
Safeguarding reconciliation is a solvency discipline

EMI and PI safeguarding under PSD2 Article 10, EMD2 Article 7 and FCA PS25/12 is a daily solvency discipline, not a periodic compliance task. The radar maps 15 control nodes, four named enforcement cases (BlueSnap, Foxpay, Biilz, Currency Matters) and six vendors across CBI, Bank of Lithuania and FCA evidence. Corebanq recused from ranking.

Cluster: Corebanq · Version 1.0.0

Safeguarding is often described as a compliance requirement. That framing is too narrow. For an electronic money institution or payment institution, safeguarding reconciliation is the daily proof that customer or payment-service-user liabilities are understood, that the protected asset position is identifiable, and that exceptions have not been allowed to become a hidden solvency gap.

PSD2 Article 10, EMD2 Article 7, the UK Payment Services Regulations 2017 and the UK Electronic Money Regulations 2011 all start from the same structural point: relevant funds are not ordinary working capital. They need a defined liability perimeter, a valid safeguarding method, segregation from other funds and records that can evidence the position. The UK post-PS25/12 regime now makes the operating cadence more explicit through CASS 10A, CASS 15, SUP 3A and SUP 16, including daily reconciliation, monthly safeguarding reporting, third-party due diligence, resolution packs and safeguarding audits. Primary sources: https://www.eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/16232, accessed 2026-05-09; https://eur-lex.europa.eu/eli/dir/2009/110/oj/eng, accessed 2026-05-09; https://www.legislation.gov.uk/uksi/2017/752/regulation/23/data.html, accessed 2026-05-09; https://www.legislation.gov.uk/uksi/2011/99/regulation/20, accessed 2026-05-09; https://www.fca.org.uk/firms/emi-payment-institutions-safeguarding-requirements, accessed 2026-05-09.

Corebanq is built and operated by Finray Technologies Ltd, the publisher of this graph. Corebanq is recused from any qualitative ranking. Inclusion is for completeness in the buyer-guide vendor universe under the editorial methodology at /intelligence/methodology/.

The control question is no longer monthly comfort

The weak version of safeguarding asks whether the finance team can explain the month-end balance. The supervisory version asks whether the firm can prove, without delay, what the safeguarded liability is, where the corresponding safeguarding asset sits, which flows are in settlement transit, and which exceptions need action.

That is why this radar separates the operating model into controls rather than treating safeguarding as a single policy. The graph uses account-designation, segregation, liability-scoping, daily-reconciliation, intraday-safeguarding-integrity, d-plus-1-comparison, books-and-records-at-any-time-no-delay, monthly-safeguarding-return, resolution-pack, annual-safeguarding-audit, governance-1st-2nd-line-separation, third-party-oversight, settlement-account-safeguarding-not-itself, concentration-risk-management and group-oversight as distinct nodes.

The separation matters. A firm can have a designated safeguarding account and still fail the daily reconciliation discipline. A firm can have a reconciliation process and still fail liability scoping. A firm can hold funds at a central bank settlement account and still lack a safeguarding method for funds held beyond the permitted settlement window. The EBA Q&A 2024_7165 and the Bank of Lithuania CENTROlink materials make that last point concrete: payment-system settlement access is not the same thing as a customer-fund safeguarding account. Primary sources: https://www.eba.europa.eu/single-rule-book-qa/qna/view/publicId/2024_7165, accessed 2026-05-09; https://www.lb.lt/en/centrolink, accessed 2026-05-09; https://www.lb.lt/uploads/documents/files/Rekomendaciju%20rastas%20MEPI%20ENG%202025.pdf, accessed 2026-05-09.

Named enforcement since 2024 makes the pattern concrete

The radar includes named entity nodes only where a primary source ties the case to a safeguarding or related control failure. The purpose is not to build a league table of failed firms. The purpose is to prevent the buyer conversation from staying abstract.

BlueSnap Payment Services Ireland Limited is mapped to account-designation, segregation, daily-reconciliation, liability-scoping and group-oversight because the Central Bank of Ireland enforcement action and settlement notice describe failures around designated safeguarding accounts, mixed funds, awareness, oversight and reconciliation. Primary sources: https://www.centralbank.ie/news/article/the-central-bank-takes-enforcement-action-against-bluesnap-payment-services-ireland-limited-for-safeguarding-failures, accessed 2026-05-09; https://www.centralbank.ie/docs/default-source/news-and-media/legal-notices/settlement-agreements/settlement-notice-enforcement-action-against-bluesnap-payment-services-ireland-limited-%28sanctions-confirmed-by-the-high-court%29.pdf?sfvrsn=48af671a_16, accessed 2026-05-09.

