What It Is
The Senior Management Arrangements, Systems and Controls sourcebook (SYSC) is the FCA's rulebook for how regulated firms should be organised and governed. It sets out the minimum standards for governance structures, compliance arrangements, risk management frameworks, internal controls, record-keeping, and outsourcing. If SM&CR tells you who is accountable, SYSC tells you what they must build and maintain.
SYSC applies to all FCA-authorised firms, though the depth and complexity of what is required varies with the nature, scale, and complexity of the business. The sourcebook is structured around several core areas: SYSC 4 covers general organisational requirements, including governance, business continuity, and accounting. SYSC 5 addresses employees, competence, and training. SYSC 6 deals with compliance, internal audit, and financial crime. SYSC 7 covers risk management. SYSC 8 addresses outsourcing. SYSC 9 sets out record-keeping requirements. SYSC 10 covers conflicts of interest.
SYSC is not a standalone obligation. It underpins virtually every other area of FCA regulation. When the FCA investigates a conduct failure — whether in consumer credit, investment advice, or insurance — it almost always traces the root cause back to a SYSC deficiency: inadequate governance, insufficient compliance monitoring, poor risk management, or defective controls. SYSC failures rarely make headlines on their own, but they are present in nearly every enforcement case.
Why the FCA Cares
The FCA's supervisory model is built on the premise that well-governed firms with effective systems and controls are less likely to cause harm. SYSC is the regulatory expression of that premise. When the FCA assesses a firm — whether through routine supervision, thematic reviews, or enforcement investigation — it evaluates the firm's organisational infrastructure as a leading indicator of conduct risk.
The regulator has consistently found that the firms causing the most harm are not those with deliberately bad intentions but those with inadequate systems and controls. Mis-selling scandals, client money failures, market abuse, and AML breaches are overwhelmingly the product of governance failures — boards that do not challenge, compliance functions that lack authority, risk frameworks that exist on paper but not in practice.
The FCA uses SYSC as both a diagnostic and a remedial tool. Diagnostically, SYSC failings explain how harm occurred. Remedially, the FCA requires firms to strengthen their systems and controls as a condition of continuing to operate. Voluntary Requirements, Own Initiative Requirement Powers, and Section 166 reviews frequently target SYSC deficiencies.
Since Consumer Duty, the FCA has explicitly linked SYSC to outcome delivery. A firm cannot deliver good outcomes without the governance infrastructure to monitor, identify, and act on poor outcomes. SYSC provides the structural foundation on which Consumer Duty sits.
Who It Affects
SYSC applies to every FCA-authorised firm. There is no exemption based on size, sector, or business model. A sole-trader IFA is subject to SYSC just as a global investment bank is — though what constitutes adequate systems and controls for each will differ enormously.
The FCA applies proportionality: what is expected of a firm depends on the nature, scale, and complexity of its activities and the risks inherent in its business model. A small insurance broker will not need the same compliance monitoring programme as a major wealth manager. But the principle is the same: every firm must have systems and controls that are adequate for its business.
Firms that rely on appointed representatives face heightened SYSC obligations. The principal firm must have systems and controls sufficient to oversee all AR activity, and the FCA has been intensely critical of principals whose oversight arrangements are inadequate. The FCA's multi-firm review of the AR model found widespread SYSC failures and has led to significant tightening of expectations.
Firms that outsource critical functions face specific SYSC 8 requirements. The growing use of outsourced compliance, IT, and operational services has made SYSC 8 one of the most practically important parts of the sourcebook.
What Firms Get Wrong
The most fundamental failure is treating SYSC as a documentation exercise. Firms produce compliance monitoring plans, risk registers, and governance frameworks that look appropriate on paper but do not reflect how the firm actually operates. The FCA has repeatedly found firms where the compliance monitoring plan exists in a drawer, governance committees meet infrequently or without meaningful agendas, and risk registers are populated once and never updated.
The second common failure is under-resourcing the compliance function. SYSC 6.1 requires firms to maintain a compliance function that is effective. Effectiveness requires sufficient authority, resource, and access to information. Firms that appoint a compliance officer but give them no time, no budget, and no board access have not satisfied SYSC. The FCA has been particularly critical of firms where the compliance officer also holds a revenue-generating role, creating an inherent conflict of interest.
Third, firms fail to maintain adequate management information. SYSC requires firms to have sufficient information to manage their business and identify emerging risks. Many firms collect data but do not analyse it, or analyse it but do not escalate findings, or escalate findings but do not act. The chain from data collection to board action must be unbroken.
Fourth, conflicts of interest management under SYSC 10 is often superficial. Firms maintain conflicts registers but do not meaningfully assess whether conflicts are managed or merely recorded. The FCA expects firms to identify conflicts, assess their materiality, implement controls to manage them, and monitor whether those controls are effective.
Finally, business continuity under SYSC 4 is frequently inadequate. Firms have business continuity plans that have never been tested, do not reflect current operations, or do not address the scenarios most likely to disrupt the business. The COVID-19 pandemic exposed these weaknesses across the sector.
What Evidence the FCA Expects
The FCA expects a documented governance framework showing reporting lines, committee structures, and decision-making authority. Board and committee minutes should demonstrate meaningful discussion of risk, compliance, and conduct matters — not rubber-stamping of pre-prepared reports.
Compliance monitoring plans must be risk-based, covering all regulated activities on a proportionate cycle. Monitoring reports should identify findings, assess their severity, and track remediation to completion. The FCA will want to see that findings lead to action, not just documentation.
Risk management evidence includes a current risk register, risk appetite statements, risk assessment methodologies, and evidence that risks are reviewed and updated regularly. The FCA expects risk management to be forward-looking, incorporating emerging risks and horizon scanning — not merely cataloguing known issues.
Record-keeping must satisfy SYSC 9 requirements: records must be sufficient to enable the FCA to monitor compliance and to reconstruct transactions and business decisions. The FCA has specified minimum retention periods for various record types, and firms must demonstrate that records are accessible, complete, and accurate.
For outsourcing, the FCA expects documented due diligence, contracts that include appropriate regulatory provisions (including FCA access rights), ongoing monitoring of service provider performance, and tested exit plans.
Good Implementation
A well-governed firm treats SYSC as operational infrastructure, not regulatory paperwork. The governance framework reflects how the firm actually makes decisions. Committees have clear terms of reference, meet regularly, receive useful MI, and make recorded decisions that are followed through.
The compliance function has genuine independence and authority. The compliance officer has direct board access, a budget proportionate to the firm's risk profile, and the ability to challenge business decisions without fear of reprisal. Compliance monitoring is genuinely risk-based: higher-risk activities and areas with previous findings receive more attention.
Risk management is embedded in business processes. Risk assessments are conducted before launching new products or entering new markets. The risk register is a living document that is updated as the business changes. Risk appetite is defined, understood by the board, and used as a basis for decision-making.
Conflicts of interest are identified proactively, assessed honestly, and managed through structural controls — not merely disclosed. Where conflicts cannot be managed, the firm avoids the conflicted activity.
Staff competence under SYSC 5 is maintained through structured training and assessment. Training records are complete, competence is assessed meaningfully, and gaps are addressed through targeted development.
How Our Tool Helps
The MEMA SM&CR navigator includes a governance mapping module that helps firms document and maintain their SYSC arrangements. It provides templates for compliance monitoring plans, risk registers, and governance frameworks that align with FCA expectations and can be customised to your firm's specific activities.
The tool tracks compliance monitoring activities against your plan, flags overdue reviews, and maintains a central record of findings and remediation actions. This gives you a real-time view of your compliance monitoring programme and produces the audit trail the FCA expects to see.
Risk register functionality allows you to maintain a dynamic risk register with configurable risk categories, scoring methodologies, and review cycles. The tool generates MI reports showing risk trends, overdue assessments, and areas requiring board attention.
How Our Service Helps
Our compliance outsourcing service provides the expertise and resource that many firms lack in-house. We design and deliver compliance monitoring programmes tailored to your firm's regulatory permissions, business model, and risk profile. Our reviews are conducted by practitioners who understand what the FCA looks for and how supervisors assess systems and controls.
For firms preparing for FCA supervisory engagement — whether a periodic summary meeting, a thematic review, or a Section 166 — we provide targeted preparation. We conduct a mock review of your SYSC arrangements using the FCA's own assessment framework, identify gaps, and help you remediate before the regulator arrives.
We also provide governance advisory services for firms undergoing change: mergers, acquisitions, new authorisations, or business model shifts. These are the moments when SYSC arrangements are most likely to be tested and found wanting. Getting the governance structure right from the outset is significantly less expensive than remediating failures after the FCA has identified them.
Relevant Sectors
Wealth management firms face among the most demanding SYSC requirements due to the complexity of their activities. Investment suitability, client money, conflicts of interest, and financial promotions all require robust systems and controls. The FCA has focused particularly on whether wealth firms' governance arrangements provide adequate oversight of investment decision-making and adviser conduct.
Payment services firms and e-money issuers operate in a sector where the FCA has identified widespread SYSC deficiencies. Rapid growth, reliance on agents and distributors, and the complexity of safeguarding requirements create a challenging control environment. The FCA has used SYSC as the basis for significant supervisory interventions in the payments sector.
Insurance brokers face SYSC challenges around conflicts of interest (particularly commission arrangements), client money handling, and oversight of appointed representatives. The FCA's multi-firm review of the AR model has placed particular scrutiny on brokers' SYSC arrangements for AR oversight. Firms that have grown their AR networks without corresponding investment in oversight infrastructure are most exposed.
Across all sectors, the firms at greatest SYSC risk are those that have grown faster than their governance infrastructure. A firm that has doubled in size, launched new products, or expanded into new markets without proportionately strengthening its systems and controls is operating with a structural vulnerability that the FCA will identify.
Frequently Asked Questions
What is the relationship between SYSC and SM&CR?
SYSC provides the organisational framework within which SM&CR operates. SM&CR allocates individual accountability; SYSC sets the standards for the systems, controls, and governance structures that those individuals must oversee. A firm can have perfect SM&CR documentation but still breach SYSC if its underlying systems and controls are inadequate. The FCA assesses both together — individual accountability is meaningless without the organisational infrastructure to support it.
Does SYSC require firms to have a separate compliance function?
SYSC 6.1 requires firms to establish and maintain adequate policies and procedures to detect the risk of failure to comply with regulatory obligations. For most firms, this means having an identifiable compliance function, though the FCA accepts that in smaller firms this may be a named individual rather than a dedicated department. What matters is that the function has sufficient authority, resources, and independence to be effective. A compliance officer who is routinely overruled or under-resourced does not satisfy SYSC.
How often should a firm review its systems and controls?
SYSC does not prescribe a fixed review cycle, but the FCA expects systems and controls to be reviewed at least annually and whenever there is a material change to the business — such as new products, new markets, organisational restructuring, or a significant incident. In practice, the most effective firms conduct rolling reviews, with each control area assessed on a risk-based cycle. Annual compliance monitoring plans should set out the review schedule.
What does SYSC require for outsourcing arrangements?
SYSC 8 sets out detailed requirements for outsourcing, particularly for critical or important operational functions. Firms must conduct due diligence on service providers, maintain appropriate contractual arrangements, ensure effective oversight, and have contingency plans. Crucially, outsourcing the activity does not outsource the regulatory responsibility — the firm remains fully accountable for the outsourced function's compliance with regulatory standards.