What Is the Certification Regime?
The Senior Managers and Certification Regime (SM&CR) comprises three interconnected elements: the Senior Managers Regime, the Certification Regime, and the Conduct Rules. The Certification Regime sits between senior management (who require FCA approval) and the general workforce (who are subject to conduct rules only).
The Certification Regime requires firms to identify employees whose roles could cause significant harm to the firm or its customers, and to certify annually that these individuals are fit and proper to perform their functions. Unlike senior managers, certification employees do not require FCA pre-approval. Instead, the firm takes responsibility for assessing and certifying their fitness and propriety.
This represents a significant regulatory responsibility for firms. The FCA has delegated the gatekeeping function to the firm itself, and expects firms to exercise this responsibility with rigour and diligence.
Who Requires Certification?
Certification functions are defined in the FCA Handbook (SYSC 27) and include roles such as:
- Significant management functions. Employees who manage a department or business unit that carries out regulated activities, where the role is not a senior management function.
- CASS oversight functions. Employees responsible for oversight of the firm's compliance with client asset (CASS) rules, including safeguarding for payment firms.
- Proprietary traders. Employees who trade on behalf of the firm using the firm's own capital.
- Algorithmic trading functions. Employees responsible for algorithmic trading systems or strategies.
- Material risk takers. Employees whose activities could have a material impact on the firm's risk profile.
- Client-dealing functions. Employees who deal with clients in connection with regulated activities, where the role involves a degree of responsibility or discretion.
- Functions requiring qualifications. Employees whose roles require them to hold specific qualifications under the TC sourcebook.
For payment institutions and EMIs, certification functions typically include the MLRO (if not a senior manager), the head of compliance (if not a senior manager), those responsible for safeguarding oversight, and employees in significant management roles within regulated business units.
The Fitness and Propriety Assessment
The fitness and propriety assessment is the core of the Certification Regime. Firms must assess each certification employee against three criteria:
- Honesty, integrity and reputation. Has the individual been convicted of any criminal offence (particularly fraud, dishonesty or financial crime)? Have they been the subject of regulatory action, been dismissed from employment for misconduct, or been involved in the management of a firm that has failed? Are there any other matters that cast doubt on their honesty or integrity?
- Competence and capability. Does the individual have the knowledge, skills and experience necessary to perform their function? Have they obtained any qualifications required for their role? Do they demonstrate an adequate understanding of the regulatory requirements relevant to their function?
- Financial soundness. Are there any matters relating to the individual's financial position that could affect their ability to perform their function appropriately? This includes outstanding County Court Judgments, Individual Voluntary Arrangements, bankruptcy or similar proceedings.
The Annual Certification Process
Firms must certify each certification employee at least once every 12 months. The certification process should follow a structured approach:
Step 1 — Identify certification employees. Maintain an up-to-date register of all employees who perform certification functions. Review this register whenever there are organisational changes, new hires, or role changes.
Step 2 — Gather information. Collect the information necessary to assess fitness and propriety. This typically involves: self-declarations from the employee covering criminal convictions, regulatory actions, financial difficulties and other relevant matters; credit checks; DBS (Disclosure and Barring Service) checks where appropriate; reference checks for new joiners; and performance and competence data.
Step 3 — Assess fitness and propriety. Evaluate the information gathered against the three criteria. Document the assessment process, the evidence considered, and the conclusion reached.
Step 4 — Make the certification decision. If the individual is assessed as fit and proper, issue the certificate. If concerns are identified, the firm must decide whether to: address the concerns through training or supervision and defer certification; refuse certification and remove the individual from the certification function; or issue the certificate with conditions or enhanced monitoring.
Step 5 — Record and report. Maintain records of each certification assessment, the evidence considered and the decision reached. Report certification outcomes to the board or relevant committee.
Conduct Rules
All certification employees are subject to the Individual Conduct Rules set out in COCON (Code of Conduct sourcebook):
- Rule 1: Act with integrity
- Rule 2: Act with due skill, care and diligence
- Rule 3: Be open and cooperative with the FCA, PRA and other regulators
- Rule 4: Pay due regard to the interests of customers and treat them fairly
- Rule 5: Observe proper standards of market conduct
Certification employees who are also senior managers are additionally subject to the Senior Manager Conduct Rules, including the duty to take reasonable steps to ensure the business is controlled effectively.
Firms must train all certification employees on the conduct rules, ensure they understand how the rules apply to their role, and notify the FCA if a certification employee breaches a conduct rule.
Regulatory References
When a certification employee moves between regulated firms, the new firm must request a regulatory reference from the previous employer. The previous employer must provide the reference within six weeks, covering:
- Whether the individual was assessed as fit and proper
- The outcome of any disciplinary proceedings related to conduct rules
- Whether the firm concluded that the individual was not fit and proper, or would not have been if they had remained in the role
Firms must maintain records of all regulatory references given and received for at least six years. This reference regime ensures that fitness and propriety concerns follow individuals between firms, preventing them from escaping accountability by moving employer.
Common Compliance Challenges
Identifying all certification functions. Firms sometimes fail to identify all employees who should be subject to certification, particularly in smaller firms where individuals may perform multiple roles. A thorough mapping exercise is essential.
Inadequate assessment processes. Some firms treat certification as a tick-box exercise, relying solely on self-declarations without conducting independent checks. The FCA expects a more rigorous approach, including credit checks and, where appropriate, criminal record checks.
Timing failures. Certifications must be renewed at least annually. Firms that allow certificates to lapse — even briefly — are in regulatory breach. Robust tracking systems are essential.
Poor record-keeping. As with training and competence generally, the FCA expects firms to maintain comprehensive records of certification assessments, including the evidence considered and the reasoning for the decision.
Failure to act on concerns. When a fitness and propriety assessment raises concerns, firms sometimes fail to take appropriate action. The FCA expects firms to address concerns promptly, whether through additional training, enhanced supervision, role changes, or in serious cases, removal from the certification function.
Regulatory references. Firms sometimes fail to request references from previous employers, or fail to provide references when requested. Both are regulatory breaches.
Governance and Oversight
The SM&CR makes clear that responsibility for the certification regime rests with the firm's senior management. Typically, the compliance function manages the operational aspects of certification, but oversight should sit with a named senior manager who is accountable for the regime's effectiveness.
The board (or relevant committee) should receive regular reports on: the number of certification employees, certification renewal status, the outcomes of fitness and propriety assessments, any concerns identified and actions taken, and conduct rule breaches by certification employees.
Practical Recommendations
Map all certification functions. Conduct a comprehensive review of all roles against the certification function definitions. Update this mapping whenever organisational changes occur.
Establish a certification calendar. Track certification expiry dates and begin the renewal process well in advance to avoid lapses. Many firms set an internal deadline of 10–11 months to provide a buffer.
Invest in the assessment process. Go beyond self-declarations. Conduct independent checks, review performance data, and make genuine assessments of fitness and propriety. Document the process thoroughly.
Train on conduct rules. Ensure all certification employees understand the conduct rules and how they apply to their specific role. Refresh this training annually.
Integrate with HR processes. Embed certification requirements into recruitment, onboarding, annual review and exit processes. Certification should not be a standalone compliance exercise.
Regulatory Outlook
The FCA continues to refine the SM&CR framework. Recent developments include greater emphasis on the accountability of senior managers for the conduct of their teams, and increased scrutiny of non-financial misconduct (such as bullying and discrimination) within fitness and propriety assessments. Firms should expect the scope and intensity of SM&CR expectations to increase over time.
Frequently Asked Questions
The Certification Regime is part of the Senior Managers and Certification Regime (SM&CR). It requires FCA-regulated firms to identify employees whose roles could cause significant harm to the firm or customers, and to annually certify that these individuals are fit and proper. Unlike senior managers, certification employees do not need FCA pre-approval — the firm bears responsibility for the assessment.
Firms must certify each certification employee at least once every 12 months. The certificate must confirm that the individual has been assessed as fit and proper against three criteria: honesty, integrity and reputation; competence and capability; and financial soundness. Allowing a certificate to lapse, even briefly, is a regulatory breach.
When a certification employee moves to a new regulated firm, the new employer must request a regulatory reference from the previous employer. This reference must cover whether the individual was assessed as fit and proper, any disciplinary proceedings related to conduct rules, and whether there were any fitness and propriety concerns. References must be provided within six weeks and retained for at least six years.
Yes. The SM&CR applies to all FCA-authorised firms, including authorised payment institutions and authorised EMIs. These firms must identify senior management functions, certification functions, and ensure all relevant employees are subject to the conduct rules. The scope of certification functions for payment firms typically includes the MLRO, compliance officers and significant management roles.