SM&CR and the UK Cryptoasset Regime: What Authorised Firms Should Expect 

Author: James Borley, Director of Payment Services

The UK’s forthcoming cryptoasset regime under the Financial Services and Markets Act 2000 (FSMA) will fundamentally reshape the regulatory expectations applying to firms operating within the digital assets sector. While much of the public attention has focused on financial promotions, prudential regulation and stablecoins, one of the most significant developments for firms seeking FCA authorisation is likely to be the application of the Senior Managers and Certification Regime (SM&CR). 

For many cryptoasset firms currently registered and operating under the Money Laundering Regulations (MLRs) framework, SM&CR will represent a substantial governance and accountability shift. Founder-led structures, informal decision-making processes and rapidly evolving operational models are likely to face increased regulatory scrutiny as firms transition into fully authorised FSMA entities. 

The FCA’s direction of travel is increasingly clear: cryptoasset firms authorised under FSMA will be expected to operate with governance standards broadly comparable to those applying across mainstream financial services sectors. 

What is SM&CR? 

Introduced across the UK financial services sector following the 2008 financial crisis, SM&CR was designed to strengthen individual accountability and improve governance standards within regulated firms. 

The regime operates through three core components: 

  • the Senior Managers Regime; 
  • the Certification Regime; and 
  • the Conduct Rules. 

At its core, SM&CR seeks to ensure that firms allocate clear responsibility for key business functions and that senior individuals can be held accountable where regulatory failures occur. 

The FCA has consistently emphasised that firms should not treat SM&CR as a purely administrative exercise. Instead, it increasingly views the regime as a central mechanism for embedding governance, operational discipline and cultural accountability. 

For cryptoasset firms, this may require substantial changes to existing management structures and reporting arrangements. 

Senior Management Functions  

Under SM&CR, certain senior roles require FCA approval before individuals can perform them. These controlled functions are referred to as Senior Management Functions (SMFs). 

While the final application of SMFs to cryptoasset firms remains subject to consultation and policy development, firms seeking authorisation should expect the FCA to require several core functions typically seen across other FSMA-regulated businesses. 

Common SMFs likely to apply include: 

SMF1 – Chief Executive 

The Chief Executive function will typically hold overall responsibility for managing the firm’s business and implementing strategy. 

For many founder-led crypto firms, this individual is likely to become one of the primary points of regulatory accountability. The FCA is expected to assess not only technical expertise but also governance capability, regulatory understanding and oversight competence. 

SMF3 – Executive Director 

Executive directors involved in running regulated business activities may also require FCA approval. 

This is particularly relevant for firms where multiple founders or senior executives exercise material influence over strategy, operations or product development. 

SMF16 – Compliance Oversight 

The Compliance Oversight function is expected to become particularly significant for cryptoasset firms transitioning into FSMA regulation. 

The FCA is likely to expect firms to appoint appropriately experienced compliance officers capable of overseeing: 

  • financial promotions compliance; 
  • Consumer Duty obligations; 
  • market abuse controls; 
  • prudential requirements; 
  • operational resilience; and 
  • financial crime frameworks. 

Many crypto firms may face challenges recruiting individuals with sufficient experience across both digital assets and mainstream UK regulatory frameworks. 

SMF17 – Money Laundering Reporting Officer (MLRO) 

The MLRO function already exists for firms operating under the MLRs. However, under FSMA authorisation, the FCA is likely to apply heightened expectations regarding the seniority, independence and effectiveness of MLRO oversight. 

Given the FCA’s continued concerns regarding financial crime risks within crypto markets, the MLRO role is expected to remain a key area of authorisation and supervisory focus. 

SMF24 – Chief Operations Function 

For firms with complex operational infrastructure, including custody arrangements, trading systems or outsourced technology dependencies, the FCA may expect dedicated operational oversight through an approved senior manager where appropriate. 

This is particularly relevant given the increasing regulatory focus on operational resilience and third-party risk management. 

Other Potential SMFs 

Depending on a firm’s size, complexity and business model, additional SMFs may apply, including: 

  • SMF2 – Chief Finance Function; 
  • SMF4 – Chief Risk Function; 
  • SMF9 – Chair; and 
  • SMF27 – Partner Function. 

The FCA’s expectations are likely to increase significantly for larger firms, trading platforms or businesses safeguarding substantial customer assets. 

