The PDF server is offline. Please try after sometime.

At a time when the Government and regulators are usually in holiday mode, the FCA has published its long-awaited proposals for the extension to all FCA authorised firms of the rules on the senior managers and certification regime.  In general, the FCA has taken a pragmatic approach given the very large number of firms involved.  What is slightly surprising is that it has kept most of the key elements of the existing regime in its proposed rules (drastically increasing its own regulatory burden), while lightening the load for most solo (FCA) regulated firms.  For FCA authorised firms, the key is to work out whether you are an "enhanced regime" firm, which bears a much closer resemblance to the existing banking SM&CR rules, or you are a baseline "core regime" firm.  However, all firms will need to make changes to their compliance and HR systems and procedures if they are to comply with the rules by the 2018 deadline.  The exact date for implementation remains unknown, but it is likely to be later in 2018 to accommodate the practicalities of finalising the new rules.  The shift from the regulator to the firm in how senior managers and certified individuals are assessed as fit and proper is only the tip of the iceberg, there is lots more work to do.  But it seems that the FCA will work with industry to get this right.

Background and brief reminder

SM&CR rules currently apply to banks, PRA investment firms and some insurers and have been in place since 7 March 2016. The Government announced in 2015 that all regulated firms will be subject to SM&CR from 2018 which has led the FCA to produce proposals for the extension of the regime. This extension means that all 47,000 FCA regulated firms will now be caught.

Senior Managers Regime The rules for Senior Managers cover certain individuals who are subject to approval by the regulator. Under the FCA's proposals, all FCA authorised firms should have at least one Senior Manager. The FCA has set out the senior management functions (SMFs) which will apply to firms. A firm does not need to have a Senior Manager for every SMF the FCA has listed, but if there is an individual who is performing a role which constitutes a SMF, then they will be a Senior Manager and will require FCA approval as such. For certain types of firms, the list of SMFs is more extensive (although not as extensive as for banks, PRA investment firms and certain insurers).
Certification Regime The Certification Regime requires firms to assess the fitness and propriety of certain employees who, by virtue of their role, could pose a risk of significant harm to the firm or any of its customers. This moves the onus from the regulator to firms themselves to conduct the fitness and propriety checks on individuals performing Certification Functions (as well as for Senior Managers and NEDs).
Conduct Rules These rules relate to professional conduct rather than conduct of business. They apply not only to those individuals caught by both the Senior Managers regime and the Certification Regime but also to all of a firm's employees other than ancillary staff. This excludes only a very narrow group of people such as cleaners, caterers, security guards etc. For most people working in financial services firms, these rules will apply. There is also a requirement on the firm to report any breaches of these rules to the regulator.


Classification of firm

The FCA has always hinted that it will take a proportionate approach to the roll out of the SM&CR rules to solo-regulated firms. In this respect, they haven't disappointed. The FCA has created three new classifications of firms: Enhanced firms which, will be subject to requirements more akin to the banking SM&CR rules; Core firms (which will comprise the majority) who will be subject to baseline requirements, and Limited Scope firms who will be subject to a "SM&CR-lite" approach.

Significant investment (IFPRU) firms All other FCA solo regulated firms not caught as an Enhanced firm or limited scope firm. Limited permission consumer credit firms
Firms that are CASS Large firms Sole traders
Firms with assets under management of £50billion or more Authorised professional firms whose only regulated activities are in non-mainstream regulated activities
Firms with total intermediary regulated business revenue of £35 million or more per annum Oil market participants
Firms with annual regulated revenue generated by consumer credit lending of £100 million or more per annum
Service companies
 Mortgage lenders that are not banks with 10,000 or more regulated mortgages outstanding Energy market participants
Subsidiaries of local authorities or registered social landloards
Insurance intermediaries whose principal business is not insurance intermediation and who only have permission to carry on insurance mediation activity in relation to non-investment insurance contracts
Internally managed AIFs


For all solo-regulated firms, the first requirement is to establish which type of firm you are.

