Governance, Risk & Compliance

SM&CR explained: a practical guide for UK firms

SM&CR explained for UK solo-regulated firms: the three pillars, Core, Enhanced and Limited Scope tiers, SMFs, responsibilities and conduct rules.

9 min read Published 17 Jul 2026
SM&CR explained: a practical guide for UK firms

The Senior Managers and Certification Regime, usually shortened to SM&CR, is the framework the Financial Conduct Authority uses to hold individuals in regulated firms accountable for their conduct and competence. It was extended to almost all FCA solo-regulated firms on 9 December 2019, reaching around 47,000 firms that had previously worked under the older Approved Persons Regime. If your firm is authorised under the Financial Services and Markets Act 2000, the regime almost certainly applies to you.

The FCA describes the aim plainly: to reduce harm to consumers and strengthen market integrity by making individuals more accountable. In practice, that means senior decision makers can be named, their responsibilities can be written down, and a firm cannot hide poor conduct behind a corporate structure. The regime rests on three pillars, the Senior Managers Regime, the Certification Regime and the Conduct Rules, and it applies proportionately through three firm tiers.

This guide explains each pillar, sets out the differences between Core, Enhanced and Limited Scope firms, and gives a practical route to implementation. Every figure and rule below is drawn from the FCA Handbook, the FCA guide for solo-regulated firms, and the Financial Services and Markets Act 2000. Where a number could not be verified against a primary source, it has been left out.

Who SM&CR applies to

SM&CR applies to all FCA solo-regulated firms authorised under the Financial Services and Markets Act 2000, alongside banks, building societies, insurers and PRA-designated investment firms that were brought in earlier. For the solo-regulated population, that covers investment firms, consumer credit lenders and brokers, mortgage lenders and intermediaries, insurance intermediaries, claims management companies and many others.

There is an important scope point that is often misunderstood. The FCA guide is explicit that firms which are not authorised under FSMA, giving payment services firms as its example, are not covered by SM&CR. Standalone payment institutions and e-money institutions authorised under the Payment Services Regulations or the Electronic Money Regulations therefore sit outside the regime itself, although a payments or e-money business that is part of a wider FSMA-authorised group, or that also holds FSMA permissions, will need to consider how the regime touches the authorised entity.

The regime does not apply to Appointed Representatives, who remain subject to the Approved Persons Regime. Because it operates on a legal entity basis, each authorised firm in a group must apply the regime to its own senior managers, certified staff and conduct rules population separately.

The three pillars of SM&CR

SYSC 23.3 of the FCA Handbook sets out the three components of the regime. The Senior Managers Regime identifies the individuals holding the most senior roles, known as Senior Management Functions, each of whom must be approved by the FCA before they start and must have a written Statement of Responsibilities describing what they are accountable for. The Certification Regime covers staff below senior manager level whose roles could cause significant harm, requiring the firm, not the regulator, to assess and certify that they are fit and proper. The Conduct Rules are enforceable standards of behaviour that apply directly to the great majority of a firm's workforce.

The three pillars work together. The Senior Managers Regime tells the regulator who is in charge, the Certification Regime pushes responsibility for competence down to the firm, and the Conduct Rules set a baseline of behaviour that runs from the boardroom to the wider staff. A firm that treats any one pillar as a box-ticking exercise tends to fail on the others, because responsibility, competence and conduct are difficult to separate in practice.

Governance tooling can make the difference between a paper exercise and a living framework. Nasara's governance controls module keeps Statements of Responsibilities, certification records and conduct rule breaches in one place, which matters when the FCA asks who was responsible for what and when.

The three firm tiers: Core, Enhanced and Limited Scope

The regime applies proportionately through three categories. Most firms are Core and apply a baseline set of requirements. A small proportion are Enhanced and must apply extra rules to reflect their size, complexity and potential impact. Limited Scope firms, which include sole traders, limited permission consumer credit firms and certain claims management companies, apply fewer requirements than Core firms and do not need to allocate prescribed responsibilities.

A firm falls into the Enhanced tier if it meets any one of six criteria published by the FCA. According to the current FCA categorisation guidance, these include being a Significant SYSC firm or a CASS Large firm, or crossing one of the following thresholds calculated as a three year rolling average: assets under management of 65 billion pounds or more, total intermediary regulated business revenue of 45 million pounds or more per annum, or consumer credit lending revenue of 130 million pounds or more. A mortgage lender or administrator that is not a bank with 10,000 or more regulated mortgages outstanding is also Enhanced.

Firms can choose to opt up to a higher tier even if they do not meet the criteria, for example so that a group applies the regime consistently across its subsidiaries. Getting the categorisation right at the outset matters, because it determines how many Senior Management Functions and prescribed responsibilities apply.

FeatureLimited ScopeCoreEnhanced
Who it coversSole traders, limited permission consumer credit firms, some CMCs and others with limited APR applicationThe baseline population that is neither Limited Scope nor EnhancedA small proportion meeting one or more of six size and complexity criteria
Senior Management FunctionsFewer SMFs applySix Core SMFsAdditional SMFs on top of the Core set
Prescribed ResponsibilitiesNone requiredFive prescribed responsibilitiesTwelve prescribed responsibilities
Conduct RulesApplyApplyApply
Certification RegimeAppliesAppliesApplies
Comparison of the three SM&CR firm tiers. Figures from the FCA guide for solo-regulated firms and FCA categorisation guidance.

Senior Management Functions and prescribed responsibilities

A Senior Management Function, or SMF, is a role so significant that the individual must be approved by the FCA before performing it. There are six SMFs within the Core regime: SMF1 Chief Executive, SMF3 Executive Director, SMF27 Partner and SMF9 Chair among the governing functions, plus the required functions of SMF16 Compliance Oversight and SMF17 Money Laundering Reporting Officer. Enhanced firms have additional SMFs on top of these. Every SMF holder must have a Statement of Responsibilities that clearly states what they are responsible and accountable for.

Prescribed Responsibilities are specific responsibilities defined in SYSC 24 of the Handbook that a firm must allocate to its senior managers, in addition to the inherent responsibilities of their roles. They exist to make sure a named senior manager is accountable for key conduct and prudential risks. Core firms must allocate five prescribed responsibilities, Enhanced firms must allocate twelve, and Limited Scope firms are not required to allocate any. Each responsibility should go to the most senior person genuinely responsible for that area, with the authority, knowledge and competence to carry it out.

There is limited flexibility for temporary cover. The twelve week rule in SUP 10C allows an individual to cover for an absent senior manager without approval, where the absence is temporary or reasonably unforeseen and the appointment lasts fewer than 12 consecutive weeks. Outsourcing does not move accountability: a firm that outsources an operational function remains fully responsible for its regulatory obligations.

The Certification Regime and the fit and proper test

The Certification Regime, set out in SYSC 27, covers employees who are not senior managers but whose roles could cause significant harm to the firm or its customers. These certification functions do not require FCA pre-approval. Instead the firm must check and confirm that the person is fit and proper, issue them with a certificate, and renew that certificate at least once a year while they remain in the role. The FCA is clear that one objective of the regime is to reinforce that firms, not the regulator, are responsible for making sure their staff are fit and proper.

Fitness and propriety is assessed against three factors set out in the FIT part of the Handbook: honesty, integrity and reputation; competence and capability, including any relevant training and competence requirements; and financial soundness. The same three factors apply to senior managers and to non-executive directors who are not senior managers, except at Limited Scope firms. The assessment is not a one-off exercise at hiring: firms must assess these individuals on an ongoing basis and at least once a year.

The regime also requires firms to gather evidence. Firms must carry out a criminal records check as part of each senior manager application, register with the Disclosure and Barring Service or its equivalents, and request regulatory references covering the previous six years from a candidate's former employers. These checks give the annual fit and proper judgement a documented foundation rather than resting on a manager's opinion.

1
Identify certified roles
Map which employees perform certification functions that could cause significant harm to customers or the firm.
2
Assess fitness
Test each person against honesty and integrity, competence and capability, and financial soundness.
3
Gather evidence
Collect qualifications, training records, regulatory references and any relevant background checks.
4
Issue certificate
Confirm the person is fit and proper and issue a certificate stating the business areas they cover.
5
Renew annually
Reassess and re-certify each certified person at least once every year while they hold the role.

The Conduct Rules and their two tiers

The Conduct Rules are enforceable standards found in the COCON chapter of the Handbook, and they apply to almost the entire workforce, not just approved individuals. They apply to all senior managers, all certified staff, all non-executive directors who are not senior managers, and all other employees except ancillary staff, meaning people such as receptionists, security guards and post room staff who do not perform a role specific to financial services.

There are two tiers. The First Tier, the Individual Conduct Rules, requires staff to act with integrity, to act with due care, skill and diligence, to be open and cooperative with the regulators, to pay due regard to the interests of customers and treat them fairly, and to observe proper standards of market conduct. A sixth Individual Conduct Rule, in force since 31 July 2023 under COCON 2.4, requires staff whose firm's activities are covered by the Consumer Duty to act to deliver good outcomes for retail customers. The Second Tier, the Senior Manager Conduct Rules, adds four further rules requiring senior managers to take reasonable steps to control their part of the business effectively, to ensure regulatory compliance, to delegate appropriately with proper oversight, and to disclose appropriately any information the FCA or PRA would reasonably expect notice of.

Firms must train their staff so they understand which rules apply to them, and must report to the FCA breaches of the Conduct Rules that result in disciplinary action. Breaches by senior managers must be reported within seven business days, with breaches by other staff reported annually. Keeping that reporting reliable is easier when conduct records sit inside the same system used to manage authorisations and responsibilities, which is where a platform such as Nasara can reduce the manual burden.

The Duty of Responsibility

Sitting above the Conduct Rules is the Duty of Responsibility, which flows from the Financial Services and Markets Act 2000. Under section 66A of the Act, if a firm breaches an FCA requirement, the senior manager responsible for that area can be held accountable where they did not take such steps as a person in their position could reasonably be expected to take to avoid the contravention occurring or continuing.

The burden of proof sits with the FCA. The regulator must show that the senior manager failed to take the reasonable steps expected of someone in their position, and it will weigh all the circumstances, including the seriousness of the breach and the manager's responsibilities, applying the criteria in the Decision Procedure and Penalties Manual. This is why clear Statements of Responsibilities and a documented trail of oversight matter so much: they are the evidence a senior manager relies on to show that reasonable steps were taken.

The regime continues to evolve. In April 2026 the FCA published policy statement PS26/6, the first phase of a review intended to make SM&CR more efficient and proportionate while maintaining strong individual accountability, with changes taking effect through 2026. Firms should treat their SM&CR framework as something to maintain and review, not a project to complete once.

Conclusion

SM&CR is less complicated than its acronym suggests. Three pillars set the shape: the Senior Managers Regime names and approves the people in charge and writes down their responsibilities, the Certification Regime pushes fitness and propriety checks down into the firm with an annual renewal, and the Conduct Rules set enforceable standards for almost everyone. Three tiers, Core, Enhanced and Limited Scope, then scale those obligations to the size and impact of the firm.

The practical work is in the detail: correct categorisation, complete Statements of Responsibilities, prescribed responsibilities allocated to the right people, certification renewed every year, conduct rule breaches reported on time, and a documented record of the reasonable steps senior managers take. Firms that keep this evidence current are not only compliant; they are ready when the regulator asks who was responsible for what. To see how a single governance platform can hold that evidence together, explore Nasara's products or book a demonstration.

Frequently asked questions

What does SM&CR stand for?

SM&CR stands for the Senior Managers and Certification Regime, the FCA framework that holds individuals in regulated firms accountable for their conduct and competence. It was extended to almost all FCA solo-regulated firms on 9 December 2019.

What are the three pillars of SM&CR?

As set out in SYSC 23.3, the three pillars are the Senior Managers Regime, which approves and documents the most senior roles, the Certification Regime, under which firms assess and certify staff who could cause significant harm, and the Conduct Rules, enforceable standards of behaviour that apply to most of the workforce.

What is the difference between Core, Enhanced and Limited Scope firms?

Core firms apply a baseline set of requirements including six SMFs and five prescribed responsibilities. Enhanced firms meet one of six size and complexity criteria and apply extra rules including twelve prescribed responsibilities. Limited Scope firms, such as sole traders, apply fewer requirements and allocate no prescribed responsibilities.

Does SM&CR apply to payment and e-money firms?

The FCA guide states that firms not authorised under FSMA, using payment services firms as its example, are not covered by SM&CR. Standalone payment institutions and e-money institutions therefore sit outside the regime, though a business also holding FSMA permissions, or within a FSMA-authorised group, must consider the regime for the authorised entity.

How often must firms assess fitness and propriety?

Firms must assess senior managers, certified staff and relevant non-executive directors as fit and proper on an ongoing basis and at least once a year. The assessment covers honesty, integrity and reputation, competence and capability, and financial soundness, and certification must be renewed at least once a year.

What is the Duty of Responsibility?

Under section 66A of the Financial Services and Markets Act 2000, if a firm breaches an FCA requirement, the responsible senior manager can be held accountable where they did not take such steps as a person in their position could reasonably be expected to take to avoid the breach. The FCA carries the burden of proof.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Keep reading

More insights you will like.

Stay ahead of the curve

Practical guides and updates for UK firms, straight to your inbox.

Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide