As cryptoasset regulation moves under FSMA, SM&CR will be a key test of whether firms are genuinely ready for FCA authorisation, through clear accountability, credible leadership and governance that works in practice.
The Senior Management and Conduct Regime (SM&CR) launched in 2016 for banks and in 2018 for insurers, and it is now set to go live for cryptoasset firms alongside the FSMA cryptoasset regime in 2027.
Cryptoasset firms seeking authorisation in the UK this winter (the authorisation gateway opens in September 2026) will need not only to evidence robust procedures that meet SM&CR for their firm, but also to show that a culture of good conduct and risk management is embedded across the organisation.
The regime places clear rules of accountability on Senior Management to ensure effective oversight of their functions and the conduct of the firm and its employees, requiring firms to put in place robust procedures, documentation and reporting to not only evidence compliance with SM&CR but ensure it is deeply embedded at the heart of the firm's conduct.
As a result, SM&CR sets out clear requirements for cryptoasset firms' senior management not only to evidence good governance and conduct at a point in time, but also to review and assess the effectiveness of governance, competence and conduct annually on an ongoing basis.
The FCA’s new cryptoasset authorisation gateway will not simply be a test of policies, procedures and financial crime controls. It will also be a test of governance, accountability and senior management readiness.
As cryptoasset firms prepare for the move into full FSMA authorisation, the Senior Managers & Certification Regime (SM&CR) will form an important part of how the FCA assesses whether firms and their senior leadership are ready to operate within the UK’s cryptoasset regulatory perimeter.
SM&CR requires Senior Management to embed good conduct across the firm and places specific rules of Conduct on both Senior Management and the firm's employees, whether or not they are allocated an SMF role:
For existing MLR-registered cryptoasset firms, this represents a material shift in understanding, owning and proactively demonstrating good conduct and risk culture.
For crypto firms, this means moving beyond an AML-focused registration framework and demonstrating the embedding of a broader governance framework, with clear individual accountability, effective oversight and clear lines of responsibility.
SM&CR is designed to ensure that senior individuals have the necessary skills, reputation and experience, and that Senior Management is suitably accountable for the decisions they make in the areas of the business they oversee. In the crypto sector, this is particularly important given the complexity of business models, the pace of innovation and the potential impact on consumers, markets and financial crime.
Crypto firms applying for authorisation should therefore expect the FCA to look beyond job titles and organisational structure charts. The regulator will want to understand who is making key decisions, how responsibilities are allocated, where autonomy lies and whether senior managers have the experience, capacity, skill and authority to discharge their roles in practice.
A firm can be assessed as one of three levels of risk: Basic, Core, and Enhanced. Many crypto firms are expected to fall within the Core SM&CR regime, although the applicable category will depend on the firm’s size, structure, activities and final FCA classification. Firms should therefore be ready to identify relevant Senior Management Functions, prepare Statements of Responsibilities, allocate prescribed responsibilities, and evidence how senior managers meet the FCA’s fitness and propriety expectations through annual certification.
First, firms should undertake a full review of the SM&CR requirements and review their proposed governance structure and allocated roles and responsibilities. This means identifying who will hold key senior roles and relevant responsibilities, which may include assessing the fitness and propriety, skills and competence of existing individuals. For crypto firms, the CEO, executive directors, SMF16 Compliance Oversight and SMF17 MLRO will be of key interest, depending on the firm’s operating model.
Where individuals hold multiple roles, whether within the same firm or across group entities, firms should be ready to explain how conflicts of interest, time commitment, financial and non-financial resources are allocated and how independence will be managed, as well as the appropriateness of any delegation.
Second, firms should strengthen their fitness and propriety assessment process. This should not be limited to collecting CVs and regulatory references. Firms should document how they have assessed honesty, integrity and reputation, competence and capability, and financial soundness using established sources, which include the requirement for firms to do a DBS check on all SMFs. All checks must include criminal record checks, credit checks, personal references, disciplinary history, insolvency history and evidence of relevant training.
Third, firms should prepare robust Statements of Responsibilities. These should clearly explain what each senior manager is accountable for and align with the firm’s actual operating model. Generic wording or template descriptions are unlikely to be persuasive if they do not reflect how the business is run in practice.
Fourth, firms with overseas senior managers should consider how accountability will work in practice. Where key individuals are not UK-based, firms should be able to explain how they will remain sufficiently engaged, oversee UK regulatory obligations and be available to the FCA when required.
Fifth, firms should be able to demonstrate skills and competence across the organisation, beyond those holding Senior Management responsibilities. The requirement to assess competence begins at the onboarding stage and continues through ongoing annual review under SM&CR, evidencing that individuals are, and remain, skilled and competent to perform their duties. As with the Senior Management fit and proper assessment, the competence assessment for Senior Management is to be performed prior to onboarding and certified annually.
Firms will need to perform a fit and proper check on each person initially, as well as demonstrate an effective skills framework with ongoing commitment to supporting individual CPD and training, which is to be assessed before issuing a certificate of competence. Roles such as customer advisory and technical roles may have specific certifications and allocated hours of CPD requirements. Individuals will need to be able to evidence that they remain skilled and competent to perform their duties through annual fit and proper assessments, annual attestations, and ongoing performance management.
SM&CR should not be treated as a standalone compliance exercise. It should be embedded into the wider authorisation pack, including the business plan, governance framework and policies, risk assessments, financial crime controls, as well as operational resilience and business continuity.
Firms will want to consider their corporate governance, how HR and learning and development procedures support SM&CR and how they will evidence ‘tone from the top’ when it comes to displaying effective conduct and risk culture.
The FCA’s message is clear: firms need to show that they are not only commercially ready, but also governed by credible, capable and accountable leadership.
Thistle Initiatives is supporting cryptoasset firms preparing for the new FCA gateway, including governance reviews, SM&CR readiness assessments, fitness and propriety frameworks, PASS preparation and end-to-end authorisation support. Firms that address SM&CR early will be better placed to demonstrate a coherent, well-controlled, and regulator-ready operating model when the application window opens.
The policy framework makes clear that the FCA expects cryptoassets firms to adopt the same level of individual accountability and governance maturity expected of current FSMA-authorised firms. In particular, the application of SM&CR within the finalised regime reinforces the importance of clearly defined senior management responsibilities, robust fitness and propriety assessments, and ongoing accountability. For firms preparing for authorisation, this signals a shift from preparatory interpretation to practical implementation, with SM&CR no longer a forward-looking consideration, but a core component of the FCA’s supervisory expectations under the new regime.
Firms new to FSMA should now be preparing for the FCA cryptoassets authorisation gateway under the cryptoassets regime. This includes developing your authorisation pack, but also preparing to operationally embed the relevant processes in the firm.
Thistle Initiatives' deep FCA authorisation and regulatory experience allows us to provide practical support to help Firms develop target operating models, gap assessments, policies and procedures and authorisation packs that implement and evidence compliance with the FCA’s requirements across Payments and Digital Assets.
By helping firms identify key obligations, undertake gap analysis, strengthen governance arrangements and embed a sustainable compliance framework, we support clients in demonstrating a credible and well-controlled FSMA standard operating model for their applications to the regulator.
William has joined our Payment Services Consulting team as a Manager. He brings experience from Revolut’s Regulatory Affairs team and his previous role as Policy Advisor at UK Finance, where he worked on financial policy for digital assets and payments.
He has led industry working groups, engaged with regulators, and written on emerging trends in payments and innovation. William is passionate about supporting the UK fintech ecosystem and promoting a secure, competitive financial services sector.