Home FCA Handbook SUP SUP 3A SUP 3A Annex 1 Auditor’s safeguarding report
You are viewing SUP 3A Annex 1 Auditor’s safeguarding report as of . SUP 3A Annex 1 Auditor’s safeguarding report was last updated on 07/05/2026.

SUP 3A Annex 1 Auditor’s safeguarding report

07/05/2026R

Independent auditor’s report on safeguarding to the Financial Conduct Authority in respect of [institution name], firm reference number [number], for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy

Part 1: Auditor’s Opinion on Safeguarding 

We report in respect of [institution name] (‘the institution’) on the matters set out below for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy] (‘the period’). 

Our report has been prepared as required by SUP 3A.9.1R and is addressed to the Financial Conduct Authority (‘the FCA’) in its capacity as regulator of payment institutions and electronic money institutions under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. 

Basis of opinion 

We have carried out such procedure as we considered necessary for the purposes of this report in accordance with [specify Standard/Guidance used] issued by the [specify organisation name]. 

This opinion relates only to the period and should not be seen as providing assurance as to any future position, as changes to systems or control procedures may alter the validity of our opinion. 

Opinion

In our opinion: 

[The institution has maintained] [Except for….the institution has maintained] [Because of….the institution did not maintain] systems adequate to enable it to comply with the relevant funds regime throughout the period since [the last date at which a report was made] [the institution was authorised or registered] [the institution became subject to SUP 3A.10 and we, its auditor, became subject to SUP 3A.9].*

[The institution was] [Except for…the institution was] [Because of….the institution was not] in compliance with the relevant funds regime as at the period end date.* 

Other matters 

The report should be read in conjunction with the Breaches Schedule that we have prepared and which is appended to it.

[Signature of the partner/individual with primary responsibility within the audit firm] [Typed name of signing individual

For and on behalf of [Name of the audit firm

[Registered office

[Date of report

 

Instructions for Part 1

* If the auditor expresses an adverse opinion (ie, states the institution ‘did not maintain…’ or ‘was not in compliance…’) they must set out the reasons why. This can be done by reference to items in columns A to D in Part 2 of the auditor’s safeguarding report.

If the auditor expresses a qualified opinion (ie, states that ‘except for …., the institution has maintained’ or that ‘except for …., the institution was in compliance’) they must do so by reference to items in columns A to D in Part 2 of the auditor’s safeguarding report.

 

07/05/2026R

Part 2: Identified breaches of the relevant funds regime that occurred during the period 

 

[Institution name], firm reference number [number], for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy

 

In accordance with SUP 3A.9.13R, Columns A to D are to be completed by and are the responsibility of the auditor. In accordance with SUP 3A.10.1G, Column E should be completed by the institution. The auditor has no responsibility for the content of Column E. 

 

Column A 

Column B 

Column C 

Column D 

Column E 

Item No. 

Regulation or Rule Reference(s) 

Identifying party 

Breach Identified 

Institution’s Comment 

 1 

 

 

 

 

  

 

 

 

 

Instructions for Part 2:

In Columns A to D of the above schedule, the auditor is to set out all the breaches of the relevant funds regime by the institution that occurred during the period subject to the auditor’s report. These must include the breaches the auditor has identified through its work (such as in the sample testing of reconciliations) and breaches identified by the institution or any other party (such as those included in the institution’s breaches register or identified by the FCA). In Column B, the auditor must specify the provision(s) in the Electronic Money Regulations 2011 or Payment Services Regulations 2017, and/or rule(s) in CASS 15 the breach relates to.

In relation to any breach identified, the auditor must provide in column D any information that it has as respects the severity and duration of the breach identified including, where relevant:

  1. (1) the number of times the breach occurred;

  2. (2) the longest duration of a single instance of the breach and the value of that instance;

  3. (3) the highest value of a single instance of the breach and the duration of that instance;

  4. (4) the average value of instances of the breach; and

  5. (5) the average duration of instances of the breach.

The value of a breach is the amount of any shortfall  caused by the breach, or the amount of any relevant funds affected or put at risk by the breach. 

The auditor must provide a ‘nil’ return for this part of the report where no breach of the relevant funds regime has been identified.

In Column E, the institution should set out any remedial actions taken (if any) associated with the breaches cited, together with an explanation of the circumstances that gave rise to the breach in question.