SM&CR Regime Overview: Structure, Tiers, and Regulatory Expectations

A high-level guide to the Senior Managers and Certification Regime covering its background, three-tier structure (enhanced, core, limited scope), interaction with SYSC and FIT, and practical implementation expectations for UK-regulated firms.

By MEMA Regulatory Team

What It Is

The Senior Managers and Certification Regime (SM&CR) is the FCA's framework for individual accountability within regulated firms. It was introduced in response to the financial crisis, where diffuse governance structures made it nearly impossible to hold specific individuals to account for failures that caused significant harm. SM&CR replaced the Approved Persons Regime (APER) and came into force for banks and PRA-designated investment firms in March 2016, extending to all solo-regulated FCA firms in December 2019.

SM&CR has three pillars. The Senior Managers Regime requires firms to identify individuals performing Senior Management Functions (SMFs) and obtain FCA pre-approval for each appointment. Every Senior Manager must have a Statement of Responsibilities defining their areas of accountability. The Certification Regime requires firms to identify employees who could cause significant harm to the firm or its customers, assess their fitness and propriety, and issue annual certificates confirming they are fit to perform their role. The Conduct Rules are a set of individual standards of behaviour that apply to virtually all employees, not just senior managers and certified staff.

The regime operates across three tiers — enhanced, core, and limited scope — with requirements scaled according to the firm's size, complexity, and risk profile. This tiered approach means that a large investment bank faces far more prescriptive requirements than a sole-trader IFA, but both are subject to the same underlying accountability framework. SM&CR interacts closely with SYSC (the Systems and Controls sourcebook, which sets out governance expectations) and FIT (the Fitness and Propriety requirements, which define the criteria for assessing individuals).

Why the FCA Cares

SM&CR exists because the FCA — and its predecessor, the FSA — concluded that regulating firms without being able to hold individuals accountable was fundamentally ineffective. The financial crisis of 2007-2008 demonstrated this vividly. Firms made catastrophic decisions, but no individual could be identified as responsible. The Parliamentary Commission on Banking Standards found that governance structures were deliberately designed to diffuse accountability, making it impossible to establish who knew what and who should have acted.

The FCA's theory of change behind SM&CR is straightforward: individuals who know they are personally accountable will behave differently. They will invest more in understanding the risks in their areas of responsibility, maintain better oversight, challenge more rigorously, and escalate concerns rather than suppress them. SM&CR is designed to change culture from the top down.

The regime also gives the FCA an enforcement tool it previously lacked. Under the duty of responsibility (section 66B FSMA), a Senior Manager can be held personally liable for a regulatory contravention in their area of responsibility unless they can demonstrate they took reasonable steps to prevent it. This shifts the practical burden: the FCA identifies the contravention and the area of responsibility, and the Senior Manager must show what they did. The FCA has used this power in enforcement cases and has made clear it will continue to do so.

SM&CR also serves as a gateway control. The FCA assesses every proposed Senior Manager before they take up their role, applying the FIT criteria covering honesty, competence, and financial soundness. This allows the regulator to prevent unsuitable individuals from occupying positions of influence within the financial system.

Who It Affects

SM&CR applies to virtually all FCA-authorised firms, but the depth of obligation varies by tier.

Enhanced firms face the most extensive requirements. This tier includes significant IFPRU firms, CASS large firms, and firms that exceed specified thresholds for revenue, assets under management, or number of approved persons. Enhanced firms must produce a comprehensive responsibilities map showing how accountability is distributed across the senior management team. They must allocate a wider set of prescribed responsibilities, including responsibilities for financial crime, culture, and the management of information systems. Senior Managers' Statements of Responsibilities must be detailed and are subject to closer FCA scrutiny.

Core firms — the majority of FCA solo-regulated firms including most independent financial advisers, insurance brokers, consumer credit firms, and payment services firms — face a proportionate but meaningful set of requirements. They must identify and obtain approval for their Senior Management Functions (typically SMF1, SMF3, SMF16, and SMF17 as a minimum), allocate prescribed responsibilities, identify certification functions, and apply the conduct rules to all staff. Core firms are not required to produce a responsibilities map, but the FCA recommends it as good practice.

Limited scope firms have the lightest obligations. This category includes sole traders with limited permissions, limited permission consumer credit firms, and certain other firms with restricted activities. They are subject to fewer prescribed responsibilities and a smaller set of SMF designations, but the conduct rules still apply and the duty of responsibility still operates.

