SMCR+ View - April 2026 – “Phase 1” SMCR review policy statements

Everyone thought when the FCA said "Q2 2026" for their SMCR Review Policy Statement it meant the 30 June 2026...but, here we are in April with the FCA's PS26/6, the PRA's PS12/26, and HMT's response to their Consultation Paper on Phase 2 changes.

The headline is that the PRA and FCA are bringing in several changes as of 24 April 2026 (i.e., Friday this week)! Thankfully, these changes are generally focussed on making the regime more flexible for firms and so while firms need to think about the changes they may want to make to their policies and procedures, you don't need to do this by Friday 24 April 2026 and these can be made in due course. However, there are some changes in guidance around the roles of certain SMFs (e.g., SMF 7s and SMF 18s) which firms will need to consider in relation to their existing populations. If you have certain SMF applications in-flight or current/imminent Senior Manager transitions its worth considering the changes coming in on Friday 24 April 2026 in case it supports/changes your current strategy.

Other changes being made to the regime by the FCA and PRA are coming in on 10 July 2026 (e.g. changes to the Enhanced firm thresholds). Generally, there are some significant wins for the industry here - e.g., greater flexibility with regards to the 12-week rule, greater flexibility with submitting updated statements of responsibilities, etc. While the 12-week rule is a good example of the regulators progressing in their endeavour to make the regime more flexible, their unwillingness to make it even more flexible to accommodate industry feedback might suggest that they are not yet ready to fully address the key concerns of the industry…this might be a litmus test for Phase 2 changes, and how much the FCA and PRA will really change the SMCR once HMT have removed much of the detail relating to the regime from FSMA 2000.

However, the more meaningful Phase 2 changes that will come once there is appropriate legislative change are still some time away. HMT have maintained the line that legislative change will happen "when parliamentary time allows", but the FCA has indicated that it plans to consult on Phase 2 proposals "later this year". Let's see what happens. HMT have, however, made it clear that they are going to be taking out a huge amount of detail from FSMA 2000 (e.g., requirements regarding the Certification Regime, Conduct Rule breach reporting) and leaving it to the regulators to create their own rules.

Read our full update on (i) the FCA and PRA's Policy Statement on Phase 1 SMCR changes, and (ii) what's in store for Phase 2 here. If you have questions please do contact Amy Sumaria (Managing Associate), Penny Miller (Partner), or Alannah Mansfield (Associate).

This edition also covers:

• The FCA's new webpage on non-financial misconduct ("NFM"), setting out what firms should (and shouldn't) be doing ahead of the 1 September 2026 implementation deadline.

• The FCA's findings on good practice and areas for improvement in firms' approaches to operational resilience, based on its review of annual self-assessments.

• The BoE, PRA and FCA responses to the Treasury Committee's report on AI in financial services, and the Financial Ombudsman Service's response to The Mills Review.

• The FCA's multi-firm review of customer due diligence, enhanced due diligence controls and ongoing due diligence controls.

• Other updates, including the FCA's publication on Consumer Duty Board Reports, governance proposals from the PRA's consultation on high LTI mortgage lending, and the FCA's Primary Market Bulletin No. 62.

• The latest enforcement actions, including a PRA Final Notice involving the failure to deal openly and cooperatively with the PRA and a FCA Warning Notice in relation to a lack of integrity.

As always, please do reach out to us with any feedback or questions.

1. FCA webpage - Non-Financial Misconduct

Ahead of the new NFM rule and guidance coming into force on 1 September 2026, the FCA has published this webpage setting out what firms should be doing before the changes take effect. In particular, the FCA indicates that firms should be reviewing whether they need to update their approach to staff policies, Conduct Rule breach reporting, fit and proper assessments and regulatory references, and ensure that staff and managers understand how the changes apply to them. Perhaps helpfully, the FCA also clarifies what firms do not need to do - i.e., there is no requirement to carry out retrospective analysis on past Conduct Rule breach determinations, revise past fitness and propriety assessments, monitor employees' private lives or social media accounts, or investigate allegations about employees' private lives where they are trivial, implausible, or irrelevant.

We're already assisting a number of clients with their NFM implementation projects, including updating policies and procedures and preparing updated training for staff and managers, with firms looking to get ahead of that post-summer holidays implementation deadline. Given the additional SMCR changes coming in on 24 April 2026 and 10 July 2026 as a result of the FCA and PRA's latest policy statements, it may be that firms want to do a more holistic review of their policies and procedures.

Please do reach out to Amy Sumaria (Managing Associate), Penny Miller (Partner) or Andrea Finn (Partner) if you'd like to discuss how we can help.

2. FCA - new webpage highlighting good practice in firms' approaches to operational resilience and the FCA's Policy Statement on operational incident and material third party reporting

Following the publication of PS26/2 including final rules on operational incident and material third party reporting (which we covered in this SMCR+ View), the FCA has published this webpage providing examples of good practice and areas for improvement in firms' compliance with the operational resilience rules, based on its review of firms' annual operational resilience self-assessments. A key area covered is governance, with the following areas for improvement identified: (i) Board engagement, approval processes and document review trails, (ii) responsibility for monitoring remediation plans, (iii) recorded remediation actions, owners or target completion dates, (iv) Board / Senior Manager understanding of operational resilience responsibilities and commitment to action/investment, and (v) evidence of input from second or third line of defence in the self-assessment. The FCA sets out a number of other findings on this webpage, including around scenario testing and vulnerability management. We'd recommend firms consider these findings and whether any enhancements are needed.

One other point to note is that (as per PS26/6) the FCA is changing (from 10 July 2026) the thresholds for when certain FCA authorised firms will be categorised as an Enhanced SMCR firm. This is important because under PS26/2 the rules on third party reporting are applicable to Enhanced SMCR firms (among others). Therefore, if there are firms that will fall out of scope of the Enhanced regime (because of the changes coming in on 10 July 2026) before the implementation date of the third party reporting requirements on 18 March 2027, they will have much more streamlined implementation projects!

Please do reach out to Alex Ainley (Partner), Amy Sumaria (Managing Associate) or Alannah Mansfield (Associate) if you have any questions.

3. BoE, PRA and FCA response to the Treasury Committee's report on AI in financial services

Earlier this year we covered the publication of the Treasury Committee's report on AI in financial services, which included certain recommendations for the BoE, PRA and FCA to implement by the end of 2026. One of these recommendations was for the FCA to provide practical guidance for firms on the application of existing consumer protection rules to their use of AI and guidance on accountability and the level of assurance expected from Senior Managers for harm caused through the use of AI. The Treasury Committee has now published a report which includes the BoE and FCA's responses to its report, in which the FCA confirms that, together with the BoE and the PRA, it will share examples of good and poor practices in line with this recommendation - one for Senior Managers to watch out for...

The Financial Ombudsman Service has also published its response to The Mills Review - the FCA's call for input on the long-term impact of AI on retail financial services. Some interesting observations in here - including the FOS noting an increase (perhaps unsurprisingly) in consumers using AI in complaint submissions and correspondence (with some citing non-existent past FOS decisions...!), which is resulting in caseworkers spending more time verifying the accuracy of submissions. The FOS does confirm however that it is currently receiving very few complaints about firms' use of AI, but indicates it would welcome clear and consistent regulations and guidance across the sector to aid consumer understanding.

For more information, please reach out to Amy Sumaria (Managing Associate) or Alannah Mansfield (Associate).

4. FCA - multi-firm review of customer due diligence ("CDD"), enhanced due diligence ("EDD") and ongoing due diligence controls

One for those holding the prescribed responsibility for the firm's policies and procedures for financial crime (PR(d)) and Compliance more broadly. These FCA findings arise from the FCA's assessment of CDD systems and controls, specifically focusing on firms' controls against the Money Laundering Regulations ("MLRs"). The FCA found a number of areas for improvement:

• Policies and procedures: The FCA found policies and procedures lacked sufficient detail - including on EDD measures, the frequency of periodic reviews, and how to identify and verify customers who can't provide usual forms of identification. The FCA also found examples of firms failing to follow their own policies, especially around periodic reviews.

• CDD processes: Firms failed to evidence what EDD measures had been taken and recorded, and there were no examples of scenarios or customer types requiring senior management approval - demonstrating a lack of effective governance and oversight.

• Compliance monitoring and audit: Some firms lacked detail on compliance monitoring, with no independent review of CDD / EDD and a lack of version control, meaning firms couldn't demonstrate an audit trail of reviews or changes.

The FCA encourages firms to consider these findings and whether any enhancements are needed. Backlogs in periodic reviews is something we've seen in enforcement cases a number of times and this latest review is likely to focus attention on these matters all the more. If you have any questions, please reach out to Amy Sumaria (Managing Associate).

5. Other

We've briefly summarised some of the other key updates we've seen:

• FCA update on Consumer Duty Board Reports: This publication is one to consider for firms as we head towards Consumer Duty Board report season...This includes the FCA's reflections on year 2 of reporting and suggests areas firms should consider in the next round of reporting. Some key areas the FCA highlight include ensuring Board challenge is better documented, data is more clearly linked to good or poor outcomes (highlighting the need for Boards to push for analysis that goes beyond MI dashboards and that provides genuine insight), improving monitoring of outcomes in distribution chains, and increasing the focus on consumer understanding and support.

• FCA Primary Market Bulletin No. 62: An interesting one from a market abuse perspective - this Bulletin includes the FCA's key findings on misleading disclosures, controls and director conduct in relation to the fines imposed against the CEO and former group finance directors of Carillion plc (which we covered in this SMCR+ View).

• FCA Regulatory Priorities Report 2026 for Payments firms: We mentioned that the FCA had published a raft of these sector-specific reports in the last SMCR+ View - now it's the turn of the payments sector. There's a particular focus in here on ensuring firms have effective governance, oversight and systems and controls, especially in relation to keeping customers' money safe, financial crime and operational resilience. You'll be able to find a full summary of this in the next edition of Payments View.

• PRA Consultation Paper on high loan to income ("LTI") mortgage lending: One for mortgage lenders - in CP6/26, the PRA proposes removing the current 15% high LTI cap for individual lenders and instead applying the limit at the aggregate market level. From a SMCR+ View perspective, the PRA proposes that firms lending above 15% would need to ensure effective Board oversight, including monitoring against risk limits and demonstrating preparedness to reduce high LTI lending if needed. Evidence of Board oversight may be requested by regulators. The consultation closes on 1 July 2026.

• FCA webpage on improving applications for authorisation for asset managers: The FCA lists common issues it sees with authorisation applications for asset managers - one to bear in mind if you're going through this process. One area of focus is the location of mind and management, with the FCA identifying issues where individuals can't make day-to-day decisions without overseas approval, and firms run by offshore Senior Managers without the right to work in the UK. Other areas include oversight of outsourced functions, Consumer Duty considerations and conflicts of interest.

6. Enforcements

We've seen a number of FCA and PRA enforcement actions which we summarise below:

• FCA Warning Notice, Hartley Pensions Limited ("HPL"): The FCA has published Warning Notice 26/4 against an individual at HPL, who the FCA considers to have breached Individual Conduct Rule 1 (act with integrity). The FCA state that the individual dishonestly used customers' pension funds, made false representations to obtain money for a company they owned, dishonestly provided false and misleading information to the FCA on multiple occasions (including in response to statutory information requests), and improperly caused the firm to withdraw and invest very substantial pension funds without due diligence or pension holders' consent, for their own financial benefit. The related Warning Notice 26/3 against HPL alleges breaches of the FCA's Principle 1 (integrity), Principle 3 (management and control) and Principle 6 (customers' interests) - another significant catalogue of alleged misconduct ...

• PRA Final Notice, The Bank of London Group Limited and its parent company, Oplyse Holdings Limited: This Final Notice relates to breaches of PRA Fundamental Rules 1 (integrity), 3 (act in a prudent manner), 4 (maintain adequate financial resources) and 7 (be open and cooperative in dealings with regulators), as well as multiple PRA Rulebook provisions on capital reporting, large exposures, notifications and related party transactions. The PRA found that the firms had repeatedly misrepresented their capital positions, including by providing falsified documents and failing to disclose capital shortfalls. Most seriously, the PRA found that a Senior Manager had falsified documents to mislead the PRA as to the true capital position (we haven't seen a related enforcement action for this Senior Manager yet...). The PRA determined that these breaches were egregious, persistent and involved intentional misconduct, and imposed a financial penalty of £2 million (reduced from £12 million due to the firms' serious financial hardship) and emphasised the importance of accurate, timely and transparent regulatory reporting, robust governance and effective capital management - particularly for new banks.

• PRA Final Notice, U K Insurance Limited: In this Final Notice, the PRA found a breach of PRA Fundamental Rule 6 (organise and control affairs responsibly) due to deficiencies in financial controls, staff capability, training and resourcing within the firm's finance and actuarial functions. Preventative and detective controls were found to be ineffective, with inadequate planning for the impact of an internal project on regulatory reporting and insufficient documentation of risk acceptances. Although the firm promptly reported the error once discovered and undertook significant remediation, the breaches were considered serious due to their impact on the reliability of prudential data.

• FCA Final Notice, Dinosaur Merchant Bank Limited ("DMBL"): This Final Notice relates to failures to maintain effective arrangements to detect and report suspicious orders and transactions (breaching the UK Market Abuse Regime), as well as a breach of the FCA's Principle 3 (management and control). The FCA found that DMBL failed to detect and report suspicious orders and transactions in its contract for difference business, particularly following the introduction of a new order execution platform. The firm didn't perform adequate risk assessments or preparations to ensure its market abuse surveillance systems were functioning correctly for the new platform, resulting in a significant volume of trades not being captured by its automated surveillance system. This led to missed detection of potential market abuse, including insider dealing and market manipulation, and delayed submission of Suspicious Transaction and Order Reports ("STORs") to the FCA. The FCA also found that DMBL's compliance function was inadequate, with deficiencies in governance, risk management, alert calibration, and escalation procedures - DMBL lacked documented policies and procedures for handling surveillance alerts and failed to provide sufficient management information to its Board, hindering timely identification and remediation of issues. The FCA imposed a financial penalty of £338,000 on DMBL.

If you have any questions on any of the above enforcement actions, please do reach out to Emma Sutcliffe (Partner), Amy Sumaria (Managing Associate), or Thomas Makin (Managing Associate).