SYSC: Senior Management Arrangements, Systems & Controls

The FCA Handbook Module That Underpins Governance, Risk Management and SMCR

SYSC — the Senior Management Arrangements, Systems and Controls sourcebook — is the FCA Handbook module that defines how regulated firms must organise their governance, risk management, internal controls, and senior accountability. It sits at the top of the High Level Standards section of the Handbook and applies to almost every firm in the FCA-regulated population. SYSC integrates substantively with the Senior Managers and Certification Regime, the Threshold Conditions, the Conduct Rules, and the Consumer Duty — making it the regulatory backbone that ties together the substantive expectations the FCA places on UK financial services firms.

This guide explains how SYSC actually works in practice — its structure, the principal substantive requirements across senior management arrangements, risk management, compliance, internal audit, outsourcing, and operational resilience, and the recurring patterns where firms run into difficulty. It also covers the recruitment dimension — how SYSC shapes the senior compliance, risk and operations roles in regulated firms, and what FD Capital sees during placements where SYSC compliance is central.

What is missing from most online explanations of SYSC is practical interpretation. The module is large and technically dense, and it is hard to find an account of what good substantive compliance looks like across the principal requirements, or of how the FCA tests that compliance during supervisory dialogue. That is the gap this guide fills.

The Structure of SYSC

SYSC is structured into multiple sections, with different sections applying to different categories of firm. The principal sections include:

  • SYSC 1 — application and purpose, defining which firms each section applies to
  • SYSC 2 — senior management arrangements, including apportionment of responsibilities (Statements of Responsibilities for SM&CR firms are dealt with under the SM&CR provisions and SUP 10C, not here)
  • SYSC 3 — systems and controls for insurers and other firms outside the common platform
  • SYSC 4 — general organisational requirements, applying to common platform firms (banks, building societies and MIFIDPRU investment firms) and, via the application table in SYSC 1 Annex 1, to most other firm types
  • SYSC 5 — employees, agents and other relevant persons
  • SYSC 6 — compliance, internal audit and financial crime
  • SYSC 7 — risk control
  • SYSC 8 — outsourcing
  • SYSC 9 — record-keeping
  • SYSC 10 — conflicts of interest
  • SYSC 11-13 — liquidity risk, group risk and operational risk systems and controls, largely for insurers (SYSC 12 on group risk applies more widely)
  • SYSC 14-21 — further provisions including insurers' risk management (SYSC 14), operational resilience (SYSC 15A), whistleblowing (SYSC 18) and the remuneration codes (SYSC 19)
  • SYSC 22 — regulatory references — see our Regulatory References Guide
  • SYSC 23-27 — Senior Managers and Certification Regime provisions
  • SYSC 28 — insurance distribution: knowledge, ability and good repute requirements

The application of specific sections depends on firm type. Banks and building societies face different SYSC requirements from insurance firms or investment firms, with the Common Platform Provisions in SYSC 4-10 applying broadly across most firm types.

SYSC and the Wider Regulatory Architecture

SYSC operates as the bridge between the Principles for Businesses (see our FCA Principles Guide) and the detailed sourcebooks (COBS, CASS, MIFIDPRU, etc.). Where the Principles set high-level expectations, SYSC translates those expectations into substantive organisational requirements:

  • Senior Managers Regime — see our Senior Managers Regime Guide — operates substantively through SYSC 24-26 together with SUP 10C, which specifies the SMF designations and the approval process
  • Certification Regime — see our Certification Regime Guide — operates through SYSC 27
  • Conduct Rules — see our Individual Conduct Rules Guide — operate through COCON but are referenced extensively in SYSC
  • Threshold Conditions — see our Threshold Conditions Guide — particularly the Appropriate Resources condition is supported by SYSC requirements
  • Operational Resilience — operates through SYSC 15A
  • Outsourcing — SYSC 8 establishes the framework, which sits alongside the operational resilience rules and wider third-party risk management expectations

SYSC 4 — General Organisational Requirements

The general organisational requirements form the substantive core of SYSC for most firms. Key requirements include:

Senior management arrangements

Firms must have appropriate senior management arrangements with clear allocation of responsibilities. For SM&CR firms, this is operationalised through Statements of Responsibilities and (for Enhanced firms) the Management Responsibilities Map. See our Statement of Responsibilities Guide.

Adequate resources

Firms must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them (the competent employees rule in SYSC 5.1, which sits alongside the SYSC 4 organisational requirements). The substantive standard supports the Threshold Condition requirement on appropriate resources.

Internal organisation

Firms must have a clear organisational structure with well-defined, transparent and consistent lines of responsibility. Reporting lines, decision-making authority, and committee structures must be documented and operationally embedded.

Three lines of defence

While not labelled explicitly as such in SYSC, the substantive requirements support the three lines of defence model — operational (first line), risk and compliance oversight (second line), and internal audit (third line). See our Three Lines of Defence Guide.

