UK Compliance Recruitment 2026: DORA, CASS & TPR Hiring
Why are UK FCA-regulated firms suddenly competing so intensely for three specific senior compliance disciplines — DORA Compliance Officers, CASS leadership including SMF18 holders, and Heads of Third-Party Risk Management — and what is driving the recruitment market for these roles to tighten faster than firms can respond through ordinary hiring channels?
Three specific senior compliance disciplines have moved from “nice to have eventually” to “needed now” across the UK FCA-regulated population over the period from late 2024 through 2026. Each has its own regulatory driver, each has produced demand that meaningfully exceeds the supply of substantively qualified candidates, and each is now commanding compensation premiums that would have looked extreme even two years ago. The disciplines are: DORA Compliance leadership, for UK firms whose EU subsidiaries, EU branches, or EU service relationships bring them within the scope of the EU’s Digital Operational Resilience Act; CASS leadership including SMF18 holders, driven by the continuing intensification of supervisory engagement on client assets across the investment firm, wealth management, and broking population; and Head of Third-Party Risk roles, driven by the maturing PRA SS2/21 framework, the new UK Critical Third Party regime under FSMA section 312L, and the cross-cutting demands of EU DORA Pillar 4 for cross-border firms.
The pattern across all three is the same. The regulatory framework intensified faster than firms anticipated. The substantive operational expertise required to deliver compliance cannot be acquired in months — it develops through years of direct engagement with the relevant frameworks. The pool of candidates with that direct experience is small relative to the demand. And the consequences for firms of getting senior hires wrong — supervisory scrutiny, individual sanctions under SMCR, remediation programmes that consume management bandwidth for years — make sub-optimal hires costlier than waiting for the right candidate. The combined effect is a recruitment market that has tightened materially over each of the past four to six quarters and shows no immediate sign of loosening.
This article sets out what each of the three recruitment markets looks like in 2026, what specific candidate profiles are in highest demand, what compensation ranges UK firms are recruiting to, and how FD Capital is supporting clients facing these requirements. It is written for senior risk and compliance leaders at UK FCA-regulated firms, the Chief Executives and Chief Risk Officers who carry SMCR accountability for these areas, and the Chairs and senior NEDs whose oversight role makes them ultimately responsible for ensuring their firms’ senior compliance leadership is fit for the regulatory environment.
It is written from the perspective of FD Capital’s team — a specialist finance recruitment firm placing senior risk, compliance, and operational resilience leaders into UK FCA-regulated firms since 2018, with substantive engagement across all three of the disciplines covered.
Call 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss DORA, CASS, or Third-Party Risk senior recruitment requirements.
Fellow of the ICAEW | Placing DORA Compliance Officers, CASS Managers and SMF18 holders, Heads of Client Assets, Heads of Third-Party Risk, Cloud Risk Managers, and senior operational resilience leaders into UK FCA-regulated firms across the investment management, wealth, broking, banking, and payment institution population
Adrian Lawrence FCA personally screens senior candidates for these disciplines given the technical complexity of the regulatory frameworks and the consequences of getting senior compliance and risk hires wrong. 4,600+ network. 160+ senior placements.
The Three Disciplines Driving 2026 Compliance Recruitment
The compliance recruitment market has many moving parts in 2026, but three specific disciplines stand out for the intensity of demand, the scarcity of qualified candidates, and the compensation premiums firms are paying to secure the right hires. Understanding each in turn helps firms calibrate their own recruitment plans against the broader market reality.
DORA Compliance — The EU’s Digital Operational Resilience Act
The European Union’s Digital Operational Resilience Act — Regulation (EU) 2022/2554 — entered into application on 17 January 2025 and represents the most comprehensive piece of operational resilience regulation in the world. The Regulation harmonises ICT risk management requirements across approximately twenty categories of EU financial entities and establishes, for the first time, a direct EU-level oversight regime for the critical technology providers on which the financial system depends. The five operational pillars — ICT risk management, ICT-related incident management and reporting, digital operational resilience testing including Threat-Led Penetration Testing, third-party risk management, and information sharing arrangements — collectively require senior leaders capable of substantive technical engagement, regulatory engagement with the European Supervisory Authorities, and the operational instinct to drive substantive implementation rather than tick-box compliance.
