Governance, Risk & Compliance

Board Governance for FCA-Regulated Firms: A Practical Guide to SYSC 4

How FCA-regulated firms meet board governance expectations under SYSC 4, including the management body, board committees, and links to the SM&CR.

8 min read Published 17 Jul 2026
Board Governance for FCA-Regulated Firms: A Practical Guide to SYSC 4

Good governance is the foundation on which every other control in a regulated firm sits. If the board and the wider management body do not set a clear direction, hold executives to account, and receive reliable information, then risk management, compliance, and consumer outcomes all suffer. For firms authorised by the Financial Conduct Authority, board governance is not simply good business practice. It is a regulatory requirement written into the FCA Handbook and reinforced by the Senior Managers and Certification Regime.

The core requirement comes from SYSC 4, the chapter on general organisational requirements in the FCA's Senior Management Arrangements, Systems and Controls sourcebook. SYSC 4.1.1R requires a firm to have robust governance arrangements, and SYSC 4.3A sets out what the management body must do. For listed firms, the Financial Reporting Council's UK Corporate Governance Code adds a further layer on board composition, independence, and committees.

This guide explains what those expectations mean in practice. It covers the role of the board and management body, board composition and independence, the key committees, the management information a board needs, the three lines of defence, and how all of this connects to individual accountability under the SM&CR. Every rule cited below is drawn from a primary source.

What SYSC 4 requires of your governance arrangements

The starting point is SYSC 4.1.1R. It states that a firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems. That single sentence sets the standard against which a supervisor will judge your framework.

The rule breaks down into three practical tests. First, is the structure clear, so that everyone knows who is responsible for what? Second, are there working processes to spot, manage, and report risk? Third, are the internal controls, including finance and information systems, sound? A governance framework that cannot answer all three is exposed.

SYSC 4 also expects senior oversight to be genuine. Under SYSC 4.2.2R, certain firms must ensure that their management is undertaken by at least two persons who are of good repute and suitably experienced. This four eyes principle prevents a single individual from holding unchecked control at the top of the firm, and it is one reason a functioning board matters even in a small firm.

The role of the board and the management body

SYSC uses the term management body for the collective group that runs the firm, which in most firms is the board. SYSC 4.3A.1R requires the management body to define, oversee, and be accountable for the implementation of governance arrangements that ensure effective and prudent management of the firm, including the segregation of duties and the prevention of conflicts of interest. It must have overall responsibility for the firm and approve and oversee implementation of the firm's strategic objectives, risk strategy, and internal governance.

The same rule requires the management body to ensure the integrity of the firm's accounting and financial reporting systems, to oversee disclosure and communications, and to provide effective oversight of senior management. It must monitor and periodically assess the effectiveness of the firm's governance arrangements and take steps to address any deficiencies, and it must have adequate access to the information and documents needed to oversee and monitor management decision making.

A crucial point that is easy to miss is that delegation does not remove accountability. A board can delegate detailed work to a committee or to an executive, but SYSC 4.3A.1R keeps overall responsibility with the management body. If you want to see how a structured control framework supports this kind of board oversight, our control platform is built around exactly these obligations.

1
Set strategy and risk appetite
Approve strategic objectives, risk strategy and internal governance, and review them regularly.
2
Define clear structure
Establish transparent reporting lines and segregation of duties across the firm.
3
Oversee senior management
Hold executives to account against agreed objectives and challenge their decisions.
4
Secure quality information
Ensure the board receives accurate, timely data to monitor decision making.
5
Assess and remediate
Periodically test governance effectiveness and fix deficiencies you identify.

Board composition, independence, and time commitment

A board is only as good as the people on it. SYSC 4.3A.3R requires the members of the management body to be of sufficiently good repute, to possess sufficient knowledge, skills, and experience to perform their duties, and to possess adequate collective knowledge, skills, and experience to understand the firm's activities, including the main risks. Members must reflect an adequately broad range of experiences, commit sufficient time to their functions, and act with honesty, integrity, and independence of mind.