Business continuity and disaster recovery

Firms must have business continuity policies and processes so that, in the event of disruption, essential data and functions are preserved and regulated activities are maintained or recovered in a timely way. For firms in scope this is supplemented by the operational resilience rules in SYSC 15A, in force since March 2022, with the transitional period for remaining within impact tolerances ending in March 2025.

SYSC 6 — Compliance, Internal Audit and Financial Crime

Compliance function

Firms must have a permanent and effective compliance function with appropriate authority, resources, expertise and access to all relevant information. The compliance function must:

  • Monitor and assess the firm’s compliance with regulatory obligations
  • Advise senior management on regulatory matters
  • Report regularly to senior management on compliance matters
  • Have direct access to senior management

For most SM&CR firms, the compliance function reports to the SMF16 (Compliance Oversight) holder. See our SMF16 Guide.

Internal audit function

Where appropriate to the nature, scale and complexity of the business, firms must have a separate and independent internal audit function. The internal audit function must:

  • Establish and maintain an audit plan
  • Issue recommendations based on the work conducted
  • Verify compliance with those recommendations
  • Report to senior management at least annually

Financial crime function

Firms within scope of the Money Laundering Regulations must have an MLRO and appropriate financial crime arrangements. See our MLR 2017 Guide and SMF17 Guide.

SYSC 7 — Risk Control

SYSC 7 establishes the substantive risk management requirements:

  • Risk management function — appropriate to the firm’s nature, scale and complexity, with appropriate authority, resources, and access to information
  • Risk management policies and procedures — covering risks the firm is exposed to, with appropriate review and update cycles
  • Risk identification and management — substantive processes for identifying, assessing, monitoring and managing risk
  • Senior management oversight — risk management as a senior management responsibility, frequently held by SMF4 (Chief Risk Function) for firms requiring it. See our SMF4 Guide

The risk control framework supports the firm’s overall governance and is examined during FCA supervisory dialogue.

SYSC 8 — Outsourcing

SYSC 8 sets out the regulatory framework for outsourcing. Key requirements include:

  • Firms remain responsible for compliance with regulatory obligations regardless of outsourcing arrangements
  • Substantive due diligence on outsourced service providers before engagement
  • Written outsourcing agreements specifying the terms of the arrangement
  • Ongoing monitoring of outsourced provider performance
  • Business continuity arrangements covering outsourced functions
  • Regulatory access to outsourced information and operations
  • Specific arrangements for material outsourcing

The outsourcing framework intersects with operational resilience (SYSC 15A) and wider third-party risk management expectations. For firms within their scope, the EBA Guidelines on outsourcing arrangements sit alongside SYSC 8 as supervisory expectations the FCA expects firms to take into account, rather than being implemented through it.

SYSC 10 — Conflicts of Interest

SYSC 10 requires firms to identify, manage and (where necessary) disclose conflicts of interest:

Identification

Firms must identify potential conflicts including:

  • Conflicts between the firm and its customers
  • Conflicts between different customers
  • Conflicts arising from staff personal interests
  • Conflicts arising from inducements or commissions
  • Conflicts arising from the firm’s structure or business model

Management

Where conflicts are identified, firms must take appropriate steps to manage them — typically through structural separation, information barriers, disclosure to affected parties, and similar techniques.

Disclosure

Where the firm's arrangements are not sufficient to ensure, with reasonable confidence, that the risk of damage to client interests will be prevented, the firm must clearly disclose the general nature and sources of the conflict before undertaking the business. SYSC 10 treats disclosure as a measure of last resort, and the FCA has made clear that over-reliance on disclosure without effective management of the conflict is not acceptable.

SYSC and the Senior Managers and Certification Regime

The SMCR provisions in SYSC 23-27 are operationally substantial and integrate across the regime:

SMCR scope and tier definition

SYSC 23 defines which firms are subject to SMCR and how the regime applies — Limited Scope, Core, or Enhanced. See our SMCR Guide.

Senior management functions and prescribed responsibilities

SYSC 24 sets out the prescribed responsibilities and how they must be allocated among SMFs in firms within scope. The SMF designations themselves (SMF2 CFO, SMF16 Compliance Oversight, SMF17 MLRO and the others) are specified in SUP 10C rather than in SYSC. See our individual SMF guides.

Statements of Responsibilities and Management Responsibilities Map

SYSC 25 sets out the Management Responsibilities Map and handover requirements for Enhanced firms; the Statement of Responsibilities requirements sit in SUP 10C and are cross-referred from SYSC 25. See our SoR & MRM Guide.

Overall and local responsibility

SYSC 26 requires Enhanced firms to allocate overall responsibility for each of the firm's activities, business areas and management functions to an SMF, so that no area of the business is left without senior accountability.

Certification regime

SYSC 27 establishes the Certification Regime, requiring firms to certify employees performing Significant Harm Functions as fit and proper. See our Certification Regime Guide.

Reasonable steps

The "reasonable steps" standard is the statutory duty of responsibility under section 66B FSMA rather than a SYSC chapter; the FCA's guidance on it sits in DEPP and COCON. SYSC 28 is not part of this: it covers knowledge, ability and good repute requirements for insurance distribution. SYSC's governance and allocation requirements are nonetheless central to demonstrating reasonable steps in practice. See our Reasonable Steps Under SMCR Guide.

SYSC and the “Substantively Effective” Standard

One of the recurring themes in FCA supervisory dialogue on SYSC is the difference between documentary compliance and substantively effective compliance. SYSC requires firms to have arrangements, systems, and controls — but the FCA increasingly tests whether those arrangements are substantively effective in practice, not just documented. Compliance functions exist on paper but lack authority and resources; risk management policies exist but don’t drive operational decisions; outsourcing arrangements have written contracts but inadequate ongoing oversight. These patterns are flagged consistently during supervisory reviews.

Common SYSC Compliance Pitfalls

Inadequate compliance function authority and resources. Where the compliance function reports too low in the organisation or lacks resources for its scope.

Internal audit function gaps. Where firms claim internal audit through outsourced arrangements or non-independent functions that don’t substantively meet the SYSC standard.

Risk management not driving decisions. Where risk management exists as a documentary discipline without substantive influence on commercial and operational decision-making.

Outsourcing oversight weakness. Where outsourcing contracts exist but ongoing oversight is inadequate.

Conflicts of interest weaknesses. Particularly where commercial pressures encourage conflicts that are not substantively managed.

Senior management capacity gaps. Where the senior management team is too small for the firm’s complexity, or where SMF capacity is stretched across too many responsibilities.

SMCR documentation that doesn’t reflect operational reality. Where SoRs and MRMs are documented but operational responsibilities differ.

Three lines of defence collapse. Where the substantive separation between business, risk/compliance, and audit is compromised by reporting lines or organisational structures.

SYSC and Senior Recruitment

SYSC compliance shapes senior recruitment substantially:

  • SMF16 (Compliance Oversight) — owns SYSC 6 compliance function delivery
  • SMF4 (Chief Risk Officer) — owns SYSC 7 risk control framework
  • SMF17 (MLRO) — owns SYSC 6 financial crime function
  • SMF24 (Chief Operations) — frequently owns SYSC 8 outsourcing and SYSC 4 operational organisation
  • Head of Internal Audit — typically not an SMF but a senior role with substantial regulatory significance
  • Head of Compliance — operational head reporting to SMF16
  • Head of Risk — operational head reporting to SMF4

For senior recruitment generally across these roles, see our CCO Recruitment, CRO Recruitment, and FCA Regulated Firm Recruitment pages.

A Note from Our Founder — Adrian Lawrence FCA

SYSC is the regulatory backbone that ties together everything else in UK financial services regulation. Firms with strong SYSC compliance — substantive senior management arrangements, effective compliance and risk functions, robust outsourcing oversight, embedded conflicts management — typically run their FCA dialogue from a position of strength. Firms with documentary SYSC compliance but weak operational substance frequently find themselves under supervisory pressure when the FCA tests whether the arrangements actually work.

The recruitment angle that comes up most often in our placements is the senior team capacity question. SYSC requires firms to have appropriate senior management for their nature, scale and complexity. Firms that try to operate with senior teams below the calibre or capacity their activities require typically face SYSC-related challenges that surface through FCA dialogue. Hiring boards looking at senior compliance, risk, or operations roles should think about whether the proposed appointment is calibrated to the firm’s SYSC requirements — not just the immediate functional gap.

For senior compliance and risk leadership specifically, the SYSC dimension has become an essential interview topic. Strong candidates demonstrate familiarity with SYSC requirements applicable to the firm, experience operating SYSC-aligned frameworks, and engagement with FCA dialogue on SYSC matters. The candidate pool with substantive SYSC experience varies by firm size and sector, but at the senior end is meaningfully tight.

At FD Capital we work on senior compliance, risk and operations mandates regularly across UK regulated firms. If you are recruiting senior leadership and want to discuss SYSC implications, I’m happy to have a direct conversation.


Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383


Further Reading and Authoritative Sources

For the SYSC sourcebook itself, see SYSC in the FCA Handbook. For the broader Handbook architecture, see the FCA Handbook.

Related Guides: FCA Handbook and Governance

Part of FD Capital’s series of practical guides for FCA-regulated firms: PRIN — The 11 FCA Principles | SUP — The Supervision Manual | DISP — Dispute Resolution | PERG — Perimeter Guidance | SMCR — Pillar Guide | The Senior Managers Regime | The Certification Regime | Three Lines of Defence | SMF16 — Compliance Oversight | SMF4 — Chief Risk Officer