For UK firms, DORA does not apply directly but creates substantial compliance obligations through three routes: EU subsidiaries or EU branches that are themselves financial entities for DORA purposes; service provision to EU financial entities that creates contractual cascading requirements; and potential designation as a Critical ICT Third-Party Service Provider, which produces direct EU oversight regardless of geographic location. UK firms with material EU exposure have therefore been recruiting DORA-experienced leaders intensively across the period from 2023 through 2026, and the market has tightened substantially.
The candidate profile in highest demand combines substantive prior DORA implementation experience — ideally including practical Pillar 4 register development, contractual remediation across third-party portfolios, or TLPT programme establishment — with cross-jurisdictional regulatory fluency, technical depth in ICT risk, and supervisory engagement capability. Candidates with this combination are scarce, and senior DORA Compliance Officer compensation has accordingly moved into the £140,000-£200,000 base salary range at large firms, with Heads of ICT Risk reaching £150,000-£280,000 plus LTIP at firms where the role sits on the Executive Committee.
Read more in our DORA Complete UK Guide covering the five pillars in detail, the Critical ICT Third-Party Service Provider regime, UK divergence under SS1/21, and the implementation timeline. For specific recruitment requirements, see our DORA Compliance Recruitment service page covering the full role landscape and current compensation benchmarks.
CASS Leadership — Client Assets and SMF18
The Client Assets Sourcebook — chapter 9 of the FCA Handbook — governs how regulated firms hold, protect, control, and account for client money and client assets. CASS is one of the most prescriptive areas of UK financial services regulation, and one of the most consequential. The framework operates through a statutory trust over client money, strict segregation requirements between client assets and the firm’s own assets, daily reconciliation discipline (both internal client money reconciliation and external reconciliation against bank statements), the CASS Resolution Pack, the SMF18 senior management function with personal regulatory responsibility, the quarterly CMAR submission to the FCA, and the annual CASS audit conducted to standards published by the Financial Reporting Council.
The CASS recruitment market has tightened materially over the past three to four years. The intensification of FCA supervisory engagement on client assets — through specific multi-firm reviews, individual firm Section 166 skilled person reviews, and ongoing supervisory dialogue — has driven demand for senior CASS professionals across the investment firm, wealth management, broking, and fund administration population. The personal regulatory liability that SMF18 holders accept under SMCR — combined with the substantive technical expertise the role requires — has produced a candidate pool that is small relative to firm-level demand.
The candidate profile in highest demand combines substantive CASS operational track record (typically five to ten years of direct CASS experience at firms of comparable scale and complexity), CASS chapter expertise matched to the firm’s specific regulated activities, demonstrable reconciliation discipline, substantive prior engagement with CASS auditors across multiple audit cycles, and the personal credibility and judgement that SMF18 candidacy requires. Candidates with this combination are particularly scarce for CASS large firms — those holding more than £1 billion in client money or more than £100 billion in safe custody assets — where the SMF18 must be a dedicated senior appointment.
Compensation ranges reflect the scarcity. Heads of Client Assets at CASS large firms are typically commanding £150,000-£230,000 base plus bonus. SMF18 holders at CASS large firms with dedicated allocation typically reach £180,000-£280,000 base plus LTIP, reflecting the personal SMCR liability premium. Even CASS Managers at smaller firms are now in the £75,000-£120,000 base range, materially above where the same roles sat three years ago.
Read more in our CASS Complete UK Guide covering CASS 6 custody and CASS 7 client money, the statutory trust framework, the CASS Resolution Pack, the SMF18 oversight function, the CMAR return, and the annual CASS audit. For specific recruitment requirements, see our CASS Recruitment service page covering Heads of Client Assets, SMF18 holders, CASS Managers, and adjacent roles.
Third-Party Risk Management — A Newly Critical Discipline
Third-party risk management has moved from a back-office procurement function to one of the central regulatory priorities for UK financial services firms. The drivers are structural: financial firms have become deeply dependent on third-party providers — cloud hyperscalers, SaaS platforms, payment networks, market data providers, custodians, transfer agents, fund administrators, technology operations partners — to deliver essentially every customer-facing service. The concentration of that dependency on a small number of providers (particularly the cloud hyperscalers Amazon Web Services, Microsoft Azure, and Google Cloud) has created systemic concerns that no individual firm can address through its own arrangements alone.
The supervisory response has been to develop both firm-level requirements (under FCA SYSC 8 and PRA SS2/21) and a new direct oversight regime for the most critical third parties (the UK Critical Third Party regime under FSMA section 312L, introduced by the Financial Services and Markets Act 2023). The PRA’s SS2/21 took effect on 31 March 2022 with full implementation expected over a transitional period, and reached substantive maturity through 2024-2026. The FCA’s parallel SYSC 8 expectations have intensified through ongoing supervisory engagement. The CTP regime brings direct supervisory oversight of designated providers by the Bank of England, FCA, and PRA jointly. For UK firms with EU operations, the cross-border dimension introduces EU DORA’s Pillar 4 ICT third-party risk requirements, which go beyond UK SYSC 8 / SS2/21 in some respects (particularly the Register of Information requirement and the specific contractual provisions in DORA Article 30).
The candidate profile in highest demand combines substantive UK regulatory track record under SYSC 8 and PRA SS2/21, cloud expertise where relevant (technical understanding of cloud architecture combined with cloud-specific regulatory expectations), lifecycle discipline (pre-contract due diligence, contractual provisions, ongoing monitoring, business continuity, exit strategy), concentration risk analytical capability, supervisory engagement experience, and where applicable cross-jurisdictional capability spanning UK and EU regimes. Senior candidates with this combination are scarce relative to demand, and Heads of Third-Party Risk at large firms now command £160,000-£240,000 base plus LTIP. Cloud Risk Managers — a relatively new dedicated role — typically reach £150,000-£220,000 base plus LTIP at firms with substantial cloud workloads.
Read more in our Third-Party Risk Management Complete UK Guide covering FCA SYSC 8 and PRA SS2/21, the third-party relationship lifecycle, the UK Critical Third Party regime, cloud outsourcing, concentration risk analysis, and the cross-cutting EU DORA dimension. For specific recruitment requirements, see our Third-Party Risk Recruitment service page covering Heads of Third-Party Risk, Heads of Outsourcing, Cloud Risk Managers, Vendor Risk Managers, and adjacent specialist roles.
What’s Driving the Tightening Recruitment Market
Five specific dynamics underlie the tightening recruitment market across all three disciplines.
Regulatory frameworks intensified faster than firms anticipated. Each of the three frameworks reached substantive maturity over the period from 2022 through 2025. DORA moved from adoption in December 2022 to full application in January 2025. The UK operational resilience framework reached full implementation on 31 March 2025. The PRA’s SS2/21 transitioned through to full effect across the same window. The CTP regime under FSMA s312L was introduced through the Financial Services and Markets Act 2023 and the Bank of England, FCA and PRA developed the substantive policy framework through 2024-2025. Firms whose recruitment planning assumed slower regulatory evolution have found themselves needing senior hires faster than the market can supply them.
Substantive operational expertise cannot be developed in months. The defining characteristic of these three disciplines is that meaningful capability develops through years of direct engagement with the specific frameworks. CASS expertise develops through CASS audit cycles and reconciliation discipline operated daily. DORA expertise develops through Pillar 4 register implementation, contractual remediation programmes, and TLPT programme establishment. Third-Party Risk expertise develops through lifecycle management of substantial third-party portfolios. None of this can be acquired through training programmes or shorter assignments in adjacent disciplines.
The cross-border dimension narrows the candidate pool further. For firms with EU operations, candidates capable of navigating both UK SYSC 8 / SS2/21 and EU DORA simultaneously — or both UK SS1/21 and EU DORA’s operational resilience requirements — are particularly valuable. This cross-jurisdictional capability is rarer than single-regime expertise and accordingly commands premium compensation.
SMCR personal liability deters some otherwise-qualified candidates. The Senior Managers and Certification Regime makes individual senior managers personally accountable for the firm’s compliance in their area of responsibility, with the Duty of Responsibility under FSMA section 66A meaning the individual can be held personally liable for failures. For SMF18 in particular — but also for senior DORA Compliance Officers and Heads of Third-Party Risk where the firm has allocated specific Prescribed Responsibilities — this personal liability deters some candidates who would otherwise be excellent fits, further reducing the effective candidate pool.
The opportunity cost of poor hires has grown. Sub-optimal senior compliance hires produce protracted remediation, increased supervisory attention, and individual sanctions exposure for those above them in the SMCR chain. The cost of waiting for the right candidate has accordingly become smaller than the cost of accepting an imperfect fit, which extends recruitment timelines and further tightens the market.
How FD Capital Supports Firms Across These Three Disciplines
FD Capital has been placing senior risk, compliance, and operational resilience leaders into UK FCA-regulated firms since 2018, and has built substantive specialism across all three of the disciplines covered in this article. Our network includes senior professionals with direct DORA implementation experience across the five operational pillars; senior CASS professionals across CASS 6 custody, CASS 7 client money, CASS 7A distribution, CASS 8 mandates, and the broader framework; and senior Third-Party Risk professionals across SYSC 8 outsourcing, PRA SS2/21 implementation, cloud outsourcing, vendor lifecycle management, exit strategy development, and concentration risk analysis.
Adrian Lawrence FCA personally leads briefings for senior mandates across these disciplines, given the technical complexity of the regulatory frameworks and the consequences of getting senior compliance and risk hires wrong. Where the requirement is urgent, we make initial introductions to specific named candidates within 48 hours. A full shortlist follows within five to ten working days for specific assignments. Appointments typically complete within 35 to 56 days for senior permanent roles, with additional time for SMCR approval engagement where SMF18 or other SMF appointments are involved.
Our service is founder-led, sector-experienced, and built specifically for the UK FCA-regulated firms market. Initial consultation is confidential and at no charge. Call 020 3287 9501 for an immediate senior recruitment requirement, or email recruitment@fdcapital.co.uk.
Related Reading
- DORA: A Complete UK Guide — the EU’s Digital Operational Resilience Act explained for UK firms
- CASS: The Client Assets Sourcebook Explained — CASS 6, CASS 7, SMF18, the CMAR, and the annual CASS audit
- Third-Party Risk Management: A Complete UK Guide — SYSC 8, PRA SS2/21, the CTP regime, cloud outsourcing
- Operational Resilience: A Complete UK Guide — SS1/21, SYSC 15A, important business services and impact tolerances
- Regulatory Reporting: A Complete UK Guide — FCA RegData / PRA returns and the Head of Regulatory Reporting role
- SMCR: The Senior Managers and Certification Regime Explained — personal accountability framework underlying all three disciplines
- Section 166 Skilled Person Reviews: A Complete UK Guide — the supervisory tool that has driven much of the recruitment activity
External References
- Regulation (EU) 2022/2554 (DORA) — the official text on EUR-Lex
- FCA Handbook — CASS — the Client Assets Sourcebook
- PRA SS2/21 — Outsourcing and Third Party Risk Management
- FCA Handbook — SYSC 8 — Outsourcing requirements
- Financial Services and Markets Act 2023 — including section 312L creating the CTP regime
- ICAEW — professional body for Chartered Accountants
About the Author
Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW). Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name.
FD Capital has been placing senior risk, compliance, and operational resilience leaders into UK FCA-regulated firms since 2018 — including substantive engagement across DORA Compliance, CASS leadership, and Third-Party Risk recruitment. Our network includes senior professionals with direct implementation experience across each of the three disciplines covered in this article. Adrian personally screens senior candidates given the technical complexity of the regulatory frameworks and the consequences of getting senior compliance and risk hires wrong. FD Capital Recruitment Ltd (Companies House 13329383) is associated with Adrian’s ICAEW registered Practice.

Adrian Lawrence FCA is the founder of FD Capital and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW). He holds a BSc from Queen Mary College, University of London, and has over 25 years of experience as a Chartered Accountant and finance leader working with private, PE-backed and owner-managed businesses across the UK. He founded FD Capital to connect growing businesses with the Finance Directors and CFOs they need to scale — and personally interviews candidates for senior finance appointments.




