SM&CR and Document Obligations: What Senior Managers Need to Know

The Accountability Framework and Its Documentary Consequences

The Senior Managers and Certification Regime fundamentally changed the relationship between individual accountability and corporate record-keeping in UK financial services. Under SM&CR, senior managers are personally accountable for the areas of the business they oversee. The Duty of Responsibility (section 66B(5) of the Financial Services and Markets Act 2000) provides that a senior manager may be held liable for a regulatory breach in their area of responsibility unless they can demonstrate they took reasonable steps to prevent or mitigate it.

"Reasonable steps" is not an abstract concept. It is an evidentiary standard. When the FCA investigates whether a senior manager took reasonable steps, it examines the documentary record: what decisions were made, when, by whom, with what information, and with what oversight mechanisms in place. The quality of this documentary record determines whether the senior manager can discharge their burden of proof.

Statements of Responsibilities

The Statement of Responsibilities is the foundational document of SM&CR accountability. Each senior manager must have a current, accurate Statement of Responsibilities that sets out the areas of the firm for which they are responsible. The document must be submitted to the FCA and kept up to date.

The documentary obligations arising from Statements of Responsibilities are as follows:

• Accuracy at all times: The Statement must reflect the senior manager's actual responsibilities, not a historical or aspirational description. When responsibilities change — whether through reorganisation, delegation, or the departure of a colleague — the Statement must be updated and re-submitted.
• Version control: The firm must retain all versions of each senior manager's Statement of Responsibilities, with clear dating showing when each version was effective. In an investigation, the FCA will want to establish which version was in force at the time of the relevant conduct.
• Handover documentation: When a senior manager departs or transfers responsibilities, a formal handover must occur. The FCA expects a documented handover that includes the current state of affairs in the departing manager's areas, any known issues or risks, and the identity of the incoming manager. This handover document should be signed by both parties and retained.

Management Responsibilities Maps

The Management Responsibilities Map is the firm-level counterpart to individual Statements of Responsibilities. It provides a comprehensive view of how the firm has allocated its prescribed responsibilities and overall responsibilities among its senior managers.

The Map must be a living document, updated whenever there is a significant change to the firm's management structure. Firms should ensure that:

• The Map is reviewed at least annually, with the review documented.
• Changes to the Map are version-controlled, dated, and signed by an appropriate authority (typically the Board or Compliance function).
• The Map is cross-referenced to individual Statements of Responsibilities to ensure consistency.
• Historical versions of the Map are retained for the same period as Statements of Responsibilities.

The Reasonable Steps Defence in Practice

The practical significance of SM&CR document obligations becomes apparent when a senior manager needs to demonstrate reasonable steps. Consider a scenario: a compliance failure occurs in a business unit overseen by a senior manager. The FCA opens an investigation. The senior manager asserts that they took reasonable steps — regular oversight meetings, appropriate escalation procedures, adequate resourcing.

The FCA's first question will be: where is the evidence? The documentary record must show:

• Meeting records: Minutes of oversight meetings, with attendees, agenda items, decisions, and action points. Signed or electronically confirmed by attendees.
• Escalation evidence: Records of issues escalated from the business unit, with dates, the senior manager's response, and follow-up actions taken.
• Delegation records: If the senior manager delegated any responsibilities, evidence of the delegation (scope, recipient, oversight mechanism) and evidence that the delegated responsibilities were monitored.
• Training and competence records: Evidence that staff in the business unit were appropriately trained and that the senior manager had oversight of the training programme.

Each of these documentary requirements is best served by electronic records with immutable audit trails. Meeting minutes that are electronically signed and cryptographically hashed provide stronger evidence than Word documents stored on a shared drive. Escalation records with per-event timestamps and IP addresses are more credible than email threads that may have been modified or selectively deleted.

Certification Regime: Annual Attestation Evidence

The Certification Regime extends SM&CR's accountability framework to material risk-takers and other significant staff who are not senior managers. Firms must certify these individuals as fit and proper at least annually. The certification process must be documented, and the documentation must include:

• The criteria against which the individual was assessed.
• The evidence considered (qualifications, training records, conduct history, regulatory references).
• The decision and the identity of the decision-maker.
• The date of certification and the date of the next required certification.

Annual certifications are prime candidates for electronic signing. The certification document can be routed to the decision-maker through a signing platform, with the audit trail recording precisely when the document was reviewed and signed. This provides cleaner evidence than a manual process and ensures that overdue certifications are identifiable.

Building an SM&CR-Ready Document Infrastructure

Firms that treat SM&CR document obligations as an afterthought — producing records retrospectively when an investigation begins — will find the exercise difficult and the results unconvincing. The FCA is experienced at distinguishing contemporaneous records from reconstructed ones.

An SM&CR-ready document infrastructure has the following characteristics:

Immutability: Documents are stored in tamper-proof systems that prevent modification after signing. The FCA places significant weight on the integrity of the documentary record. Documents that could theoretically have been altered carry less evidential weight than those stored in systems with provable immutability.

Per-event audit trails: Each document action — creation, review, signing, approval — is logged as a discrete event with metadata (timestamp, IP address, user identity). This granularity allows the firm (and the FCA) to reconstruct the exact sequence of events surrounding any document.

Retention aligned to regulatory periods: SM&CR documents should be retained for a minimum of six years from the date the individual ceases to perform the relevant function. Firms should consider longer retention periods for senior managers involved in areas with long-tail risk.

Under SM&CR, the documentary record is not a byproduct of good management — it is the evidence that good management occurred. Senior managers who cannot produce that evidence when it matters most have already lost the argument.

The firms that navigate SM&CR most effectively are those that embed document integrity into their daily operations, rather than treating it as a compliance exercise to be addressed after the fact. Tamper-proof document signing, immutable storage, and comprehensive audit trails are not luxuries — they are the infrastructure of accountability.