The interaction with SYSC is significant at all three tiers. SYSC 4 requires firms to have robust governance arrangements, including a clear organisational structure with well-defined, transparent, and consistent lines of responsibility. SM&CR operationalises this requirement by mandating that specific individuals are named as accountable for specific areas.

What Firms Get Wrong

The most fundamental error is treating SM&CR as a compliance project with a completion date. Firms invested significant effort in implementation — mapping functions, preparing Statements of Responsibilities, identifying certification populations, rolling out conduct rules training — and then stopped. SM&CR is not a one-off exercise; it is a continuous governance obligation. Statements of Responsibilities must be updated when roles change. Certification assessments must be conducted annually. Conduct rules training must be refreshed. The responsibilities map must reflect current reality.

Many firms have Statements of Responsibilities that no longer match how the firm actually operates. Restructures, departures, new hires, and changes in business direction have all occurred since implementation, but the SM&CR documentation has not kept pace. When the FCA asks to see current Statements of Responsibilities, the gap between documentation and reality is immediately apparent.

Tier misunderstanding is another common problem. Firms that have grown since SM&CR implementation may have crossed the threshold from core to enhanced without recognising it. The additional requirements — particularly the responsibilities map and expanded prescribed responsibilities — are not automatically triggered; the firm must self-assess and implement accordingly.

Firms also underestimate the scope of the certification regime. Identifying all certification functions requires a careful analysis of each role against the criteria in SYSC 27. Roles that involve significant management responsibility, client dealing, algorithmic trading, or the ability to cause significant harm to the firm or its customers are all potentially within scope. Firms that have not conducted a thorough role-by-role assessment frequently have gaps.

The conduct rules are too often treated as a training exercise rather than a behavioural framework. Firms deliver training at induction and then do not revisit it. There is no monitoring for potential breaches, no process for investigating alleged breaches, and no disciplinary framework that connects conduct rule expectations to employment outcomes.

What Evidence the FCA Expects

The FCA expects current, accurate Statements of Responsibilities for every Senior Manager. These must clearly delineate areas of accountability, be consistent with each other (no gaps or overlaps), and reflect the firm's actual governance structure. For enhanced firms, the responsibilities map must provide a comprehensive picture of how accountability is allocated.

Certification records must demonstrate an annual cycle: identification of all certification functions, fitness and propriety assessment using the FIT criteria (honesty/integrity/reputation, competence/capability, financial soundness), evidence of the assessment, and issuance of certificates with clear validity periods. Records must show that assessments are substantive — a signed declaration alone is insufficient.

Conduct rules training records must cover all in-scope staff, with evidence of initial training at induction and periodic refresher training. A conduct rules breach register must record all reported or identified breaches, the investigation conducted, and the outcome. Regulatory reference records must be maintained for all Senior Managers and certified persons for six years.

Governance evidence must show SM&CR as a standing item in board and committee discussions. The FCA will look for evidence that the board monitors SM&CR compliance, reviews Statements of Responsibilities, and ensures that departures and appointments are managed without gaps in accountability.

Good Implementation

A firm with strong SM&CR implementation has made accountability part of its operating DNA. Senior Managers do not need to consult their Statement of Responsibilities to know what they are accountable for — it is reflected in how they spend their time, what MI they review, and what decisions they make. They maintain contemporaneous evidence of oversight: attendance records, action logs from committee meetings, escalation decisions, and challenge of MI.

The firm has a clear process for managing SM&CR through change. When a Senior Manager departs, a handover protocol ensures continuity of oversight with no gap period. When the firm restructures, Statements of Responsibilities are updated before the change takes effect. When new business lines are launched, the governance implications are assessed and SM&CR documentation is updated.

Certification assessments are meaningful. They draw on multiple data sources — performance reviews, complaints data, conduct rule breach records, competence assessments, and regulatory reference history. Where concerns are identified, the firm investigates before deciding whether to certify. The firm has declined to re-certify individuals where the evidence does not support it.

The conduct rules are embedded in culture. Staff understand not just the rules themselves but the behavioural standards they represent. Managers model the conduct expected and address potential breaches promptly. The firm's disciplinary framework references conduct rule expectations.

How Our Tool Helps

The MEMA SM&CR navigator is a digital governance platform that manages your entire SM&CR obligation across all three pillars. For the Senior Managers Regime, it maintains live Statements of Responsibilities and responsibilities maps, alerts you when updates are required, and provides version control with a full audit trail.

For the Certification Regime, the tool manages the annual cycle: tracking certificate expiry dates, prompting fitness and propriety assessments, capturing assessment evidence against FIT criteria, and generating certificates. It flags overdue assessments and provides MI on your certification population.

For the Conduct Rules, the tool records training delivery and completion, manages the breach register, and tracks the investigation and resolution of reported breaches. It provides reporting that demonstrates to the FCA that your conduct rules framework is active and substantive.

The tool automatically identifies your firm's SM&CR tier based on your permissions and size metrics, and alerts you if your firm approaches a tier boundary.

How Our Service Helps

Our SM&CR implementation service covers the full lifecycle of SM&CR governance. For firms implementing SM&CR for the first time or firms that recognise their arrangements have lapsed, we conduct a structural review that maps your governance arrangements against regulatory expectations, identifies gaps, and delivers a practical remediation plan.

We provide independent SM&CR health checks — a detailed assessment of your current arrangements that tests whether your Statements of Responsibilities are accurate, your certification regime is robust, and your conduct rules framework is operational. This is particularly valuable ahead of a supervisory visit or when the FCA has signalled sector-wide SM&CR reviews.

For firms navigating SM&CR events — onboarding new Senior Managers, managing departures, conducting handovers, or preparing for FCA interviews — we provide hands-on support informed by direct experience of how the FCA approaches these situations.

Relevant Sectors

Wealth management firms typically have the most complex SM&CR structures. Multiple Senior Managers, large certification populations (including investment advisers, portfolio managers, and dealing staff), and intricate governance arrangements create significant compliance overhead. The FCA has focused on whether wealth firms' SM&CR arrangements adequately capture oversight of investment suitability, client money, and conflicts of interest.

Insurance brokers face particular challenges around the certification regime. Client-facing staff who arrange, advise on, or manage insurance contracts frequently meet the significant harm function criteria. Firms with appointed representative networks must also ensure that SM&CR arrangements address AR oversight — a specific area of FCA focus, with the regulator questioning whether principal firms' Senior Managers have adequate visibility of AR conduct.

Payment services firms, particularly those that have grown rapidly, often find that their SM&CR arrangements have not kept pace with their business. The FCA has highlighted concerns about governance in the payments sector, where agile, technology-led business models can outgrow the compliance infrastructure originally put in place. These firms must ensure that growth in staff, transaction volumes, and product complexity is matched by corresponding investment in SM&CR governance.

Frequently Asked Questions

What are the three tiers of SM&CR and how is a firm categorised?

The three tiers are enhanced, core, and limited scope. Enhanced firms are the largest and most complex — including significant IFPRU firms, CASS large firms, and firms with assets under management above specified thresholds. Core firms are the majority of solo-regulated firms including most IFAs, brokers, and consumer credit firms. Limited scope firms have the lightest obligations and include sole traders, limited permission consumer credit firms, and certain other firms with restricted activities. The FCA assigns the tier based on the firm's permissions, size, and activities.

How does SM&CR interact with the FIT (Fitness and Propriety) requirements?

FIT sets out the criteria the FCA uses to assess whether an individual is fit and proper to perform a controlled function. Under SM&CR, FIT applies to Senior Management Function applications (assessed by the FCA) and to Certification Function assessments (assessed by the firm). The three elements of FIT are honesty, integrity, and reputation; competence and capability; and financial soundness. Firms must apply FIT criteria when conducting annual certification assessments and when providing regulatory references.

What is the duty of responsibility and does it apply at all three tiers?

The duty of responsibility (section 66B FSMA) means a Senior Manager can be held personally liable for a regulatory contravention in their area of responsibility if they did not take reasonable steps to prevent it. It applies at all three tiers — enhanced, core, and limited scope — wherever a firm has individuals holding Senior Management Functions. The standard is reasonable steps, not perfection, but the burden is on the Senior Manager to demonstrate what steps they took.

Can a firm be reclassified between SM&CR tiers?

Yes. Firms can move between tiers as their business evolves. A core firm that grows beyond the enhanced threshold criteria will become an enhanced firm and must meet the additional requirements — including a full responsibilities map and expanded prescribed responsibilities. Conversely, a firm that reduces in size may move from enhanced to core. The FCA monitors tier classification as part of its ongoing supervision and will notify firms of reclassification.