That independence of mind is the point of the rule. SYSC 4.3A.3R expressly requires members to be able to effectively assess and challenge the decisions of senior management where necessary and to effectively oversee and monitor management decision making. A board that cannot or will not challenge the executive is not meeting the standard, however impressive its members' individual credentials.

Separation at the top reinforces this. SYSC 4.3A.2R requires certain firms to ensure that the chairman of the management body does not simultaneously exercise the chief executive function within the same firm. For listed firms the FRC's UK Corporate Governance Code goes further at Provision 9, stating that the roles of chair and chief executive should not be exercised by the same individual and that a chief executive should not become chair of the same company. Provision 11 of that Code states that at least half the board, excluding the chair, should be non-executive directors whom the board considers to be independent.

FRC Code board balance for listed firms

The UK Corporate Governance Code 2024, Provision 11, states that at least half the board, excluding the chair, should be independent non-executive directors. This illustrates the minimum split for a ten-member board excluding the chair.

FRC Code board balance for listed firms
100Total %
Independent non-executive directors50%
Other directors50%

The key board committees and their remit

Boards do detailed work through committees. SYSC 4.1.11G notes that, depending on the nature, scale, and complexity of its business, it may be appropriate for a firm to form an audit committee. That guidance describes an audit committee examining management's process for ensuring the appropriateness and effectiveness of systems and controls, examining arrangements for regulatory compliance, overseeing any internal audit function, and providing an interface with external auditors. It adds that such a committee should have an appropriate number of non-executive directors and formal terms of reference.

For listed firms the FRC's UK Corporate Governance Code sets out clearer expectations. Provision 24 requires the board to establish an audit committee of independent non-executive directors, with a minimum membership of three, or two for smaller companies. Provision 17 requires a nomination committee to lead the process for appointments, with a majority of members being independent non-executive directors. Provision 32 requires a remuneration committee of independent non-executive directors, again with a minimum of three, or two for smaller companies.

Whether or not the Code applies to you, the discipline is the same. Committees let the right people spend real time on audit, risk, remuneration, and appointments, and they create a documented trail of challenge. What committees cannot do is transfer the board's accountability under SYSC 4.3A.1R, which is why terms of reference and reporting back to the full board matter so much.

CommitteeCore remitPrimary source
Audit committeeOversees financial reporting integrity, internal controls, internal audit, and the external auditor relationship.SYSC 4.1.11G; FRC Code Provision 24
Risk committeeWhere established, oversees the firm's risk framework and risk appetite; may be a separate board risk committee.FRC Code Provision 25
Remuneration committeeSets policy for executive remuneration and reviews outcomes against long-term performance.FRC Code Provision 32
Nomination committeeLeads board appointments, succession planning, and reviews board composition and diversity.FRC Code Provision 17
The main board committees and their remit, drawn from FCA SYSC 4.1.11G and the FRC UK Corporate Governance Code 2024.

Management information the board needs

A board cannot govern what it cannot see. SYSC 4.3A.1R requires the management body to monitor and periodically assess the effectiveness of the firm's governance arrangements and to have adequate access to the information and documents needed to oversee and monitor management decision making. In practice that means a defined set of management information reaching the board on a regular cycle, not just when something has already gone wrong.

Good board information is timely, accurate, and proportionate. It should cover progress against strategy, the risk profile against appetite, compliance and conduct indicators, financial and operational performance, and any emerging issues. The FRC's Code echoes this: its principles for the division of responsibilities describe the chair ensuring that directors receive accurate, timely, and clear information so the board can function effectively.

The test of your management information is whether it lets non-executives challenge the executive on the things that matter. If reports are so voluminous that risks are buried, or so thin that the board is effectively rubber stamping, the information regime has failed the SYSC 4.3A.1R standard even if a pack is produced every month.

Many firms organise their control environment using the three lines of defence model. The first line is the business that owns and manages risk day to day. The second line is the risk and compliance functions that set policy and provide oversight and challenge. The third line is internal audit, which provides independent assurance. This model is a widely used way of delivering the effective processes to identify, manage, monitor and report risk that SYSC 4.1.1R requires, and the board sits above all three lines, receiving assurance from each.

