Governance, Risk & Compliance

How to Build a Policy Management Framework for a UK Regulated Firm

A practical guide to building a policy management framework for UK regulated firms, covering the policy lifecycle, ownership, approval and rule mapping.

7 min read Published 17 Jul 2026
How to Build a Policy Management Framework for a UK Regulated Firm

A written policy is only useful if the firm knows who owns it, when it was last approved, who has read it and which regulatory obligation it satisfies. Many firms accumulate policies over time without any governing structure around them, so documents drift out of date, sit unapproved, or duplicate one another. A policy management framework is the set of processes and controls that keeps every policy current, owned, approved and traceable to the rule it addresses.

The Financial Conduct Authority does not publish a single rule headed "policy management". Instead the requirement is distributed across the Senior Management Arrangements, Systems and Controls sourcebook and the individual conduct rulebooks. SYSC 6.1.1R requires a firm to establish, implement and maintain adequate policies and procedures sufficient to ensure compliance with its obligations, while SYSC 4.1.1R requires robust governance arrangements and internal control mechanisms. Read together, these expect a firm to hold the right policies and to govern them properly.

This article explains why a governed framework matters, walks through the policy lifecycle from draft to retirement, sets out ownership and version control, describes the board and committee approval that regulated policies require, and shows how to map each core policy to the specific regulation that mandates it. Every rule reference below is drawn from the FCA Handbook or from the Money Laundering Regulations 2017.

Why a governed policy framework is a regulatory expectation

The obligation to hold policies is explicit. SYSC 6.1.1R requires a firm to establish, implement and maintain adequate policies and procedures sufficient to ensure compliance with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime. The words establish, implement and maintain matter: a policy that exists on a shared drive but is never applied or reviewed does not meet the standard, because maintenance is a continuing obligation rather than a one-off act of drafting.

The surrounding governance requirement sits in SYSC 4.1.1R, which requires a firm to have robust governance arrangements, including a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report risk, and internal control mechanisms. A policy framework is one of the practical mechanisms through which a firm demonstrates that these arrangements exist and function.

Record-keeping underpins the whole framework. SYSC 4.1.1-AR requires common platform firms to keep adequate and orderly records of their business and internal organisation, and SYSC 9.1.1R requires a firm to arrange for orderly records to be kept that are sufficient to enable the FCA to monitor the firm's compliance. For MiFID business, records under SYSC 9 must be retained for at least five years. Without version history, approval dates and attestation logs, a firm cannot evidence that a policy was in force at a given time, which is exactly what a supervisor or an internal audit will ask for.

The policy lifecycle: from draft to retire

A framework works by moving every policy through a defined lifecycle. Each stage has an owner, an output and a record, so that at any point the firm can say who is responsible for a document and what state it is in. The lifecycle below reflects how the maintain obligation in SYSC 6.1.1R is operationalised: policies are not simply written once, they are approved, communicated, acknowledged, reviewed on a cycle and eventually withdrawn when superseded.

The attestation stage deserves particular attention. Publishing a policy achieves little if the people bound by it never confirm they have read and understood it. Attestation creates the evidence that a policy has been communicated and acknowledged, which supports the training and awareness expectations that run through the Handbook, including the requirement in SYSC 18.3 for firms to maintain up-to-date written whistleblowing procedures that are readily available to UK-based employees.

1
Draft
Owner writes or updates the policy against the relevant rule and current firm practice.
2
Review
Subject matter experts and second line check accuracy, scope and regulatory alignment.
3
Approve
Board or delegated committee formally approves the policy and records the decision.
4
Publish
Approved version is issued to staff through a single authoritative location.
5
Attest
Relevant staff acknowledge they have read and understood the policy.
6
Review cycle
Policy is reassessed on a scheduled date or after a regulatory change.
7
Retire
Superseded policy is withdrawn and archived with its version history retained.

Ownership, version control and a single source of truth

Every policy needs a named owner who is accountable for its accuracy and for triggering its review. Ownership should sit with the person who runs the relevant activity, so an anti-money laundering policy is owned by the money laundering reporting officer and a complaints policy by the person responsible for complaints handling. This mirrors the Handbook's approach of allocating responsibility to identifiable individuals, for example the requirement in SYSC 6.3.9R to appoint a money laundering reporting officer with sufficient authority and independence.

