SMCR for Crypto Firm Boards: What Authorisation Means for Directors and Leadership Teams

When the FSMA cryptoasset regime starts — expected 25 October 2027, with applications from 30 September 2026 — UK crypto firms come within the Senior Managers and Certification Regime for the first time. An entire sector must build boards and leadership structures the FCA will approve: SMF1 chief executives, SMF3 executive directors, prescribed responsibilities, Statements of Responsibilities and personal accountability throughout. This guide explains what SMCR asks of a crypto firm’s board, how to build the governance an authorisation application needs, and how to sequence the appointments.

Something without precedent in UK financial services is about to happen: an entire sector will enter the Senior Managers and Certification Regime at once. When banking came within SMCR in 2016, and the rest of the regulated population in 2019, those firms already lived under approved persons regimes and had governance built for supervision. Cryptoasset firms do not. Registration under the Money Laundering Regulations — the regime the sector has known since 2020 — creates no approved persons, no board-level accountability framework and no conduct rules. The FCA assesses the MLRO’s fitness at registration, and nothing else about the leadership team.

Authorisation under FSMA changes every part of that at once. From the regime start, a crypto firm’s chief executive holds office by individual FCA approval; its executive directors carry personal regulatory accountability; its board composition is assessed as part of the authorisation application; and the duty of responsibility means a senior manager can face personal enforcement where a breach occurs in their area and they failed to take reasonable steps. For founders and boards, SMCR is not a compliance workstream to delegate — it is a redesign of who leads the firm, on what terms, and with what personal exposure. This guide covers the regime from the board’s perspective.

SMCR in outline — read from the boardroom

The Senior Managers and Certification Regime has three layers, each landing differently at board level.

The Senior Managers Regime

Individuals performing designated Senior Management Functions must be approved by the FCA before taking up the role. For a typical authorised cryptoasset firm the core set will be SMF1 (Chief Executive), SMF3 (Executive Director), SMF16 (Compliance Oversight) and SMF17 (Money Laundering Reporting Officer), with larger or more complex firms adding others as the final rules and the firm’s structure dictate. Each approved individual has a Statement of Responsibilities — a regulatory document recording exactly what they are personally accountable for — and firms of sufficient scale maintain a management responsibilities map showing how the pieces fit together with no gaps and no overlaps. The board-level significance: allocating responsibilities is a governance design exercise the board itself must own, because the allocation determines who answers personally when something fails.

The Certification Regime

Below SMF level, staff whose roles could cause significant harm — in crypto firms, senior financial crime staff, key custody and treasury personnel, material risk takers — must be certified as fit and proper by the firm itself, at least annually. The FCA does not approve these individuals; the firm does, and the board owns the machinery that makes those certifications defensible.

The Conduct Rules

Enforceable standards of personal behaviour applying to almost all staff — acting with integrity, with due skill care and diligence, being open with the regulator — with additional rules for senior managers, including taking reasonable steps to ensure the business of the firm for which they are responsible is controlled effectively and complies with the regulatory system. Breaches are individually enforceable and reportable, which changes disciplinary processes, employment contracts and the firm’s notification obligations in ways boards must understand before the first incident, not after.

The duty of responsibility: the clause that changes board behaviour

One provision deserves its own section because it reshapes how directors of crypto firms should think about their roles. Under the duty of responsibility, where a firm breaches a regulatory requirement, the FCA can take action against the senior manager responsible for the area in which the breach occurred — unless the manager can show they took reasonable steps to prevent it. The burden of demonstrating reasonable steps sits, in practice, on the evidence the manager can point to: board and committee minutes recording challenge, documented escalations, resourcing decisions, management information actually reviewed, and actions taken when warnings surfaced.

For crypto executives this is a cultural inversion. The sector’s operating style — fast, informal, decision-making in chat channels, documentation as an afterthought — is precisely the style that leaves a senior manager unable to evidence reasonable steps when the FCA comes asking. The boards that adapt well institute the disciplines early: minuted decisions with recorded dissent, a management information pack the board genuinely interrogates, and escalation paths that leave a trail. The boards that adapt badly discover the gap during their first supervisory incident, when it is too late to backfill the record. Candidates for senior roles at crypto firms increasingly ask about exactly these disciplines before accepting — because the quality of the firm’s governance record is now part of their personal risk assessment.

What the FCA reads in a board: the authorisation lens

The authorisation application — covered end to end in FD Capital’s cryptoasset FSMA authorisation guide — assesses the firm against threshold conditions that include suitability and effective supervision, and the board is where case officers look first. Four questions run through the assessment.

Does the board collectively understand the business it governs? The FCA expects directors who can speak to the firm’s regulated activities, its risk profile and its financial position — not a decorative board around a founder who holds everything. In crypto this cuts both ways: boards need digital asset fluency and regulated-market judgment, and a board holding only one of the two reads as unbalanced.

Is there genuine independent challenge? Venture-stage crypto boards are typically founders plus investor directors — every seat holding equity, no seat independent. Authorisation-stage firms add independent non-executive directors precisely to answer this question, and the FCA reads the presence, calibre and evident engagement of INEDs as a signal of how seriously the firm takes governance. Our companion guide to independent directors and governance for crypto firms covers the appointment in detail.

Are accountabilities clear and credible? The Statements of Responsibilities and the responsibilities map are tested against reality: does the person named for a responsibility actually control it, with the resources and authority to discharge it? Founder-heavy structures where one individual notionally holds everything, and diffuse structures where accountability falls between seats, both attract requisitions.

Do the individuals survive assessment? Every SMF candidate is assessed for fitness and propriety — honesty, integrity and reputation; competence and capability; financial soundness — with regulatory references covering six years, and interviews where the FCA considers them warranted, which for a first-time sector it frequently will. A single weak SMF candidacy delays the whole application; the FCA’s warnings about mid-application changes to key individuals apply at board level with full force.

Building the authorisation-ready board: a sequencing playbook

From our mandate work with firms approaching regulated gateways, the board build that works runs in a deliberate order — and starts twelve to eighteen months before intended submission.

Step one: the honest audit. Map the current board and executive team against the SMF set the firm will need and the four questions above. The output is usually uncomfortable and always useful: which incumbents are approvable in which functions, where the gaps are, and — the hardest conversation — whether the founder stands for SMF1 or the firm hires a chief executive. Our guide to the CEO of a cryptoasset firm treats that decision in full.

Step two: the chair and first independents. Independent appointments come early because they compound: a credible chair strengthens every subsequent hire, from CEO candidates who want to know who they answer to, through to the FCA’s read of the application. Crypto firms typically appoint a chair plus one or two INEDs with regulated financial services depth — payments, banking, market infrastructure — balancing the founder and investor seats.

Step three: the executive spine. The SMF1 question resolved, then the SMF3 executive directors, then the control functions — SMF16/17, typically recruited through our sister brand’s cryptoasset compliance practice — with each appointment made early enough for the individual to shape the application they will defend. Senior hires at this level take three to six months from brief to start; against a 30 September 2026 gateway, the arithmetic is unforgiving.

Step four: the machinery. Statements of Responsibilities drafted and stress-tested against reality; the responsibilities map assembled; board and committee structures (audit and risk at minimum for firms of scale) constituted and actually meeting; the certification population mapped; conduct rules training delivered; and the governance record — minutes, MI, escalations — accumulating the evidence the duty of responsibility will one day ask for.

The committee structure the FCA expects

Board committees are where governance stops being an org chart and becomes a working system, and applications are read accordingly. Proportionality applies — the FCA does not expect a ten-person firm to run a listed-company committee suite — but by authorisation-stage scale, three structures have become the working norm across our regulated-sector mandates.

Audit committee. Chaired by an independent director with genuine financial reporting depth — almost always a qualified accountant — owning the external audit relationship, the integrity of financial statements built on still-unsettled digital asset accounting policies, and the internal control attestations the application asserts. At custody businesses and issuers the committee also owns the assurance over on-chain asset existence and, for issuers, reserve verification: novel work that defines the calibre of chair required.

Risk committee. Owning the risk appetite statement the application presents, the management information that evidences it is monitored, and the escalation record that senior managers’ reasonable-steps defences will one day rest on. In crypto firms the committee’s agenda spans market, liquidity, operational, technology and financial crime risk — with the last typically receiving a standing deep-dive given the sector’s supervisory profile. Smaller firms legitimately combine audit and risk into one committee at the outset, splitting as scale arrives.

Remuneration and nomination arrangements. Lighter-touch at this scale, but the FCA’s interest in incentive structures — do reward arrangements encourage the conduct the application promises? — means even young firms benefit from documented remuneration governance, and the nomination discipline of a skills matrix and succession view strengthens both the application and the board’s own build-out.

Two practical points from mandate experience. Committees need independent chairs to function as intended — an audit committee chaired by the CFO’s closest board ally defeats its purpose, and case officers notice. And committees need to have actually met before the application is assessed: a committee structure constituted the month before submission, with no minutes behind it, reads as scenery. Constitute early, meet properly, and let the record accumulate.

A twelve-month board build: the working calendar

For a firm targeting an early slot after the 30 September 2026 gateway opens, the board workstream back-solves into a calendar that looks like this.

Months one to three: audit and design. The honest audit of the current board against the SMF set and the FCA’s four questions; the founder/SMF1 decision taken in principle; the target board design agreed — functions, committee structure, independence balance — and the chair search launched. The chair comes first because everything downstream recruits better once that seat is filled.

Months three to six: the cornerstone appointments. Chair appointed; CEO question resolved (founder confirmed and development plan started, or external search concluding); first INED search running against the skills matrix; SMF16/17 searches — through the compliance tier — at offer stage, because those individuals must shape the application from here.

Months six to nine: the machinery. Statements of Responsibilities drafted and stress-tested; responsibilities map assembled; committees constituted and holding their first cycles; conduct rules training delivered to the board itself; the governance record — minutes, MI packs, escalation logs — accumulating. Second INED lands where the design calls for one.

Months nine to twelve: rehearsal and submission. The board walks the application as a governing body — every director able to speak to the business model, the risk profile and their own accountability; SMF candidates through mock interviews; regulatory references gathered; the application filed with a governance chapter describing a board that demonstrably exists rather than one promised for later.

The calendar’s uncomfortable arithmetic: with executive and chair searches running three to six months each including notice periods, a firm intending to file in the first application window needed to start by mid-2026 — and a firm starting today should sequence ruthlessly, chair and control functions first, because those are the appointments the rest of the build compounds from.

The people market: what the SMCR transition does to hiring

The demand shock is straightforward: every authorised crypto firm needs an approvable SMF1, approvable executive directors and credible independents, all at once, all against the same deadline. The supply is not: executives holding both digital asset credibility and FCA approval history are scarce, and the sector is competing for them with payments and fintech firms that can offer lower personal risk. Three market effects follow, all visible in our current mandates. Compensation at the approvable end has stepped up — authorisation-stage CEO packages typically £180,000–£300,000 plus meaningful equity, executive directors £150,000–£250,000, with personal accountability explicitly priced in through indemnities and enhanced directors’ and officers’ cover. Candidates conduct reverse due diligence — on the firm’s supervisory history, its governance record and its SMF16/17 bench — before accepting, because their own approval and enforcement exposure depends on it. And regulated-sector executives from payments, e-money and banking are entering crypto in numbers for the first time, because SMCR makes the sector legible to them: the accountability framework they know, applied to a new asset class.

The investor dimension: why the cap table now wants what the regulator wants

A quieter force is pushing the same board build the FCA requires: the sector’s capital providers. As institutional money replaces retail-era venture funding at the top of the crypto market, term sheets increasingly carry governance conditions that read like a summary of this guide — independent directors within a defined period, constituted audit and risk committees, an approvable chief executive, and a compliance bench the investor’s own diligence has assessed. The logic is straightforward: for an investor, authorisation is the asset. A firm that fails the gateway, or limps through it a year behind competitors, has impaired the investment regardless of product quality, so board readiness is priced into every round the sector raises this year. The practical effect for founders is that the SMCR board build is no longer a regulatory tax to be minimised but a fundraising asset to be evidenced — and the firms that grasped this early are now recruiting from a position of strength, presenting candidates with a governed business rather than asking them to bet on a promise. Boards planning a raise alongside authorisation preparation should sequence accordingly: the governance milestones investors ask for are the same ones the application needs, and hitting them once serves both audiences.

Frequently asked questions

When do SMCR obligations actually bite for crypto firms?

With authorisation. Applications open 30 September 2026, SMF candidates are named and assessed within the application, and the regime — expected to start 25 October 2027 — brings the full framework into force for authorised firms. Registered-only firms carry no SMCR obligations before then, but the individuals must be identified, hired and shaping the application long before submission.

Do investor directors need FCA approval?

It depends on function, not title. A director exercising executive functions falls within SMF3; non-executive investor directors are generally outside the approval requirement unless holding a designated function — though conduct rules and the FCA’s collective read of board suitability still apply. Structure determines the answer, which is one reason the responsibilities mapping exercise belongs at board level.

Can one person hold multiple SMFs?

Yes, where the FCA accepts they have capacity and competence for each — combined SMF16/17 is common at smaller firms, and small-firm CEOs sometimes hold additional functions. The limits are practical: each combination concentrates accountability, and the FCA probes capacity directly at interview.

What happens to our existing board when we apply?

Every continuing director is considered within the application — executives through SMF approval, the board collectively through the suitability and effective-supervision conditions. Directors who would not survive assessment are better addressed before submission than discovered within it; this is the audit at step one, and it is the part firms most often need an outside view on.

Is SMCR really enforced against individuals?

Yes. The FCA has fined and banned senior managers across the regulated sector for governance and oversight failures, and financial crime weaknesses — the crypto sector’s highest-risk area — feature prominently in individual enforcement. The regime’s purpose is precisely that accountability cannot be diffused into the corporate entity.

How do we handle SMCR in an acquisition or investment round mid-application?

Carefully and early. A change of control during an authorisation application triggers its own FCA notification and assessment, new controllers are examined for suitability, and any resulting board changes reopen the SMF assessments — all of which can add months. Firms anticipating a raise or sale alongside the gateway should sequence the two processes deliberately with advisers, and brief incoming investors that the governance conditions in this guide are part of what they are buying. The worst version, which we have seen, is a surprise board reshuffle landing mid-requisition; the FCA’s warnings about changing key individuals during applications apply to investor-driven changes just as much as resignations.

Related guides and services

External resources

About the Founder — Adrian Lawrence FCA

Adrian Lawrence is a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW FCA verified) and the founder of Exec Capital. He has placed CEOs, executive directors, chairs and board members with UK businesses since 2018, and leads all regulated-sector board mandates personally given the personal accountability the appointments carry under SMCR.

Exec Capital is registered at Companies House (no. 15037964) and operated alongside Adrian’s ICAEW-registered practice. Speak to Adrian: 020 3834 9616 · recruitment@execcapital.co.uk

Building an authorisation-ready board? Call Exec Capital on 020 3834 9616 or email recruitment@execcapital.co.uk to map your board build against the 30 September 2026 gateway.