What Boards and Senior Executives at FCA-Regulated Firms Must Understand in 2026
By Adrian Lawrence FCA — Exec Capital and FD Capital Recruitment Ltd, ICAEW Registered Practice
When an FCA-regulated firm appoints a new CEO, Chair, Chief Risk Officer or Chief Compliance Officer, the regulatory consequences are immediate and personal. Under the Senior Managers and Certification Regime, the individuals appointed to Senior Manager Functions hold personal accountability for the areas within their responsibility — accountability that the FCA can and does enforce directly against individuals, not just against the firm. Boards that approach executive appointments at regulated firms without understanding this framework are not just filling a vacancy. They are making a decision with significant regulatory consequences that will follow the individual and the firm for the duration of their tenure.
This article covers the principal FCA obligations that board members, executive leaders and their appointing boards at UK regulated firms must understand in 2026.
SMCR: The Personal Accountability Framework
The Senior Managers and Certification Regime is the foundational regulatory framework for personal accountability at FCA-regulated firms. It operates across three interconnected layers: the Senior Managers Regime, which creates individually accountable SMF holders with prescribed responsibilities; the Certification Regime, which requires annual certification of individuals in significant harm functions; and the Conduct Rules, which apply to virtually all employees of regulated firms.
For boards appointing to the most senior roles, the Senior Managers Regime is the primary concern. Every CEO, Chair, CFO, Chief Risk Officer, Chief Compliance Officer and MLRO at an FCA-regulated firm must hold FCA approval for their specific Senior Manager Function before they can perform it. The approval process requires a Form A application, a Statement of Responsibilities describing the individual’s specific accountability, and regulatory references from former regulated employers covering the preceding five years. Boards that have not managed this process before frequently underestimate its complexity and the time it takes — a well-prepared application for a straightforward SMF candidate typically takes three to six weeks to determine; an application with queries or adverse history can take four to six months.
The Chair: Governance Leadership Under SMF9
The Chair of the board holds the SMF9 function — the Chair of the Governing Body — and carries specific accountability obligations that are distinct from those of the executive SMF holders. The Chair is accountable for the effectiveness of the board as a governance body, for the integrity of the board’s oversight processes, and for the management of any conflicts of interest that arise between the interests of shareholders, the executive team, and the firm’s regulatory obligations.
The FCA’s expectations of the SMF9 holder go beyond a formal governance role. The Chair must demonstrate the independence of mind and the willingness to challenge executive management that the FCA’s governance standards require. A Chair who does not receive adequate management information, who does not ask probing questions about the firm’s compliance performance, or who allows the executive team to manage the board’s agenda without meaningful challenge has not discharged their SMF9 accountability — regardless of how well the board meetings are documented. The FCA has been explicit in its guidance that it will look through governance documentation to assess whether the Chair is genuinely providing the oversight the SMF9 function requires.
Governance Structure: What SYSC 4 Requires
The governance requirements in SYSC 4 set the FCA’s baseline expectations for how regulated firms must structure their management and control framework. The four-eyes principle — requiring the firm’s business to be managed by at least two individuals with genuine joint authority — applies to all regulated firms. The management body must collectively possess adequate knowledge, skills and experience to understand the firm’s activities and its principal risks. Individual members must commit sufficient time to their functions, act with independence of mind, and avoid conflicts of interest that could compromise their judgment.
For boards that are assessing the adequacy of their own governance structure, SYSC 4 provides the framework against which the FCA will conduct its assessment. A board that lacks expertise in the firm’s principal regulatory risk areas, or whose members are spread across too many other directorships to commit adequate time, is not meeting the SYSC 4 standard regardless of how experienced its individual members are. The collective competence assessment matters as much as the individual fit and proper assessment for each SMF holder.
Statements of Responsibilities: Getting the Documentation Right
Every SMF holder must have a Statement of Responsibilities — a document that sets out specifically what they are accountable for at the firm. The SoR is the document that matters most if something goes wrong: it is the accountability anchor against which the FCA assesses whether the individual discharged their reasonable steps obligation, and it is the basis on which enforcement liability is allocated between SMF holders where multiple individuals were involved in a regulatory failure.
The quality of the SoR is one of the clearest indicators of how seriously a firm takes its SMCR obligations. A generic SoR that describes the SMF function in broad terms without specifying the individual’s actual accountability at this firm provides no protection in an enforcement context. A well-drafted SoR that accurately describes the decisions the individual takes, the information they receive, and the areas of the firm for which they are specifically accountable creates a much clearer framework for both the individual’s governance and the FCA’s assessment of their conduct.
The Fit and Proper Assessment: What the FCA Actually Looks For
The FCA’s fit and proper assessment for proposed SMF holders covers three dimensions: honesty, integrity and reputation; competence and capability for the specific function; and financial soundness. Of these, competence and capability is the dimension most frequently underweighted by boards and appointing executives when assessing candidates.
A candidate who has had a distinguished career in financial services may not be competent for a specific SMF function at a specific firm if their experience does not match the regulatory framework applicable to that firm’s activities. A proposed SMF16 compliance officer whose entire career has been in retail banking is likely to face FCA questions about their competence for the role at a wholesale investment manager, regardless of the overall quality of their track record. The FCA’s assessment is specific, not generic — it is asking whether this individual can perform this function at this firm, not whether they have had a successful career in financial services generally.