Statements of Responsibilities and the Management Responsibilities Map 

A central component of SM&CR is the requirement for firms to allocate prescribed responsibilities clearly across senior management.  

Each approved senior manager must maintain a Statement of Responsibilities (SoR) setting out their specific regulatory accountabilities. 

Larger firms may also be required to maintain a Management Responsibilities Map (MRM) documenting governance structures and reporting lines. 

For crypto firms accustomed to relatively informal governance arrangements, this may require substantial operational change. 

The FCA is likely to scrutinise closely whether responsibilities are genuinely understood and embedded in practice, particularly where firms operate through international group structures or decentralised operational models. 

The FCA is increasingly sceptical of unclear governance arrangements or situations where accountability becomes fragmented across multiple jurisdictions. Such arrangements are also likely to bear on the ‘Location of Offices’ Threshold Condition. 

Certification Regime and Staff Fitness and Propriety 

Beyond senior management, the Certification Regime requires firms to assess annually whether certain staff are fit and proper to perform roles capable of causing significant harm to the firm or its customers. 

Within cryptoasset businesses, this may capture individuals involved in: 

  • trading activity; 
  • algorithmic systems; 
  • client asset oversight; 
  • product governance; 
  • operational infrastructure; and 
  • financial promotions. 

Firms will therefore need robust processes for assessing employee competence, conduct, qualifications and integrity. 

Again, this may prove particularly challenging for rapidly scaling firms with international workforces or limited prior experience operating within regulated financial services environments. 

Conduct Rules and Culture 

The FCA’s Conduct Rules are likely to become increasingly important for crypto firms under FSMA authorisation. 

These rules apply basic standards of integrity, due skill, customer treatment and regulatory cooperation across firms’ workforces. 

The FCA has repeatedly emphasised that SM&CR is ultimately intended to drive cultural change rather than simply increase documentation. 

For crypto firms, this may represent one of the most significant long-term implications of the regime. 

Historically, parts of the crypto sector have prioritised rapid innovation and commercial growth over formal governance structures. Under FSMA regulation, however, firms are likely to face increasing expectations regarding governance maturity, escalation processes and challenge culture. 

Operational Resilience and Individual Accountability 

Operational resilience is also expected to interact closely with SM&CR obligations. 

The FCA increasingly expects firms to identify clearly which senior managers hold responsibility for: 

  • cyber resilience; 
  • outsourcing oversight; 
  • incident response; 
  • customer communications during disruption; and 
  • third-party dependency management. 

Where operational failures occur, regulators are increasingly likely to assess not only firm-level controls but also whether appropriate senior management oversight existed. 

For crypto firms reliant on cloud providers, distributed ledger infrastructure and complex outsourcing arrangements, this creates heightened accountability risk for senior individuals. 

Conclusion 

The application of SM&CR to cryptoasset firms authorised under FSMA is likely to represent one of the most significant governance developments within the UK digital assets sector. 

The FCA is clearly moving towards a framework in which crypto firms are expected to operate with governance, accountability and conduct standards broadly comparable to those applying across traditional financial services sectors. 

For many firms, this will require substantial enhancement of governance structures, senior management oversight and internal accountability arrangements. 

Ultimately, firms that begin preparing early for SM&CR implementation, particularly around senior manager appointments, governance mapping and operational accountability, are likely to be significantly better positioned during the FCA authorisation process and ongoing supervision. The FCA will likely want to interview SMFs as part of the assessment of any application for authorisation and will need assurance that they understand their responsibilities and have the competence to execute them. 

How Complyport Can Help 

Complyport assists firms in preparing for these enhanced regulatory requirements through: 

  • SM&CR gap analysis and implementation programmes. 
  • Senior Manager Function identification and role mapping. 
  • Statements of Responsibilities drafting and review. 
  • Management Responsibilities Map design and implementation. 
  • Governance framework reviews and Board effectiveness assessments. 
  • FCA authorisation application support for cryptoasset firms. 
  • Fitness and propriety assessment frameworks. 
  • Operational resilience and outsourcing governance reviews. 
  • Consumer Duty implementation and monitoring frameworks. 
  • Ongoing compliance advisory and outsourced compliance services. 

To discuss how your firm can prepare for the implementation of SM&CR under the future UK cryptoasset regime, contact Complyport and book a meeting with one of our Subject Matter Experts today. 
