Certified Persons, Significant Harm Functions and the Annual Fitness Cycle
The Certification Regime is the second pillar of the FCA’s Senior Managers and Certification Regime (SM&CR) and the one most firms underestimate operationally. While the Senior Managers Regime applies to a small number of named senior individuals — typically 5-15 SMFs in a Core-tier firm — the Certification Regime applies to a much larger population of “certified persons” performing what the FCA designates as Significant Harm Functions. For an Enhanced firm, this can be 100-500 employees. For a smaller firm, it may be 10-30. In every case, the operational burden of running an effective Certification Regime is substantial — and the consequences of getting it wrong include personal liability for the SMFs responsible for the framework, regulatory action against the firm, and reputational exposure when conduct issues escalate.
This guide explains how the Certification Regime actually works in practice — which roles are in scope, what the annual fitness cycle requires, how Material Risk Takers and other defined categories are identified, and what good Certification Regime governance looks like operationally. It also covers the recruitment dimension — what the regime means for candidates moving between regulated firms, how Regulatory References work in practice, and what FD Capital sees when supporting firms with their certification framework.
What’s missing from most online explanations of the Certification Regime is the operational reality — the volume of work, the technology requirements, the HR integration challenges, and the risk that the regime becomes administrative compliance rather than substantive fit-and-proper governance. That’s the gap this guide fills.
What the Certification Regime Is
The Certification Regime requires firms to identify employees performing Significant Harm Functions, assess their fitness and propriety on appointment and annually thereafter, and certify them as fit and proper to perform their roles. Unlike SMFs, certified persons are not pre-approved by the FCA — the firm makes the certification decision itself. But the firm bears responsibility for the integrity of those decisions, and the SMF responsible for the certification framework (typically SMF16) carries personal liability under the Duty of Responsibility.
The regime applies to all FCA-regulated firms above the Limited Scope tier. The specific scope of “Significant Harm Functions” varies modestly between Core and Enhanced firms but the framework is essentially the same.
Significant Harm Functions — Who’s In Scope
The Certification Regime applies to employees performing functions that could cause significant harm to the firm or its customers. The full list is set out in SYSC 27 of the FCA Handbook. The most commonly relevant categories include:
Material Risk Takers (CASS firms, IFPRU firms, MIFIDPRU firms)
Material Risk Takers (MRTs) are individuals whose professional activities have a material impact on the firm’s risk profile. The MRT identification methodology varies by regulatory framework — under MIFIDPRU, MRTs are identified using the K-factor framework; for IFPRU and dual-regulated firms, the EBA Regulatory Technical Standards apply. MRT identification is a substantive annual exercise, not a check-the-box process.
Client-Dealing Functions
Employees who deal with clients in specific ways — providing investment advice, undertaking customer-facing functions in particular sectors, or interacting with clients in roles where conduct matters most. The full definition is set out in SYSC 27.7.
Functions Subject to Qualification Requirements
Roles that require specific FCA-mandated qualifications — most notably investment advisers under RDR who must hold appropriate qualifications. Certification under SM&CR is in addition to the qualification requirements, not a substitute.
CASS Oversight Functions
Employees with significant CASS responsibilities below the SMF level — typically including senior CASS team members, CASS reconciliation leads, and others with material CASS-related decision-making authority.
Functions Subject to the Algorithmic Trading Regime
Individuals responsible for algorithmic trading activity — a more recent addition to the certification scope reflecting the FCA’s focus on the conduct dimensions of automated trading.
Manager of Certified Employees
An important and often-overlooked category: employees who manage certified employees are themselves certified. This creates a cascade — once you have one certified employee, their manager is certified, and that manager’s manager is certified, all the way up to the SMF level. The cascade is one reason the certified population in larger firms grows quickly.
Other Sector-Specific Functions
The full list includes other categories specific to particular firm types — proprietary trading roles, certain insurance functions, specific consumer credit functions, and similar. The scope assessment for any specific firm requires careful reference to SYSC 27 against the firm’s actual activities.
The Annual Certification Cycle
Every certified employee must be assessed as fit and proper at least annually. The annual cycle typically runs as follows:
| Step | Timing | Activity |
|---|---|---|
| 1. Identification | Throughout the year, formalised at cycle start | Identify employees performing Significant Harm Functions; refresh at material role changes |
| 2. Self-attestation | Cycle window (typically annual) | Each certified employee attests to their continuing fitness |
| 3. Manager assessment | Cycle window | The certified employee’s manager assesses their fitness based on observed conduct, performance and any reported breaches |
| 4. Background checks | Cycle window or rolling | Refreshed credit, criminal, and regulatory history checks where appropriate |
| 5. Compliance verification | Cycle window | Compliance function verifies the framework has been applied consistently |
| 6. Certification decision | Cycle close | Formal decision to certify, certify with conditions, or not certify each individual |
| 7. Record-keeping | Continuous | Internal records maintained showing the basis of each certification decision |
Most firms run the cycle once annually, often aligned with the firm’s performance review cycle. Larger firms with hundreds of certified employees frequently use specialist HR/regulatory technology to manage the volume.
The Operational Burden — Why Firms Underestimate It
The Certification Regime looks administratively simple from the outside — identify in-scope employees, run an annual fitness assessment, document the decision. In practice, the operational reality is more demanding:
- Identification is non-trivial. Material Risk Taker identification under MIFIDPRU requires specific calculations against revenue thresholds, K-factor activities, and risk-based criteria. Errors in identification — either missing in-scope individuals or capturing out-of-scope individuals — create either regulatory exposure or unnecessary administrative burden.
- Cascade effects mean the population is larger than first estimated. Once identification includes managers of certified employees, the certified population in a typical Enhanced firm reaches 200-500 individuals — substantially larger than firms initially estimate.
- Each individual requires substantive assessment. A “fit and proper” assessment that consists of the manager ticking a box has no defensive value if conduct issues subsequently emerge. The FCA expects substantive assessment with documented basis.
- Background checks have ongoing cost. Annual refresh of credit, criminal and regulatory checks is required for at least some categories — at scale, this is operationally meaningful.
- Records must be maintained for prescribed periods. Certification records must be available for FCA inspection — including the basis of each decision, not just the outcome.
- Adverse findings require escalation. Where the assessment identifies fitness concerns, escalation to the appropriate SMF, potentially the board, and consideration of FCA notification obligations all need clear processes.
The technology dimension matters too. Firms running certification on spreadsheets and email at scale typically find the process becomes unmanageable around 100-150 certified employees. Specialist regtech solutions or HR platforms with built-in regulatory functionality become operationally necessary at scale.
The Conduct Rules Apply to Certified Persons
Certified persons are subject to the five Individual Conduct Rules (Tier 1) — the same rules that apply to all firm employees. The Conduct Rules are themselves enforceable, with breach reporting obligations attached:
- Where a firm concludes that a Conduct Rules breach has occurred, the firm must report it to the FCA via Form D
- For SMFs and certified persons, the reporting deadline is short — within seven business days
- For other employees, breach reporting is annual
- Breach reports affect the individual’s fitness and propriety record and form part of the Regulatory Reference if they move firms
For more on the Tier 1 Conduct Rules specifically, see our Individual Conduct Rules Guide.
Regulatory References for Certified Persons
Like SMFs, certified persons are within scope of the mandatory Regulatory References regime. When a certified person moves between regulated firms, the new firm must request a Regulatory Reference covering at least the previous six years.
The reference must include:
- The role(s) the individual performed
- Whether they were a certified person and on what basis
- Any Conduct Rules breach findings
- Any disciplinary action affecting fitness
- Whether the firm withdrew certification (and why)
For recruitment purposes, the implication is that conduct issues at one firm follow the individual to the next. Firms recruiting certified persons need to take Regulatory References seriously — not as administrative formality, but as a substantive fitness assessment input. Firms providing references must ensure they capture and disclose the matters required, even where the departing employee disagrees with the firm’s assessment.
The “manager of certified employees” rule means that once a firm has any certified employees, their full management chain is also certified. In practice, this often catches Heads of HR, Heads of Operations, business unit heads and others who weren’t expected to be in scope. Firms reviewing their certification scope frequently discover the population is 30-50% larger than initial estimates because of the cascade. This affects budget, technology requirements, and the design of the annual cycle.
What Good Certification Regime Governance Looks Like
Drawing on FD Capital’s experience supporting firms with their compliance and HR leadership recruitment, well-functioning Certification Regimes typically share several features:
Clear ownership at SMF level
The SMF responsible for the framework — typically SMF16, sometimes shared with HR leadership — is engaged in the framework design, not just delegated administration. The SMF reviews material decisions personally and is accountable to the board for the framework’s effectiveness.
HR-Compliance integration
The Certification Regime sits at the intersection of HR (performance management, disciplinary processes) and Compliance (regulatory framework). Firms where HR and Compliance work together on certification — sharing data, aligned on process, joint ownership of escalation — get better outcomes than firms where the regime is purely a Compliance exercise or purely an HR exercise.
Substantive assessment, not box-ticking
Manager assessments that simply restate “fit and proper” without documented evidence have no defensive value. Good practice is to ground the assessment in observed conduct, performance metrics, any reported issues, and a substantive view of fitness — captured in records that would withstand scrutiny.
Strong technology platform
For firms with 100+ certified persons, dedicated technology — either a regtech solution or a properly configured HR platform — is operationally necessary. Manual processes at scale create errors, missed deadlines, and inconsistent application.
Board engagement on themes, not individuals
The board doesn’t need to see every certification decision, but it should see the themes — overall numbers certified, numbers with conditions or concerns, conduct breach rates, and any structural patterns that might indicate cultural or framework issues.
Active feedback loops
Issues identified during certification should feed into training programmes, supervisory practices, and risk assessments. The certification framework is most valuable when it surfaces issues that would otherwise remain invisible — provided the firm acts on what it finds.
Common Pitfalls in Certification Regime Implementation
Treating certification as administrative. The most common pitfall — running the certification cycle as a compliance formality rather than a substantive fitness assessment process. The FCA expects substance, and weak certification frameworks become enforcement exposures when conduct issues escalate.
Underestimating scope. Initial scope assessments frequently miss the cascade effects, leading to under-resourced frameworks and gaps in fitness assessment.
Inconsistency between business units. Where certification standards vary between divisions (e.g., front-office vs operations), the framework loses credibility internally and externally.
Poor record-keeping. Certification decisions need documented basis. Decisions captured only in tick-boxes or single-line attestations have no defensive value.
Slow Conduct Rules breach handling. The seven-business-day reporting deadline for SMFs and certified persons is short. Firms with weak breach identification processes routinely miss deadlines.
Reference exchange weaknesses. Firms that issue templated references without substantive content, or fail to follow up on reference findings from incoming staff, create weaknesses in the regime that the FCA examines during supervisory dialogue.
A Note from Our Founder — Adrian Lawrence FCA
The Certification Regime is the part of SM&CR that most often catches firms by surprise — both in the volume of certified employees and in the operational burden of running an effective annual cycle. The framework looks simple from the outside but becomes substantial in practice, and the firms that get it right treat it as a genuine fit-and-proper governance function rather than as administrative compliance.
The recruitment angle that comes up most in our placements is what the regime means for candidates moving between firms. The Regulatory References requirement creates real continuity — conduct issues at one firm follow the individual to the next, and settlement agreements cannot mask the substantive matters that need to be disclosed. For both candidates and hiring firms, this means that reference checking is genuinely substantive work, not formal box-ticking. Firms that take references seriously — and candidates that disclose adverse history proactively — typically find the recruitment process runs more smoothly than firms or candidates that try to manage around the regime.
The other dimension worth being explicit about is the SMF accountability that sits behind the certification framework. The SMF responsible for the framework — typically the SMF16 holder — has personal liability under the Duty of Responsibility for the integrity of the certification process. Firms that delegate the framework operationally to HR or middle-management compliance without SMF-level engagement create a weakness that the FCA examines when conduct issues subsequently emerge. The strongest frameworks have visible SMF ownership, with the SMF reviewing material decisions personally and engaging substantively with the design of the annual cycle.
At FD Capital we work on compliance and HR senior recruitment regularly across firms operating Certification Regimes at scale. If you are recruiting an SMF16, a Head of HR with regulatory firm experience, or a Compliance Officer with certification framework expertise, I’m happy to have a direct conversation.
Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383
Hire Compliance and HR Leadership for Certification Regime Frameworks
Effective Certification Regime governance requires SMF16 leadership, strong HR-Compliance integration, and operational capability appropriate to the firm’s certified population. FD Capital places senior compliance and HR leaders with regulatory firm experience across the FCA-regulated population.
Further Reading and Authoritative Sources
For the FCA’s authoritative guidance on the Certification Regime, see SYSC 27. For the Conduct Rules that apply to certified persons, see COCON. For the Fit & Proper Test, see the FIT module.
For Material Risk Taker identification, see the MIFIDPRU 7 remuneration framework for investment firms. For the Regulatory References regime, see SYSC 22.