SMCR Compliance for Small Firms: What You Actually Need

SMCR compliance at a small firm is not a smaller version of SMCR compliance at a bank. The Senior Managers and Certification Regime applies to almost every FCA-regulated firm in the UK, but the operational reality at a 5-person IFA is fundamentally different from the operational reality at HSBC. The regime is designed to scale down — what changes is the volume of formal documentation and the number of designated roles, not the underlying obligations.

This guide unpacks what SMCR compliance actually requires of small firms (1–50 staff): which obligations are non-negotiable, which scale down materially at small-firm size, what compliance work looks like in practice through a typical year, and how the PS25/23 changes feed into the ongoing programme from 1 September 2026.

For the foundational explainer of SMCR's three tiers and how the regime works in concept, our SMCR plain-English guide is the pillar. For the day-to-day individual rules, see our COCON conduct rules guide.

What does SMCR mean for small firms?

For a typical small solo-regulated firm — an IFA, mortgage broker, insurance broker, or small wealth manager — SMCR compliance breaks into five working areas:

  1. Senior management functions (SMFs) — designated individuals with personal accountability for specific parts of the firm's business
  2. Certification — annual fitness-and-propriety assessment for staff in certification roles
  3. Conduct rules — six individual rules + four senior rules + the new PS25/23 NFM scope
  4. Statements of responsibilities and the management responsibilities map — written documentation of who is accountable for what
  5. Reporting and notification — REP008 annual returns, SUP 15.3 notifications, FCA Directory updates, Form A/C submissions

Most small firms are in the Core SMCR category (the FCA's middle tier — see SMCR for solo-regulated firms for category criteria). Limited Scope firms have a slimmer regime; Enhanced firms have additional obligations. Almost no small firms are Enhanced — the threshold is set for larger or more complex businesses.

SMCR requirements: what's non-negotiable at any size

Some obligations apply identically whether you have 5 staff or 5,000. Skipping them is not a small-firm exemption — it is a compliance failure.

1. SMF appointments via FCA approval. Every Core firm must have specific SMFs in place (typically SMF1, SMF3 where applicable, SMF9 if a board chair exists, SMF16 compliance oversight, SMF17 MLRO). SMF appointments require pre-approval via Form A under SUP 10C. Departures need Form C within 7 business days.

2. Statement of Responsibilities (SoR) for every SMF. Each SMF holder must have a written, signed Statement of Responsibilities setting out what they are accountable for. The SoR is provided to the FCA on appointment and updated whenever responsibilities change.

3. Annual F&P assessment for SMFs and certified staff. No exemption for small firms. The firm — not the FCA — issues the F&P certificate; the FCA can ask to see the assessment evidence at any time. Our F&P guide walks through the criteria and our F&P Assessment Worksheet provides the template.

4. Conduct rules training and attestation for all conduct rules staff. Initial training on joining + annual refreshers + trigger-based training when rules change materially. PS25/23 is itself a trigger event.

5. Conduct rule breach reporting via REP008. For most solo-regulated firms this runs on a fixed cycle: the reporting period is 1 September to 31 August, and where there is something to report, REP008 is due via RegData by 31 October. (Limited-permission consumer credit firms instead report on their own accounting-reference-date cycle.) The return covers conduct rule breaches by conduct rules and certified staff. Note: the FCA removed the nil-return requirement for reporting periods ending on or after 31 August 2025, so a firm with nothing to report no longer files anything — but it must still run the assessment. See our conduct rule breach reporting guide for the full routing, including the separate Connect route for Senior Manager breaches.

6. SUP 15.3 notification for material conduct issues. Triggered events, not annual. Required where the issue is material and ongoing — don't wait for REP008.

7. FCA Directory updates. When a certified individual's details change — appointment, departure, role change — the firm must update the FCA Directory within 7 business days.

SMCR responsibilities: what scales down at small-firm size

The mechanics that scale down for small firms are about volume, not about removing obligations. Specifically:

Management responsibilities map — for Core firms with simple structures (e.g., a sole principal who holds multiple SMFs), the "map" can be a one-page document. For Enhanced firms it is a multi-page artefact with cross-references. The obligation is the same; the artefact's complexity matches the firm's complexity.

Number of SMFs — many SMF codes exist for functions that simply don't appear at a 5-person firm (Chief Operations, Head of Internal Audit, etc.). Core small firms typically need only SMF1 + SMF16 + SMF17, with SMF9 if there is a designated board chair. Limited Scope firms need even fewer.

Reporting volume — REP008 scales with what's happening at the firm, not with firm size. A firm with one reportable breach files a return for that breach; a firm with none (for periods ending on or after 31 August 2025) files nothing, since the nil return is no longer required. Either way the firm runs the same annual assessment.

Certification population — at a small firm the certified population is small (often 2–6 people: the advisers and discretionary managers). The annual F&P cycle is correspondingly compact, but each individual assessment is just as thorough as at a larger firm.

Whistleblowing infrastructure — the binding SYSC 18.3 internal-arrangements rules and the "whistleblowers' champion" requirement apply to a defined set of larger firms — UK deposit-takers (banks, building societies, credit unions) above a size threshold, PRA-designated investment firms, and insurers within scope of Solvency II. A typical small solo-regulated firm (IFA, mortgage or insurance broker) sits outside that mandatory scope: for these firms SYSC 18 operates as FCA guidance encouraging proportionate whistleblowing arrangements rather than as binding rules. Separately, every firm has obligations under the Public Interest Disclosure Act not to victimise a worker who makes a protected disclosure, and the FCA treats detriment to a whistleblower as relevant to a firm's fitness and propriety. Confirm your firm's exact category before relying on any exemption. See our whistleblowing vs NFM guide for the channel distinctions.

A typical SMCR compliance year at a small firm

What does the work actually look like across 12 months? At a small firm, the cycle generally goes:

March–April:

  • F&P assessments for SMFs and certified staff (annual cycle, often aligned to year-end + post-bonus-decision timing)
  • Conduct rules training refresher (annual, often timed to coincide with F&P)
  • Compliance manual review

September–October:

  • Compile REP008 from the conduct rule breach register for the 1 September–31 August reporting period
  • Assess the period's conduct rules and certified staff breaches; submit REP008 via RegData by 31 October if there is anything to report (no nil return needed for periods ending on or after 31 August 2025). (Senior Manager breaches are reported separately via Connect, as they happen — see our breach reporting guide.)

Ongoing through the year:

  • Monthly review of the conduct rule breach register by the SMF16
  • Form A / Form C submissions as people are appointed or leave
  • FCA Directory updates within 7 business days of role changes
  • SUP 15.3 notifications when material conduct issues arise

Trigger events:

  • Rule changes (PS25/23 is the current major one — train + update policies)
  • Enforcement actions in peer firms (review whether the firm has the same exposure)
  • Significant complaints or conduct concerns (investigation cycle launches)

The skeleton above scales naturally — a 5-person IFA might spend 4–8 hours/month on SMCR maintenance; a 50-person firm might spend 4–8 hours/week. The activities are the same; the volume scales with the firm.

How PS25/23 changes the small-firm SMCR cycle from September 2026

PS25/23, effective 1 September 2026, extends the existing SMCR conduct rule scope to make serious non-financial misconduct (NFM) explicitly within scope. The detail is in our PS25/23 deadline guide; for the SMCR cycle specifically, three things change:

  1. The conduct rule breach register now needs to capture NFM evidence — bullying, harassment, discrimination, sexual misconduct — alongside the financial conduct issues it previously focused on.

  2. The annual F&P assessment now needs to look at NFM evidence alongside the traditional skill / qualifications / customer-feedback evidence. A substantiated harassment finding against a certified individual has to feed the F&P decision; it cannot be filtered out as "an HR matter only".

  3. Conduct rules training needs a PS25/23-specific module (initially as a trigger refresher in 2026; thereafter as a standard part of annual training) covering the new scope and the firm's investigation channels.

For a month-by-month implementation plan against the September 2026 deadline, our PS25/23 compliance checklist gives the structured countdown.

SMCR compliance software for small firms — is it worth it?

The honest answer for many small firms is: not yet. The records SMCR requires — F&P assessments, conduct rule breach register, training attestations, Statements of Responsibilities, Form A/C copies — can be kept in spreadsheets, a shared drive, and a documented compliance manual. That's how most small firms have done SMCR since 2019 when the regime came in.

Software starts to make sense when:

  • The firm has 15+ certified staff (the F&P assessment cycle becomes time-consuming)
  • The firm has multiple offices or hybrid working making physical document management slow
  • An audit or supervision interaction reveals gaps that better evidence trails would close
  • The firm is preparing for an acquisition or due diligence event and needs everything reachable in one place

For the buyer's checklist on what to look for, see our SMCR compliance software guide.

Common mistakes small firms make on SMCR compliance

1. Treating the Statement of Responsibilities as a one-time setup task. It needs updating whenever the SMF's responsibilities change. A 2019 SoR that hasn't been touched is unlikely to reflect the firm's actual operating reality in 2026.

2. Skipping the annual conduct rules refresher. Initial training is not enough. The annual refresher is part of the firm's demonstration that staff understand the conduct rules — without it, the firm cannot easily evidence that breaches were "trained against".

3. Missing a reportable REP008. Where the firm has taken disciplinary action for a conduct rule breach, REP008 must be filed by 31 October. (For periods ending on or after 31 August 2025 there is no nil-return obligation when there is nothing to report — but the firm must still run the assessment to know which case applies.)

4. Not updating the Directory promptly. The 7-business-day window is short. Diary-mark it as part of leaver/joiner processes.

5. Confusing the Duty of Responsibility with day-to-day SMCR. The Duty of Responsibility (set out in section 66B FSMA via SMCR) is the statutory power the FCA uses to take action against individual SMFs when a regulatory breach occurs in their area of accountability. It is not a separate compliance workstream — it sits behind everything an SMF does.

6. Assuming PS25/23 is "just an HR matter". Post-1 September 2026 this is not defensible. NFM evidence feeds the conduct-rule and F&P workflow; the SMF16 owns it, not HR alone.

What to do next

If you are reviewing your firm's SMCR compliance:

  1. Use the COCON Self-Assessment to confirm staff are correctly classified (SMF / certified / conduct rules staff / excluded).
  2. Use the F&P Decision Tree to check your assessment logic against worked examples.
  3. Use the PS25/23 Readiness Pack for the underlying policy templates.
  4. Use our PS25/23 compliance checklist for the September 2026 implementation timeline.
  5. Schedule a focused 90-minute board (or principal-level) review against the five SMCR working areas listed at the top of this guide — agree owners, dates, and any escalation routes.

SMCR is a continuous obligation, not a one-time project. Small firms that build a stable annual rhythm — F&P in March, conduct rules training in April, the REP008 assessment around the 31 August period-end (filing by 31 October if anything is reportable), monthly register reviews — find the work bounded and predictable. Firms that don't build the rhythm find every supervision interaction surprises them.

This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 4 June 2026.