Version control gives the framework its audit trail. Each policy should carry a unique identifier, a version number, an effective date, the approval date and body, the next review date and a short change log describing what altered between versions. This directly supports the orderly records requirement in SYSC 9.1.1R, which expects a firm to be able to reconstitute each element of a record and identify any changes, corrections or amendments clearly.

A single source of truth prevents the most common failure mode, which is multiple conflicting copies of the same policy circulating in email attachments and personal folders. The framework should designate one location as authoritative and treat every other copy as a snapshot. Nasara Connect's policy and control management tools are designed to hold that authoritative version, track ownership and versioning centrally, and record attestations against each release so the evidence is captured as the process runs rather than reconstructed afterwards.

Board and committee approval

Approval is where governance meets documentation. Some policies carry an explicit statutory or Handbook requirement for senior sign-off. Regulation 19 of the Money Laundering Regulations 2017 requires a relevant person's anti-money laundering policies, controls and procedures to be proportionate to the size and nature of the business and, importantly, to be approved by its senior management. That is not a matter of convention; the approval is a legal condition of the policy being adequate.

The Consumer Duty places a comparable obligation at board level. PRIN 2A.8.4R requires that, at least annually, the governing body of a firm reviews and approves the firm's report on the outcomes being received by retail customers, confirms whether it is satisfied that the firm is complying with the Duty, and assesses whether the firm's future business strategy is consistent with those obligations. A policy framework should route each policy to the correct approving body and diarise these recurring approvals so they are never missed.

For whistleblowing, SYSC 18.4 sets out the whistleblowers' champion role, which the FCA expects to be filled by a non-executive director where the firm has one. Under SYSC 18.4.4R the champion is responsible for ensuring and overseeing the integrity, independence and effectiveness of the firm's whistleblowing policies and procedures. Building these named approval and oversight roles into the framework ensures the right person signs off the right policy and can evidence that oversight when asked.

Where core policies are approved or overseen

Illustrative allocation of approval and oversight responsibility for core policies, based on the roles named in the relevant rules.

Where core policies are approved or overseen
100Total %
Full board or governing body40%
Delegated committee25%
Senior management (MLRO, compliance)20%
Named oversight role (whistleblowers' champion)15%

Mapping policies to the regulation that requires them

The defining feature of a mature framework is traceability. Every policy should be linked to the specific rule or regulation it satisfies, so that when a requirement changes the firm can identify which policies are affected, and when a supervisor asks how the firm meets an obligation the firm can point to the governing document. The table below maps a set of core policies that UK regulated firms commonly maintain to the primary source that mandates each one.

This mapping is also a completeness check. If the firm carries out an activity that a rule governs but holds no policy addressing it, the gap is immediately visible. Conversely, policies that cannot be traced to any obligation or genuine business need are candidates for retirement, which keeps the library lean and reduces the maintenance burden that SYSC 6.1.1R imposes.

Core policyPrimary sourceWhat the source requires
Compliance policy and proceduresSYSC 6.1.1REstablish, implement and maintain adequate policies and procedures sufficient to ensure compliance.
Anti-money laundering policyMLR 2017, regulation 19Policies, controls and procedures to mitigate money laundering risk, proportionate and approved by senior management.
Complaints handling policyDISP 1.3.1R and DISP 1.6.2REffective and transparent complaint procedures; a final response by the end of eight weeks.
Whistleblowing policySYSC 18.3.1R and SYSC 18.4Appropriate arrangements for disclosure of reportable concerns, overseen by a whistleblowers' champion.
Financial promotions policyCOBS 4.10 and COBS 4.11Controls to confirm compliance of promotions and an adequate record of each promotion approved or communicated.
Consumer Duty policy and monitoringPRIN 2A.8.4RGoverning body reviews and approves the outcomes report at least annually and confirms compliance with the Duty.
Record-keeping policySYSC 9.1.1RKeep orderly records sufficient for the FCA to monitor compliance; at least five years for MiFID business.
Illustrative mapping of core policies to the primary rule or regulation that requires each one. Applicability varies by firm type and permissions.