UAB Foxpay is mapped to segregation, daily-reconciliation, governance-1st-2nd-line-separation and group-oversight because the Bank of Lithuania revocation notice describes safeguarding, reconciliation, separation, management-information and internal-audit failures. Primary sources: https://www.lb.lt/en/news/lietuvos-bankas-revoked-uab-foxpay-licence-due-to-serious-and-systematic-breaches, accessed 2026-05-09; https://www.lb.lt/en/news/lietuvos-bankas-restricts-foxpay-activities-and-appoints-a-temporary-representative-to-supervise-the-activities, accessed 2026-05-09.

Biilz UK Ltd is mapped to account-designation, segregation and liability-scoping because the FCA Final Notice states that the firm had not taken adequate measures to safeguard electronic money holders’ funds and that proposed safeguarding arrangements were not acceptable where the account was not in the firm’s name. Primary source: https://www.fca.org.uk/publication/final-notices/biilz-uk-ltd-2024.pdf, accessed 2026-05-09.

Currency Matters Limited is included only as a supervisory-notice example, not as a final enforcement finding. It is mapped to segregation, liability-scoping, governance and books-and-records evidence because the FCA First Supervisory Notice raised safeguarding, own-funds, governance and customer-money evidence concerns. Primary sources: https://www.fca.org.uk/publication/supervisory-notices/first-supervisory-notice-currency-matters-limited.pdf, accessed 2026-05-09; https://www.fca.org.uk/news/news-stories/currency-matters-limited-enters-special-administration, accessed 2026-05-09.

What buyers should test in vendor due diligence

A safeguarding-aware ledger or payments-operations stack is not compliant by label. It earns relevance only if it gives compliance, finance, treasury, second line and engineering the same view of liabilities, assets and exceptions.

The practical buyer questions are direct. Can the platform produce the customer-liability population, the safeguarding requirement, the bank or safeguarded-asset comparison and the exception list from the same source of truth? Can it distinguish e-money, payment-service user funds, own funds, fees, refunds, chargebacks, returns, unallocated receipts and settlement-in-transit balances? Can it preserve evidence for the monthly safeguarding return, the annual safeguarding audit and a resolution pack without a manual reconstruction exercise? Can it show whether group treasury, third-party providers, safeguarding banks or settlement accounts are creating concentration, ownership or access risk?

Vendor claims should be read as due-diligence inputs, not as outsourcing of accountability. The graph therefore uses supports edges from vendors to controls only where official product or provider materials support the mapping. It does not use evidence-for edges for vendors unless a primary-source regulator publication names the vendor in the safeguarding context.

How to read the radar

The regulatory-anchor layer maps PSD2 Article 10, EMD2 Article 7, the UK PSRs, the UK EMRs, FCA PS25/12 and forward-looking PSD3 and PSR materials to the controls they impose or amplify. The supervisory-standard layer adds the EBA Q&A, FCA Approach Document, FCA portfolio and review materials, Bank of Lithuania letters and Central Bank of Ireland newsletter. The forensic layer anchors the pattern to BlueSnap, Foxpay, Biilz and Currency Matters. The vendor layer turns the control map into buyer due-diligence questions for Corebanq, Mambu, Tuum, Thought Machine, Modulr and ClearBank.

This radar should be read alongside four adjacent Finray Intelligence artefacts: /intelligence/eu-uk-pi-emi-core-banking/ for the broader core-banking buyer guide; /intelligence/emi-pi-licensing-success/ for the positive-control authorisation population; /intelligence/emi-pi-authorisation-withdrawals/ for the withdrawal-register population and status taxonomy; and /intelligence/dora-article-28-roi-tracker/ for regulator-side ICT third-party monitoring.

Editorial conclusion

The hard part of safeguarding is not writing a policy that says customer funds are protected. The hard part is building an operating model where the policy, ledger, payment flows, safeguarding accounts, third-party records, exception workflow, audit trail and governance escalation all say the same thing at the same time.

That is why reconciliation belongs in the solvency architecture. If the firm cannot prove the safeguarded liability and asset position under ordinary operating pressure, it should not assume it will be able to prove it under stress.

Layout: cose-radar · Nodes: 66 · Edges: 150 · Last reviewed: 2026-05-09 · Evidence cutoff: 2026-05-09 · Pending outreach: 1

Reference index

The interactive forensic graph above and the tables below cover the same population. The graph is for filtered exploration; the tables index every successful CASP record, every represented jurisdiction, and every pre-MiCA archetype as plain text — for search engines, citation tools and readers who prefer linear reading.

Forensic status categories assigned from the source documents (3)

The 3 regulatory classifications observable in the success population. Each row aggregates how many of the 4 records fall into that class. Counts are exact; class boundaries follow the source register's own institution-type field where possible and are editorial inferences only where the register does not expose the classification at row level.

Forensic status categories assigned from the source documents, as observed in the 4-record success population.

| Forensic status category | Description |
| --- | --- |
| Regulator-driven revocation | Status class for cancellation or revocation by a regulator under enforcement powers. |
| Enforcement fined | Status class for a completed enforcement action resulting in a monetary sanction. |
| Supervisory notice | Status class for a supervisory notice or intervention that is not treated here as a final enforcement outcome. |

Jurisdictions (3)

Home Member States represented in the success population. Volume is not a proxy for low or high standards — supervisory rigor is set by ESMA's authorisation briefing and applies irrespective of NCA. Use the count column as evidence of deal-flow gravity, not regulatory permissiveness.

Home jurisdictions with successful licensed-entity authorisations, with record counts.

| Jurisdiction | Records | Description |
| --- | --- | --- |
| United Kingdom | 4 | UK jurisdiction node for FCA-supervised firms and UK statutory instruments. |

Licensed entities (4)

Every successful record in the source register at the cut-off, grouped by home jurisdiction. Listing is editorial — record naming reflects the public source register and is not a recommendation. Status and service-scope columns are inferences from observable register fields, not legal opinions.

United Kingdom 4 records

Licensed entities with United Kingdom as home jurisdiction.

| Entity | Forensic status category | Scope | Website |
| --- | --- | --- | --- |
| Biilz UK Ltd | Regulator-driven revocation | forensic case | fca.org.uk |
| BlueSnap Payment Services Ireland Limited | Enforcement fined | forensic case | centralbank.ie |
| Currency Matters Limited | Supervisory notice | forensic case | fca.org.uk |
| UAB Foxpay | Regulator-driven revocation | forensic case | lb.lt |

Source: the source register, cut-off 2026-05-09. The full forensic pack — cleaned benchmark CSV and editorial classifications — is available under briefing scope; email partnership@finray.tech with the subject line "Forensic pack".

Regulators (8)

National Competent Authorities, supervisory authorities, and pan-EU European Supervisory Authorities indexed in this radar. Each row links to the regulator's primary-source URL with the date the source was last accessed. Listing is alphabetical by jurisdiction code; inclusion is editorial, not a directive. Volume of regulators per jurisdiction reflects the local supervisory architecture (single-supervisor vs sectoral split) and is not a quality signal.

Regulators indexed in this radar with their jurisdiction and primary-source URLs.

| Regulator | Jurisdiction | Scope | Primary source |
| --- | --- | --- | --- |
| Bank of Lithuania | public authority | Lithuanian competent authority with detailed EMI and PI safeguarding guidance and revocation evidence. | View source |
| Central Bank of Ireland | public authority | Irish competent authority for payment and e-money supervisory communications and enforcement. | View source |
| Council of the European Union | public authority | EU co-legislator publishing Council compromise texts for PSD3 and PSR. | View source |
| European Banking Authority | public authority | EU authority maintaining PSD2 single-rulebook interpretive material. | View source |
| European Commission | public authority | EU institution that proposed the PSD3 and PSR reform package. | View source |
| European Parliament and Council | public authority | EU co-legislators that adopted PSD2 and EMD2. | View source |
| Financial Conduct Authority | public authority | UK conduct regulator for payment and e-money firms. | View source |
| HM Treasury | public authority | UK government department responsible for payment-services and electronic-money regulations. | View source |

Regulatory anchors and supervisory standards

The legal instruments and supervisory standards an institution in this segment must satisfy. Each row links to the primary source — official journal page, supervisor circular, or standards body — with the date the source was last accessed.

Regulatory anchors and supervisory standards covered in this radar, with primary-source links.

| Anchor | Type | Scope | Primary source |
| --- | --- | --- | --- |
| EMD2 Article 7 | Regulation | EU safeguarding requirement for funds received in exchange for electronic money. | View source |
| PSD2 Article 10 | Regulation | EU safeguarding requirement for payment-service user funds. | View source |
| UK PSRs 2017 Regulation 23 | Regulation | UK safeguarding rule for authorised payment institutions. | View source |
| UK EMRs 2011 Regulations 20 to 22 | Regulation | UK safeguarding rule set for electronic-money institutions. | View source |
| FCA PS25/12 safeguarding regime | Regulation | FCA final policy statement introducing CASS 10A, CASS 15, SUP 3A and SUP 16 safeguarding rules. | View source |
| FCA CP24/20 safeguarding consultation | Regulation | Historical FCA consultation that preceded PS25/12 final rules. | View source |
| PSD3 proposal COM(2023) 366 | Regulation | European Commission proposal for a new directive on payment and e-money services. | View source |
| PSR proposal COM(2023) 367 | Regulation | European Commission proposal for a directly applicable EU payment-services regulation. | View source |
| Council PSD3 position ST 8222/26 | Regulation | Council compromise text for the PSD3 directive track. | View source |
| EBA Q&A 2024_7165 | Standard | EBA answer on whether a central-bank settlement account can itself be a safeguarding account. | View source |
| EBA peer review on PI and EMI authorisation | Standard | EBA peer-review evidence on authorisation scrutiny, governance and internal-control divergence. | View source |
| FCA Approach Document May 2026 | Standard | FCA Approach Document updated for the post-PS25/12 safeguarding regime. | View source |
| FCA payments portfolio letter 2023 | Standard | FCA portfolio letter raising safeguarding weaknesses in the payments sector. | View source |
| FCA payments portfolio letter 2025 | Standard | FCA 2025 supervisory priorities letter for payments firms. | View source |
| FCA payments report 2026 | Standard | FCA payments-sector report with safeguarding context for EMIs and PIs. | View source |
| FCA risk management and wind-down multi-firm review | Standard | FCA multi-firm review on risk management and wind-down planning in e-money and payments firms. | View source |
| Bank of Lithuania Dear CEO letter 2022 | Standard | Bank of Lithuania supervisory letter on fintech risk management and licensed activities. | View source |
| Bank of Lithuania 2025 prudential letter | Standard | Bank of Lithuania 2025 recommendation letter on EMI and PI prudential requirements. | View source |
| Bank of Lithuania CENTROlink safeguarding guidance | Standard | Bank of Lithuania explanation that CENTROlink does not offer customer-fund safeguarding accounts. | View source |
| CBI Payment and E-Money Newsletter Issue 1 December 2025 | Standard | Central Bank of Ireland newsletter focusing on safeguarding, governance and risk themes. | View source |

Controls

The control domains those regulatory anchors require. Each control sits at the intersection of one or more regulations and one or more vendor products that implement it.

Control domains required by the regulatory anchors above.

| Control | What it covers |
| --- | --- |
| Account designation | Safeguarding accounts must be identifiable as safeguarding accounts rather than ordinary operating accounts. |
| Daily reconciliation | Daily reconciliation compares safeguarded liability records with safeguarding assets and bank or settlement evidence. |
| Intraday safeguarding integrity | Intraday safeguarding integrity keeps liability, ledger and asset movements visible before the formal day-end comparison. |
| Segregation | Relevant funds must be kept separate from other funds and protected from commingling. |
| Liability scoping | The firm must know which balances are relevant funds and which are outside the safeguarding liability. |
| Books and records at any time without delay | Books and records must let the firm identify relevant funds and safeguarding positions without operational delay. |
| D+1 comparison | Funds still held by the end of the business day after receipt must be placed or protected through the safeguarding method. |
| Monthly Safeguarding Return | UK firms must be able to report safeguarding information monthly under the post-PS25/12 reporting regime. |
| Resolution pack | A resolution pack preserves the records and access information needed to return funds or support administration. |
| Annual safeguarding audit | Safeguarding audit evidence tests whether controls operate, not only whether policy wording exists. |
| First and second line separation | Safeguarding governance requires clear ownership, challenge and escalation between operations and control functions. |
| Third-party oversight | Safeguarding depends on controlled relationships with banks, custodians, insurers, payment systems and outsourcing providers. |
| Settlement account not safeguarding itself | A settlement account or payment-system balance is not automatically a compliant safeguarding method. |
| Concentration risk management | Safeguarding design must monitor exposure to banks, asset providers, jurisdictions and operational dependencies. |
| Group oversight | Group arrangements must not obscure customer-fund ownership, bank-account control or safeguarding responsibility. |

Vendors and products

Named vendors active in this control space and the specific products each ships. Listing is alphabetical within the graph's evidence set; inclusion is editorial, not commercial, and is not a recommendation. Finray Technologies Ltd ships products in this space and is recused from any ranking — see the methodology page for the conflict-of-interest framework.

Vendors and the specific products each ships into this control space.

| Vendor | Description | Products |
| --- | --- | --- |
| Finray Technologies Ltd (recused from ranking) | Vendor of Corebanq, the Finray core banking product included under recusal. | Corebanq: Finray core banking product included under conflict-of-interest recusal. |
| Mambu | Vendor of composable cloud banking and payments software. | Mambu Payments: Mambu payments product with public reconciliation-automation materials. |
| Tuum | Vendor of a modular core banking and payments platform. | Tuum Core Banking Platform: Tuum modular platform covering accounts, payments and settlement integrations. |
| Thought Machine | Vendor of Vault Core and Vault Payments. | Vault Core and Vault Payments: Thought Machine core ledger and payments products represented as a paired operating surface. |
| Modulr | UK and EU payments infrastructure provider with published safeguarding information. | Modulr Payments Automation Platform: Modulr payments infrastructure and automation platform. |
| ClearBank | UK and EU clearing, embedded banking and safeguarding-account infrastructure provider. | ClearBank Clearing and Embedded Banking: ClearBank clearing, account and embedded-banking infrastructure. |