SYSC 4: How the FCA Expects Governance to Be Structured

SYSC 4 is the chapter of the FCA’s Senior Management Arrangements, Systems and Controls sourcebook that sets out how the FCA expects regulated firms to govern themselves. It is not a bureaucratic checklist — it is the FCA’s articulation of what effective governance actually looks like in a regulated financial services firm, and it underpins the personal accountability framework of the SMCR.

For many regulated firms, SYSC 4 operates largely in the background — referenced in governance policies, cited in training materials, but rarely examined in depth. This is a mistake. SYSC 4 sets the governance standard against which the FCA assesses whether a firm’s management body is capable of overseeing the firm effectively, whether its organisational structure is clear and appropriate, and whether its decision-making processes are consistent with the expectations of a well-governed regulated entity. Getting SYSC 4 right is not just a compliance matter — it is the foundation for the SMCR’s accountability framework, the threshold conditions assessment at authorisation, and the FCA’s supervisory view of whether the firm’s senior management is fit for purpose.

The Scope and Structure of SYSC 4

SYSC 4 applies to all FCA-regulated firms with a Part 4A permission, though its specific requirements vary by firm type. For most investment firms, the requirements are set out in SYSC 4.1, which implements the governance provisions of MiFID II. For banks and building societies, PRA requirements run alongside SYSC 4 and are typically more prescriptive. For smaller consumer credit or payment institution firms, the SYSC 4 requirements are somewhat lighter in their formal structure but the underlying governance principles remain the same.

The sourcebook is organised around four interconnected obligations: the management body requirement, the organisational structure requirement, the four-eyes principle, and the record-keeping and delegation framework. Understanding each in depth, and understanding how they interact in practice, is the starting point for building a governance framework that genuinely satisfies the FCA’s expectations.

The Management Body: Composition and Capability

SYSC 4.3A requires firms to have a management body that is collectively responsible for the firm’s strategy, governance and oversight. The management body must collectively possess adequate knowledge, skills and experience to understand the firm’s activities, including its principal risks. Individual members must be of sufficiently good repute, act with integrity and independence of mind, commit sufficient time to their functions, and avoid conflicts of interest that could compromise their independent judgment.

In practice, the FCA assesses management body composition primarily through the SMF approval process. Each proposed member of the management body who holds an SMF must demonstrate individual fitness and propriety through the Form A application process. But the SYSC 4.3A collective assessment goes further: the FCA expects the firm to have assessed whether the management body as a whole — not just individual members — has the range of experience and expertise needed to govern the firm’s specific business.

For a payment institution with a technical founder as CEO, the management body collective capability assessment might identify a gap in regulatory expertise that needs to be filled by an independent non-executive director with a compliance or regulatory background. For a wealth management firm, the collective assessment might identify a gap in investment expertise at board level that requires either a new board appointment or a restructuring of the committee framework to bring that expertise into the governance structure through a sub-committee. The SYSC 4.3A assessment is therefore both a diagnostic tool and a governance design exercise.

The time commitment requirement in SYSC 4.3A is more significant than it might appear. The FCA expects management body members to commit sufficient time to perform their functions effectively — which means not holding so many directorships that their ability to engage with the firm’s business is impaired. For non-executive directors, the FCA has been explicit in its guidance that the time commitment to each board role must be assessed at the point of appointment and monitored thereafter. A non-executive director who holds eight board roles cannot realistically meet the time commitment standard for each of them, and a firm that appoints such an individual has not met its SYSC 4.3A obligation.

The Four-Eyes Principle in Practice

SYSC 4.1.1R requires that the firm’s business is managed by at least two persons — the four-eyes principle. The rationale is straightforward: sole decision-making at the most senior level of a regulated firm creates unacceptable concentration risk. Where a single individual controls all significant decisions, there is no internal check on that individual’s judgment, conduct or potential for misconduct.

The four-eyes principle does not simply require two individuals to hold SMF titles. It requires that the firm’s business is genuinely managed by at least two individuals — meaning both must have real decision-making authority over the firm’s principal activities, not one as a principal and another as a nominal requirement. The FCA looks at the substance of the arrangement: do both individuals attend key governance meetings? Do both have access to management information? Do both take decisions and exercise judgment on significant matters? Where one individual is clearly dominant and the second is present in name only, the four-eyes principle is not satisfied regardless of what the governance documents say.