Senior Managers Regime

The Senior Managers Regime is the key focus of the regulator and aims to ensure that those running firms in the UK are held to account. There are a number of elements that have been rolled over from the existing regime.

Statement of responsibilities

Firms need to submit a statement of responsibilities to the FCA when applying for a Senior Manager to be approved. Firms must then keep the Statement of Responsibilities up to date and re-submit it whenever there is a significant change to a Senior Manager's responsibilities (for example, where a Prescribed Responsibility is added). The FCA will provide a template Statement of Responsibility which will be subject to a consultation later this year, but we have a fair idea of what the regulator is looking for from the banking SM&CR. These are not lengthy documents and are intended as a concise reference of who is responsible for what in a firm.

Duty of responsibility

Like the existing SM&CR regime, every Senior Manager has a statutory duty of responsibility. If a firm breaches an FCA requirement, the Senior Manager responsible for that area could be held accountable by the regulator if they did not take reasonable steps to prevent or stop the breach from occurring. The burden of proof lies with the FCA to show that the individual did not take steps that a person in their position could reasonably be expected to take to avoid the firm's breach. The FCA will consider the person's Statement of Responsibility as well as considering what was or was not done in the circumstances. For this reason, many individuals subject to the banking SM&CR have focussed on both what amounts to reasonable steps and what evidential requirements would be needed to show that those steps were taken.

Senior management functions

A senior management function is akin to a controlled function under the Approved Persons regime. The FCA has produced a new list for solo regulated firms.
Not all SMFs on the list need to be allocated, only those where there is a person actually performing a role that amounts to a SMF. Where existing FCA rules require a person to perform compliance oversight (e.g. under SYSC6.1.4), the MLRO function or what was previously the apportionment and oversight function, these are still required under the Senior Managers Regime and the FCA proposes relevant SMFs.

SMF 9 Chair (non-executive) All firms except Limited Scope firms
SMF 1 Chief Executive
SMF 3 Executive
 SMF 27 Partner
SMF16 Compliance oversight  

Core and Enhanced firms plus:

  • Sole traders
  • Authorised professional firms
  • Oil market participants
SMF17 Money Laundering Reporting officer    

Core and Enhanced firms plus:

  • Sole traders
  • Oil market participants
SMF 29 Limited Scope Function Links to the Apportionment and oversight Function under the Approved persons Regime

Some of the following Limited Scope firms:

  • Limited permission consumer credit firms
  • Authorised professional firms
  • Oil market participants
  • Insurance intermediaries whose principal business is not insurance intermediation
SMF2 Chief Finance Function  Enhanced firms only
SMF4 Chief Risk Function
Head of Internal Audit
Senior Independent Director
Chair of the Remuneration Committee
SMF10 Chair of the Risk Committee
Chair of the Audit Committee
Chair of the Nominations Committee
Group Entity Senior Manager
Chief Operations Function
Other Overall Responsibility

Enhanced firms

It is clear that Enhanced firms are likely to have more complex business structures (or the ability to pose a more likely threat to the FCA's objectives), which is why the FCA has expanded the list of potential SMFs for them. In particular, the FCA is keen to point out that the Overall Responsibility requirement applies i.e. firms must ensure that every activity and business line of an Enhanced firm has a Senior Manager with responsibility for it. Done correctly, this should ensure that there are no gaps in accountability. The Overall Responsibility requirement caused some confusion under the SM&CR for banks and PRA investment firms. To help, the FCA has given some useful pointers on how firms should approach this e.g. firms should consider what activities, business areas and management functions they have, who is responsible at the most senior level for each of these (which could be the chief executive or an executive director), and, if relevant, allocate SMF18 or other relevant SMF to that person.

Prescribed Responsibilities

The FCA has produced a list of new prescribed responsibilities for the purpose of the extended regime. These are listed below. They should be allocated to the Senior Manager who is the most senior person responsible for that issue. The inclusion of a specific Prescribed Responsibility for UCITS managers is new.
Relevant prescribed responsibilities will be listed on an individual's Statement of Responsibility.