Boards making senior appointments at regulated firms should apply the same specificity in their assessment. Evaluating candidates against the specific SMF function’s requirements and the specific regulatory framework of the firm — not just against the candidate’s general seniority and experience — is the standard the FCA expects the firm to have applied before submitting the Form A application.
Regulatory References: The Obligation Boards Must Own
The regulatory references obligation under SYSC 22 requires firms to obtain references from all former FCA-regulated employers of proposed SMF holders before making the appointment, and to take those references into account in the fit and proper assessment. The references must cover the preceding five years and must disclose specific categories of adverse information, including fitness and propriety findings, disciplinary actions and Conduct Rule breaches.
In practice, regulatory references are one of the most consistently mismanaged elements of the executive appointment process at regulated firms. Reference requests are initiated too late — sometimes after the Form A has already been submitted — creating a bottleneck that extends the FCA approval timeline. Reference responses that contain adverse information are sometimes not followed up adequately, or are treated as HR matters rather than regulatory compliance matters requiring structured assessment. And the obligation to update references after an individual has left the firm — where new adverse information comes to light after the reference was provided — is frequently not implemented at all.
Consumer Duty: The Board’s Role
For regulated firms serving retail customers, the Consumer Duty creates a board-level governance obligation that goes beyond what previous regulatory frameworks required. The annual Consumer Duty board report — a formal board-level assessment of whether the firm is delivering good outcomes for retail customers across all four outcome areas — is a prescribed governance obligation that must be owned by the board, not delegated to the compliance function as a reporting exercise.
Boards that receive a Consumer Duty report containing genuine outcome data — showing actual customer results against each of the four outcomes, identifying gaps, and setting out the remedial actions the board has directed — are discharging their governance obligation. Boards that receive a Consumer Duty attestation document produced by the compliance team and noted rather than genuinely reviewed are not. The FCA’s supervisory approach to Consumer Duty in 2026 is increasingly focused on the quality of board governance of the obligation, not just on the firm’s technical compliance with the underlying rules.
The Senior Manager Conduct Rules: Personal Obligations
The Senior Manager Conduct Rules apply to all SMF holders in addition to the Individual Conduct Rules that apply to all regulated firm employees. The four Senior Manager Conduct Rules create specific obligations: to take reasonable steps to ensure the business of the firm is controlled effectively; to ensure the business complies with applicable regulatory requirements; to oversee delegated responsibilities effectively; and to disclose to the FCA anything it would reasonably expect notice of.
What adequate reasonable steps look like in practice has been clarified through a series of FCA enforcement decisions. The consistent finding is that passive oversight is insufficient. A senior manager who receives management information, does not challenge it, does not follow up on concerns raised, and does not maintain documentation of their oversight activities has not taken adequate reasonable steps regardless of the quality of the firm’s overall governance framework. The FCA’s enforcement approach makes clear that the personal accountability the SMCR creates is real, and that individuals cannot rely on the firm’s compliance infrastructure as a substitute for their own active governance role.
The Three Lines of Defence: Board Oversight of the Control Framework
The three lines of defence model provides the governance framework through which regulated firms organise their risk management and control functions. For boards and audit committees, understanding how the three lines operate in their firm — and whether the second and third lines have the genuine independence and resource to provide meaningful challenge to the first — is an essential governance competency.
The FCA’s consistent finding in supervisory reviews is that the three lines model is widely adopted in name but inconsistently implemented. Compliance functions that lack the independence to challenge business decisions, internal audit functions resourced from management rather than independently, and risk functions whose findings are routinely overridden without board oversight all represent failures of the model that the FCA will identify and pursue. Boards that do not actively assess the adequacy and independence of their second and third lines are not discharging their governance obligations under SYSC 4.
Placing Senior Executives at FCA-Regulated Firms
At Exec Capital, we work exclusively with boards of directors, nomination committees and chief executives to recruit senior leadership into the most demanding executive and non-executive roles in UK financial services. Our mandates regularly include SMF1 CEOs, SMF9 Chairs, Chief Risk Officers, Chief Compliance Officers and Non-Executive Directors at FCA-regulated banks, investment managers, wealth managers, payment institutions and insurance firms.
Our sister practice, FD Capital Recruitment Ltd, maintains an extensive regulatory knowledge centre covering the full range of FCA compliance obligations. Its guides on the FCA regulatory framework, compliance and SMF recruitment and specialist compliance recruitment are among the most comprehensive free resources available for regulated firms navigating these obligations.
About the author: Adrian Lawrence FCA is the founder of Exec Capital and FD Capital Recruitment Ltd, ICAEW Registered Practices (Co. No. 15037964 / 13329383) specialising in executive search and the placement of compliance professionals at FCA-regulated financial services firms. Adrian holds an ICAEW practising certificate as a Fellow Chartered Accountant and is verified at find.icaew.com.

Adrian Lawrence FCA is the founder of Exec Capital. He is a Chartered Accountant and holds an ICAEW practising certificate in his own name. With over 25 years’ experience operating at C-suite level, Adrian brings direct executive experience to senior search. His background spans private equity-backed businesses, owner-managed companies, and listed environments, giving Exec Capital a practitioner’s understanding of what leadership hires actually require.


