Skip to content
ConductLog

FCA Certification Regime: Annual Renewal Step-by-Step for Small Firms

The Certification Regime is the part of SMCR that comes round every year. Unlike Senior Manager approvals — which the FCA grants once and you only revisit on change — certification is a recurring obligation: every certified person has to be re-assessed and re-certified as fit and proper at least once every 12 months, by the firm itself. Miss the cycle and you have certified staff performing roles they are no longer validly certified for.

This guide covers how the annual renewal works at a small firm: who needs certifying, what the 12-month cycle requires, what evidence to gather, and a step-by-step process you can run each year. It is written for compliance officers and principals at IFAs, mortgage brokers, insurance brokers, and small wealth managers with 1–50 staff.

For the foundational view of the three SMCR tiers, our SMCR plain-English guide is the pillar. For the fitness-and-propriety criteria themselves, see our FCA fitness and propriety guide.

What is the Certification Regime?

The Certification Regime requires a firm to identify employees performing Significant Harm Functions — roles that could cause significant harm to the firm or its customers — assess whether each is fit and proper, and issue them a certificate confirming it. The regime sits in SYSC 27 of the FCA Handbook, with the certification functions defined in SYSC 27.8.

The crucial difference from the Senior Managers Regime: the FCA does not pre-approve certified staff. The firm issues the certificate, and the firm carries the responsibility for getting the assessment right. The FCA can ask to see the assessment evidence at any time.

Who needs certifying at a small firm?

Certification applies to staff in certification functions — Significant Harm Functions. At a typical small advice firm, the certified population usually includes:

  • Advisers giving regulated advice (the CASS-aside core of most small firms).
  • Discretionary investment managers, where the firm runs discretionary portfolios.
  • Anyone supervising or managing a certified person who is not themselves a Senior Manager.
  • Material risk takers, where the firm's remuneration rules bring them into scope.

It does not apply to Senior Managers (they are in the Senior Managers Regime, not the Certification Regime) or to ancillary staff outside the Significant Harm Functions. At a small firm the certified population is often just 2–6 people — but each individual assessment is as thorough as at a large firm.

Use the COCON Self-Assessment to confirm who at the firm is a Senior Manager, who is certified, and who is conduct rules staff — the classifications drive who needs certifying.

The 12-month certification cycle

A fit-and-proper certificate is valid for a maximum of 12 months. That single fact drives the whole renewal cycle: every certified person must be re-assessed and re-certified at least annually. Most small firms align the certification cycle with a fixed point in the year — commonly year-end or the period after performance and bonus decisions, so that any conduct or performance concerns from the year are captured before the certificate is reissued.

There is no FCA-mandated calendar date. What matters is that no certificate lapses beyond 12 months and that the firm can show a documented assessment behind each one.

What does the fitness-and-propriety assessment cover?

The assessment draws on the FCA's fit-and-proper criteria in the FIT sourcebook, across three areas:

  1. Honesty, integrity and reputation — including any disciplinary findings, conduct rule breaches, complaints, or adverse regulatory history.
  2. Competence and capability — qualifications, ongoing competence (CPD), and demonstrated ability to perform the role.
  3. Financial soundness — relevant where the role and the criteria make it so.

For the detailed criteria and how non-financial misconduct now feeds into F&P assessments, see our FCA fitness and propriety guide, and our F&P Assessment Worksheet provides a structured template.

Criminal record checks and regulatory references — the precision points

Two requirements get muddled at small firms:

Criminal record (DBS) checks are a requirement for Senior Managers (and, for most firms, non-executive directors) — they are part of the approval and ongoing assessment of SMF holders. They are not a general annual requirement for certification staff. Firms sometimes over-apply criminal record checks to certified staff; check the actual requirement for the role before running one.

Regulatory references under SYSC 22 apply when a firm is appointing someone to a certification (or Senior Manager) function — the firm must request references covering the previous six years from past employers. This is an appointment-time requirement, not an annual-renewal one, but it is part of the F&P picture and the renewal should confirm that any reference-disclosed issues have been addressed.

Step-by-step: running the annual renewal

A workable annual process at a small firm:

  1. List the certified population. Confirm everyone currently in a certification function and the date each certificate was last issued.
  2. Flag anything due. Identify any certificate approaching 12 months — these are the priority for re-assessment.
  3. Gather the evidence per person. Conduct record (any breaches, complaints, disciplinary action), CPD and competence record, any F&P-relevant disclosures, and confirmation that prior reference issues are resolved.
  4. Assess against FIT. Work through honesty/integrity, competence/capability, and (where relevant) financial soundness using a consistent template.
  5. Decide and certify. If fit and proper, issue the certificate (valid up to 12 months). If not, the person cannot continue performing the certification function — handle as a fitness issue, not a paperwork delay.
  6. Record. Keep the assessment, evidence, and certificate. The FCA can ask to see them.
  7. Feed into REP008 where relevant. Any conduct rule breach by a certified person that led to disciplinary action feeds the firm's annual conduct rule breach reporting.

How PS25/23 affects the renewal from September 2026

From 1 September 2026, the expanded scope on non-financial misconduct (bullying, harassment, and violence) becomes part of the conduct picture that feeds fitness-and-propriety assessments. Firms running their renewal cycle from September 2026 onward should make sure their F&P process explicitly considers NFM in the honesty/integrity assessment. Our PS25/23 compliance checklist covers the wider readiness programme, and the PS25/23 Readiness Scorecard helps gauge where the firm stands.

Common certification-renewal mistakes at small firms

1. Letting a certificate lapse. A certificate is valid for a maximum of 12 months. A lapsed certificate means someone is performing a certification function without valid certification.

2. Treating renewal as a formality. Re-certifying without a real assessment behind it defeats the purpose and leaves the firm exposed if a concern surfaces later.

3. Over-applying criminal record checks. DBS checks are for Senior Managers and NEDs, not a general annual requirement for certified staff.

4. Not capturing NFM from September 2026. Once PS25/23 is in force, an F&P assessment that ignores non-financial misconduct is incomplete.

Where to start

  1. List the certified population and last-certification dates.
  2. Set a fixed annual cycle (often year-end or post-bonus) so nothing lapses beyond 12 months.
  3. Run each assessment against the FIT criteria using a consistent template — our F&P Assessment Worksheet provides one.
  4. From September 2026, build NFM explicitly into the honesty/integrity assessment.

ConductLog is building tooling to track certification cycles, F&P evidence, and conduct records together at a small firm — so a certificate never lapses unnoticed and the evidence is ready when the FCA asks. Join the waitlist to hear when it launches.

References

This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 4 June 2026.

Ready to manage conduct rule compliance properly?

ConductLog gives small FCA firms a structured investigation workflow with built-in COCON rule mapping. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy.

Related guides

FCA Conduct Rule Breach Reporting: REP008, SUP 15 and When Each Applies

How FCA conduct rule breach reporting works at a small firm — REP008 for conduct rules and certified staff, the separate route for Senior Managers, the annual deadline, and what counts as a notifiable breach.

FCA Prescribed Responsibilities: The Core-Firm List and How to Allocate Them

The FCA prescribed responsibilities that apply to Core solo-regulated firms, what each one means, who to allocate them to, and how the small-firm carve-outs work under SYSC 24.

FCA Statement of Responsibilities: Worked Examples for Small Regulated Firms

What an FCA Statement of Responsibilities has to contain, how to draft one at a small solo-regulated firm, when to resubmit it, and a worked example for a sole principal holding multiple SMFs.