Joint responsibilities

There are limited circumstances where a prescribed responsibility can be held by more than one person and a firm must be able to show that this is appropriate and justifiable (e.g. job share arrangements). A clear explanation of any shared prescribed responsibility will also be needed in a person's Statement of Responsibility.


Where a firm uses SYSC 8 outsourcing arrangements, the responsibility for that function cannot be outsourced. So there must be a Senior Manager in the firm who is responsible for the outsourced function.

List of Prescribed Responsibilities

1. Performance by the firm of its obligations under the Senior Managers Regime, including implementation and oversight Cannot be allocated to SMF 18 (Other Overall Responsibility) 
2. Performance by the firm of its obligations under the Certification Regime
3. Performance by the firm of its obligations in respect of notifications and training of the Conduct Rules
 4. Responsibility for the firm's policies and procedures for countering the risk that the firm might be used to further financial crime
 5. Responsibilities for the firm's compliance with CASS (if applicable)
Can be allocated to SMF18
 6. Responsibility for ensuring the governing body is informed of its legal and regulatory obligations
 √  X Cannot be allocated to SMF 18
 7. Responsibility for an AFM's value for money assessments, independent director representation and acting in investors' best interests  Only AFMs
8.  Compliance with the rules relating to the firm's Responsibilities Map
Executive director
 9. Safeguarding and overseeing the independence and performance of the internal audit function (in accordance with SYSC 6.2)
NED, if possible
 10. Safeguarding and overseeing the independence and performance of the compliance function (in accordance with SYSC 6.1)

NED, if possible
 11. Safeguarding and overseeing the independence and performance of the risk function (in accordance with SYSC7.1.21R and SYSC 7.1.22R)

NED, if possible
 12. If the firm outsources its internal audit function, taking reasonable steps to ensure that every person involved in the performance of the service is independent from the persons who perform external audit

Executive director
 13. Developing and maintaining the firm's business model

Executive director
 14. Managing the firm's internal stress tests and ensuring the accuracy of the timeliness of information provided to the FCA for the purposes of stress testing

Executive director

Limited Liability Partnerships (LLPs)

One of the burning questions for fund managers, in particular, was how the FCA would propose mapping the current CF4 partner function under the approved persons regime to the new SM&CR. The FCA has taken a pragmatic approach to this.

Generally the FCA believes that all partners in a firm will be Senior Managers (based on the assumption that partners have influence over how a firm is run) and there is a partner senior management function, for that purpose (SMF27). However, if a partner has no involvement in the management of the firm, such as a silent partner or a junior partner, they will not need to be a Senior Manager. The FCA seems to expect that it is likely that there will be more sharing of responsibilities in partnerships than in other firms, but do not go very far to elaborate, except to acknowledge that the Statement of Responsibilities for a partner with limited management responsibility is likely to be short.

Responsibilities maps

Only Enhanced firms are required to produce a Responsibilities Map. This is a single document that sets out the firm's management and governance arrangements to give a collective view of the allocation of responsibilities across a firm. They are also used to help the regulator determine who should be held accountable if something has gone wrong.

This does not apply to Core firms or Limited Scope firms.

Handover procedures

Enhanced firms will also be required to take all reasonable steps to ensure that a person taking a Senior Manager role has all the information they could expect to do their job effectively, such as through a handover note. The obligation on the firm is to have a policy explaining how it fulfils this requirement and keep records of the steps taken to comply with it.

Territorial limitation

For those firms caught by the current SM&CR rules (i.e. banks and PRA investment firms, amongst others), the territorial limitation was one of the trickiest parts of the regime to get right - in particular to get "buy-in" from those individuals not physically present in the UK but caught by the rules.

For the Senior Managers Regime, there is no territorial limitation i.e. a firm must comply with the Senior Manager rules to cover activities, transactions, business areas and management functions that are located or take place wholly or partly outside and well as inside the UK. This is the same as the current position under the Approved Persons regime in relation to governing functions.

The Certification Regime applies to those who are based in the UK or, if based outside the UK, are dealing with UK clients (except in relation to material risk takers where there is no territorial limitation under the Remuneration Code rules). Dealing with clients consists of having contact with them. This is known as the territorial limitation. If an individual is a material risk taker under a UK Remuneration Code, the Certification Regime will apply even if they are not in the UK nor dealing with UK clients.

Certification Regime

The FCA has set out the functions which it considers as Certification Functions. FSMA defines a Certification Function as 'one that requires the person performing it to be involved in one or more aspects of the firm's affairs so far as relating to a regulated activity, and those aspects involve or might involve a risk of significant harm to the firm or any of its customers'. The list of Certification Functions is set out below.

If a role fits the definition of a Certification Function, the firm is under an obligation to ensure that anyone doing that role has been certified i.e. the firm must check and confirm that the person is fit and proper to do the job and issue them with a certificate (renewed at least once a year).

Certification Functions

1. Significant management function This is based on current CF29 and applies to someone with 'significant responsibility for a significant business unit'. What constitutes significant needs to be determined by a firm with reference to the size of and significance of a firm's business in the UK, the risk profile of the unit, the unit's use of firm capital, its contribution to the firm's P&L, number of employees and number of customers.
2. Proprietary traders Covered by current CF29.
3. CASS oversight function
Firms that hold client money or client assets must have a Senior Manager who is responsible for CASS compliance under the CASS Prescribed Responsibility. The CASS oversight function in the Certification Regime may be performed by the Senior Manager responsible for CASS compliance (in which case he or she is not subject to the Certification Regime, just the Senior Managers Regime). But it may be more operationally focussed and not performed by the Senior Manager responsible for CASS compliance. In that case, the individual falls within the Certification Regime.
4. Functions that are subject to qualification requirements
For example, mortgage advisers, retail investment advisers, pension transfer specialists.
5. Client dealing function
This is an expansion of the current CF30 to any person dealing with clients (retail, professional and ECPs). This will include those who advise on investments and perform related functions (such as dealing and arranging), deal as principal or agent and arrange deals in investments, or act as investment manager.
6. Algorithmic traders
This function includes those who approve a trading algorithm for deployment, or monitor and decide whether or not to use a trading algorithm and whether it remains compliant with the firm's obligations.
7. Material risk takers
This concept comes from the Remuneration Code. If a firm has a material risk taker for the purpose of the relevant Remuneration Code, this individual will be caught by the Certification Regime.
8. Anyone who supervises or manages anyone performing one of the functions above This ensures that people who supervise certification function employees will be held to the same standard of accountability as their direct reports. This applies throughout the chain of responsibility up until the Senior Manager responsible for that area.

Fit and proper assessment

Firms are required to assess individuals who are either Senior Managers or performing Certification Functions as being fit and proper to do their jobs. This is a key feature of the existing rules for banks and PRA investment firms.

In addition, the FCA is proposing that firms should also assess any non-executive directors who are not Senior Managers.

The FCA is proposing a simple roll out of the existing rules to FCA authorised firms. This means that firms will need to consider how best they can assess the qualifications, training, competence and personal characteristics of an individual for any Senior Manager or Certification Function role which they are performing. As part of this process, there is a new requirement on firms to perform criminal record checks for each Senior Manager applying for approval.

Regulatory references

The regulatory reference requirements will be rolled out so that firms must request a reference from employers for Senior Managers, non-executive directors and Certification Function candidates going back six years.

Firms may already be familiar with regulatory reference requirements as they would be under an obligation to provide them to banks and PRA investment firms who had requested them already. One aspect of the regulatory reference regime is that firms must update any regulatory references given where new significant information comes to light. For firms caught by the requirement to seek regulatory references, this will be a new point to consider. Firms will need to decide what their approach will be to any updates which they receive to a regulatory reference. This will be a difficult balancing act between regulatory responsibilities and employment law rights and obligations.

Data Protection considerations

Firms complying with the regulatory reference requirements under the SMCR rules will need to adhere to the European General Data Protection Regulation (GDPR), which comes into effect in May 2018. The GDPR imposes various obligations on data controllers - which will include firms - in relation to data retention. In particular, Article 17 permits data subjects to request the deletion or rectification of their personal data from the data controller. However, the GDPR provisions expressly carve out any processing required "for compliance with a legal obligation to which the controller is subject… by Union or Member State law." As the SMCR rules will be imposed upon firms as legal obligations under the relevant statutory instrument which will amend the FCA Handbook, there should not be a conflict between the GDPR and the regulatory reference requirements; the regulatory reference requirements shall prevail.

Firms who are data controllers should be aware that they will still be subject to various other general obligations under the GDPR in relation to the retained data for individuals. In particular, controllers are required to implement appropriate technical and organisational security measures that address the risks presented by data processing, such as the use of encryption and restricting the collection of data to only the specified purpose. Moreover, data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Serious breaches of the GDPR can give rise to significant sanctions, of up to 4% of total global annual turnover or €20m (whichever is higher).

Conduct Rules

The Conduct Rules replace the Principles for Approved Persons, but also extend their application to a much wider population of firms' employees. Firms are required to make staff aware of the Conduct Rules and to provide tailored training as to how the rules apply in the context of individuals' roles in the firm.

The Conduct Rules are split into two tiers and are a direct transposition from the existing SM&CR.

1. You must act with integrity.
2. You must act with due care, skill and diligence.
3. You must be open and cooperative with the FCA, the PRA and other regulators.
4. You must pay due regard to the interests of customers and treat them fairly.
5. You must observe proper standards of market conduct.
6. You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
7. You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
8. You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
9. You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

For solo-regulated firms, the rules will apply to a firm's regulated and unregulated financial services activity, which is narrower than the equivalent under the banking SM&CR rules. The Conduct Rules will apply to all except ancillary staff, which are listed by the regulator and include receptionists, switchboard operators, postroom, security etc. Interestingly, the Conduct Rules will not apply to data controllers and processors under the Data Protection Act or Corporate Social Responsibility Staff, amongst others, under the regime.

Finally, there are notification requirements on firms to report to the FCA when any disciplinary action has been taken against a person for any breach of the Conduct Rules. For Senior Managers, this notification must be within 7 business days and, for all other individuals, notification should be made annually. This notification requirement does not affect firms' existing obligation under Principle 11.


The consultation is open until 3 November 2017.

Operational aspects and transitional arrangements will be subject to a separate consultation at a later date. A further consultation will be released later this year on the template for the Statement of Responsibilities as well as other technical matters.

The FCA has not set a date for the extended SM&CR regime to apply. It has to be 2018, as laid down by HM Treasury in 2015, but undoubtedly this looks more likely to be the end of 2018.

Regardless, firms need to start moving now. This is effectively the starting gun for a long marathon of regulatory change.




1. Senior Manager
2. FCA approval

3. Statement of Responsibilities

4. Criminal records check for Senior Managers and NEDs

5. Duty of Responsibility

6. Fit and Proper Requirements

7. Handover procedures

8. Prescribed Responsibility

9. Overall responsibility

10. Other overall responsibility function

11. Responsibilities Map

12. Regulatory References

13. Certification Function

14. Fit and Proper Requirements

15. Regulatory References

16. Individual Conduct Rules

17. Senior Manager Conduct Rules

Key Contacts

We bring together lawyers of the highest calibre with the technical knowledge, industry experience and regional know-how to provide the incisive advice our clients need.

Load More

More on SMCR

Financial regulation update

SM&CR extension: automatic conversion and transitional provisions announced

Read Now

Keep up to date

Sign up to receive the latest legal developments, insights and news from Ashurst.  By signing up, you agree to receive commercial messages from us.  You may unsubscribe at any time.

Sign up

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying it to specific issues or transactions.

Get Started

        Forgot Password - Ashurst Account

        If you have forgotten your password, you can request a new one here.


        Forgot password? Please contact your relationship manager to find out more about our client portal.
        Ashurst Loader