Chief Operating Officer (SMF24) Appointments at FCA-Regulated Firms
The Chief Operating Officer role at an FCA-regulated firm has been transformed by a decade of regulatory development. Where the COO was once primarily an internal efficiency function, the designation of the role as SMF24 — the Chief Operations function — under SMCR has made it one of the most externally visible and personally accountable positions in the regulated firm executive team. Operational resilience, outsourcing governance, technology risk and business continuity now sit within the COO’s regulatory scope, and the FCA’s supervisory approach to these areas has intensified significantly.
Exec Capital places COOs at FCA-regulated firms across banking, insurance, investment management and consumer finance. This guide sets out what boards and NEDs need to understand when approaching a COO appointment at a regulated firm.
The SMF24 Designation: Scope and Accountability
SMF24 — the Chief Operations function — applies at the majority of FCA-regulated firms that have a senior individual responsible for operational matters. The precise scope of the designation is defined in the Statement of Responsibilities, which must be agreed before the individual is approved and should reflect the genuine breadth of what they oversee.
The FCA’s interpretation of the Chief Operations function has expanded considerably in line with the operational resilience agenda. PS21/3 — the FCA’s operational resilience policy — made it clear that firms must be able to remain within impact tolerances for important business services during severe but plausible disruptions. The individual who sits under SMF24 is typically the person most directly accountable for ensuring that the firm can demonstrate this. Boards appointing a COO under SMF24 need to ensure the candidate understands what that accountability means in practice.
How Operational Resilience Has Reshaped the COO Brief
The 2025 deadline for full operational resilience compliance has passed, but the regulatory scrutiny has not diminished. The FCA continues to test firms’ mapping of important business services, their identification of impact tolerances, and the robustness of their scenario testing programmes. COOs who have led a firm through the PS21/3 implementation process — not just overseen a policy document — are in significantly higher demand than those who have not.
Third-party and outsourcing risk is a closely related area of FCA focus. The regulator’s expectations around outsourcing governance, particularly for cloud service providers and critical technology vendors, have increased materially. The COO is typically the executive most closely involved in managing these relationships, and the regulator expects them to be able to articulate the firm’s risk exposure and mitigation approach with precision. Candidates who have navigated a significant outsourcing review, a vendor concentration issue, or a critical system failure are particularly valuable.
Business continuity management sits within the operational resilience framework and carries its own set of regulatory expectations. The FCA expects firms to have tested their business continuity arrangements through realistic scenarios — not desktop exercises that confirm the plan works, but genuine stress tests that identify its weaknesses. The COO’s role in designing, overseeing and learning from those exercises is central to the FCA’s assessment of the firm’s operational resilience posture.
Technology Leadership and the Regulated Firm COO
In many regulated firms, the COO carries direct or indirect responsibility for technology. Where the firm does not have a separate CTO or CIO, the COO’s technology oversight can be extensive — covering core banking systems, data infrastructure, cybersecurity governance, and digital transformation programmes. This creates a bifurcation in the COO candidate market between those with deep technology backgrounds and those who are primarily operations and process leaders.
Boards need to be clear before the search begins about which profile they require. A COO with a technology background but limited regulatory experience at a rapidly growing authorised firm may not be the right choice; equally, a COO with a strong regulatory record but minimal engagement with technology risk may struggle at a firm where digital infrastructure is central to the operating model. The intersection of operational, regulatory and technology competence is where the most effective regulated firm COOs are found — and it narrows the field considerably.
Cybersecurity governance has become an increasingly prominent element of the COO’s technology oversight responsibility. The FCA expects firms to have adequate controls to detect, respond to, and recover from cybersecurity incidents, and it has made clear that it will assess the adequacy of senior management oversight of cyber risk as part of its supervisory approach. COO candidates at firms with significant digital infrastructure should be assessed specifically on their understanding of cybersecurity governance, not just their broad technology awareness.
Data Governance and the COO’s Role
Data governance has emerged as a material regulatory concern in its own right. The FCA’s focus on data quality — in regulatory reporting, in client data management, and in the management information that reaches the board — has made data governance a live supervisory topic at many regulated firms. Where the COO has oversight of data architecture and data quality, this dimension of the role needs to be specifically assessed in the appointment process.
Candidates who have overseen the implementation of data governance frameworks, who have managed regulatory data quality issues, or who have experience of large-scale data migration or modernisation programmes are increasingly sought after. The proliferation of legacy data systems at many established financial services firms means that the COO frequently inherits a data environment that creates both operational and regulatory risk, and the ability to navigate that environment strategically is a genuine differentiator.