Governance and individual accountability are joined at the hip through the Senior Managers and Certification Regime. Under the SM&CR, the person who chairs and oversees the performance of the firm's governing body holds the Chair function, SMF9, which the FCA describes as the only approved function that can be held by a non-executive director. Firms must also allocate a set of Prescribed Responsibilities to Senior Managers and give each Senior Manager a Statement of Responsibilities.

The link is enforced by the Duty of Responsibility. As the FCA explains, every Senior Manager has a Duty of Responsibility under the Financial Services and Markets Act, which means that if a firm breaches one of the FCA's requirements, the Senior Manager responsible for that area could be held accountable if they did not take reasonable steps to prevent or stop the breach. Non-executive directors who are not Senior Managers remain subject to the Conduct Rules, fit and proper requirements, and regulatory reference rules. Governance is therefore not abstract: it maps onto named individuals who can be held to account.

Conclusion

Board governance for FCA-regulated firms is not a matter of ticking boxes. SYSC 4.1.1R sets a clear standard for robust governance arrangements, and SYSC 4.3A tells you what your board or management body must actually do: set strategy and risk appetite, oversee senior management, protect the integrity of financial reporting, and monitor whether the arrangements are working. Listed firms layer the FRC's UK Corporate Governance Code on top, with firmer expectations on independence and committees. The SM&CR then ties these collective duties to named individuals through the Chair function, Prescribed Responsibilities, and the Duty of Responsibility.

The firms that handle this well treat governance as a living system rather than a constitutional document. They keep reporting lines clear, staff their committees with people who have the time and independence to challenge, feed the board the information it needs, and use the three lines of defence to generate genuine assurance. If you are building or strengthening your framework, start from the SYSC 4 requirements and work outwards, and make sure every duty has an owner. To see how a structured platform can support authorisation and ongoing governance, explore our authorisation support.

Frequently asked questions

What is board governance under FCA rules?

Board governance is how a firm's board, or management body, directs and controls the firm. Under SYSC 4.1.1R, an FCA-regulated firm must have robust governance arrangements with a clear structure, effective risk processes, and sound internal controls. SYSC 4.3A sets out what the management body must do, including setting strategy, overseeing senior management, and ensuring the integrity of financial reporting.

Which FCA rules cover board governance?

The main rules are in SYSC 4 of the FCA Handbook. SYSC 4.1.1R requires robust governance arrangements, SYSC 4.2.2R sets out the requirement for management by at least two persons, and SYSC 4.3A sets out the responsibilities, competence, and independence of the management body. For listed firms, the FRC's UK Corporate Governance Code adds further expectations on composition and committees.

What committees should an FCA-regulated firm's board have?

SYSC 4.1.11G notes that it may be appropriate for a firm to form an audit committee, depending on the nature, scale, and complexity of its business. Listed firms following the FRC Code are expected to have an audit committee (Provision 24), a nomination committee (Provision 17), and a remuneration committee (Provision 32), and may establish a separate risk committee (Provision 25). Committees do not transfer the board's overall accountability.

Does the board need to be independent?

SYSC 4.3A.3R requires members of the management body to act with independence of mind and to be able to challenge senior management effectively. SYSC 4.3A.2R requires the chairman not to also hold the chief executive function in certain firms. For listed firms, FRC Code Provision 11 states that at least half the board, excluding the chair, should be independent non-executive directors.

How does board governance link to the SM&CR?

The person who chairs and oversees the firm's governing body holds the Chair function, SMF9, under the Senior Managers and Certification Regime. Firms allocate Prescribed Responsibilities to Senior Managers and give each a Statement of Responsibilities. Under the Duty of Responsibility, a Senior Manager can be held accountable if the firm breaches an FCA requirement in their area and they did not take reasonable steps to prevent it.

What is the three lines of defence model?

It is a common way of organising a firm's controls. The first line is the business that owns and manages risk, the second line is risk and compliance providing oversight and challenge, and the third line is internal audit providing independent assurance. The board sits above all three and receives assurance from each, supporting the effective risk processes required by SYSC 4.1.1R.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide