UK FCA SMCR
The FCA's Senior Managers and Certification Regime — the UK personal accountability framework that places regulatory responsibility on named individuals for specific firm functions.
The Senior Managers and Certification Regime (SMCR) was introduced by the FCA and PRA under the Financial Services (Banking Reform) Act 2013 following the Parliamentary Commission on Banking Standards. SMCR replaced the Approved Persons Regime (APR) for banks in 2016 and was extended to all FCA solo-regulated firms in December 2019. The regime has three components: Senior Managers Functions (SMFs) — named individuals who must be FCA/PRA approved and are responsible for specific "areas of responsibility" documented in Statements of Responsibility; the Certification Regime — employees whose work could significantly harm the firm, customers, or market integrity must be certified annually as fit and proper; and the Conduct Rules — basic behavioral standards (honesty, due skill, market integrity, treating customers fairly, relationship with regulators) that apply to all employees. Senior Managers face criminal liability under Section 36 of the Financial Services (Banking Reform) Act for reckless misconduct. The FCA proposed SMCR reforms in 2023, with a review ongoing as of 2024.
The technology obligations of SMCR are centered on regulatory data management and internal accountability documentation. Firms must maintain accurate registers of all SMFs and their Statements of Responsibility, of all Certified Persons with their certification status and annual review dates, and of the fitness and propriety assessment records for all certified staff. These registers must be producible on demand for FCA examination. Fitness and propriety assessments involve criminal record checks (DBS checks in the UK), financial soundness checks (credit checks), and regulatory history checks (the FCA Register and FCA Regulatory Data Exchange for the regulatory history of individuals). Each SMF's area of responsibility must be kept current: when the firm's structure changes, the affected Statements of Responsibility must be updated and resubmitted to the regulators in the prescribed form (Form K for changes). Technology firms providing services to FCA-regulated clients must understand the SMCR status of the client staff they work with, as SMFs of client firms may hold prescribed responsibilities for technology oversight.
SMCR intersects with technology governance in a specific way: SMCR SMF-24 (Chief Operations) or equivalent functions typically carry prescribed responsibility for "managing the firm's operational resilience" and "managing the firm's information security." This means a named senior manager has personal accountability for the firm's operational resilience outcomes under the FCA's Operational Resilience Policy Statement (PS21/3). If an important business service fails to meet its impact tolerance, the named SMF faces accountability questions from the FCA. This creates a direct line from technology infrastructure resilience failures to personal regulatory liability for senior individuals — a governance dynamic that elevates technology risk management discussions to C-suite and board level. The PRA's SS1/21 on Operational Resilience and FCA's PS21/3 define the important business service mapping and impact tolerance methodology that sits beneath the SMCR accountability structure.
We implement SMCR regulatory data management platforms that maintain SMF registers, Certified Person registers, and fitness and propriety assessment workflows with automated annual recertification reminders, DBS/credit check integrations, and FCA Register cross-referencing. Our operational resilience frameworks are designed with explicit SMF accountability mapping — each important business service has a documented responsible SMF and a quantified impact tolerance, with monitoring dashboards that give SMFs visibility into the operational risk metrics for their areas of responsibility. We align technology governance documentation to SMCR prescribed responsibility language so that board packs and risk committee reports directly address the accountability framework.