SMCR, the Senior Managers and Certification Regime, was designed to put accountability back at the centre of how regulated firms operate. The framework applies to your firm, but the obligations are different from those facing larger or enhanced scope firms. No Management Responsibilities Map. No operational resilience self-assessment. No impact tolerance testing.
What you do need is clear: named Senior Managers with accurate Statements of Responsibilities, a functioning Certification Regime, Conduct Rules training evidenced across your firm, and systems and controls that are real, not inherited from a template and never reviewed.
The FCA’s supervisory focus on smaller firms has increased, not decreased. The 10 questions below are the ones that matter for your firm.
10 Questions to ask yourself
SMF IDENTIFICATION
1. Do you know exactly which Senior Management Functions apply to your firm, and are all of them covered by a named individual?
This sounds basic. Many firms still get it wrong. The functions required depend on your regulatory permissions and structure, not a standard checklist. A gap, an SMF that applies to your firm but isn’t formally held by anyone, is a regulatory breach, not an admin oversight. Start here before anything else.
STATEMENTS OF RESPONSIBILITIES
2. Does your Statement of Responsibilities describe what you actually do, or what you did when you applied for authorisation?
SoRs are live documents. If yours was drafted at authorisation and hasn’t been touched since, the chances are it no longer reflects how your firm operates. New services, new systems, new people, all of these can shift what a Senior Manager is genuinely accountable for. An outdated SoR won’t protect you when the FCA asks who was responsible for what.
CONDUCT RULES
3. Can you evidence that every member of staff subject to the Conduct Rules has been trained on them, and that the training is documented?
The Conduct Rules apply to almost everyone in your firm, not just Senior Managers. The FCA expects training to have happened, to be refreshed, and to be evidenced. A conversation in a team meeting doesn’t count. If you couldn’t produce training records for every applicable person today, you have a gap worth closing.
CERTIFICATION REGIME
4. Have you certified your Certified Persons this year, and is the fitness and propriety assessment actually documented, not just assumed?
Annual certification is a regulatory requirement, not a box-tick. The fitness and propriety assessment must be genuine: it should consider honesty and integrity, competence and capability, and financial soundness. If your process is a formality, a signature on a form with no underlying review, it won’t hold up. The FCA has been clear that perfunctory certification is not certification.
RESPONSIBILITY GAPS
5. Is there anything your firm does, any service, product, or process, that no named Senior Manager is clearly accountable for?
In smaller firms, it’s easy for responsibilities to drift into no-man’s land, particularly when the business evolves faster than the governance documentation. A product you added two years ago, a system you adopted, a client segment you moved into, if there’s no named SMF holder accountable for overseeing it, you have a gap that a supervisory review will find.
SYSTEMS AND CONTROLS
6. Can you describe the key controls that ensure your firm meets its regulatory obligations, and who is responsible for each one?
Under SYSC, all regulated firms must have adequate systems and controls. For smaller firms, proportionality applies, you don’t need a bank’s compliance architecture. But you do need to be able to describe what your controls are, demonstrate they are functioning, and name the person accountable for them. ‘We rely on our compliance consultant’ is not a controls framework.
APPOINTED REPRESENTATIVES
7. If you have appointed representatives, can you demonstrate active oversight, not just a contractual relationship?
Principal firms are responsible for the conduct of their appointed representatives as if it were their own. The FCA’s 2022 AR regime reforms raised the bar significantly: principals must now monitor ARs’ activities, revenue, and complaints; ensure ARs are suitable; and take action when they’re not. Oversight needs to be evidenced, not assumed. A contract alone is not oversight.
KEY PERSON RISK
8. If you, or another key person, were suddenly unavailable, would your firm still be able to meet its regulatory obligations?
In a small firm, one person often holds significant regulatory responsibility. That’s not inherently a problem. The problem is when there’s no documented plan for what happens if that person is absent. Who holds the SMF functions? Who can access the compliance records? Who makes the regulatory decisions? If the answer is ‘we’d figure it out’, that isn’t good enough under SMCR.
MONITORING
9. Is your compliance monitoring proportionate, documented, and actually reviewed by the right Senior Manager?
Proportionality is real, you don’t need an investment bank’s monitoring programme. But you do need a programme. It should cover the risks that actually exist in your business, produce something that a Senior Manager reviews, and generate action when issues are found. Monitoring that isn’t reviewed, doesn’t produce findings, or never results in change is monitoring in name only.
REGULATORY READINESS
10. If the FCA requested your SMCR documentation tomorrow, could you produce it, accurately and in full, within 24 hours?
This is the test. Not whether the documents exist somewhere, but whether they are current, accurate, and accessible. SoRs that reflect how the firm actually operates. Conduct Rules training records for all applicable staff. Up-to-date fitness and propriety assessments for Certified Persons. A clear list of who holds which SMF. If pulling that together would take a week, the framework isn’t in good shape.
Want help getting your SMCR framework in order?
Elira Solutions works with smaller regulated firms to build accountability frameworks that are accurate, proportionate, and regulator-ready, not lifted from a large-firm template and hoped for the best.
