On 7 May 2026, the rules changed. Most people ordering their morning flat white did not notice. The coffee was the same temperature. The queue was the same length. The app worked exactly as it always had. But somewhere in a Canary Wharf legal department — or several — a compliance team was reading the same filing rather carefully, and trying to work out what it meant for a revenue line that had never, until now, attracted much regulatory attention.

The filing had a number. PS25/12. And it had an effective date.

There is a particular kind of quiet that falls over a boardroom when someone slides a regulatory instrument across the table.

Not a warning letter. Not an enforcement notice. Something more useful, and considerably more uncomfortable: a new set of obligations that apply to everyone in the room, effective immediately. The kind that arrives not with a bang but with the measured cadence of a consultation paper that has finally, after two years, become law.

PS25/12 — the FCA's Supplementary Safeguarding Regime — is described by the FCA itself as "the most significant set of changes to the safeguarding regime since its inception." It came into force on 7 May 2026. It was not aimed specifically at coffee chains. It did not need to be.

Because here is the thing about loyalty programmes. The ones operated by the major UK coffee chains — Costa, Starbucks, Pret, Caffè Nero — are not, in the strict sense, coffee businesses. They are, in regulatory terms, something closer to unregistered banks. Customers preload money. Balances accumulate. Funds sit on the chain's books, earning interest, providing float income, and occasionally — frequently, in fact — going unspent. The industry term for unspent customer balances is "breakage." In 2018, Starbucks reported $155 million in breakage income from its loyalty programme alone. That is not a rounding error. That is a revenue line.

The question the filing now places in front of every franchise chain is a simple one: are you holding customer funds? And if so — under what framework, exactly, are you doing that?

Regulation · PS25/12 · Effective 7 May 2026

FCA Supplementary Safeguarding Regime — key requirements

Requirement Applies when
Mandatory registrationRegister as e-money or payment institution before accepting funds Customer balance held >£0 at scale
Ring-fencing & segregationFunds in designated safeguarding account, separate from firm's own Immediately upon receipt of customer funds
Daily reconciliationShortfall must be remedied within one business day Every business day
4 more requirements — independent audit, winding-down plan, return of funds, Refueler position
Mandatory registration
What it means
Any firm holding customer funds above de minimis thresholds must register as an e-money or payment institution with the FCA before accepting funds.
Customer balance held >£0 at scale
Ring-fencing & segregation
What it means
Relevant funds must be held in a designated safeguarding account at an approved credit institution, strictly separated from the firm's own operational funds at all times.
Immediately upon receipt of customer funds
Daily reconciliation
What it means
Firms must reconcile safeguarded funds against outstanding customer liabilities daily. Any shortfall must be remedied within one business day.
Ongoing · every business day
Independent audit
What it means
Annual independent audit of safeguarding compliance is mandatory unless the firm held less than £100,000 across all relevant funds in any 53-week period.
Annual · exempt only if <£100k held in 53-week period
Winding-down plan
What it means
Firms must maintain a documented resolution plan setting out how customer funds would be returned in an insolvency or wind-down scenario, reviewed annually.
All in-scope firms
Return of funds on failure
What it means
PS25/12 introduces a statutory priority claim for e-money holders in insolvency — but only for firms that have correctly ring-fenced. Unregistered operators provide no statutory protection.
Registered & compliant firms only · no protection if unregistered
Refueler position
Our architecture
Refueler holds no customer float. Rewards are issued as ecash to the user's device at point of earning. No preloaded balance model. No safeguarding obligation arises.
Outside perimeter by architecture

The audit exemption is notable. A chain operating a loyalty programme at the scale of the major UK franchises will, in almost every case, have held well in excess of £100,000 in customer funds within any 53-week period. The exemption exists. It will not apply to them.

The FSCS position is worth stating plainly. If a major coffee chain were to fail, customer loyalty balances would not be protected by the Financial Services Compensation Scheme. Between Q1 2018 and Q2 2023, customers of failed payment and e-money firms recovered on average only 35p in every pound owed, and only after significant delay. The loyalty float is not, in this sense, particularly loyal.

The secondary question — the one with its own kind of quiet — is whether a chain whose loyalty programme has not been registered as an e-money institution is now operating outside the regulatory perimeter entirely. That is, legally speaking, its own kind of problem.

The investment thesis — why your coffee app is a data business

Before we reach the proposition, it is worth pausing on a question that has never quite been asked in plain English.

If a City of London coffee unit faces rent at £85–90 per square foot in Central London, and the industry net margin runs at around 8%, then a reasonable person might ask how the economics of being there — at that density, at that scale — make sense on coffee alone.

The honest answer is that the coffee is not the only product.

The loyalty app is the data infrastructure. Every tap — the Monday 7.20am Americano, the longer commute on Fridays, the changed routine in September — is being assembled, profiled, and passed to marketing technology platforms with considerably more commercial precision than the coffee has ever achieved.

