SMCR Compliance Software for Small Firms: What to Look For
Most SMCR compliance software is built for banks and large insurers with hundreds of employees and six-figure compliance budgets. If you run a small FCA-regulated firm — an IFA, mortgage broker, or insurance broker with 1–50 staff — the enterprise platforms are wrong for your firm in both scope and price.
This guide helps you evaluate what your firm actually needs in SMCR compliance software, particularly with the PS25/23 non-financial misconduct deadline arriving on 1 September 2026.
Why small firms need different software
Enterprise SMCR platforms are designed for firms with 500+ employees, dedicated compliance teams of 10–20 people, and budgets of thousands per month. They include modules for role mapping, responsibilities allocation, regulatory reference management, gift and hospitality tracking, personal account dealing, and dozens of other features.
A 5-person IFA does not need any of that.
What a small firm needs is specific and focused:
- Conduct rule compliance tracking — record and assess breaches against specific COCON rules
- Investigation case management — handle non-financial misconduct (NFM) allegations with a structured workflow from 1 September 2026
- F&P assessment support — assess whether misconduct findings affect fitness and propriety under FIT 2.2
- Audit-ready documentation — generate records suitable for FCA review
- Annual attestation tracking — manage the certification regime annual process
Everything else is noise for a small firm.
The pricing problem
The SMCR software market has a structural gap. Here is what a small firm faces today:
| Solution type | Typical cost | Designed for | NFM investigation support |
|---|---|---|---|
| Enterprise SMCR platforms | Typically £1,500–£3,000+/year | Banks, large insurers (500+ staff) | Partial — general case tracking, not FCA-specific |
| Horizontal GRC platforms | Typically £2,000–£5,000+/year | Enterprise risk teams | No — broad compliance, not SMCR-specific |
| Template packs from consultancies | Typically £500–£1,000 one-time | Any firm size | No — static documents, no investigation workflow |
| Compliance consultant retainers | Typically £500–£2,000/year | Any firm size | Manual — consultant handles it, but no audit trail |
| Spreadsheets and Word documents | Free | Any firm size | No — no structure, no COCON mapping, no audit trail |
For a firm with 5–20 staff, the enterprise platforms can cost many times more than what the firm would pay for a purpose-built tool. Template packs help with initial policy setup but do not guide you through an actual investigation when an allegation arrives.
Must-have features for small firms
When evaluating SMCR compliance software as a small firm, focus on these features:
1. Structured investigation workflow
The most important feature from September 2026 onwards is a process for handling conduct rule breach allegations — particularly NFM. This means:
- A way to log an allegation (anonymous or named)
- Step-by-step guidance through the investigation process
- Evidence collection and timeline tracking
- A structured COCON rule assessment at the end
If the software treats "case management" as a generic ticketing system without regulatory specificity, it will not help you when an allegation arrives at 4pm on a Friday and you need to know what to do.
2. COCON rule mapping
The software should map investigation findings to specific conduct rules — Rule 1 (integrity), Rule 2 (due skill, care, and diligence), and so on. Generic "breach" or "incident" labels are insufficient. The FCA expects you to identify which specific rule was breached and why.
3. F&P assessment integration
When a conduct rule breach is found, the software should prompt you to assess fitness and propriety impact under FIT 2.2. This is not optional — it is a required step for serious findings. Use our free F&P Decision Tree to understand how this assessment works.
4. Audit-ready report generation
The FCA may ask to see your investigation records during a supervisory visit or thematic review. The software should generate a clear, structured report covering:
- Allegation details
- Investigation steps taken
- Evidence reviewed
- COCON assessment and reasoning
- F&P determination
- Outcome and remedial actions
A well-formatted report demonstrates a robust process. A folder of emails and handwritten notes does not.
5. Annual attestation support
The SMCR certification regime requires firms to certify, at least annually, that certification function holders are fit and proper. The software should track certification dates, store assessment records, and alert you before certifications lapse.
6. Breach reporting data
You need to file REP008 annually with data on conduct rule breaches. The software should collect and structure this data throughout the year, rather than requiring you to compile it from scattered records at reporting time.
Features you probably do not need
Enterprise platforms include features that add cost without adding value for small firms:
- Role mapping and responsibilities allocation — useful at a 500-person bank where responsibilities are complex. At a 5-person IFA, you know who does what.
- Regulatory change management — tracks FCA Handbook changes across dozens of sourcebooks. A small firm can manage this with FCA email alerts and a compliance calendar.
- Gift and hospitality registers — relevant at firms with significant corporate entertainment. Most small IFAs and brokers do not need a dedicated system for this.
- Personal account dealing tracking — required at firms with material access to inside information. Most small advisory firms are not in this category.
- Multi-entity management — designed for groups with multiple regulated entities. A single-entity firm does not need this.
Evaluation checklist
Use this checklist when assessing any SMCR compliance software for your small firm:
Pricing
- Is the price proportionate to your firm size? (Under £50/month for a firm with fewer than 20 staff is a reasonable benchmark)
- Is pricing per-firm, not per-seat? (Per-seat pricing punishes firms that want all staff to access the system)
- Are there hidden costs for onboarding, training, or support?
Functionality
- Does it have a structured investigation workflow, or just a generic case tracker?
- Does it map findings to specific COCON rules?
- Does it prompt for F&P assessment after a conduct rule finding?
- Can it generate audit-ready reports?
- Does it track annual certifications?
Usability
- Can a compliance officer with no IT background use it without training?
- Does it work in a web browser without installing software?
- Can you get started in under an hour?
Regulatory fit
- Is it built for the UK FCA regime, or adapted from a US/EU product?
- Does it reference COCON, FIT, and SMCR specifically — or use generic "compliance" language?
- Does it reflect PS25/23 NFM requirements?
Data and security
- Where is data stored? (UK hosting preferred for regulatory data)
- Can you export your data if you switch providers?
- Is there appropriate access control?
The template pack question
Many small firms are considering buying a template pack from a compliance consultancy instead of ongoing software. Template packs typically include:
- An NFM policy document
- Investigation procedure templates
- F&P assessment forms
- Conduct rules training materials
These are useful for initial setup. The gap is what happens when an allegation actually arrives. A Word template does not guide you through the investigation. It does not track evidence or timelines. It does not generate an audit trail. And it does not prompt you to assess F&P impact — you have to remember to do that yourself.
For many small firms, the right approach is both: a template pack (or a consultant) for initial policy setup, plus ongoing software for the investigation workflow when you actually need it.
What to do next
- Assess your current process. Do you have a documented investigation process for conduct rule breaches? Use our free NFM Investigation Checklist to see what a complete process looks like.
- Map your requirements. Use the evaluation checklist above to identify what your firm actually needs.
- Check the deadline. Review our FCA PS25/23 deadline guide for key dates and a practical preparation timeline — the 1 September 2026 deadline is firm with no transitional period.
- Test your COCON knowledge. Use our free COCON Conduct Rules Self-Assessment to check whether you can map misconduct scenarios to specific rules.
Sources
- PS25/23 — Tackling non-financial misconduct in financial services
- FCA Conduct Rules overview
- FIT 2.2 — Fitness and propriety assessment (FCA Handbook)
- FCA Senior Managers and Certification Regime
This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 24 March 2026.