For early-stage firms, the four-eyes principle creates a practical challenge when the founding management team is small. A founder who is sole CEO must find a genuine counterpart — whether a co-founder, a non-executive chair, or an independent director — who has real authority and engagement with the business. This is often the first governance design challenge that firms face in the FCA authorisation process, and it is one where getting the right person matters more than getting the right title.

Organisational Structure: Clarity and Appropriateness

SYSC 4.1.1R also requires firms to have a clear and appropriate organisational structure with well-defined, transparent and consistent lines of responsibility. In practice, this means the firm must be able to demonstrate — on paper and in reality — who is responsible for each significant area of the firm’s activities, how that responsibility is exercised, and how information flows between the different parts of the organisation to support effective oversight.

The organisational structure requirement has two dimensions. The first is the internal structure: how the firm’s management layers, business lines and support functions relate to each other, and how authority is distributed across them. The second is the SMCR dimension: how the firm’s management responsibilities map against the SMF holders who bear accountability for each area. SYSC 4’s organisational structure requirement and the SMCR’s Management Responsibilities Map are two expressions of the same underlying obligation — that the firm’s governance structure is coherent and that accountability is clearly allocated.

Firms with matrix structures, dotted-line reporting relationships, or shared service arrangements with group entities face particular challenges in meeting the SYSC 4 organisational clarity standard. The FCA expects to be able to trace accountability from each regulated activity to a named individual with clear responsibility for it. Where dotted-line reporting creates ambiguity about whether a compliance function’s primary accountability is to a local managing director or to a group head of compliance in another jurisdiction, the firm must resolve that ambiguity — typically through clear documented governance arrangements that specify which lines carry accountability rather than simply information-sharing.

The Three Lines of Defence and SYSC 4

SYSC 4 does not prescribe the three lines of defence model, but it is the dominant framework through which FCA-regulated firms operationalise the SYSC 4 governance requirements. The first line — operational management — owns the risks within its business area and is the primary control environment. The second line — risk and compliance — provides independent oversight and challenge of the first line’s risk management. The third line — internal audit — provides independent assurance to the board on the effectiveness of the first and second lines.

The FCA’s SYSC 4 expectations interact with the three lines in specific ways. For the compliance function, SYSC 6 (which sits alongside SYSC 4) requires firms to have a permanent, effective and independent compliance function. For the risk function, SYSC 4.3A requires that the risk function has appropriate stature within the firm — including direct access to the management body and, in the most significant firms, a dedicated Chief Risk Officer (SMF4) who reports directly to the board. For internal audit, SYSC 4.3A and the separately designated SMF5 function require that the head of internal audit has the authority and independence to provide genuine assurance rather than management-directed review.

Where firms cannot sustain all three lines on a standalone basis — as is typically the case for smaller regulated firms — the FCA accepts proportionate arrangements. A small payment institution may not have a dedicated internal audit function, but it must be able to demonstrate how independent assurance is obtained — whether through outsourced audit, periodic independent review by external experts, or audit committee oversight by non-executives with the relevant expertise. The key is proportionality combined with genuine independence: the arrangement must provide real assurance, not just the appearance of it.

Delegation Under SYSC 4

SYSC 4.1.1R requires firms to have adequate internal control mechanisms, including sound administrative and accounting procedures, and arrangements for managing risks. One of the most practically significant aspects of this is the delegation framework — how the management body delegates specific functions to individuals and sub-committees, while retaining ultimate responsibility for the outcomes.

Under SYSC 4, delegation does not transfer accountability. A board that delegates the oversight of the compliance framework to the audit committee retains accountability for ensuring the audit committee is properly constituted, adequately informed and effectively performing its delegated function. An SMF holder who delegates specific tasks to a team retains the SMCR reasonable steps obligation to oversee the delegate’s performance. This is a fundamental principle that firms with complex governance structures must embed in their governance design: delegation is a management technique, not an accountability transfer mechanism.

The delegation framework must be documented. The FCA expects firms to be able to produce a clear record of what has been delegated, to whom, with what authority limits, and with what monitoring and reporting obligations. In practice, this means maintaining a delegation register or equivalent document that links the management body’s responsibilities to the individuals and sub-committees that exercise them. Board terms of reference, committee charters and individual job descriptions should all be consistent with the delegation framework and should be reviewed and updated when organisational changes affect the allocation of responsibilities.

SYSC 4 and the SMCR: The Accountability Interface

SYSC 4 and the SMCR are deeply interconnected, and understanding how they interact is essential for firms that want to build a coherent governance framework rather than two parallel systems that run alongside each other without genuine integration.

The SMCR’s Statement of Responsibilities maps directly onto the SYSC 4 organisational clarity requirement: the SoR is the individual-level expression of what the Management Responsibilities Map describes at the firm level. A firm with a clear SYSC 4 governance structure will find the SoR drafting exercise straightforward, because the accountability it documents in the SoR should be a direct reflection of the governance structure that SYSC 4 requires. A firm that struggles to draft clear SoRs typically has an underlying governance clarity problem that SYSC 4 is designed to address.

The SMCR’s reasonable steps obligation — the mechanism through which SMF holders avoid personal liability for failures within their area — also operates through the governance framework that SYSC 4 requires. An SMF holder who can point to a governance structure that provides them with adequate information, through clear reporting lines, from appropriately resourced functions, is in a much stronger position to demonstrate reasonable steps than one operating in an ad hoc governance environment where information flows are informal and accountability is unclear.

Common SYSC 4 Failures Identified in FCA Supervision

The FCA’s supervisory and enforcement work consistently identifies the same categories of SYSC 4 failure. The most common are: management bodies that lack genuine collective expertise across the firm’s principal risk areas; organisational structures with unclear lines of responsibility, particularly at the boundary between business lines and control functions; governance documents that describe an aspirational structure rather than the one actually in operation; delegation frameworks that exist on paper but are not reflected in how the firm actually makes decisions; and compliance and risk functions that lack the independence, stature and resource to provide genuine second-line challenge rather than documentation of first-line decisions.

Each of these failures has two dimensions: the technical breach of SYSC 4’s requirements, and the more significant practical consequence that the firm’s governance does not actually provide the oversight and control that SYSC 4 is designed to require. The FCA’s supervisory approach has consistently been to look through governance documentation to assess whether the firm’s governance actually operates as described — and where it does not, to treat the gap between documented and actual governance as the primary concern.

Building a SYSC 4-Compliant Governance Framework in Practice

For a firm building its governance framework from scratch — typically in the context of an FCA authorisation application or a significant governance restructuring — the starting point is a gap analysis against the SYSC 4 requirements. This covers: the management body’s collective competence across the firm’s principal activities and risks; the four-eyes principle and whether the two most senior individuals have genuine joint accountability; the organisational structure and whether lines of responsibility are clear, documented and consistent with the SMCR allocations; the three lines of defence and whether each line has appropriate independence and resource; and the delegation framework and whether the board’s delegated functions are properly documented and monitored.

The governance framework that results from this analysis should be documented in a set of core governance documents: board terms of reference; committee charters for each sub-committee; a delegation register; the Management Responsibilities Map; and individual Statements of Responsibilities for each SMF holder. These documents should be consistent with each other, reviewed at least annually, and updated when material organisational changes occur. The consistency between these documents and the firm’s actual governance practice is the standard the FCA will assess — and it is the standard that SMF holders should hold themselves to, not simply as a regulatory compliance matter but as the foundation of the individual accountability that the SMCR requires them to exercise.

Adrian Lawrence FCA — Founder, FD Capital Recruitment Ltd

ICAEW Registered Practice  |  Companies House No. 13329383

“The governance framework is where the abstract obligations of SYSC 4 and the SMCR become concrete operational reality — and where the difference between a compliance function that understands governance design and one that documents existing arrangements becomes most visible. The compliance officers and non-executive directors we place at FCA-regulated firms are those who can build governance frameworks that work in practice, not just on paper.”

Building or Restructuring Your Governance Framework?

FD Capital places compliance officers, non-executive directors and SMF holders with the governance and regulatory expertise to design and operate effective SYSC 4-compliant governance frameworks — on interim, fractional and permanent mandates.