The Change Management Dimension
COO appointments at regulated firms are frequently triggered by a period of significant change — a regulatory remediation programme, a post-merger integration, a technology transformation, or a shift in the firm’s business model. In these contexts, the COO’s change management capability is as important as their steady-state operational competence.
Boards appointing a COO into a change context should assess candidates’ track records specifically in structured change delivery — not just their ability to articulate a change management philosophy, but their actual record of delivering complex programmes on time, within budget, and to the satisfaction of a regulatory audience. The FCA pays close attention to firms that are managing significant operational change, and the COO is typically the individual who will face the most detailed supervisory scrutiny during that period.
Change management at a regulated firm requires the COO to manage multiple simultaneous stakeholder relationships — the board and risk committee, the FCA’s supervisory team, operational staff who are implementing the change, and technology teams who are building or configuring the systems that support it. Candidates who struggle to manage complexity across multiple stakeholder groups tend to create problems in change contexts that more technically capable but less interpersonally sophisticated leaders do not.
The COO’s Relationship with the FCA Supervisory Team
At larger and more complex regulated firms, the COO will have direct engagement with the FCA’s supervisory team — attending meetings, responding to information requests, and presenting the firm’s operational risk and resilience position. This engagement is a significant test of the individual’s regulatory communication skills and their ability to represent the firm credibly under scrutiny.
The FCA pays attention to the consistency of what it hears from different members of the senior team. A COO whose account of the firm’s operational position differs materially from the CEO’s or the CRO’s account — or who appears unprepared for the level of detail the supervisory team expects — creates a negative impression that can take months to repair. Candidates should be assessed on their regulatory communication experience and their understanding of what the FCA expects from these interactions.
Building the Operations Function at a Growing Regulated Firm
At growth-stage regulated firms — challenger banks, recently authorised investment firms, and scale-up consumer credit businesses — the COO appointment often involves building a function from a relatively early stage rather than inheriting a mature one. This requires a different set of skills from the COO at an established institution: the ability to design and build processes from first principles, to hire and develop operational leadership below them, and to make pragmatic judgments about where to invest operational capability first.
Growth-stage firms also face the challenge of building operational maturity in a regulatory environment that expects institutional-grade standards. The PRA and FCA do not adjust their expectations for operational resilience, outsourcing governance, or business continuity based on the size or stage of the firm. A COO who has only operated in established institutions may find the resource constraints of a growth-stage business frustrating; conversely, a COO with a background in early-stage businesses may not have the regulatory framework knowledge the role requires. The intersection of these two profiles is genuinely rare and commands a premium accordingly.
Compensation and Market Context
COO compensation at FCA-regulated firms varies significantly by firm size and regulatory category. At smaller authorised firms, base salaries typically range from £130,000 to £200,000. At mid-tier banks, insurers and investment managers, the range extends from £200,000 to £350,000, with variable compensation subject to the applicable Remuneration Code provisions. At growth-stage firms, equity participation — options or warrants — frequently forms a material part of the overall package.
The regulated firm COO market is competitive. Candidates with a strong operational resilience track record, technology oversight experience and a positive relationship history with FCA supervision are in active demand. Firms that move slowly through the appointment process frequently lose their preferred candidates to competitors, and the time cost of restarting a COO search is significant.
The Search Process
Exec Capital runs COO searches at FCA-regulated firms on a retained basis. We work with boards and Nomination Committees to define the brief, agree the candidate profile and conduct a targeted search that focuses on individuals with genuine regulated firm experience rather than a broad financial services background. Our typical shortlist delivery time is three to five weeks from brief sign-off. We support the firm through the regulatory approval process where SMF24 applies and provide guidance on Statement of Responsibilities drafting to ensure the scope of accountability is accurately defined from the outset.
About the Author
Adrian Lawrence FCA is the founder and managing director of Exec Capital, an ICAEW-Registered Practice. Adrian holds an ICAEW practising certificate in his own name and is a Fellow of the ICAEW. His profile can be verified at find.icaew.com. Exec Capital (Companies House: 15037964) specialises in executive search and C-suite appointments for growth-focused, investor-backed businesses across the UK.
Discuss Your COO Appointment
Exec Capital places Chief Operating Officers at FCA-regulated firms across the UK. Call us on 0203 834 9616 or tell us about your hire.
Adrian Lawrence FCA is the founder of Exec Capital. He is a Chartered Accountant and holds an ICAEW practising certificate in his own name. With over 25 years’ experience operating at C-suite level, Adrian brings direct executive experience to senior search. His background spans private equity-backed businesses, owner-managed companies, and listed environments, giving Exec Capital a practitioner’s understanding of what leadership hires actually require.