Call the operation what it was — call it, for the purposes of this article, The Consortium — and the investment logic becomes clear. The Consortium raised $63.4 million. It built the loyalty and payment infrastructure behind a major UK coffee chain's app, embedded itself across 60 UK universities, and deployed at corporate locations including some of the most data-hungry financial institutions in the square mile. The investor list was not assembled by accident. It included a global telecoms conglomerate, a multinational payment network, and a major retail group with considerable interest in consumer behaviour at scale. These are not organisations that invest in coffee.

One of The Consortium's co-founders was explicit about the inspiration: the Tesco Clubcard's data analytics, combined with the Starbucks loyalty float, deployed across the broader retail market. The pitch was always exactly what it looked like — if you knew where to look.

The answer — in the Consortium's pitch deck, in the Starbucks annual report, in every loyalty programme operating at scale. The loyalty float funds the operation. The data is the return.

The Consortium was subsequently acquired. The coffee chain's app continues operating on the same infrastructure. The customer support address, for those who look, still routes to the original wallet domain.

Its public review record — accumulated over several years of service disruptions, expired vouchers, unresponsive support, and payment integrations that ceased working for weeks without acknowledgement — now functions as something close to a technical dossier. $63 million raised. Premium institutional partners. The finest loyalty data operation capital could buy.

Nero paper cards, as one reviewer noted, were a far better option.

The villain, in this story, is not the technology. The villain is surveillance capitalism with a loyalty card and a contactless reader. Capitalised accordingly. Reviewed accordingly.

Refueler is the product built after reading that dossier.

For the independent shop — the same question, differently posed

At the other end of the high street, the calculation looks entirely different.

The paper stamp card — nine coffees, one free, no data, no FCA registration, no monthly returns to anyone — carries none of the regulatory exposure described above. It also carries none of the infrastructure. No customer insight. No digital presence. No way to know whether the person who just claimed their free coffee visits every day or found the card on the pavement in February.

The paper stamp is honest. It is also, in a market where a competitor's app offers a personalised order, ambient awareness, and a reward denominated in actual money rather than a theoretical future coffee, quietly losing ground.

The question for the independent shop is not regulation. It is relevance.

Three models for the mint — a note for the technically interested

For the Bitcoin-native reader and the investor following the ecash landscape, the architecture question is the interesting one. Refueler's rewards are issued as sats via the Cashu ecash protocol. But who holds the ecash liability? The answer depends on which model is in operation.

Model (a) — Refueler operates its own mint. Full control over issuance and redemption of ecash tokens. Long-term, this is the direction of independent ecash infrastructure — particularly given work on enclave-based mint architecture, where the mint operator is structurally unable to access keys or inspect data processed inside it. This model is investor-attractive and architecturally elegant. FCA perimeter clarity is required before proceeding. Status: roadmap.

Model (b) — Mint partner. Refueler routes rewards through a preferred ecash mint partner, currently in development. Custody of the ecash liability sits with the mint. Refueler takes no ecash liability and no mint infrastructure responsibility. This is the launch model. Status: in development.

Model (c) — Shop-as-mint. The independent coffee shop issues its own Cashu tokens, redeemable in-store only. Closed loop. Fully private. No chain dependency. The paper stamp card, rebuilt in Bitcoin — and considerably harder to lose in a coat pocket. Status: in development.

The white-label proposition — stated honestly

Commercial · White-label proposition

Legacy loyalty scheme vs Refueler white-label — franchise cost / benefit

Legacy proprietary loyalty Refueler white-label
Setup &
build		 £500k–£2m+ for proprietary app build, loyalty engine, and payment integration. Ongoing rebuild cycles. White-label onboarding. No proprietary build cost. Integration at venue level.
Ongoing
ops		 Internal engineering, third-party analytics vendors, data broker relationships, consent management platform. Per-transaction commission only. No data vendor relationships. No consent management infrastructure required.
Regulatory
compliance		 FCA registration, daily reconciliation, annual safeguarding audit, winding-down plan. Significant legal cost. No float held. No FCA safeguarding obligation. No registration required.
Structurally outside perimeter
8 more dimensions — GDPR, float income, breakage, data monetisation, regulatory timing, customer segment
Costs
Setup & build
Legacy loyalty
£500k–£2m+ for proprietary app build, loyalty engine, and payment integration. Ongoing rebuild cycles.
Refueler
White-label onboarding. No proprietary build cost. Integration at venue level.
Ongoing ops
Legacy loyalty
Internal engineering, third-party analytics vendors, data broker relationships, consent management platform.
Refueler
Per-transaction commission only. No data vendor relationships. No consent management infrastructure.
Regulatory compliance
Legacy loyalty
FCA registration, daily reconciliation, annual safeguarding audit, winding-down plan. Significant legal and compliance cost.
Refueler
No float held. No FCA safeguarding obligation. No registration required. Structurally outside perimeter.
ICO / GDPR exposure
Legacy loyalty
Ongoing. Location data, third-party sharing, consent chains. Fine exposure up to £17.5m or 4% global turnover.
Refueler
Structurally minimal. No location data. No third-party pixel. No behavioural profile.
Revenue & margin
Float income
Legacy loyalty
Preloaded customer balances earn interest. Material at scale — Starbucks reported $155m breakage revenue (2018).
Refueler
None. No preloaded balance model. Acknowledged trade-off.
Breakage income
Legacy loyalty
Unspent balances and expired points captured as revenue. Industry average 10–15% of issued loyalty value.
Refueler
None. Sats issued at point of earning, held on-device. Cannot be expired or reclaimed.
Data monetisation
Legacy loyalty
Behavioural segments licensed to ad networks and data brokers. Est. £18–43/user/yr.
Refueler
Zero. No data to license. This is what the privacy architecture costs the merchant — and gains the customer.
Strategic position
Regulatory timing
Legacy loyalty
PS25/12 in force May 2026. ICO enforcement priority: location data and online tracking. Compliance cost rising.
Refueler
Architecture predates the filing. Regulatory clean hands from day one — not retrofitted.
Customer segment
Legacy loyalty
Broad. Includes loyalty-sceptics and data-aware users increasingly restricting permissions.
Refueler
Bitcoin-native City commuter. High spend, low churn. Not currently served by any competing app.

The costs to a major franchise chain of the Refueler white-label model are real and worth stating without euphemism. The chain loses its data operation — location history, behavioural profiles, purchase patterns. As the previous section makes clear, that is not a marginal commercial asset. It is what the $63 million was for.

It loses breakage. It loses float. It pays a per-transaction commission it does not currently pay.

What it gains is regulatory clean hands at precisely the moment the filing has arrived. Zero ICO exposure on loyalty data in a market where enforcement moves in one direction. A customer segment that has spent several years watching institutions treat its data as inventory — and adjusted its behaviour accordingly.

That segment does not redeem points. It does not forget to collect stamps. It does not leave a balance sitting long enough to become someone else's breakage income. It uses Bitcoin. It understands exactly what its data is worth. And it spends — consistently, daily, at the kind of per-transaction value that makes a City coffee unit's rent-to-revenue ratio considerably less alarming.

The proposition is not that Refueler is better. The proposition is that the regulatory environment has changed — and what was previously merely convenient is now, for the first time, also necessary.

What the filing confirmed, without meaning to

Consumer protection · FSCS

What happens to your money if the operator fails

35p Average recovery in the pound for customers of failed payment and e-money firms, Q1 2018 – Q2 2023, after significant delay. Source: Payment Systems Regulator.
Bank / savings account
FSCS protection
Up to £85,000 per person
Speed of recovery
7 business days (statutory target)
Regulatory framework
Prudential Regulation Authority · FSCS-backed deposit guarantee
Practical reality
Protected. Guaranteed. Insured by statutory scheme.
Loyalty app preloaded balance
FSCS protection
None
Speed of recovery
Months to years via insolvency process — if recovered at all
Regulatory framework
PS25/12 now requires ring-fencing for registered firms. Unregistered operators: unsecured creditor position.
Practical reality
35p in the pound, historically. No statutory guarantee scheme.
Refueler sats reward
Custody model
On-device ecash. User holds the token.
Operator failure impact
None. Ecash is bearer instrument. Refueler cannot freeze, reverse, or access user balances.
Regulatory framework
No float held by Refueler. No safeguarding obligation arises. FCA perimeter question under active review.
Practical reality
Yours from the moment of issuance. Not a promise — a technical fact.

† Average recovery figure: PSR Review of failed payment and e-money firms, 2018–2023. FSCS limit correct as at May 2026 (£85,000 per eligible depositor per authorised firm). PS25/12 statutory priority claim applies only to correctly ring-fenced, registered firms. Refueler ecash model subject to ongoing FCA perimeter review.

There is an unintentional honesty in what PS25/12 reveals about the existing model. Regulators do not create safeguarding requirements for industries in which customer money is not at risk. The supplementary regime exists because the previous framework was, in the FCA's own assessment, insufficient. The thing it was insufficient to protect is customer money — the same customer money that was, in the interim, earning float, generating breakage, and attracting eight-figure investment rounds from organisations with a professional interest in knowing where you buy your coffee and how often.

For most loyalty app users, none of this has been presented in plain English. The app works. The stamps accumulate. The coffee is the right temperature. It has not occurred to them — why would it? — that their preloaded balance sits structurally closer to an unsecured creditor position than a deposit account.

Refueler's architecture was in place before 7 May 2026. It was not built in response to the filing. It was built because holding customer money creates liability, and because the better architecture was to not hold it at all. No float. No breakage. No dossier.

The Consortium built the dossier. The filing found it.