amount of safeguarded funds held 
• Where those funds are held 
• Reconciliation performance 
• Segregation arrangements 
• Resource adequacy 
• Record-keeping controls 
• Safeguarding breaches and incidents 

Viewed collectively, these data points create a powerful supervisory tool. 

A firm that consistently reports reconciliation exceptions, unexplained fluctuations in safeguarded balances or weaknesses in account-level records is likely to attract supervisory attention far more quickly than under previous reporting arrangements. In effect, REP027 gives the FCA an early warning system. 

Firms should therefore assume that the return is not simply being collected for statistical purposes. It will increasingly become a core supervisory dataset. And, as we have advised clients on numerous occasions, if you come to the FCA’s attention for one thing then expect further scrutiny across the rest of the business. 

The Operational Challenge 

One of the most underestimated aspects of REP027 is the operational burden it creates. Unlike annual reporting exercises, monthly submissions leave very little room for error. 

Most firms must complete the return within 15 business days of month-end. That means finance, operations, safeguarding, risk and compliance teams often need to gather, reconcile and validate information within a compressed timeframe. 

For firms operating multiple safeguarding accounts, using numerous banking partners or processing high transaction volumes, this can become a significant undertaking. 

The challenge is not necessarily producing the data. The challenge is producing accurate data consistently. 

The FCA is generally more concerned about firms that submit inaccurate information than firms that identify and disclose genuine issues. A return that contains inconsistencies may create questions about governance, management information and oversight arrangements. 

This is why many firms are now reviewing the underlying operating model that supports safeguarding rather than focusing solely on the reporting output. 

It’s a Matter of…Timing 

Under SUP 16.14A, firms must submit REP027 within 15 business days of the end of each calendar month. To put this into context, a firm reporting on its June safeguarding position would generally need to submit the return by 21 July 2026. The FCA’s new regime went live on 7 May 2026, with the first return covering June activity. 

For many firms, the practical challenge is that the reporting window coincides with other critical month-end activities: 

Day 1-5 

• Month-end close begins; 

• Safeguarding reconciliations are completed (on a daily basis); 

• Relevant funds calculations are performed; 

• Banking confirmations are obtained. 

Day 5-10 

• Exceptions and reconciliation breaks are investigated; 

• Operations and finance teams validate safeguarding balances; 

• Compliance teams begin preparing REP027 data. 

Day 10-15 

• Senior management review takes place; 

• Final quality assurance checks are completed; 

• REP027 is submitted through RegData before the FCA deadline. 

This timetable leaves very little room for delays. Firms relying on manual spreadsheets and fragmented data sources may find themselves under considerable pressure every month. 

From a governance perspective, firms should be asking a simple question: could we confidently produce accurate safeguarding data within 15 business days every single month? 

The FCA is unlikely to view late submissions as merely an administrative oversight. Consistent delays may indicate weaknesses in safeguarding governance, management information, resourcing or operational controls. 

As a result, many firms are now moving towards automated reconciliation processes, enhanced management information dashboards and clearly documented REP027 ownership frameworks. The objective is not simply to meet the deadline; it is to create a sustainable reporting process capable of standing up to ongoing regulatory scrutiny. 

REP027 is a Governance Issue 

Perhaps the most important message for senior management is that REP027 should not be viewed as a compliance function responsibility alone. The data being reported reflects the effectiveness of the firm’s safeguarding framework. 

If the return identifies recurring reconciliation issues, unresolved shortfalls or weaknesses in record keeping, those are not reporting problems. They are governance problems. 

Boards and senior managers should therefore be receiving regular management information relating to REP027 submissions and understanding the trends emerging from the data. Although, the monthly cadence of submissions does not leave much time for pre-discussion. 

The FCA will expect firms to demonstrate not only that returns are submitted on time, but also that senior management understands what the returns are saying about the firm’s safeguarding environment. 

In many respects, REP027 represents another step towards the governance expectations traditionally associated with the CASS regime. 

Common Mistakes Firms Should Avoid 

As firms prepare for ongoing monthly reporting, several themes are already emerging. 

The first is treating REP027 as a regulatory reporting project rather than a safeguarding project. 

The second is relying heavily on manual processes. While spreadsheets may work initially, they often become difficult to control and scale as reporting complexity increases. 

The third is failing to establish clear ownership. Successful firms typically have defined responsibilities across finance, operations, compliance and senior management, with clear escalation pathways where exceptions arise. 

Finally, some firms continue to focus exclusively on submission deadlines without paying sufficient attention to data quality. Regulatory reporting is only as reliable as the underlying records supporting it. Garbage in, garbage out. 

Looking Ahead 

The FCA has invested considerable effort in strengthening safeguarding standards because it continues to see safeguarding failures as a significant source of consumer harm. Monthly reporting provides the FCA with greater transparency and gives firms an opportunity to demonstrate that their safeguarding arrangements are operating effectively. 

The firms that will benefit most from REP027 are not necessarily those that treat it as a reporting obligation. They are the firms that use it as a management tool. 

Done properly, the return can provide valuable insight into operational resilience, safeguarding effectiveness and governance quality. It can highlight weaknesses before they become regulatory issues and help firms build stronger control environments. 

The key question for firms is therefore not whether they can submit REP027. 

It is whether the data they submit genuinely demonstrates that customer funds are being protected in the way the FCA expects. 

That is ultimately what the FCA (and, indeed, the firm’s safeguarding auditor) will be assessing, and why it will be so important for firms to take the utmost care in completion of the REP027. 

How Complyport Can Help 

Complyport supports payment institutions and e-money firms in meeting the FCA’s evolving safeguarding expectations and reporting obligations. 

Our services include: 

• REP027 implementation and readiness reviews. 
• Safeguarding framework gap analyses. 
• CASS 15 compliance assessments. 
• Safeguarding audit preparation and remediation support. 
• Reconciliation process reviews and control testing. 
• Governance and Board reporting framework design. 
• Regulatory reporting quality assurance reviews. 
• Operational resilience and safeguarding control assessments. 
• Ongoing compliance advisory support. 

Whether you are preparing your first REP027 submission or enhancing your safeguarding governance framework, Complyport can provide practical and proportionate support tailored to your business. 

Contact Complyport today to book a meeting with one of our Subject Matter Experts and discuss how we can support your safeguarding and regulatory reporting obligations. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat