Senior Manager Conduct Rules (Tier 2): The Complete Guide

The Four Additional Conduct Rules That Apply to Every SMF

The Senior Manager Conduct Rules — Tier 2 of the FCA’s Conduct Rules framework — apply only to Senior Management Function holders and impose four additional standards of conduct beyond the five Tier 1 rules that apply to all employees. These four rules are the operational specification of what it means to be a senior manager in an FCA-regulated firm. They establish what reasonable steps look like, what disclosure is expected, and how delegation must be managed. Breach of any of these rules is itself enforceable, with civil regulatory sanctions including financial penalties, prohibitions and public censure available to the FCA.

This guide explains the four Tier 2 rules in detail, with practical examples of how they apply, what documentation discipline good SMFs maintain to evidence compliance, and how the rules interact with the Duty of Responsibility under section 66B FSMA. It also covers what FD Capital sees in successful SMF candidates — the practices that distinguish SMFs who manage the regime well from those who run into difficulty when failures emerge.

What’s missing from most online explanations of the Tier 2 rules is the operational reality of what evidence looks like. The rules use language like “reasonable steps” and “appropriate disclosure” — these are judgment-laden standards, and what matters in practice is the contemporaneous documentation that demonstrates the SMF actually took those steps. That’s the gap this guide fills.

Who Is Subject to Tier 2 Conduct Rules

The Tier 2 rules apply to anyone holding a Senior Management Function. This includes:

  • All approved SMFs across all named functions (SMF1, SMF2, SMF3, SMF4, etc.)
  • All SMFs across all firm tiers — Limited Scope, Core, and Enhanced
  • Both solo-regulated and dual-regulated SMFs

The Tier 2 rules apply in addition to the five Tier 1 rules — meaning SMFs are subject to nine Conduct Rules total. The interaction matters: a single course of conduct might breach both a Tier 1 rule (e.g., Rule 1: integrity) and a Tier 2 rule (e.g., SC1: effective control), and breach reporting needs to capture both dimensions.

The Four Senior Manager Conduct Rules

The Tier 2 rules are set out in COCON 2.2.

SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively

The “effective control” rule. Captures the SMF’s responsibility for ensuring that the area of business they are accountable for operates with appropriate systems, controls and oversight. The SMF doesn’t have to personally execute every control — they have to take reasonable steps to ensure the controls exist and are operating.

Practical implications:

  • The SMF needs to understand the control framework in their area, including key control owners, escalation paths, and reporting flows
  • The SMF needs to be informed about control failures and near-misses, with appropriate response
  • The SMF needs to challenge inadequate controls and ensure remediation
  • The SMF needs to be able to demonstrate ongoing engagement with the control framework — through committee minutes, control reports reviewed, decisions taken

Common breach scenarios: persistent control failures the SMF was aware of but did not remediate; inadequate oversight of areas where the SMF had visible warning signs; failure to invest in control improvements where the SMF had decision-making authority.

SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system

The “regulatory compliance” rule. Captures the SMF’s responsibility for ensuring that the firm’s activities in their area comply with the FCA Handbook and other applicable regulatory requirements.

Practical implications:

  • The SMF needs to understand the regulatory framework applicable to their area — at least at the level needed to identify when matters require expert input
  • The SMF needs to engage with compliance, legal and other expert input on regulatory matters
  • The SMF needs to ensure the firm’s activities are designed to comply, not merely to avoid detection
  • The SMF needs to be able to demonstrate awareness of regulatory developments and engagement with implementation

Common breach scenarios: persistent non-compliance the SMF was aware of; failure to invest in compliance capabilities the SMF had authority to authorise; tolerating a culture in their area where regulatory requirements were treated as obstacles rather than obligations.

SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively

The “delegation oversight” rule. Recognises that SMFs can and do delegate operational delivery of their responsibilities, but constrains how delegation works — the SMF retains accountability and must ensure both appropriate delegate selection and effective ongoing oversight.

Practical implications:

  • Delegation decisions need to be deliberate — to a named individual with appropriate capability
  • Delegation arrangements need to be documented — what is being delegated, to whom, with what reporting arrangements
  • Ongoing oversight is required — regular reporting, escalation triggers, and personal review of material matters
  • The SMF cannot “delegate and forget” — visible engagement is required

Common breach scenarios: delegating critical responsibilities to under-qualified individuals; failing to receive or review reports from delegates; ignoring escalations that should have triggered SMF action; treating delegation as a way to avoid accountability rather than to manage workload.

SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice

The “regulatory disclosure” rule. Imposes a positive obligation on SMFs to ensure appropriate information flows to the regulator. The rule operates alongside Principle 11 (which applies to firms) and SUP 15 notification requirements (which specify particular notification obligations).

Practical implications:

  • The SMF needs to be aware of significant matters in their area that would warrant regulator notification
  • The SMF needs to ensure that the firm’s notification processes are working in their area
  • The SMF needs to escalate where notification has not been made and circumstances suggest it should be
  • The SMF cannot rely on others to notify if they personally have direct knowledge requiring notification

Common breach scenarios: knowing about significant matters and not ensuring notification; tolerating a culture where bad news is suppressed before reaching the regulator; engaging in or condoning concealment of regulatory matters.

The Connection to the Duty of Responsibility

The Tier 2 Conduct Rules and the Duty of Responsibility under section 66B FSMA are related but distinct enforcement bases:

  • Tier 2 Conduct Rules are themselves enforceable. Breach of a rule is the cause of action — the FCA can take action because the rule was breached, regardless of any specific underlying contravention by the firm
  • Duty of Responsibility requires a firm-level contravention of a relevant requirement, occurring in the SMF’s area, where the SMF did not take reasonable steps. Without the firm-level contravention, the Duty of Responsibility doesn’t engage

In practice, FCA enforcement against SMFs frequently invokes both — a Senior Manager Conduct Rules breach and a Duty of Responsibility finding can be linked to the same underlying conduct. The “reasonable steps” test is essentially the same standard across both, but the Tier 2 rules can engage where the underlying conduct doesn’t quite reach a relevant requirement contravention. See our Reasonable Steps Guide for detail.

The Documentation Discipline That Distinguishes Good SMFs

The defining feature of well-functioning SMFs is contemporaneous documentation. The Conduct Rules and the Duty of Responsibility both turn on what the SMF actually did — and “did” is evidenced by records made at the time, not by recollections constructed during an enforcement investigation.

The documentation that good SMFs maintain typically includes:

Committee minutes and board records

Minutes of committees the SMF chairs or attends, with their interventions, challenges, and decisions captured accurately. Where the SMF disagreed with a decision, the dissent should be recorded. Where the SMF raised concerns, those concerns should be visible. Generic minutes that don’t capture individual contributions provide no defensive value.

Decision logs

Significant decisions taken outside committee context — particularly during fast-moving situations — recorded with the basis of the decision, the information considered, and the alternatives. Decision logs need not be elaborate but they need to capture enough to demonstrate considered judgment.

Escalation records

Where the SMF escalated concerns — to the board, to other SMFs, to the regulator — the escalation should be documented with the substance of the concern and the response received. Verbal escalations carry less defensive weight than documented ones.

Challenge records

Where the SMF challenged proposals or activities, the challenge should be documented. Compliance with the challenge (or refusal to address it) should be tracked.

Personal notes

Even informal personal notes — diary entries, notes from one-to-one conversations, contemporaneous records of events — can have evidential value. SMFs who maintain consistent personal note-taking discipline are better positioned than those who don’t.

Information requested and reviewed

What information the SMF requested, what they actually reviewed, and what they did with it. This is particularly important for delegation oversight under SC3 — being able to demonstrate that reports were not just received but engaged with substantively.

The “What Did You Do” Test

The most consistent feature of FCA enforcement against SMFs is the question: “What did you do?” When a contravention occurs in the SMF’s area, the FCA examines what the SMF actually did — what information they had, what challenge they raised, what escalation they made, what decisions they took. Vague answers about “general oversight” or “trusting the team” rarely satisfy the reasonable steps test. Specific answers grounded in contemporaneous documentation typically do. The SMFs who manage the regime well are those who have built documentation discipline into their day-to-day work, not those who try to construct evidence after the fact.

Sector-Specific Tier 2 Application

The four Tier 2 rules apply to all SMFs uniformly, but the practical application varies by SMF type:

SMF1 (CEO)

SC1 (effective control) is dominant — the CEO holds overall responsibility for the firm’s controls. SC4 (disclosure) is also prominent — CEOs are typically the senior point of contact for FCA dialogue and are expected to ensure appropriate information flow.

SMF2 (CFO)

SC2 (regulatory compliance) is dominant for areas like regulatory reporting and capital adequacy. SC3 (delegation) matters significantly — most CFOs delegate operational regulatory reporting to senior finance team members and must oversee that delegation effectively. See our SMF2 Guide.

SMF4 (CRO)

All four rules apply with significant weight, but SC1 (effective control) is foundational — the CRO’s role is fundamentally about ensuring the firm’s controls work. SC4 (disclosure) matters significantly for risk-related notifications. See our SMF4 Guide.

SMF16 (Compliance Oversight)

SC2 (regulatory compliance) is dominant — the SMF16’s role is fundamentally about regulatory compliance. SC4 (disclosure) is critical because the SMF16 frequently bears responsibility for ensuring FCA notifications are made appropriately. See our SMF16 Guide.

SMF17 (MLRO)

SC4 (disclosure) is dominant — the MLRO has specific notification obligations under both SMCR and the Money Laundering Regulations. See our SMF17 Guide.

SMF24 (Chief Operations)

SC1 (effective control) is dominant — operational resilience and ICT risk both turn on whether the firm’s controls work effectively. See our SMF24 Guide.

Common Breach Scenarios

Looking at FCA enforcement patterns since the introduction of SMCR, common Tier 2 breach scenarios include:

Persistent regulatory failures the SMF was aware of. Where a contravention has been identified, raised, and not adequately remediated under the SMF’s tenure, both SC2 and the Duty of Responsibility typically engage.

Failure to challenge. Where an SMF received information that should have prompted challenge to a decision or activity, and didn’t challenge, the “reasonable steps” defence becomes hard to make out.

Inappropriate delegation. Delegating critical responsibilities to under-qualified individuals, or delegating without effective oversight, breaches SC3 even where the underlying activity was satisfactory.

Concealment from the regulator. Knowing about significant matters and failing to ensure appropriate disclosure breaches SC4. This includes both active concealment and passive tolerance of concealment.

Cultural tolerance of poor conduct. Where an SMF tolerates a culture in their area where regulatory matters are deprioritised or where bad news is suppressed, the cultural failure can itself breach SC1 or SC2.

The Recruitment Dimension — What Hiring Firms and Candidates Should Know

For recruitment purposes, the Tier 2 rules matter in three ways:

Candidate experience with the regime

Experienced SMFs have lived the documentation discipline, decision-making approach, and regulatory engagement style that the Tier 2 rules require. Candidates new to SMF status need to develop these habits — and the firm needs to support that development. First-time SMFs are not disqualified by the regime, but they need stronger support during the early period.

The firm’s culture matters substantially

SMFs cannot fulfil the Tier 2 rules in firms where the culture obstructs them. Boards that don’t engage substantively with regulatory matters, that suppress challenge, or that prioritise speed over compliance create environments where SMFs cannot reasonably meet the standards required. Experienced candidates evaluate these factors during interview and frequently walk away from firms where the cultural conditions don’t support effective SMF performance.

Reference checking captures conduct issues

Tier 2 breach findings — like Tier 1 — are disclosable in Regulatory References. A candidate with a history of Senior Manager Conduct Rules breach findings is at a substantive disadvantage that requires careful management during recruitment.

A Note from Our Founder — Adrian Lawrence FCA

The four Tier 2 Conduct Rules are the operational specification of what it means to be a senior manager in a regulated firm. The rules look short on paper — four sentences — but they impose substantial demands when applied to actual senior management practice. The “reasonable steps” standard, the delegation oversight requirement, the disclosure obligation, and the effective control requirement together describe a discipline that experienced SMFs internalise and practice consistently.

The conversation I have with candidates approaching SMF for the first time is usually about documentation. The biggest practical adjustment from a non-regulated leadership role to an SMF role is the contemporaneous documentation discipline — capturing decisions, challenges, escalations, and information flows in records that would withstand subsequent scrutiny. Most senior leaders develop these habits over time; the candidates who build them deliberately from the start of their SMF tenure are better positioned than those who learn them through difficulty later.

The conversation I have with hiring boards is sometimes about whether the firm’s culture supports the Tier 2 framework. SMFs cannot meet the rules in firms where challenge is suppressed, where bad news is filtered before it reaches senior management, or where regulatory matters are treated as obstacles rather than obligations. Experienced candidates evaluate these cultural factors carefully — and walk away from firms where the conditions don’t support effective performance. The firms that recruit the strongest SMFs are the ones that have done the cultural work, demonstrably support their senior managers in carrying out the regime, and create environments where the discipline the rules require is actually possible.

At FD Capital we work on senior management mandates regularly across the FCA-regulated population. If you are recruiting an SMF and want to discuss how the cultural and operational dimensions of the role affect candidate matching, I’m happy to have a direct conversation.

Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383

Hire Senior Management Function Approved Persons

SMF placements require candidates with the discipline, regulatory awareness and leadership capability to operate the Conduct Rules framework effectively. FD Capital places SMF candidates across all named functions, with appropriate matching to firm culture and regulatory profile.

Further Reading and Authoritative Sources

For the FCA’s authoritative guidance on Conduct Rules, see COCON, with the Tier 2 rules at COCON 2.2. For the Duty of Responsibility, see section 66B of the Financial Services and Markets Act 2000. For breach reporting, see SUP 15.

Related Guides: SMCR and SMF Functions

Part of FD Capital’s series of practical guides for FCA-regulated firms: SMCR — The Complete UK Guide | The Senior Managers Regime | The Certification Regime | Individual Conduct Rules (Tier 1) | ‘Reasonable Steps’ Under SMCR | Statement of Responsibilities & MRM | FCA Conduct Rules — Pillar Guide