Reviewing, retiring and evidencing the framework

Review is not optional housekeeping. Regulation 19 of the Money Laundering Regulations 2017 expressly requires a relevant person to regularly review and update the anti-money laundering policies, controls and procedures it has established, and to maintain a written record of any changes and of the steps taken to communicate them. The framework should assign every policy a review frequency and an owner responsible for confirming, at each review, whether the policy remains accurate or needs revision.

Reviews should also be event-driven, not only calendar-driven. A change to a rule, a new product, an enforcement theme, a material complaint trend or a failure identified through monitoring should each trigger a review of the affected policies out of cycle. Linking policies to rules through the mapping described above is what makes event-driven review practical, because the firm can immediately see which documents a regulatory change touches.

Retirement completes the lifecycle. When a policy is superseded, the previous version should be withdrawn from the authoritative location and archived with its full version history intact, so the firm can still show what was in force at any historical point. This is the practical expression of the SYSC 9.1.1R expectation that records be orderly and that changes be identifiable. Firms that are also working through an authorisation or a permissions change will find that a well-evidenced framework supports the authorisation process, because a clear, mapped and approved policy library is precisely what the FCA expects a well-run firm to hold.

Conclusion

A policy management framework turns a collection of documents into a controlled system. By moving every policy through a defined lifecycle, assigning a named owner, keeping strict version control, routing each policy to the correct approving body and mapping it to the rule it satisfies, a firm meets the maintain obligation in SYSC 6.1.1R and the governance and record-keeping expectations in SYSC 4 and SYSC 9. Just as importantly, it can evidence all of this on demand, which is what supervision, internal audit and the board each require.

The rules cited here, from the Money Laundering Regulations 2017 through DISP, SYSC 18 and the Consumer Duty, do not ask for perfection. They ask for policies that are adequate, current, owned, approved and traceable, supported by orderly records. A framework built around the lifecycle and mapping set out above delivers exactly that, and it scales as the firm's permissions and product range grow rather than becoming harder to maintain over time.

Frequently asked questions

What is a policy management framework?

It is the set of processes and controls a firm uses to keep every policy current, owned, approved and traceable to the obligation it addresses. It covers the full lifecycle from drafting a policy through approval, publication, staff attestation, scheduled review and eventual retirement, with version history retained throughout so the firm can evidence what was in force at any time.

Which policies must a UK regulated firm maintain?

The exact set depends on a firm's permissions and activities, but common requirements include a compliance policy under SYSC 6.1.1R, an anti-money laundering policy under regulation 19 of the Money Laundering Regulations 2017, a complaints policy under DISP 1.3.1R, a whistleblowing policy under SYSC 18.3.1R, financial promotions controls under COBS 4, and Consumer Duty monitoring under PRIN 2A. Map each activity you carry out to the rule that governs it to confirm your own list.

Does the board have to approve policies?

For some policies, senior approval is a specific requirement rather than a matter of good practice. Regulation 19 of the Money Laundering Regulations 2017 requires anti-money laundering policies to be approved by senior management, and PRIN 2A.8.4R requires the governing body to review and approve the Consumer Duty outcomes report at least annually. A framework should route each policy to the correct approving body and record the approval date and decision.

How often should policies be reviewed?

There is no single universal frequency, but review must be a continuing activity. Regulation 19 of the Money Laundering Regulations 2017 requires firms to regularly review and update their anti-money laundering policies. Good practice is to set a scheduled review date for each policy and to trigger additional out-of-cycle reviews when a rule changes, a new product launches, or monitoring identifies a problem with an existing policy.

How does version control support compliance?

SYSC 9.1.1R expects a firm to keep orderly records and to be able to identify clearly any changes, corrections or amendments to them. Version control delivers this by giving each policy a version number, effective date, approval record and change log. It lets the firm show which version was in force at any historical point, which is exactly what a supervisor, an auditor or a complaint investigation may ask for.

What is the eight-week rule for complaints policies?

DISP 1.6.2R requires a firm to send the complainant a final response by the end of eight weeks after receiving the complaint. A firm's complaints policy should build this deadline into its procedures, alongside prompt written acknowledgement under DISP 1.6.1R and the requirement in DISP 1.3.1R to have effective and transparent procedures for the reasonable and prompt handling of complaints.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Keep reading

More insights you will like.

Stay ahead of the curve

Practical guides and updates for UK firms, straight to your inbox.

Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide