<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/" >

<channel>
	<title>FD Capital Recruitment</title>
	<atom:link href="https://www.fdcapital.co.uk/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.fdcapital.co.uk</link>
	<description></description>
	<lastBuildDate>Sat, 16 May 2026 07:48:07 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Source of funds vs source of wealth: getting the distinction right</title>
		<link>https://www.fdcapital.co.uk/source-of-funds-vs-source-of-wealth-distinction/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:48:07 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[Wealth]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33953</guid>

					<description><![CDATA[Source of funds vs source of wealth: getting the distinction right Source of funds and source of wealth are two distinct customer due diligence concepts that are regularly conflated in practice. The confusion is understandable — both concern the origins of a customer&#8217;s money, and in some cases the information required to satisfy one overlaps with the information required for the other. But they are not the same thing, and treating them as interchangeable creates compliance risk. A firm that believes it has conducted adequate source of wealth due diligence because it has verified source of funds, or that substitutes a source of funds declaration for the deeper enquiry that source of wealth requires, is likely to fail FCA scrutiny when that scrutiny arrives. This article sets out the distinction between the two concepts, when each is required, what adequate verification looks like, and where regulated firms most commonly go wrong. The definitions Source of funds refers to the origin of the specific funds involved in a particular transaction or business relationship. Where did the money for this transaction come from? The answer to this question is transactional and specific: the funds came from the customer&#8217;s salary, from the proceeds of a property sale, from a business dividend, from an inheritance received last year. Source of funds information relates to the particular flow of money that the firm is facilitating or handling. Source of wealth refers to the origin of the customer&#8217;s overall wealth — the economic activities that have generated the totality of their assets and financial position. How did this person accumulate what they have? Source of wealth is biographical and holistic: the customer built a business and sold it, or had a career as a senior professional, or inherited family wealth, or generated wealth through investment activity over many years. 
Source of wealth information relates to the customer&#8217;s overall economic history rather than any specific transaction. The relationship between the two is that source of funds should be consistent with source of wealth. If a customer&#8217;s source of wealth is a career as a salaried professional and their source of funds for a particular transaction is described as the proceeds of a business sale, that inconsistency requires explanation. Source of funds information that cannot be reconciled with what the firm knows about source of wealth is a risk signal that warrants further enquiry. When each is required The Money Laundering Regulations 2017 do not specify precisely when source of funds verification is required and leave significant discretion to firms. The general expectation — reinforced by JMLSG guidance — is that source of funds should be verified where the transaction or business relationship warrants it given the customer&#8217;s risk profile and the nature of the transaction. For high-value transactions, for transactions that appear inconsistent with the customer&#8217;s known profile, or for customers in higher-risk categories, source of funds verification is a core component of the CDD process. Source of wealth is specifically required in several contexts. It is a mandatory component of enhanced due diligence for PEPs — the MLRs require firms to establish the source of wealth and source of funds of PEPs and their family members and close associates. It is also expected as part of EDD for high-risk third country relationships and for any customer relationship where the risk assessment indicates that standard CDD is insufficient to adequately understand and manage the money laundering risk. 
In practice, most wealth management firms and private banks apply source of wealth requirements to all high-net-worth or ultra-high-net-worth clients, not just those who are PEPs, because the AML risk profile of managing substantial assets from complex or opaque origins warrants this level of enquiry regardless of whether the customer holds a prominent public function. What adequate verification looks like Source of funds verification Source of funds cannot be satisfied by declaration alone. A customer stating that the funds came from a property sale requires the firm to verify that a property sale occurred, that the proceeds were consistent with the amount described, and that the funds received can plausibly be traced to that event. Verification does not require forensic certainty — it requires that the firm takes reasonable steps to satisfy itself that the customer&#8217;s explanation is plausible and consistent with available evidence. Verification methods will vary with the transaction and the customer. For a large incoming transfer described as property sale proceeds, a solicitor&#8217;s completion statement or conveyancing correspondence may be appropriate. For funds described as salary or bonus, recent payslips or an employer confirmation letter. For business sale proceeds, the sale agreement or board minute. The appropriate evidence depends on what is proportionate given the transaction value and the customer&#8217;s overall risk profile. The key compliance failure in source of funds verification is accepting declarations without supporting documentation, or accepting supporting documentation without considering whether it adequately evidences what it purports to. A bank statement showing a credit described as &#8220;property sale&#8221; does not verify that a property was sold — it shows that a credit was received with that description. The firm needs to consider whether the available evidence actually answers the question it needs to answer. 
Source of wealth verification Source of wealth verification is more substantive than source of funds and typically requires a biographical understanding of the customer. For a PEP or a high-net-worth client, the firm needs to understand not just the headline claim — &#8220;I built a business&#8221; or &#8220;I had a career in finance&#8221; — but enough of the underlying detail to assess whether the stated source of wealth is plausible given what the firm can independently verify or observe. Verification approaches include: company registry searches to verify business ownership and activity; LinkedIn and other open-source checks to verify employment history and seniority; press coverage or publicly available information for customers who are genuinely prominent; property registry searches for customers whose wealth is primarily in real estate; and for customers from jurisdictions where the stated source of wealth is [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1>Source of funds vs source of wealth: getting the distinction right</h1>
<p>Source of funds and source of wealth are two distinct customer due diligence concepts that are regularly conflated in practice. The confusion is understandable — both concern the origins of a customer&#8217;s money, and in some cases the information required to satisfy one overlaps with the information required for the other. But they are not the same thing, and treating them as interchangeable creates compliance risk. A firm that believes it has conducted adequate source of wealth due diligence because it has verified source of funds, or that substitutes a source of funds declaration for the deeper enquiry that source of wealth requires, is likely to fail FCA scrutiny when that scrutiny arrives.</p>
<p>This article sets out the distinction between the two concepts, when each is required, what adequate verification looks like, and where regulated firms most commonly go wrong.</p>
<h2>The definitions</h2>
<p><strong>Source of funds</strong> refers to the origin of the specific funds involved in a particular transaction or business relationship. Where did the money for this transaction come from? The answer to this question is transactional and specific: the funds came from the customer&#8217;s salary, from the proceeds of a property sale, from a business dividend, from an inheritance received last year. Source of funds information relates to the particular flow of money that the firm is facilitating or handling.</p>
<p><strong>Source of wealth</strong> refers to the origin of the customer&#8217;s overall wealth — the economic activities that have generated the totality of their assets and financial position. How did this person accumulate what they have? Source of wealth is biographical and holistic: the customer built a business and sold it, or had a career as a senior professional, or inherited family wealth, or generated wealth through investment activity over many years. Source of wealth information relates to the customer&#8217;s overall economic history rather than any specific transaction.</p>
<p>The relationship between the two is that source of funds should be consistent with source of wealth. If a customer&#8217;s source of wealth is a career as a salaried professional and their source of funds for a particular transaction is described as the proceeds of a business sale, that inconsistency requires explanation. Source of funds information that cannot be reconciled with what the firm knows about source of wealth is a risk signal that warrants further enquiry.</p>
<h2>When each is required</h2>
<p>The Money Laundering Regulations 2017 do not specify precisely when source of funds verification is required and leave significant discretion to firms. The general expectation — reinforced by JMLSG guidance — is that source of funds should be verified where the transaction or business relationship warrants it given the customer&#8217;s risk profile and the nature of the transaction. For high-value transactions, for transactions that appear inconsistent with the customer&#8217;s known profile, or for customers in higher-risk categories, source of funds verification is a core component of the CDD process.</p>
<p>Source of wealth is specifically required in several contexts. It is a mandatory component of enhanced due diligence for PEPs — the MLRs require firms to establish the source of wealth and source of funds of PEPs and their family members and close associates. It is also expected as part of EDD for high-risk third country relationships and for any customer relationship where the risk assessment indicates that standard CDD is insufficient to adequately understand and manage the money laundering risk.</p>
<p>In practice, most wealth management firms and private banks apply source of wealth requirements to all high-net-worth or ultra-high-net-worth clients, not just those who are PEPs, because the AML risk profile of managing substantial assets from complex or opaque origins warrants this level of enquiry regardless of whether the customer holds a prominent public function.</p>
<h2>What adequate verification looks like</h2>
<h3>Source of funds verification</h3>
<p>Source of funds cannot be satisfied by declaration alone. A customer stating that the funds came from a property sale requires the firm to verify that a property sale occurred, that the proceeds were consistent with the amount described, and that the funds received can plausibly be traced to that event. Verification does not require forensic certainty — it requires that the firm takes reasonable steps to satisfy itself that the customer&#8217;s explanation is plausible and consistent with available evidence.</p>
<p>Verification methods will vary with the transaction and the customer. For a large incoming transfer described as property sale proceeds, a solicitor&#8217;s completion statement or conveyancing correspondence may be appropriate. For funds described as salary or bonus, recent payslips or an employer confirmation letter. For business sale proceeds, the sale agreement or board minute. The appropriate evidence depends on what is proportionate given the transaction value and the customer&#8217;s overall risk profile.</p>
<p>The key compliance failure in source of funds verification is accepting declarations without supporting documentation, or accepting supporting documentation without considering whether it adequately evidences what it purports to. A bank statement showing a credit described as &#8220;property sale&#8221; does not verify that a property was sold — it shows that a credit was received with that description. The firm needs to consider whether the available evidence actually answers the question it needs to answer.</p>
<h3>Source of wealth verification</h3>
<p>Source of wealth verification is more substantive than source of funds and typically requires a biographical understanding of the customer. For a PEP or a high-net-worth client, the firm needs to understand not just the headline claim — &#8220;I built a business&#8221; or &#8220;I had a career in finance&#8221; — but enough of the underlying detail to assess whether the stated source of wealth is plausible given what the firm can independently verify or observe.</p>
<p>Verification approaches include: company registry searches to verify business ownership and activity; LinkedIn and other open-source checks to verify employment history and seniority; press coverage or publicly available information for customers who are genuinely prominent; property registry searches for customers whose wealth is primarily in real estate; and for customers from jurisdictions where the stated source of wealth is inherently higher risk, more intensive enquiry that may include specialist due diligence providers.</p>
<p>The FCA&#8217;s expectation for PEP source of wealth verification is explicit: firms should not rely solely on the customer&#8217;s self-declaration. The information provided by the customer should be tested against what the firm can independently verify, and any material inconsistencies should be escalated and documented. A PEP who claims a source of wealth that is inconsistent with their known public role and salary — where the wealth significantly exceeds what their stated career would plausibly generate — is a material risk signal that requires a clear documented response.</p>
<h2>Common failures in practice</h2>
<h3>Confusing the two concepts</h3>
<p>The most common failure is treating source of funds verification as equivalent to source of wealth enquiry. A firm that collects bank statements showing where the money came from for a specific transaction, files them as &#8220;source of wealth documentation,&#8221; and proceeds has not conducted source of wealth due diligence. It has conducted source of funds verification — and incomplete source of funds verification at that, since the bank statement shows origin but may not explain how the funds arrived in that account.</p>
<h3>Accepting unverified declarations</h3>
<p>The second most common failure is accepting customer declarations without verification. &#8220;Mr X states that his wealth derives from a successful IT business&#8221; is not source of wealth verification. It is a record of what Mr X has told the firm. Verification requires that the firm has taken steps to satisfy itself that Mr X did indeed build an IT business, that the business generated the level of wealth being described, and that this history is consistent with other information the firm holds. The difference between a declaration and a verified fact is exactly where the FCA finds firms falling short in thematic reviews and enforcement cases.</p>
<h3>Failing to identify the inconsistency between source of funds and source of wealth</h3>
<p>Where source of funds information is inconsistent with source of wealth — where the transaction involves amounts or origins that cannot be reconciled with the customer&#8217;s economic history — the firm needs to treat this as a risk signal requiring escalation and further enquiry. Firms that collect both pieces of information but do not compare them, or that compare them and record the inconsistency without escalating it, are failing at exactly the point where the controls matter most.</p>
<h2>The MLRO&#8217;s role in setting standards</h2>
<p>The quality of source of funds and source of wealth verification across a firm is determined primarily by the policies, training, and oversight that the MLRO establishes. An MLRO who has defined clear standards for what constitutes adequate verification, trained the first and second line on those standards, and established a review process that identifies inadequate verifications before they create regulatory exposure is providing the oversight the function requires. An MLRO who has delegated this to written policies without checking whether those policies are being applied in practice is not.</p>
<p>FD Capital places MLROs, financial crime specialists and compliance leaders in FCA-regulated firms across all sectors, including wealth management, private banking and investment management where source of wealth due diligence is a central component of the AML framework. We understand the technical requirements of the role and the standard that regulated firms need from their MLRO appointment.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
<div style="background:#1F3864;padding:28px 32px;margin:40px 0;border-radius:4px;">
<p style="margin:0 0 10px;font-size:18px;font-weight:700;color:#fff;">Need an MLRO with wealth management or private banking AML expertise?</p>
<p style="margin:0 0 18px;font-size:14px;color:#c8d8f0;">FD Capital places MLROs and financial crime specialists across FCA-regulated sectors including wealth management, private banking and investment management where source of wealth due diligence is central to the AML framework.</p>
<p style="margin:0;font-size:14px;color:#fff;">Call <a href="tel:02032879501" style="color:#fff;font-weight:700;">020 3287 9501</a> or visit our <a href="/mlro-recruitment/" style="color:#fff;text-decoration:underline;">MLRO Recruitment</a> and <a href="/financial-crime-recruitment/" style="color:#fff;text-decoration:underline;">Financial Crime Recruitment</a> pages.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/mlro-recruitment/">MLRO Recruitment</a></li>
<li><a href="/financial-crime-recruitment/">Financial Crime Recruitment</a></li>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/investment-firm-cfo-recruitment/">Investment Firm CFO Recruitment</a></li>
<li><a href="/risk-and-compliance-recruitment/">Risk and Compliance Recruitment</a></li>
</ul>
<h3>Related Guides</h3>
<ul>
<li><a href="/smf17-mlro-function-guide/">SMF17 — MLRO Function Guide</a></li>
<li><a href="/politically-exposed-persons-guide/">Politically Exposed Persons: FCA Guide</a></li>
<li><a href="/kyc-guide/">KYC: A Complete Guide for UK Regulated Firms</a></li>
<li><a href="/individual-conduct-rules-guide/">Individual Conduct Rules Guide</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>PEP screening in practice: dealing with false positives at scale</title>
		<link>https://www.fdcapital.co.uk/pep-screening-in-practice-dealing-with-false-positives-at-scale/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:45:15 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[PEP]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33949</guid>

					<description><![CDATA[PEP screening in practice: dealing with false positives at scale PEP screening generates more false positives than almost any other component of a regulated firm&#8217;s customer due diligence process. A common name, a partial name match, an incorrectly configured screening threshold — each of these can flood the alert queue with matches that have no connection to political exposure whatsoever. The operational consequence is significant: compliance teams spend substantial time reviewing and clearing alerts that do not represent genuine risk, and the volume of false positives creates two related problems. The first is operational — the cost and time of clearing alerts. The second is regulatory — a firm that is drowning in false positives may clear genuine ones too quickly, under time pressure and alert fatigue. Managing PEP screening effectively at scale is therefore not primarily a technical question about which screening vendor to use. It is a risk management question about how to configure the screening process to identify genuine PEPs accurately while minimising the operational burden of false positives — and how to document that approach in a way that satisfies FCA scrutiny. What the regulations require The Money Laundering Regulations 2017 require regulated firms to identify customers who are PEPs, family members of PEPs, and known close associates of PEPs. The definition of a PEP under the regulations applies to individuals who are or have been entrusted with a prominent public function — heads of state, members of parliament, senior government officials, senior executives of state-owned enterprises, senior figures in international organisations, and similar. The definition extends to family members and known close associates of such individuals, though the close associate category presents its own identification challenges. 
For domestic PEPs — those holding public functions in the UK — the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 introduced a risk-based approach that distinguished between UK PEPs and foreign PEPs. The regulations made clear that the risk associated with UK domestic PEPs should be assessed as lower than that associated with foreign PEPs, unless specific factors indicate higher risk. This was reinforced by FCA guidance in 2023 and the subsequent Dear CEO letter to retail banks about the treatment of domestic PEPs — a communication prompted in part by high-profile cases in which UK political figures had complained about being denied banking services based on their PEP status. The practical effect of this guidance is that regulated firms should not apply the same level of enhanced due diligence to a UK MP as they would to a senior official of a higher-risk foreign government. Both require identification and assessment. The proportionate response to that identification is different. Why false positives occur at scale False positives in PEP screening have three main causes. The first is name matching methodology. Screening systems that match on partial names or phonetic equivalents will generate matches for common surnames and given names. A firm that screens all customers against PEP databases using fuzzy matching at a 70% threshold will generate substantial volumes of matches for any customer whose name has even a loose resemblance to a listed PEP. The challenge is that raising the matching threshold to suppress those matches increases the risk of missing genuine PEPs. The appropriate configuration depends on the firm&#8217;s customer base, business model, and risk appetite — and it requires ongoing calibration rather than a one-time setting. The second cause is database scope. Most commercial PEP databases include not just current PEPs but former PEPs, family members, and close associates. 
The further these individuals are from the original PEP, the lower the regulatory risk they represent in most cases — but the screening system will generate matches regardless. A firm whose screening vendor includes distant relatives of former government officials in its PEP database will generate alerts for individuals who represent no meaningful enhanced risk, and managing those alerts consumes compliance resources. The third cause is inadequate risk stratification in the post-alert review process. Even where the initial match is genuine — where the alert correctly identifies a customer who is or is related to a PEP — the question of what to do with that identification depends on the risk assessment. A UK local councillor is a PEP. A former head of state of a country with high corruption risk is a PEP. The same alert process should not be applied to both. A risk-based approach to reducing false positives Calibrate the matching threshold by customer segment The appropriate matching threshold is not the same for every customer. For higher-risk customer segments — where the consequences of missing a genuine PEP are most significant — a lower threshold (generating more alerts, including more false positives) is appropriate. For lower-risk customer segments — domestic retail customers with straightforward profiles — a higher threshold reduces alert volume without materially increasing the risk of missing genuine PEPs. This segmented approach needs to be documented. The firm&#8217;s AML risk assessment should explain why different thresholds apply to different segments, and the calibration decision should be reviewed periodically — particularly when the customer base composition changes or when typology trends suggest that PEP-related risk in particular segments is changing. Establish tiered alert disposition processes Not all PEP alerts warrant the same investigation depth. 
A tiered disposition process — where alerts are stratified by risk profile immediately after they are generated, and the level of investigation is proportionate to that stratification — reduces the time spent on low-risk false positives and focuses enhanced scrutiny where it is most needed. A typical tiering approach might distinguish between alerts that are clearly false positives (name match only, no other matching data, domestic low-risk profile), alerts that require basic review (some matching characteristics but low-risk jurisdiction and position), and alerts that require full enhanced due diligence (genuine PEP match, higher-risk jurisdiction, complex source of wealth). The parameters of this tiering need to be documented and reviewed by the MLRO. Use negative screening data systematically Many false positives can be cleared efficiently if the firm maintains and [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1>PEP screening in practice: dealing with false positives at scale</h1>
<p>PEP screening generates more false positives than almost any other component of a regulated firm&#8217;s customer due diligence process. A common name, a partial name match, an incorrectly configured screening threshold — each of these can flood the alert queue with matches that have no connection to political exposure whatsoever. The operational consequence is significant: compliance teams spend substantial time reviewing and clearing alerts that do not represent genuine risk, and the volume of false positives creates two related problems. The first is operational — the cost and time of clearing alerts. The second is regulatory — a firm that is drowning in false positives may clear genuine ones too quickly, under time pressure and alert fatigue.</p>
<p>Managing PEP screening effectively at scale is therefore not primarily a technical question about which screening vendor to use. It is a risk management question about how to configure the screening process to identify genuine PEPs accurately while minimising the operational burden of false positives — and how to document that approach in a way that satisfies FCA scrutiny.</p>
<h2>What the regulations require</h2>
<p>The Money Laundering Regulations 2017 require regulated firms to identify customers who are PEPs, family members of PEPs, and known close associates of PEPs. The definition of a PEP under the regulations applies to individuals who are or have been entrusted with a prominent public function — heads of state, members of parliament, senior government officials, senior executives of state-owned enterprises, senior figures in international organisations, and similar. The definition extends to family members and known close associates of such individuals, though the close associate category presents its own identification challenges.</p>
<p>For domestic PEPs — those holding public functions in the UK — the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 introduced a risk-based approach that distinguished between UK PEPs and foreign PEPs. The regulations made clear that the risk associated with UK domestic PEPs should be assessed as lower than that associated with foreign PEPs, unless specific factors indicate higher risk. This was reinforced by FCA guidance in 2023 and the subsequent Dear CEO letter to retail banks about the treatment of domestic PEPs — a communication prompted in part by high-profile cases in which UK political figures had complained about being denied banking services based on their PEP status.</p>
<p>The practical effect of this guidance is that regulated firms should not apply the same level of enhanced due diligence to a UK MP as they would to a senior official of a higher-risk foreign government. Both require identification and assessment. The proportionate response to that identification is different.</p>
<h2>Why false positives occur at scale</h2>
<p>False positives in PEP screening have three main causes. The first is name matching methodology. Screening systems that match on partial names or phonetic equivalents will generate matches for common surnames and given names. A firm that screens all customers against PEP databases using fuzzy matching at a 70% threshold will generate substantial volumes of matches for any customer whose name has even a loose resemblance to a listed PEP. The challenge is that raising the matching threshold to suppress those matches increases the risk of missing genuine PEPs. The appropriate configuration depends on the firm&#8217;s customer base, business model, and risk appetite — and it requires ongoing calibration rather than a one-time setting.</p>
<p>The second cause is database scope. Most commercial PEP databases include not just current PEPs but former PEPs, family members, and close associates. The further these individuals are from the original PEP, the lower the regulatory risk they represent in most cases — but the screening system will generate matches regardless. A firm whose screening vendor includes distant relatives of former government officials in its PEP database will generate alerts for individuals who represent no meaningful enhanced risk, and managing those alerts consumes compliance resources.</p>
<p>The third cause is inadequate risk stratification in the post-alert review process. Even where the initial match is genuine — where the alert correctly identifies a customer who is or is related to a PEP — the question of what to do with that identification depends on the risk assessment. A UK local councillor is a PEP. A former head of state of a country with high corruption risk is a PEP. The same alert process should not be applied to both.</p>
<h2>A risk-based approach to reducing false positives</h2>
<h3>Calibrate the matching threshold by customer segment</h3>
<p>The appropriate matching threshold is not the same for every customer. For higher-risk customer segments — where the consequences of missing a genuine PEP are most significant — a lower threshold (generating more alerts, including more false positives) is appropriate. For lower-risk customer segments — domestic retail customers with straightforward profiles — a higher threshold reduces alert volume without materially increasing the risk of missing genuine PEPs.</p>
<p>This segmented approach needs to be documented. The firm&#8217;s AML risk assessment should explain why different thresholds apply to different segments, and the calibration decision should be reviewed periodically — particularly when the customer base composition changes or when typology trends suggest that PEP-related risk in particular segments is changing.</p>
<h3>Establish tiered alert disposition processes</h3>
<p>Not all PEP alerts warrant the same investigation depth. A tiered disposition process — where alerts are stratified by risk profile immediately after they are generated, and the level of investigation is set in proportion to that stratification — reduces the time spent on low-risk false positives and focuses enhanced scrutiny where it is most needed.</p>
<p>A typical tiering approach might distinguish between alerts that are clearly false positives (name match only, no other matching data, domestic low-risk profile), alerts that require basic review (some matching characteristics but low-risk jurisdiction and position), and alerts that require full enhanced due diligence (genuine PEP match, higher-risk jurisdiction, complex source of wealth). The parameters of this tiering need to be documented and reviewed by the MLRO.</p>
<h3>Use negative screening data systematically</h3>
<p>Many false positives can be cleared efficiently if the firm maintains and uses a negative screening list — a documented record of individuals who have been reviewed, determined not to be genuine PEPs, and cleared. Re-screening the same individual repeatedly without reference to previous review decisions generates unnecessary alert volume and review burden.</p>
<p>The negative screening record should be maintained with the date of the review, the reason for the clearance, and the reviewer&#8217;s name. It should be subject to periodic refresh — an individual who was correctly cleared three years ago may have since taken on a prominent public function — but for most individuals the refresh cycle can be extended beyond the standard screening frequency without material risk.</p>
<h3>Review database scope with your vendor</h3>
<p>Commercial PEP database providers offer different configurations of who is included in their datasets. Some include former PEPs indefinitely; others apply a time decay — reducing the risk score of individuals who left prominent public functions some years ago. Some include close associates defined broadly; others take a narrower approach. Working with your screening vendor to configure the database scope appropriate to your firm&#8217;s business model and customer base — rather than accepting a default configuration — can materially reduce alert volume without compromising the effectiveness of the screening programme.</p>
<h2>MLRO accountability for PEP screening quality</h2>
<p>Under SMCR, the MLRO (SMF17) holds personal accountability for the adequacy of the firm&#8217;s AML framework, including the PEP screening process. This means the MLRO cannot treat false positive management as a purely operational matter delegated to the compliance team. The MLRO needs to satisfy themselves that the screening configuration is appropriate, that the threshold and tiering decisions are documented and defensible, that the alert disposition process is consistently applied, and that the volume and nature of PEP alerts are reported to them with sufficient frequency to identify emerging issues.</p>
<p>In an FCA supervisory review, the MLRO will be expected to explain the firm&#8217;s PEP screening methodology, including the threshold calibration decisions and the rationale for them. A firm that has not documented these decisions — where the threshold is whatever the vendor defaulted to and no one can explain why — is in a materially weaker position than one where the MLRO can demonstrate that the screening configuration is a deliberate risk management decision.</p>
<p>FD Capital places MLROs and financial crime specialists in FCA-regulated firms across all sectors. Where the MLRO role requires specific expertise in transaction monitoring, PEP screening, or the design of AML frameworks, we understand the technical requirements and can identify candidates with the relevant experience.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
<div style="background:#1F3864;padding:28px 32px;margin:40px 0;border-radius:4px;">
<p style="margin:0 0 10px;font-size:18px;font-weight:700;color:#fff;">Need an MLRO with AML framework and screening expertise?</p>
<p style="margin:0 0 18px;font-size:14px;color:#c8d8f0;">FD Capital places MLROs, financial crime specialists and compliance leaders with the technical AML expertise that FCA-regulated firms require.</p>
<p style="margin:0;font-size:14px;color:#fff;">Call <a href="tel:02032879501" style="color:#fff;font-weight:700;">020 3287 9501</a> or visit our <a href="/mlro-recruitment/" style="color:#fff;text-decoration:underline;">MLRO Recruitment</a> and <a href="/financial-crime-recruitment/" style="color:#fff;text-decoration:underline;">Financial Crime Recruitment</a> pages.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/mlro-recruitment/">MLRO Recruitment</a></li>
<li><a href="/financial-crime-recruitment/">Financial Crime Recruitment</a></li>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/risk-and-compliance-recruitment/">Risk and Compliance Recruitment</a></li>
<li><a href="/smcr-compliance-recruitment/">SMCR Compliance Recruitment</a></li>
</ul>
<h3>Related Guides</h3>
<ul>
<li><a href="/smf17-mlro-function-guide/">SMF17 — MLRO Function Guide</a></li>
<li><a href="/kyc-guide/">KYC: A Complete Guide for UK Regulated Firms</a></li>
<li><a href="/politically-exposed-persons-guide/">Politically Exposed Persons: FCA Guide</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>UK MLRO salary 2026: what an MLRO earns by firm type and size</title>
		<link>https://www.fdcapital.co.uk/uk-mlro-salary-2026-what-an-mlro-earns-by-firm-type-and-size/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:41:35 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[MLRO]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33945</guid>

					<description><![CDATA[UK MLRO salary 2026: what an MLRO earns by firm type and size The Money Laundering Reporting Officer role has changed significantly over the past five years. Increased FCA enforcement activity, the expansion of the sanctions compliance function into most MLRO remits, the growing sophistication of financial crime typologies, and the personal accountability that SMCR imposes on SMF17 holders have all combined to raise both the demand for experienced MLROs and the market rate for attracting them. What an MLRO earns in 2026 depends substantially on the firm type, the regulatory complexity of the role, and whether the individual is holding the function on a full-time or shared basis. The figures below draw on FD Capital&#8217;s placement data across FCA-regulated sectors and reflect current market conditions. They represent base salary only unless otherwise stated and do not include bonuses, which in most regulated firms are constrained by the remuneration code applicable to the firm&#8217;s regulatory category. Small FCA-only regulated firms (under £50m revenue, limited AML risk) At the smaller end of the market — consumer credit firms, small investment advisers, recently authorised payment institutions — the MLRO role is typically a combined appointment. The individual holds SMF17 alongside a broader compliance remit, and the MLRO function constitutes perhaps 40–60% of their overall role. In this context the relevant salary benchmark is the total compensation for the combined role rather than for the MLRO function alone. For a Head of Compliance and MLRO at a firm of this size, market rates in 2026 sit in the range of £55,000–£75,000. Firms at the lower end of this range are typically those with simpler regulatory profiles — a single FCA permission, a UK-only customer base, modest transaction volumes. 
Firms at the upper end have more complex permissions, higher-risk customer segments, or are in sectors where AML typologies are more sophisticated. Where the MLRO function is genuinely shared — an individual holding SMF17 for multiple firms on a fractional basis — the day rate for experienced practitioners typically runs at £400–£600 per day, with the allocation across firms reflecting the total time commitment to each. Payment institutions and e-money institutions Payment firms and e-money institutions present a specific AML risk profile. The high transaction volumes, the speed of payment processing, and the prevalence of authorised push payment fraud and mule account activity make the MLRO role at these firms demanding in ways that are qualitatively different from most other regulated firm types. The MLRO at a mid-size payment institution is typically managing a substantial transaction monitoring operation and dealing with AML typologies that evolve rapidly. Dedicated MLRO salaries at payment institutions typically range from £70,000–£100,000 for smaller to mid-size firms, rising to £100,000–£130,000 at larger firms with significant transaction volumes or complex product sets including crypto asset services where the AML risk is elevated and specialist knowledge commands a premium. Investment management and wealth management firms The MLRO at an investment management or wealth management firm deals primarily with source of wealth verification, PEP management, and the risk of managing assets that may derive from corruption, tax evasion, or unexplained wealth. The complexity of these assessments — particularly for ultra-high-net-worth clients and clients from higher-risk jurisdictions — makes this a technically demanding variant of the MLRO role. At smaller wealth management firms (AUM under £1bn), MLRO salaries typically range from £70,000–£95,000. At mid-market firms (AUM £1bn–£10bn), the range is £90,000–£130,000. 
At large asset managers and major wealth management businesses (AUM above £10bn), senior MLRO appointments command £130,000–£180,000, reflecting both the complexity of the role and the supply constraints in finding individuals with the specific combination of technical AML knowledge and wealth management sector experience. Retail and commercial banking MLROs at UK retail and commercial banks operate within the most heavily regulated segment of the AML market. The combination of PRA oversight, the expectation of a dedicated and adequately resourced financial crime function, and the regulatory history that follows most UK banks from previous AML enforcement actions means that MLRO appointments at this level command a significant premium. At smaller challenger banks and specialist lenders, MLRO salaries sit in the range of £100,000–£140,000. At mid-size banks with significant retail deposit bases, the range is £130,000–£180,000. At the major clearing banks and international banking subsidiaries, senior MLRO and Deputy MLRO appointments can reach £180,000–£250,000, though appointments at this level often involve candidates with either previous regulatory approval at major institutions or direct experience of FCA or NCA engagement. Insurance firms Insurance presents a specific set of AML challenges — premium finance arrangements, the use of insurance products for layering purposes, and the cross-border complexity of reinsurance and specialty lines. The MLRO at an insurance firm needs sector-specific AML knowledge that is not directly transferable from banking or investment management. At smaller insurers, MLRO salaries typically range from £65,000–£90,000. At mid-size and Lloyd&#8217;s market firms, the range is £90,000–£130,000, rising to £130,000–£160,000+ for complex roles at major insurance groups with international operations and significant specialty or life insurance exposure. 
Consumer credit firms Consumer credit MLROs typically operate at the lower end of the market rate range, reflecting both the relatively contained AML risk profile of most consumer lending businesses and the fact that the MLRO role is frequently combined with a broader compliance function. Salaries at consumer credit firms typically range from £55,000–£80,000 for combined compliance and MLRO appointments, rising toward £80,000–£100,000 at the largest consumer finance businesses where the transaction volumes and fraud typologies warrant a more senior and dedicated appointment. Deputy MLRO (AMLRO) salary benchmarks The Deputy MLRO or Anti-Money Laundering Reporting Officer (AMLRO) receives internal SARs from staff and manages the first stage of the triage process, escalating to the MLRO where appropriate. The AMLRO role is a substantial one at larger firms — managing a team of financial crime analysts, overseeing the transaction monitoring alert queue, and making initial filing assessments on a volume that the MLRO cannot manage alone. AMLRO salaries generally benchmark at 70–80% of the firm&#8217;s MLRO salary, reflecting [&#8230;]]]></description>
										<content:encoded><![CDATA[
<h1>UK MLRO salary 2026: what an MLRO earns by firm type and size</h1>
<p>The Money Laundering Reporting Officer role has changed significantly over the past five years. Increased FCA enforcement activity, the expansion of the sanctions compliance function into most MLRO remits, the growing sophistication of financial crime typologies, and the personal accountability that SMCR imposes on SMF17 holders have all combined to raise both the demand for experienced MLROs and the market rate for attracting them. What an MLRO earns in 2026 depends substantially on the firm type, the regulatory complexity of the role, and whether the individual is holding the function on a full-time or shared basis.</p>
<p>The figures below draw on FD Capital&#8217;s placement data across FCA-regulated sectors and reflect current market conditions. They represent base salary only unless otherwise stated and do not include bonuses, which in most regulated firms are constrained by the remuneration code applicable to the firm&#8217;s regulatory category.</p>
<h2>Small FCA-only regulated firms (under £50m revenue, limited AML risk)</h2>
<p>At the smaller end of the market — consumer credit firms, small investment advisers, recently authorised payment institutions — the MLRO role is typically a combined appointment. The individual holds SMF17 alongside a broader compliance remit, and the MLRO function constitutes perhaps 40–60% of their overall role. In this context the relevant salary benchmark is the total compensation for the combined role rather than for the MLRO function alone.</p>
<p>For a Head of Compliance and MLRO at a firm of this size, market rates in 2026 sit in the range of <strong>£55,000–£75,000</strong>. Firms at the lower end of this range are typically those with simpler regulatory profiles — a single FCA permission, a UK-only customer base, modest transaction volumes. Firms at the upper end have more complex permissions, higher-risk customer segments, or are in sectors where AML typologies are more sophisticated.</p>
<p>Where the MLRO function is genuinely shared — an individual holding SMF17 for multiple firms on a fractional basis — the day rate for experienced practitioners typically runs at <strong>£400–£600 per day</strong>, with the allocation across firms reflecting the total time commitment to each.</p>
<h2>Payment institutions and e-money institutions</h2>
<p>Payment firms and e-money institutions present a specific AML risk profile. The high transaction volumes, the speed of payment processing, and the prevalence of authorised push payment fraud and mule account activity make the MLRO role at these firms demanding in ways that are qualitatively different from most other regulated firm types. The MLRO at a mid-size payment institution is typically managing a substantial transaction monitoring operation and dealing with AML typologies that evolve rapidly.</p>
<p>Dedicated MLRO salaries at payment institutions typically range from <strong>£70,000–£100,000</strong> for smaller to mid-size firms, rising to <strong>£100,000–£130,000</strong> at larger firms with significant transaction volumes or complex product sets including crypto asset services where the AML risk is elevated and specialist knowledge commands a premium.</p>
<h2>Investment management and wealth management firms</h2>
<p>The MLRO at an investment management or wealth management firm deals primarily with source of wealth verification, PEP management, and the risk of managing assets that may derive from corruption, tax evasion, or unexplained wealth. The complexity of these assessments — particularly for ultra-high-net-worth clients and clients from higher-risk jurisdictions — makes this a technically demanding variant of the MLRO role.</p>
<p>At smaller wealth management firms (AUM under £1bn), MLRO salaries typically range from <strong>£70,000–£95,000</strong>. At mid-market firms (AUM £1bn–£10bn), the range is <strong>£90,000–£130,000</strong>. At large asset managers and major wealth management businesses (AUM above £10bn), senior MLRO appointments command <strong>£130,000–£180,000</strong>, reflecting both the complexity of the role and the supply constraints in finding individuals with the specific combination of technical AML knowledge and wealth management sector experience.</p>
<h2>Retail and commercial banking</h2>
<p>MLROs at UK retail and commercial banks operate within the most heavily regulated segment of the AML market. The combination of PRA oversight, the expectation of a dedicated and adequately resourced financial crime function, and the regulatory history that follows most UK banks from previous AML enforcement actions means that MLRO appointments at this level command a significant premium.</p>
<p>At smaller challenger banks and specialist lenders, MLRO salaries sit in the range of <strong>£100,000–£140,000</strong>. At mid-size banks with significant retail deposit bases, the range is <strong>£130,000–£180,000</strong>. At the major clearing banks and international banking subsidiaries, senior MLRO and Deputy MLRO appointments can reach <strong>£180,000–£250,000</strong>, though appointments at this level often involve candidates with either previous regulatory approval at major institutions or direct experience of FCA or NCA engagement.</p>
<h2>Insurance firms</h2>
<p>Insurance presents a specific set of AML challenges — premium finance arrangements, the use of insurance products for layering purposes, and the cross-border complexity of reinsurance and specialty lines. The MLRO at an insurance firm needs sector-specific AML knowledge that is not directly transferable from banking or investment management.</p>
<p>At smaller insurers, MLRO salaries typically range from <strong>£65,000–£90,000</strong>. At mid-size and Lloyd&#8217;s market firms, the range is <strong>£90,000–£130,000</strong>, rising to <strong>£130,000–£160,000+</strong> for complex roles at major insurance groups with international operations and significant specialty or life insurance exposure.</p>
<h2>Consumer credit firms</h2>
<p>Consumer credit MLROs typically operate at the lower end of the market rate range, reflecting both the relatively contained AML risk profile of most consumer lending businesses and the fact that the MLRO role is frequently combined with a broader compliance function. Salaries at consumer credit firms typically range from <strong>£55,000–£80,000</strong> for combined compliance and MLRO appointments, rising toward <strong>£80,000–£100,000</strong> at the largest consumer finance businesses where the transaction volumes and fraud typologies warrant a more senior and dedicated appointment.</p>
<h2>Deputy MLRO (AMLRO) salary benchmarks</h2>
<p>The Deputy MLRO or Anti-Money Laundering Reporting Officer (AMLRO) receives internal SARs from staff and manages the first stage of the triage process, escalating to the MLRO where appropriate. The AMLRO role is a substantial one at larger firms — managing a team of financial crime analysts, overseeing the transaction monitoring alert queue, and making initial filing assessments on a volume that the MLRO cannot manage alone.</p>
<p>AMLRO salaries generally benchmark at <strong>70–80% of the firm&#8217;s MLRO salary</strong>, reflecting the seniority differential and the fact that the AMLRO does not hold personal SMF approval. Across firm types, this translates approximately to:</p>
<ul>
<li>Payment institutions: £55,000–£85,000</li>
<li>Investment and wealth management: £65,000–£110,000</li>
<li>Banking: £85,000–£150,000</li>
<li>Insurance: £55,000–£100,000</li>
</ul>
<h2>What drives salary above or below the mid-point</h2>
<p>Within each of these ranges, specific factors move an individual&#8217;s compensation toward the upper or lower end. Existing SMF17 approval commands a premium — candidates who are already FCA-approved as an MLRO remove the approval timeline risk for the recruiting firm and are typically more experienced as a result. Sector-specific experience, particularly in higher-risk sectors, commands a premium over general AML expertise. Direct experience of FCA supervisory engagement — thematic reviews, skilled person reviews under Section 166, or enforcement proceedings — is particularly valued given the personal accountability that SMF17 carries.</p>
<p>Candidates who have built and led financial crime functions from a relatively early stage — who have hired teams, designed frameworks, and managed regulatory relationships rather than inherited established programmes — also command a premium, particularly at firms that are building rather than maintaining their AML capability.</p>
<p>FD Capital places MLROs and AMLROs across all FCA-regulated sectors. If you are benchmarking an MLRO appointment or seeking guidance on current market rates, we are happy to provide a detailed discussion based on your specific firm type and requirements.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
<div style="background:#1F3864;padding:28px 32px;margin:40px 0;border-radius:4px;">
<p style="margin:0 0 10px;font-size:18px;font-weight:700;color:#fff;">Benchmarking an MLRO appointment?</p>
<p style="margin:0 0 18px;font-size:14px;color:#c8d8f0;">FD Capital places MLROs and AMLROs across all FCA-regulated firm types and can provide detailed salary guidance and candidate market assessments.</p>
<p style="margin:0;font-size:14px;color:#fff;">Call <a href="tel:02032879501" style="color:#fff;font-weight:700;">020 3287 9501</a> or visit our <a href="/mlro-recruitment/" style="color:#fff;text-decoration:underline;">MLRO Recruitment</a> and <a href="/amlro-recruitment/" style="color:#fff;text-decoration:underline;">AMLRO Recruitment</a> pages.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/mlro-recruitment/">MLRO Recruitment</a></li>
<li><a href="/amlro-recruitment/">AMLRO Recruitment</a></li>
<li><a href="/financial-crime-recruitment/">Financial Crime Recruitment</a></li>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/risk-and-compliance-recruitment/">Risk and Compliance Recruitment</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Outsourcing the MLRO function: when it works and when it doesn&#8217;t</title>
		<link>https://www.fdcapital.co.uk/outsourcing-the-mlro-function-when-it-works-and-when-it-doesnt/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:40:21 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[FCA]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33943</guid>

					<description><![CDATA[Outsourcing the MLRO function: when it works and when it doesn&#8217;t The question of whether an FCA-regulated firm can outsource its MLRO function — and if so, how — is one that generates significant confusion. The answer depends on the firm&#8217;s regulatory category, its size, and the specific structure of the outsourced arrangement. Some regulated firms can legitimately appoint an external MLRO on a shared or hosted basis. Others cannot. And even where outsourcing is permissible in principle, it carries risks and operational constraints that many firms do not fully consider before proceeding. This article sets out the regulatory framework for MLRO outsourcing under FCA rules, the conditions under which it works effectively, and the circumstances in which it creates more problems than it solves. The regulatory framework — what the rules actually permit The Money Laundering Regulations 2017 require that firms appoint an individual as MLRO. The regulations do not expressly prohibit outsourcing this function to an individual employed by a third party — a consultancy, a compliance services firm, or a professional individual working as an independent contractor. The FCA&#8217;s SYSC sourcebook similarly does not categorically prohibit MLRO outsourcing for all firm types. However, SMCR significantly constrains the outsourcing option for most regulated firms. Under SMCR, the MLRO function is SMF17 — a Senior Manager Function that requires the individual to be personally approved by the FCA as a Senior Manager of that specific firm. The key implication is that the FCA must approve the individual in their MLRO capacity for your firm specifically. An individual who holds SMF17 approval for Firm A does not automatically have approval to act as MLRO for Firm B. Each approval is firm-specific. 
For dual-regulated firms — banks, building societies, certain investment firms regulated by both the FCA and PRA — the PRA has been explicit that the MLRO must be an employee of the firm and cannot be outsourced. This reflects the PRA&#8217;s view that the personal accountability and independence requirements of the MLRO function cannot be adequately maintained through an outsourced arrangement in a systemically important or deposit-taking institution. For FCA-only regulated firms — consumer credit firms, most payment institutions, smaller investment firms, and others — the position is less categorical but still constrained. The FCA expects the MLRO to have genuine independence, adequate time to fulfil the function, and meaningful access to the firm&#8217;s systems and information. An external MLRO who divides their time across multiple client firms can meet these requirements for smaller firms with lower AML risk profiles. It becomes increasingly difficult to demonstrate as the firm&#8217;s size and regulatory complexity increase. When outsourcing works Very small regulated firms with limited AML risk The clearest case for a shared or outsourced MLRO is a small FCA-only regulated firm — a consumer credit firm, a small investment adviser, or a recently authorised payment firm — where the volume and complexity of AML activity does not justify a full-time MLRO appointment. A firm with twenty employees that processes a modest number of transactions per month, has a predominantly UK retail client base, and operates a simple business model does not need a full-time MLRO. The regulatory obligation requires the appointment and the function to be performed adequately; it does not require the individual to be dedicated solely to that firm. In these circumstances, a shared MLRO arrangement — where a specialist compliance professional holds SMF17 approval for multiple small firms simultaneously — can be both regulatory-compliant and commercially sensible. 
The shared MLRO must be approved by the FCA for each firm separately. They must have adequate time allocated to each firm. They must have genuine access to each firm&#8217;s transaction data, customer information, and internal reporting systems. And the arrangement must be documented in a way that the FCA could review and find adequate. During the FCA authorisation phase A firm applying for FCA authorisation needs to demonstrate to the FCA that it has identified and appointed its key SMF holders as part of the application. An external MLRO — someone who can hold SMF17 on an interim or shared basis during the authorisation process — allows the applying firm to fulfil this requirement without making a permanent appointment before the business is generating the revenue to support one. This is a legitimate and common use of the outsourced MLRO model. The expectation, on the FCA&#8217;s part and commercially, is that as the firm grows it will transition to a dedicated internal MLRO at an appropriate point. The trigger for that transition is typically the point at which the firm&#8217;s AML risk profile — the volume of transactions, the complexity of the customer base, the geographical reach of the business — makes the shared model inadequate. As a stopgap during MLRO succession When a firm&#8217;s MLRO departs and the replacement has not yet completed the SMF17 approval process, the firm faces a period of MLRO vacancy. An interim external MLRO — individually approved by the FCA for that firm on a temporary basis — can hold the function during this period. This is a practically important use of the outsourced model and is considerably better than leaving the firm without a formally approved MLRO during what can be a 10–16 week approval window. When outsourcing doesn&#8217;t work Dual-regulated firms As noted above, the PRA&#8217;s position effectively precludes MLRO outsourcing for PRA-regulated firms. 
Banks, building societies, and major investment firms need an employed, dedicated MLRO. This is not a case where a firm can structure its way around the requirement with a carefully worded contract. The PRA&#8217;s concern is about personal accountability and independence, and it is not satisfied by an outsourced arrangement regardless of how it is structured. Firms with material AML risk As a firm&#8217;s AML risk profile increases — higher transaction volumes, more complex customer relationships, higher-risk geographies or business lines — the outsourced MLRO model becomes progressively less adequate. The MLRO at such a firm needs to be deeply embedded in the firm&#8217;s operations. They [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><!--
Title: Outsourcing the MLRO Function: When It Works
Meta: When the MLRO function can be outsourced under FCA rules, when it cannot, and what regulated firms need to consider before making this decision.
Slug: outsourcing-the-mlro-function-when-it-works
--></p>
<h1>Outsourcing the MLRO function: when it works and when it doesn&#8217;t</h1>
<p>The question of whether an FCA-regulated firm can outsource its MLRO function — and if so, how — is one that generates significant confusion. The answer depends on the firm&#8217;s regulatory category, its size, and the specific structure of the outsourced arrangement. Some regulated firms can legitimately appoint an external MLRO on a shared or hosted basis. Others cannot. And even where outsourcing is permissible in principle, it carries risks and operational constraints that many firms do not fully consider before proceeding.</p>
<p>This article sets out the regulatory framework for MLRO outsourcing under FCA rules, the conditions under which it works effectively, and the circumstances in which it creates more problems than it solves.</p>
<h2>The regulatory framework — what the rules actually permit</h2>
<p>The Money Laundering Regulations 2017 require that firms appoint an individual as MLRO. The regulations do not expressly prohibit outsourcing this function to an individual employed by a third party — a consultancy, a compliance services firm, or a professional individual working as an independent contractor. The FCA&#8217;s SYSC sourcebook similarly does not categorically prohibit MLRO outsourcing for all firm types.</p>
<p>However, SMCR significantly constrains the outsourcing option for most regulated firms. Under SMCR, the MLRO function is SMF17 — a Senior Manager Function that requires the individual to be personally approved by the FCA as a Senior Manager of that specific firm. The key implication is that the FCA must approve the individual in their MLRO capacity for your firm specifically. An individual who holds SMF17 approval for Firm A does not automatically have approval to act as MLRO for Firm B. Each approval is firm-specific.</p>
<p>For dual-regulated firms — banks, building societies, certain investment firms regulated by both the FCA and PRA — the PRA has been explicit that the MLRO must be an employee of the firm and cannot be outsourced. This reflects the PRA&#8217;s view that the personal accountability and independence requirements of the MLRO function cannot be adequately maintained through an outsourced arrangement in a systemically important or deposit-taking institution.</p>
<p>For FCA-only regulated firms — consumer credit firms, most payment institutions, smaller investment firms, and others — the position is less categorical but still constrained. The FCA expects the MLRO to have genuine independence, adequate time to fulfil the function, and meaningful access to the firm&#8217;s systems and information. An external MLRO who divides their time across multiple client firms can meet these requirements for smaller firms with lower AML risk profiles. It becomes increasingly difficult to demonstrate as the firm&#8217;s size and regulatory complexity increase.</p>
<h2>When outsourcing works</h2>
<h3>Very small regulated firms with limited AML risk</h3>
<p>The clearest case for a shared or outsourced MLRO is a small FCA-only regulated firm — a consumer credit firm, a small investment adviser, or a recently authorised payment firm — where the volume and complexity of AML activity does not justify a full-time MLRO appointment. A firm with twenty employees that processes a modest number of transactions per month, has a predominantly UK retail client base, and operates a simple business model does not need a full-time MLRO. The regulatory obligation requires the appointment and the function to be performed adequately; it does not require the individual to be dedicated solely to that firm.</p>
<p>In these circumstances, a shared MLRO arrangement — where a specialist compliance professional holds SMF17 approval for multiple small firms simultaneously — can be both regulatory-compliant and commercially sensible. The shared MLRO must be approved by the FCA for each firm separately. They must have adequate time allocated to each firm. They must have genuine access to each firm&#8217;s transaction data, customer information, and internal reporting systems. And the arrangement must be documented in a way that the FCA could review and find adequate.</p>
<h3>During the FCA authorisation phase</h3>
<p>A firm applying for FCA authorisation needs to demonstrate to the FCA that it has identified and appointed its key SMF holders as part of the application. An external MLRO — someone who can hold SMF17 on an interim or shared basis during the authorisation process — allows the applying firm to fulfil this requirement without making a permanent appointment before the business is generating the revenue to support one.</p>
<p>This is a legitimate and common use of the outsourced MLRO model. The expectation, on the FCA&#8217;s part and commercially, is that as the firm grows it will transition to a dedicated internal MLRO at an appropriate point. The trigger for that transition is typically the point at which the firm&#8217;s AML risk profile — the volume of transactions, the complexity of the customer base, the geographical reach of the business — makes the shared model inadequate.</p>
<h3>As a stopgap during MLRO succession</h3>
<p>When a firm&#8217;s MLRO departs and the replacement has not yet completed the SMF17 approval process, the firm faces a period of MLRO vacancy. An interim external MLRO — individually approved by the FCA for that firm on a temporary basis — can hold the function during this period. This is a practically important use of the outsourced model and is considerably better than leaving the firm without a formally approved MLRO during what can be a 10–16 week approval window.</p>
<h2>When outsourcing doesn&#8217;t work</h2>
<h3>Dual-regulated firms</h3>
<p>As noted above, the PRA&#8217;s position effectively precludes MLRO outsourcing for PRA-regulated firms. Banks, building societies, and major investment firms need an employed, dedicated MLRO. This is not a case where a firm can structure its way around the requirement with a carefully worded contract. The PRA&#8217;s concern is about personal accountability and independence, and it is not satisfied by an outsourced arrangement regardless of how it is structured.</p>
<h3>Firms with material AML risk</h3>
<p>As a firm&#8217;s AML risk profile increases — higher transaction volumes, more complex customer relationships, higher-risk geographies or business lines — the outsourced MLRO model becomes progressively less adequate. The MLRO at such a firm needs to be deeply embedded in the firm&#8217;s operations. They need to understand the specific customer relationships, the transaction patterns, the business lines that carry higher risk, and the individuals internally who are the first line of defence against financial crime. An external MLRO dividing their time across multiple clients cannot develop or maintain this depth of understanding.</p>
<p>The FCA will assess not whether the outsourced arrangement is permissible in the abstract but whether it is adequate for the specific firm. A firm with a material and growing AML risk profile that continues to use a shared MLRO is making a regulatory bet that will eventually not pay off. When a SAR goes unfiled, when a high-risk customer slips through the EDD process, when the annual MLRO report reveals that the function has been inadequately resourced — the outsourced model is typically part of the explanation.</p>
<h3>Where cultural and operational integration is critical</h3>
<p>The MLRO&#8217;s effectiveness depends substantially on their relationship with the first line of defence — the relationship managers, the onboarding teams, the operational staff who encounter potential financial crime risk daily. An MLRO who is not present in the firm, who does not attend the relevant internal meetings, who is not part of the firm&#8217;s culture, cannot adequately discharge the training, culture, and oversight functions that go alongside the formal MLRO obligations.</p>
<p>The MLRO who visits the firm once a month to review SAR decisions and sign off on the annual report is not performing the MLRO function adequately. They are performing a subset of it. For firms where the internal financial crime culture — the awareness of the first line, the quality of internal escalation, the tone around compliance — is a material component of the AML framework, the embedded internal MLRO is not just preferable. It is necessary.</p>
<h2>Structuring an outsourced MLRO arrangement correctly</h2>
<p>Where outsourcing is genuinely appropriate, the arrangement needs to be documented and structured in a way that withstands FCA scrutiny. The key elements are: a written agreement with the outsourced MLRO that clearly defines the scope, time allocation, and responsibilities of the arrangement; confirmation of the FCA&#8217;s approval of the individual as SMF17 for the firm; documented evidence that the MLRO has adequate access to the firm&#8217;s systems, data, and personnel; and a clear process for escalation, SAR decision-making, and board reporting.</p>
<p>The firm&#8217;s board should understand and formally approve the outsourcing arrangement. It should appear in the firm&#8217;s outsourcing register where applicable. And the firm should have a contingency arrangement documented — what happens if the outsourced MLRO is unavailable, resigns, or becomes unsuitable to hold the function.</p>
<p>FD Capital places MLROs in FCA-regulated firms at all stages — including interim and shared arrangements during authorisation or succession periods, and permanent internal MLROs where firms have grown beyond the outsourced model. If you are reviewing your MLRO arrangement or transitioning from an outsourced to an internal model, we would welcome a conversation.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
<div style="background:#1F3864;padding:28px 32px;margin:40px 0;border-radius:4px;">
<p style="margin:0 0 10px;font-size:18px;font-weight:700;color:#fff;">Reviewing your MLRO model or transitioning to an internal appointment?</p>
<p style="margin:0 0 18px;font-size:14px;color:#c8d8f0;">FD Capital places MLROs and interim MLROs across all FCA-regulated firm types, from very small firms using shared models to major regulated businesses requiring dedicated senior appointments.</p>
<p style="margin:0;font-size:14px;color:#fff;">Call <a href="tel:02032879501" style="color:#fff;font-weight:700;">020 3287 9501</a> or visit our <a href="/mlro-recruitment/" style="color:#fff;text-decoration:underline;">MLRO Recruitment</a> page.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/mlro-recruitment/">MLRO Recruitment</a></li>
<li><a href="/amlro-recruitment/">AMLRO Recruitment</a></li>
<li><a href="/financial-crime-recruitment/">Financial Crime Recruitment</a></li>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/fca-authorisation-cfo-recruitment/">FCA Authorisation CFO Recruitment</a></li>
<li><a href="/smcr-compliance-recruitment/">SMCR Compliance Recruitment</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Hiring an MLRO in 2026: a recruitment guide for FCA-regulated firms</title>
		<link>https://www.fdcapital.co.uk/mlro-recruitment-2026-guide-regulated-firms/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:38:12 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[Recruitment]]></category>
		<category><![CDATA[MLRO]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33940</guid>

					<description><![CDATA[Hiring an MLRO in 2026: a recruitment guide for FCA-regulated firms The Money Laundering Reporting Officer is one of the most consequential senior hires an FCA-regulated firm makes. It is a personal accountability role — the individual who holds SMF17 under SMCR is personally responsible to the FCA for the firm&#8217;s AML and CTF framework. When that framework fails, when a Suspicious Activity Report is not filed that should have been, when a PEP is onboarded without adequate enhanced due diligence, the accountability does not rest with the firm in the abstract. It rests with the MLRO as a named individual. Recruiting for this role requires a different approach to most senior finance or risk appointments. Technical knowledge of the Money Laundering Regulations 2017 and the JMLSG guidance is necessary but not sufficient. The MLRO must also navigate the FCA&#8217;s approval process as an SMF17 holder, operate with genuine independence from the commercial function, and carry the weight of personal regulatory accountability in a way that most professionals have not experienced before. This guide sets out what regulated firms need to understand before they start the search, what to look for in candidates, how the SMF17 approval process works, and where hiring most commonly goes wrong. Who needs an MLRO under FCA rules The requirement to appoint an MLRO applies to any firm within scope of the Money Laundering Regulations 2017. For FCA-regulated firms, this includes banks, building societies, credit unions, payment institutions, electronic money institutions, investment firms, wealth managers, consumer credit firms, and others. The specific form of the appointment — whether the MLRO must be an employee of the firm or can be an external appointment — depends on the firm&#8217;s regulatory category and size, and is discussed further in the context of outsourcing below. 
For firms within SMCR enhanced or core scope, the MLRO function corresponds to SMF17. The individual holding this function must be individually approved by the FCA and PRA (for dual-regulated firms) as a Senior Manager. This approval requirement has material implications for the recruitment process and timeline. The SMF17 approval process — recruitment timeline implications The single most important planning consideration for MLRO recruitment is the SMF17 approval timeline. Once a candidate is selected, the firm must submit an individual SMF application to the FCA before the candidate can formally hold the function. The FCA&#8217;s statutory timeline for determining complete applications is three months, though the actual timeline depends significantly on the completeness of the application and whether further information is requested. In practice, firms should plan for a minimum of 10–14 weeks from selection to approval for a straightforward application — a candidate with a clear employment history, no disclosable events, and existing SMF approval from a previous role. For candidates without previous SMF approval, or where the application generates requests for further information, the timeline can extend to 16–20 weeks. The practical consequence is that the search process needs to begin significantly earlier than for most senior appointments. A firm that identifies the need to recruit an MLRO in January and wants the new hire in post by April should have begun the search no later than October. Firms that approach the search as they would an executive hire — beginning when the departure is confirmed, expecting to have someone in the role within three months — consistently find themselves with a gap in MLRO coverage that creates regulatory risk. During the approval period, the outgoing MLRO should continue to hold the function where possible. 
Where the outgoing MLRO has already left, the firm needs to make interim arrangements — either a temporary MLRO appointment approved by the FCA or, in some cases, an internal appointment of a suitable individual on an interim basis while the permanent candidate&#8217;s approval is processed. What to look for — the four essential qualities Technical AML/CTF knowledge The MLRO must have a substantive understanding of the UK&#8217;s AML/CTF framework — the Money Laundering Regulations 2017, the Terrorism Act 2000, the Proceeds of Crime Act 2002, and the relevant JMLSG guidance for the firm&#8217;s sector. This is not a role where general compliance knowledge is a substitute for specific AML expertise. The MLRO will be making personal decisions about whether to submit Suspicious Activity Reports to the National Crime Agency, setting policy on customer due diligence and enhanced due diligence, and maintaining the firm&#8217;s AML risk assessment. Each of these requires genuine technical knowledge, not familiarity with the general compliance framework. In 2026, the technical knowledge requirement has expanded. The FCA&#8217;s increasing focus on sanctions compliance — particularly following the Russia sanctions regime from 2022 onwards — means MLROs at most regulated firms now carry meaningful responsibility for the firm&#8217;s sanctions screening programme alongside the traditional AML and CTF functions. Knowledge of OFSI and the financial sanctions regimes is increasingly a core expectation rather than a bonus. Judgment and the willingness to file The most technically capable MLRO is inadequate if they lack the judgment to make sound decisions under uncertainty and the willingness to file SARs even when doing so is commercially inconvenient. The purpose of the MLRO function is to identify and report suspicion, not to confirm it to a forensic standard before acting. 
The test for filing under POCA 2002 is suspicion — a lower threshold than most commercial contexts would apply to a major decision. An MLRO who allows commercial pressure to delay or prevent filing — who treats SAR submission as a last resort rather than a professional obligation — is an MLRO who creates regulatory and legal risk for the firm. Identifying candidates with the right filing culture requires probing during the interview process: how do they approach uncertainty, what is their experience of internal pushback on AML decisions, how have they handled situations where the commercial team has disagreed with their assessment? Board standing and communicative authority The MLRO must present the annual MLRO report to the board and must be able to communicate AML risk in terms [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1>Hiring an MLRO in 2026: a recruitment guide for FCA-regulated firms</h1>
<p>The Money Laundering Reporting Officer is one of the most consequential senior hires an FCA-regulated firm makes. It is a personal accountability role — the individual who holds SMF17 under SMCR is personally responsible to the FCA for the firm&#8217;s AML and CTF framework. When that framework fails, when a Suspicious Activity Report is not filed that should have been, when a PEP is onboarded without adequate enhanced due diligence, the accountability does not rest with the firm in the abstract. It rests with the MLRO as a named individual.</p>
<p>Recruiting for this role requires a different approach to most senior finance or risk appointments. Technical knowledge of the Money Laundering Regulations 2017 and the JMLSG guidance is necessary but not sufficient. The MLRO must also navigate the FCA&#8217;s approval process as an SMF17 holder, operate with genuine independence from the commercial function, and carry the weight of personal regulatory accountability in a way that most professionals have not experienced before.</p>
<p>This guide sets out what regulated firms need to understand before they start the search, what to look for in candidates, how the SMF17 approval process works, and where hiring most commonly goes wrong.</p>
<h2>Who needs an MLRO under FCA rules</h2>
<p>The requirement to appoint an MLRO applies to any firm within scope of the Money Laundering Regulations 2017. For FCA-regulated firms, this includes banks, building societies, credit unions, payment institutions, electronic money institutions, investment firms, wealth managers, consumer credit firms, and others. The specific form of the appointment — whether the MLRO must be an employee of the firm or can be an external appointment — depends on the firm&#8217;s regulatory category and size, and is discussed further in the context of outsourcing below.</p>
<p>For firms within SMCR enhanced or core scope, the MLRO function corresponds to SMF17. The individual holding this function must be individually approved by the FCA and PRA (for dual-regulated firms) as a Senior Manager. This approval requirement has material implications for the recruitment process and timeline.</p>
<h2>The SMF17 approval process — recruitment timeline implications</h2>
<p>The single most important planning consideration for MLRO recruitment is the SMF17 approval timeline. Once a candidate is selected, the firm must submit an individual SMF application to the FCA before the candidate can formally hold the function. The FCA&#8217;s statutory timeline for determining complete applications is three months, though the actual timeline depends significantly on the completeness of the application and whether further information is requested.</p>
<p>In practice, firms should plan for a minimum of 10–14 weeks from selection to approval for a straightforward application — a candidate with a clear employment history, no disclosable events, and existing SMF approval from a previous role. For candidates without previous SMF approval, or where the application generates requests for further information, the timeline can extend to 16–20 weeks.</p>
<p>The practical consequence is that the search process needs to begin significantly earlier than for most senior appointments. A firm that identifies the need to recruit an MLRO in January and wants the new hire in post by April should have begun the search no later than October. Firms that approach the search as they would an executive hire — beginning when the departure is confirmed, expecting to have someone in the role within three months — consistently find themselves with a gap in MLRO coverage that creates regulatory risk.</p>
<p>During the approval period, the outgoing MLRO should continue to hold the function where possible. Where the outgoing MLRO has already left, the firm needs to make interim arrangements — either a temporary MLRO appointment approved by the FCA or, in some cases, an internal appointment of a suitable individual on an interim basis while the permanent candidate&#8217;s approval is processed.</p>
<h2>What to look for — the four essential qualities</h2>
<h3>Technical AML/CTF knowledge</h3>
<p>The MLRO must have a substantive understanding of the UK&#8217;s AML/CTF framework — the Money Laundering Regulations 2017, the Terrorism Act 2000, the Proceeds of Crime Act 2002, and the relevant JMLSG guidance for the firm&#8217;s sector. This is not a role where general compliance knowledge is a substitute for specific AML expertise. The MLRO will be making personal decisions about whether to submit Suspicious Activity Reports to the National Crime Agency, setting policy on customer due diligence and enhanced due diligence, and maintaining the firm&#8217;s AML risk assessment. Each of these requires genuine technical knowledge, not familiarity with the general compliance framework.</p>
<p>In 2026, the technical knowledge requirement has expanded. The FCA&#8217;s increasing focus on sanctions compliance — particularly following the Russia sanctions regime from 2022 onwards — means MLROs at most regulated firms now carry meaningful responsibility for the firm&#8217;s sanctions screening programme alongside the traditional AML and CTF functions. Knowledge of OFSI and the financial sanctions regimes is increasingly a core expectation rather than a bonus.</p>
<h3>Judgment and the willingness to file</h3>
<p>The most technically capable MLRO is inadequate if they lack the judgment to make sound decisions under uncertainty and the willingness to file SARs even when doing so is commercially inconvenient. The purpose of the MLRO function is to identify and report suspicion, not to confirm it to a forensic standard before acting. The test for filing under POCA 2002 is suspicion — a lower threshold than most commercial contexts would apply to a major decision.</p>
<p>An MLRO who allows commercial pressure to delay or prevent filing — who treats SAR submission as a last resort rather than a professional obligation — is an MLRO who creates regulatory and legal risk for the firm. Identifying candidates with the right filing culture requires probing during the interview process: how do they approach uncertainty, what is their experience of internal pushback on AML decisions, how have they handled situations where the commercial team has disagreed with their assessment?</p>
<h3>Board standing and communicative authority</h3>
<p>The MLRO must present the annual MLRO report to the board and must be able to communicate AML risk in terms that non-specialist directors understand and take seriously. This requires a different set of skills to the analytical and investigative aspects of the role. An MLRO who is technically excellent but unable to engage a board in a substantive conversation about the firm&#8217;s financial crime risk profile cannot fulfil the governance function that the role requires.</p>
<p>This consideration is particularly important for smaller regulated firms where the MLRO may not have the organisational support of a wider financial crime team. The MLRO at a 50-person firm is doing everything — writing policy, training staff, managing the CDD process, reviewing alerts, making filing decisions, and presenting to the board — and needs to be effective across all of those dimensions.</p>
<h3>Genuine independence from the commercial function</h3>
<p>JMLSG guidance and FCA expectations are clear that the MLRO should have genuine independence from the business development and relationship management functions of the firm. This independence needs to be structural — the MLRO should not report to a business line head whose commercial performance depends on the clients the MLRO might restrict or exit — and cultural. A firm that treats its MLRO as a risk to be managed rather than an oversight function to be supported will not retain good MLROs for long, and will eventually face the regulatory consequences of a culture in which financial crime controls are treated as an obstacle to business.</p>
<h2>Sector-specific considerations in 2026</h2>
<p>The MLRO role varies materially by sector. At a payment institution or e-money institution, the typologies that matter most are payment fraud, authorised push payment fraud, and the layering of criminal proceeds through payment rails. The MLRO at a wealth manager or private bank is dealing primarily with source of wealth verification, PEP management, and the risk of managing assets derived from corruption or tax evasion. The MLRO at a consumer credit firm faces a different profile again — smaller individual transaction values but high volumes, with fraud typologies prevalent.</p>
<p>Sector-specific experience is therefore not merely preferable — in most cases it materially affects the quality of the MLRO&#8217;s judgment and the adequacy of the firm&#8217;s AML framework. An MLRO recruited from retail banking into a wealth management firm may have strong technical foundations but will need time to develop the sector-specific knowledge that effective oversight of the wealth management financial crime risk requires. The better the sector fit at the point of hire, the lower the time-to-effectiveness and the lower the transitional risk to the firm.</p>
<h2>Where MLRO recruitment most commonly goes wrong</h2>
<p>The most common failure in MLRO recruitment is beginning the process too late. The approval timeline makes this appointment uniquely unforgiving of a slow start. A firm that loses its MLRO unexpectedly — through resignation, dismissal, or personal circumstances — and begins searching the following week is already behind.</p>
<p>The second most common failure is treating the role as primarily a compliance appointment rather than a personal accountability appointment. Candidates who have operated within compliance teams but have never held personal SMF accountability are making a material step change when they take the MLRO role. The responsibility is qualitatively different. Not all strong compliance professionals are ready for that transition, and the interview process should explicitly test for it.</p>
<p>The third failure is under-weighting cultural fit with the board and senior leadership. An MLRO whose relationship with the CEO or CFO breaks down — whose escalations are ignored, whose judgments are routinely challenged commercially, who feels unable to file SARs without internal conflict — will either compromise their standards or leave. Either outcome represents a failure of governance with regulatory consequences.</p>
<p>FD Capital places MLROs and Deputy MLROs exclusively in FCA-regulated firms. We understand the SMF17 approval process, the sector-specific knowledge requirements, and the cultural conditions that make MLRO appointments successful. If you are recruiting for this role or planning succession, we would welcome a conversation.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
<div style="background:#1F3864;padding:28px 32px;margin:40px 0;border-radius:4px;">
<p style="margin:0 0 10px;font-size:18px;font-weight:700;color:#fff;">Recruiting an MLRO or planning MLRO succession?</p>
<p style="margin:0 0 18px;font-size:14px;color:#c8d8f0;">FD Capital places MLROs, AMLROs and Deputy MLROs in FCA-regulated firms across all sectors. We understand the SMF17 approval timeline and what each sector requires from its MLRO.</p>
<p style="margin:0;font-size:14px;color:#fff;">Call <a href="tel:02032879501" style="color:#fff;font-weight:700;">020 3287 9501</a> or visit our <a href="/mlro-recruitment/" style="color:#fff;text-decoration:underline;">MLRO Recruitment</a> page.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/mlro-recruitment/">MLRO Recruitment</a></li>
<li><a href="/amlro-recruitment/">AMLRO Recruitment</a></li>
<li><a href="/financial-crime-recruitment/">Financial Crime Recruitment</a></li>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/smcr-compliance-recruitment/">SMCR Compliance Recruitment</a></li>
<li><a href="/recruitment-for-fca-regulated-firms/">Recruitment for FCA Regulated Firms</a></li>
</ul>
<h3>Related Guides</h3>
<ul>
<li><a href="/smf17-mlro-function-guide/">SMF17 — MLRO Function: A Complete Guide</a></li>
<li><a href="/fca-conduct-rules-guide/">FCA Conduct Rules Guide</a></li>
<li><a href="/smcr-guide/">SMCR: A Complete UK Guide</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Building a whistleblowing culture: lessons from FCA enforcement cases</title>
		<link>https://www.fdcapital.co.uk/building-a-whistleblowing-culture-lessons-from-fca-enforcement-cases/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Wed, 13 May 2026 18:24:31 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[FCA]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33904</guid>

					<description><![CDATA[The FCA&#8217;s interest in whistleblowing culture extends well beyond the formal requirements of SYSC 18. Enforcement cases, thematic reviews, and the FCA&#8217;s continuing focus on non-financial misconduct have repeatedly revealed that the quality of an organisation&#8217;s whistleblowing culture is one of the most reliable early indicators of broader governance and culture failings. Firms that suppress, discourage or inadequately respond to internal disclosures are firms where other regulatory risks — financial crime, market abuse, mis-selling — are more likely to go unidentified and unaddressed for longer. This article examines what FCA enforcement cases and supervisory communications reveal about how whistleblowing culture fails in regulated firms, why the accountability consequences under SMCR are becoming more acute, and what senior leadership genuinely committed to building a whistleblowing culture needs to do differently. What enforcement cases actually reveal The Barclays case: the board&#8217;s response to whistleblowing matters as much as the disclosure itself The Barclays whistleblowing case remains the most instructive UK enforcement example. When an anonymous letter raising concerns about a senior hire was received by the board in 2016, the then-CEO Jes Staley made repeated attempts to identify the author, engaging the bank&#8217;s security function in that effort. The FCA and PRA jointly fined Staley £642,430 and found that he had failed to act with due skill, care and diligence. The significance of the case extends beyond the individual sanction. The FCA&#8217;s findings made clear that the regulatory standard for how senior managers respond to whistleblowing concerns is not merely that they refrain from active retaliation — it is that they actively protect the process. 
A CEO who instructs a security function to identify a whistleblower, even if their motivation is to understand the concern rather than to punish the person raising it, has undermined the entire premise on which internal disclosures operate. The case also illustrated the board&#8217;s responsibility. The board was aware of Staley&#8217;s attempts to identify the whistleblower. Its response to that situation — and specifically whether board members with relevant oversight responsibilities fulfilled them — was part of the regulatory assessment. This is what SMCR personal accountability looks like in the context of whistleblowing: not just accountability for the person who caused the harm but scrutiny of those who were aware of it and did not act. Financial crime cases: whistleblowing failure as a systemic indicator A significant proportion of the major financial crime cases that have resulted in FCA enforcement action — and particularly those involving money laundering, sanctions breaches, and market abuse — have shared a common feature: internal concerns were raised by staff before the regulatory investigation identified the problem, and those concerns were not adequately acted on. This pattern is not coincidental. Staff who are close to the business — traders, operations teams, relationship managers — often identify suspicious patterns before the compliance function does. Where the firm&#8217;s culture does not support raising those concerns, or where concerns raised are managed rather than investigated, the regulatory exposure accumulates. The FCA&#8217;s assessment of firms in enforcement processes routinely considers whether internal disclosures were made and how they were handled, because the answer informs the question of whether the firm was genuinely trying to manage compliance risks or was operating with wilful blindness. 
Non-financial misconduct: the emerging enforcement priority The FCA&#8217;s focus on non-financial misconduct — harassment, discrimination, bullying — as a regulatory matter has sharpened significantly. The FCA has been clear that it views non-financial misconduct as directly relevant to an individual&#8217;s fitness and propriety under SMCR and to a firm&#8217;s overall governance and culture standards. Whistleblowing is the primary mechanism through which non-financial misconduct is brought to the attention of senior leadership. Firms where the whistleblowing culture does not support reporting non-financial misconduct — because the culture is one where such behaviour is normalised, where senior individuals are protected, or where those who raise concerns find their career progression affected — are firms where the FCA increasingly expects to find other governance failings. The Dear CEO letter on diversity, equity and inclusion published in 2023, and the subsequent focus on non-financial misconduct in enforcement, have made this connection explicit. The common patterns of whistleblowing culture failure Tone from the top that contradicts the policy Many regulated firms have whistleblowing policies that are formally adequate but culturally inert. The policy describes channels, guarantees confidentiality, and prohibits retaliation. Senior leaders speak about the importance of speaking up. And yet staff do not raise concerns internally, or raise them and find the experience discouraging enough that they do not do so again. The gap between policy and culture is almost always explained by what senior leaders actually do rather than what they say. 
A CEO who responds defensively to concerns about their own behaviour, a business line head whose team knows that raising concerns will affect their relationship with that leader, or an HR function that is seen as protecting the firm from employment claims rather than protecting staff from misconduct — each of these creates a cultural reality that no policy document can overcome. Investigation processes that are not genuinely independent The independence of the whistleblowing investigation process is fundamental to whether the process works. Where disclosures are investigated by people who report to, or have significant professional relationships with, the individual about whom the disclosure has been made, the investigation is structurally compromised before it begins. This is not always a deliberate choice — it is often the result of investigation processes designed for efficiency rather than independence. Firms need to think carefully about who investigates what. A concern about a senior business line head should not be investigated by someone who requires that individual&#8217;s approval for their own career progression. A concern about conduct in a regional office should not be investigated by the regional manager. These arrangements are common and they reliably produce investigation outcomes that do not reflect what actually happened. Confidentiality failures — accidental and otherwise Confidentiality is the threshold requirement for an effective whistleblowing process. If the person making [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>The FCA&#8217;s interest in whistleblowing culture extends well beyond the formal requirements of SYSC 18. Enforcement cases, thematic reviews, and the FCA&#8217;s continuing focus on non-financial misconduct have repeatedly revealed that the quality of an organisation&#8217;s whistleblowing culture is one of the most reliable early indicators of broader governance and culture failings. Firms that suppress, discourage or inadequately respond to internal disclosures are firms where other regulatory risks — financial crime, market abuse, mis-selling — are more likely to go unidentified and unaddressed for longer.</p>
<p>This article examines what FCA enforcement cases and supervisory communications reveal about how whistleblowing culture fails in regulated firms, why the accountability consequences under SMCR are becoming more acute, and what senior leadership genuinely committed to building a whistleblowing culture needs to do differently.</p>
<h2>What enforcement cases actually reveal</h2>
<h3>The Barclays case: the board&#8217;s response to whistleblowing matters as much as the disclosure itself</h3>
<p>The Barclays whistleblowing case remains the most instructive UK enforcement example. When an anonymous letter raising concerns about a senior hire was received by the board in 2016, the then-CEO Jes Staley made repeated attempts to identify the author, engaging the bank&#8217;s security function in that effort. The FCA and PRA jointly fined Staley £642,430 and found that he had failed to act with due skill, care and diligence.</p>
<p>The significance of the case extends beyond the individual sanction. The FCA&#8217;s findings made clear that the regulatory standard for how senior managers respond to whistleblowing concerns is not merely that they refrain from active retaliation — it is that they actively protect the process. A CEO who instructs a security function to identify a whistleblower, even if their motivation is to understand the concern rather than to punish the person raising it, has undermined the entire premise on which internal disclosures operate.</p>
<p>The case also illustrated the board&#8217;s responsibility. The board was aware of Staley&#8217;s attempts to identify the whistleblower. Its response to that situation — and specifically whether board members with relevant oversight responsibilities fulfilled them — was part of the regulatory assessment. This is what SMCR personal accountability looks like in the context of whistleblowing: not just accountability for the person who caused the harm but scrutiny of those who were aware of it and did not act.</p>
<h3>Financial crime cases: whistleblowing failure as a systemic indicator</h3>
<p>A significant proportion of the major financial crime cases that have resulted in FCA enforcement action — and particularly those involving money laundering, sanctions breaches, and market abuse — have shared a common feature: internal concerns were raised by staff before the regulatory investigation identified the problem, and those concerns were not adequately acted on. This pattern is not coincidental.</p>
<p>Staff who are close to the business — traders, operations teams, relationship managers — often identify suspicious patterns before the compliance function does. Where the firm&#8217;s culture does not support raising those concerns, or where concerns raised are managed rather than investigated, the regulatory exposure accumulates. The FCA&#8217;s assessment of firms in enforcement processes routinely considers whether internal disclosures were made and how they were handled, because the answer informs the question of whether the firm was genuinely trying to manage compliance risks or was operating with wilful blindness.</p>
<h3>Non-financial misconduct: the emerging enforcement priority</h3>
<p>The FCA&#8217;s focus on non-financial misconduct — harassment, discrimination, bullying — as a regulatory matter has sharpened significantly. The FCA has been clear that it views non-financial misconduct as directly relevant to an individual&#8217;s fitness and propriety under SMCR and to a firm&#8217;s overall governance and culture standards. Whistleblowing is the primary mechanism through which non-financial misconduct is brought to the attention of senior leadership.</p>
<p>Firms where the whistleblowing culture does not support reporting non-financial misconduct — because the culture is one where such behaviour is normalised, where senior individuals are protected, or where those who raise concerns find their career progression affected — are firms where the FCA increasingly expects to find other governance failings. The Dear CEO letter on diversity, equity and inclusion published in 2023, and the subsequent focus on non-financial misconduct in enforcement, have made this connection explicit.</p>
<h2>The common patterns of whistleblowing culture failure</h2>
<h3>Tone from the top that contradicts the policy</h3>
<p>Many regulated firms have whistleblowing policies that are formally adequate but culturally inert. The policy describes channels, guarantees confidentiality, and prohibits retaliation. Senior leaders speak about the importance of speaking up. And yet staff do not raise concerns internally, or raise them and find the experience discouraging enough that they do not do so again.</p>
<p>The gap between policy and culture is almost always explained by what senior leaders actually do rather than what they say. A CEO who responds defensively to concerns about their own behaviour, a business line head whose team knows that raising concerns will affect their relationship with that leader, or an HR function that is seen as protecting the firm from employment claims rather than protecting staff from misconduct — each of these creates a cultural reality that no policy document can overcome.</p>
<h3>Investigation processes that are not genuinely independent</h3>
<p>The independence of the whistleblowing investigation process is fundamental to whether the process works. Where disclosures are investigated by people who report to, or have significant professional relationships with, the individual about whom the disclosure has been made, the investigation is structurally compromised before it begins. This is not always a deliberate choice — it is often the result of investigation processes designed for efficiency rather than independence.</p>
<p>Firms need to think carefully about who investigates what. A concern about a senior business line head should not be investigated by someone who requires that individual&#8217;s approval for their own career progression. A concern about conduct in a regional office should not be investigated by the regional manager. These arrangements are common and they reliably produce investigation outcomes that do not reflect what actually happened.</p>
<h3>Confidentiality failures — accidental and otherwise</h3>
<p>Confidentiality is the threshold requirement for an effective whistleblowing process. If the person making a disclosure believes — correctly or not — that their identity will become known to those they have disclosed about, they will not make the disclosure. Firms underestimate how permeable their internal processes are. A disclosure received by a small compliance team in a business where relationships are close, where the nature of the concern makes the identity of the discloser obvious, or where the investigation process itself reveals the identity of the complainant, is not confidential in any meaningful sense.</p>
<p>The FCA&#8217;s requirements extend beyond confidentiality — firms must take reasonable steps to ensure that employees who make disclosures are not victimised as a result. Victimisation does not require direct retaliation. Exclusion from projects, being passed over for promotion, being subjected to additional performance management scrutiny — these are forms of victimisation that are harder to identify and address than dismissal but are equally damaging to whistleblowing culture.</p>
<h3>No feedback loop for those who disclose</h3>
<p>One of the most consistent findings in research on effective whistleblowing cultures is that individuals who raise concerns and receive no feedback about the outcome — who never know whether their concern was investigated, whether it was found to have merit, or what was done about it — are significantly less likely to raise concerns in future and significantly more likely to report externally to the FCA or other authorities. Firms that treat the disclosure as the end of their obligation to the discloser rather than the beginning of a process that should include appropriate communication back have not understood why their arrangements are failing.</p>
<h2>What genuine cultural change requires from senior leadership</h2>
<p>The FCA has been explicit that senior leaders cannot delegate culture. The tone, the practical reality of what happens when staff raise concerns, and the signal sent by how the firm responds to specific cases are functions of what senior leaders do rather than what they say. Genuine change in whistleblowing culture requires senior leaders who are willing to be held personally accountable for how the firm responds to disclosures — including disclosures about their own behaviour or the behaviour of their peers.</p>
<p>This creates a specific challenge for SMCR firms. The SMF function holders who are personally accountable for governance and culture — the CEO (SMF1), the Head of Internal Audit (SMF5 equivalent in many firms), the Chief Compliance Officer (SMF16 in its compliance oversight incarnation) — need to be people whose response to a disclosure about a senior colleague is to ensure it is properly investigated rather than to protect the relationship. This is a character and values question as much as a competency question, and it is one that boards need to take seriously when making SMF appointments.</p>
<p>The Whistleblowing Champion NED exists specifically to provide board-level oversight that is independent of management. Where that individual is genuinely performing the function — reviewing patterns, forming independent views, holding management to account for the adequacy of the firm&#8217;s arrangements — they provide a structural counterweight to the cultural pressures that otherwise tend to suppress internal disclosure. Where the appointment is nominal, that counterweight does not exist.</p>
<h2>Practical steps that signal genuine commitment</h2>
<p>Firms that are genuinely committed to building a whistleblowing culture share certain practical characteristics. They use multiple disclosure channels — not just a single internal reporting line — including channels that allow disclosures to be received without passing through line management. They conduct regular culture surveys that specifically ask about willingness to raise concerns and perception of what happens when concerns are raised, and they track responses over time. They review the pattern of disclosures against the size of the firm and the complexity of its business, asking whether the volume is plausible — very low disclosure rates in a large, complex firm are often a sign of suppression rather than good behaviour. They train managers specifically on how to respond when a concern is raised — not just on what to do procedurally but on the behaviours that either support or undermine the culture of speaking up. And they review outcomes of disclosures regularly at board level, with the Whistleblowing Champion leading that review.</p>
<p>FD Capital places senior compliance professionals, risk leaders, and Non-Executive Directors in FCA-regulated firms. Where the requirement is an MLRO, CCO, or Whistleblowing Champion NED who has the combination of regulatory expertise and personal qualities that genuine whistleblowing oversight requires, we work exclusively in the regulated financial services space and understand the practical reality of these leadership roles in an SMCR context.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name<br />Company No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">Adrian Lawrence is a Fellow of the Institute of Chartered Accountants in England and Wales and the founder of FD Capital, the UK&#8217;s leading specialist recruiter for part-time, fractional and interim Finance Directors and CFOs. FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a>.</p>
</div>
<div style="background:#1F3864;padding:28px 32px;margin:40px 0;border-radius:4px;">
<p style="margin:0 0 10px;font-size:18px;font-weight:700;color:#fff;">Building your FCA compliance and governance leadership team?</p>
<p style="margin:0 0 18px;font-size:14px;color:#c8d8f0;">FD Capital places MLROs, CCOs, Heads of Compliance, Whistleblowing Champion NEDs and other senior governance appointments in FCA-regulated firms across the UK.</p>
<p style="margin:0;font-size:14px;color:#fff;">Call <a href="tel:02032879501" style="color:#fff;font-weight:700;">020 3287 9501</a> or visit our <a href="/compliance-recruitment/" style="color:#fff;text-decoration:underline;">Compliance Recruitment</a>, <a href="/ned-recruitment/" style="color:#fff;text-decoration:underline;">NED Recruitment</a>, and <a href="/mlro-recruitment/" style="color:#fff;text-decoration:underline;">MLRO Recruitment</a> pages.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/ned-recruitment/">NED Recruitment</a></li>
<li><a href="/mlro-recruitment/">MLRO Recruitment</a></li>
<li><a href="/smcr-compliance-recruitment/">SMCR Compliance Recruitment</a></li>
<li><a href="/financial-crime-recruitment/">Financial Crime Recruitment</a></li>
<li><a href="/risk-and-compliance-recruitment/">Risk and Compliance Recruitment</a></li>
<li><a href="/recruitment-for-fca-regulated-firms/">Recruitment for FCA Regulated Firms</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Whistleblowing Champion (NED): who should fill the role and what they actually do</title>
		<link>https://www.fdcapital.co.uk/twhistleblowing-champion-ned-smcr-role/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Wed, 13 May 2026 18:23:23 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[FCA]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33901</guid>

					<description><![CDATA[The Whistleblowing Champion is one of the most misunderstood appointments in the SMCR framework. Firms that are required to have one frequently confuse it with the executive whistleblowing function, underestimate what the role demands of the individual who holds it, and make appointments based on board availability rather than genuine suitability. The consequences of getting this wrong range from regulatory deficiency to — in extreme cases — the kind of board-level failure that characterised some of the highest-profile enforcement cases in recent years. This article sets out who needs to appoint a Whistleblowing Champion, what the role formally requires, what it demands in practice, and what distinguishes an effective appointment from a nominal one. Which firms must appoint a Whistleblowing Champion The requirement to appoint a Whistleblowing Champion applies to UK banks, building societies, credit unions, PRA-designated investment firms, UK branches of overseas banks, and insurers within the scope of Solvency II. For FCA-only regulated firms, the requirement does not apply universally — the FCA&#8217;s whistleblowing rules in SYSC 18 apply to firms within the FCA&#8217;s enhanced scope for SMCR purposes. For enhanced scope SMCR firms — which includes most banks, major investment firms, and large insurers — the appointment of a Whistleblowing Champion as a specific board-level NED role is mandatory. For core scope SMCR firms, the requirements are less prescriptive but firms are still expected to have adequate internal whistleblowing arrangements including clear accountability for overseeing them. The specific requirement is set out in SYSC 18.4, which requires in-scope firms to appoint a Senior Manager to champion the interests of whistleblowers. For dual-regulated firms, this means appointing an SMF function holder — specifically a Non-Executive Director — to hold this responsibility at board level. 
What the role formally requires The Whistleblowing Champion&#8217;s formal responsibilities under SYSC 18.4 include: overseeing the integrity, independence and effectiveness of the firm&#8217;s internal whistleblowing arrangements and policies; ensuring that those who make disclosures are not victimised as a result; and reporting annually to the board on the operation of the firm&#8217;s whistleblowing arrangements. These formal requirements are deceptively brief. The practical content of the role is substantially more demanding than a reading of SYSC 18.4 alone might suggest. The FCA&#8217;s expectation — reinforced by its enforcement approach and its Dear CEO letters on culture — is that the Whistleblowing Champion is a genuine oversight function, not a reporting mechanism. What the role actually demands in practice Understanding the whistleblowing framework in detail An effective Whistleblowing Champion must understand the firm&#8217;s whistleblowing policy in substantive terms — not merely know that one exists. This means understanding the channels available to staff, the process by which disclosures are received and investigated, who investigates disclosures and under what independence arrangements, how the firm protects the confidentiality of those who make disclosures, and how the firm identifies and responds to potential victimisation. A Whistleblowing Champion who cannot describe how a disclosure made by a junior member of staff in a regional office would be handled — who would receive it, who would investigate it, whether the investigator reports to the individual against whom the disclosure is made, and how the outcome would be communicated — has not yet understood the role. Genuine independence from management The Whistleblowing Champion must be genuinely independent of executive management in a way that allows them to receive concerns about management behaviour without those concerns being suppressed or managed by the people they concern. 
This is the structural purpose of requiring the role to be held by a Non-Executive Director rather than an executive. A NED who is not genuinely independent — because of professional relationships, financial interests, or social proximity to executive leadership — cannot provide the oversight that the role requires. The Barclays case, in which the then-CEO Jes Staley attempted to identify a whistleblower who had raised concerns directly with the board, illustrated with exceptional clarity why this independence matters. The FCA and PRA imposed a joint fine of £642,430 on Staley for breaching the requirement to act with due skill, care and diligence. The case also highlighted the board&#8217;s role in responding to that behaviour — and the specific responsibility of the Whistleblowing Champion to ensure that internal processes protect, rather than expose, those who raise concerns. Oversight of patterns — not just individual cases The Whistleblowing Champion should not be receiving individual disclosures directly as a first port of call — that is an executive function. What the Champion should be receiving is aggregated, anonymised information about the pattern of disclosures made to the firm: the volume, the categories of concern raised, the outcomes of investigations, and any patterns that suggest systemic issues rather than individual incidents. This requires the firm to have MI systems that provide the Champion with genuinely useful information, and it requires the Champion to have the analytical capability and independence to draw conclusions from that information and escalate them to the full board. A Whistleblowing Champion who receives an annual summary prepared by the compliance function, reads it at a board meeting, and notes no concerns is not exercising oversight — they are receiving a report. 
The annual board report SYSC 18.4 requires the Whistleblowing Champion to report to the board at least annually on the operation of the firm&#8217;s whistleblowing arrangements. This report should cover: the number and nature of disclosures received; how they were investigated and by whom; the outcomes; cases where victimisation was identified or alleged and how they were handled; the Champion&#8217;s assessment of whether the firm&#8217;s culture is one in which staff genuinely feel able to raise concerns; and any recommendations for improvement. A board report that consists primarily of quantitative data without qualitative assessment of whether the whistleblowing function is working does not meet the standard. The Champion is being asked to form a view about culture, not merely to transmit statistics. What makes a good appointment The Whistleblowing Champion role requires a NED with a specific combination of characteristics that is rarer than it [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>The Whistleblowing Champion is one of the most misunderstood appointments in the SMCR framework. Firms that are required to have one frequently confuse it with the executive whistleblowing function, underestimate what the role demands of the individual who holds it, and make appointments based on board availability rather than genuine suitability. The consequences of getting this wrong range from regulatory deficiency to — in extreme cases — the kind of board-level failure that characterised some of the highest-profile enforcement cases in recent years.</p>
<p>This article sets out who needs to appoint a Whistleblowing Champion, what the role formally requires, what it demands in practice, and what distinguishes an effective appointment from a nominal one.</p>
<h2>Which firms must appoint a Whistleblowing Champion</h2>
<p>The requirement to appoint a Whistleblowing Champion applies to UK banks, building societies, credit unions, PRA-designated investment firms, UK branches of overseas banks, and insurers within the scope of Solvency II. For FCA-only regulated firms, the requirement does not apply universally — the FCA&#8217;s whistleblowing rules in SYSC 18 apply to firms within the FCA&#8217;s enhanced scope for SMCR purposes.</p>
<p>For enhanced scope SMCR firms — which includes most banks, major investment firms, and large insurers — the appointment of a Whistleblowing Champion as a specific board-level NED role is mandatory. For core scope SMCR firms, the requirements are less prescriptive but firms are still expected to have adequate internal whistleblowing arrangements including clear accountability for overseeing them.</p>
<p>The specific requirement is set out in SYSC 18.4, which requires in-scope firms to appoint a Senior Manager to champion the interests of whistleblowers. For dual-regulated firms, this means appointing an SMF function holder — specifically a Non-Executive Director — to hold this responsibility at board level.</p>
<h2>What the role formally requires</h2>
<p>The Whistleblowing Champion&#8217;s formal responsibilities under SYSC 18.4 include: overseeing the integrity, independence and effectiveness of the firm&#8217;s internal whistleblowing arrangements and policies; ensuring that those who make disclosures are not victimised as a result; and reporting annually to the board on the operation of the firm&#8217;s whistleblowing arrangements.</p>
<p>These formal requirements are deceptively brief. The practical content of the role is substantially more demanding than a reading of SYSC 18.4 alone might suggest. The FCA&#8217;s expectation — reinforced by its enforcement approach and its Dear CEO letters on culture — is that the Whistleblowing Champion is a genuine oversight function, not a reporting mechanism.</p>
<h2>What the role actually demands in practice</h2>
<h3>Understanding the whistleblowing framework in detail</h3>
<p>An effective Whistleblowing Champion must understand the firm&#8217;s whistleblowing policy in substantive terms — not merely know that one exists. This means understanding the channels available to staff, the process by which disclosures are received and investigated, who investigates disclosures and under what independence arrangements, how the firm protects the confidentiality of those who make disclosures, and how the firm identifies and responds to potential victimisation.</p>
<p>A Whistleblowing Champion who cannot describe how a disclosure made by a junior member of staff in a regional office would be handled — who would receive it, who would investigate it, whether the investigator reports to the individual against whom the disclosure is made, and how the outcome would be communicated — has not yet understood the role.</p>
<h3>Genuine independence from management</h3>
<p>The Whistleblowing Champion must be genuinely independent of executive management in a way that allows them to receive concerns about management behaviour without those concerns being suppressed or managed by the people they concern. This is the structural purpose of requiring the role to be held by a Non-Executive Director rather than an executive. A NED who is not genuinely independent — because of professional relationships, financial interests, or social proximity to executive leadership — cannot provide the oversight that the role requires.</p>
<p>The Barclays case, in which the then-CEO Jes Staley attempted to identify a whistleblower who had raised concerns directly with the board, illustrated with exceptional clarity why this independence matters. The FCA and PRA imposed a joint fine of £642,430 on Staley for breaching the requirement to act with due skill, care and diligence. The case also highlighted the board&#8217;s role in responding to that behaviour — and the specific responsibility of the Whistleblowing Champion to ensure that internal processes protect, rather than expose, those who raise concerns.</p>
<h3>Oversight of patterns — not just individual cases</h3>
<p>The Whistleblowing Champion should not be receiving individual disclosures directly as a first port of call — that is an executive function. What the Champion should be receiving is aggregated, anonymised information about the pattern of disclosures made to the firm: the volume, the categories of concern raised, the outcomes of investigations, and any patterns that suggest systemic issues rather than individual incidents.</p>
<p>This requires the firm to have MI systems that provide the Champion with genuinely useful information, and it requires the Champion to have the analytical capability and independence to draw conclusions from that information and escalate them to the full board. A Whistleblowing Champion who receives an annual summary prepared by the compliance function, reads it at a board meeting, and notes no concerns is not exercising oversight — they are receiving a report.</p>
<h3>The annual board report</h3>
<p>SYSC 18.4 requires the Whistleblowing Champion to report to the board at least annually on the operation of the firm&#8217;s whistleblowing arrangements. This report should cover: the number and nature of disclosures received; how they were investigated and by whom; the outcomes; cases where victimisation was identified or alleged and how they were handled; the Champion&#8217;s assessment of whether the firm&#8217;s culture is one in which staff genuinely feel able to raise concerns; and any recommendations for improvement.</p>
<p>A board report that consists primarily of quantitative data without qualitative assessment of whether the whistleblowing function is working does not meet the standard. The Champion is being asked to form a view about culture, not merely to transmit statistics.</p>
<h2>What makes a good appointment</h2>
<p>The Whistleblowing Champion role requires a NED with a specific combination of characteristics that is rarer than it might appear.</p>
<p>First, genuine independence. This is not merely the formal independence test for NED status — it is independence from the management of the firm in a way that would allow the Champion to pursue a concern about a senior executive without the relationship making this effectively impossible.</p>
<p>Second, the confidence to act on concerns. The value of the Whistleblowing Champion is not tested in normal conditions — it is tested when a disclosure has been made about someone with significant power within the firm, when management&#8217;s instinct is to manage the situation rather than investigate it transparently, and when the Champion must decide whether the board needs to know something that management would prefer it did not. This requires a NED with the seniority, credibility and personal confidence to hold that line.</p>
<p>Third, relevant regulatory understanding. A Whistleblowing Champion who does not understand the Protected Disclosures Act, the FCA&#8217;s whistleblowing rules, and the SMCR accountability framework cannot effectively oversee whether the firm&#8217;s arrangements are adequate. This does not mean the Champion needs to be a lawyer or a compliance specialist, but they need sufficient familiarity with the regulatory context to ask the right questions.</p>
<p>Fourth, the time to do the role properly. A NED who is serving on multiple boards and is taking on the Whistleblowing Champion function principally because they had capacity in their schedule is not the right appointment. This is a role that requires active engagement between board meetings — reviewing MI, engaging with the compliance function, and occasionally engaging directly with a specific concern.</p>
<h2>Common appointment failures</h2>
<p>Firms most commonly fail in the Whistleblowing Champion appointment in three ways. First, they appoint whoever is available on the board rather than whoever is best suited to the role. Second, they treat the role as a formal compliance requirement rather than a substantive governance function, with the consequence that the Champion never meaningfully engages with the whistleblowing framework between annual board reports. Third, they appoint a NED who is too close to the executive team to provide genuine independence — often a former executive of the firm, a long-standing professional associate of the CEO, or someone whose other board positions create conflicts of interest.</p>
<p>The FCA&#8217;s culture agenda makes this more than a box-ticking concern. A firm whose Whistleblowing Champion is nominal is a firm that does not in practice have adequate oversight of its internal disclosures process — and where a significant disclosure is made and mishandled, the inadequacy of the oversight function will be a significant factor in the regulatory response.</p>
<p>FD Capital places Non-Executive Directors in FCA-regulated firms, including those with specific SMCR function requirements. Where the requirement is a Whistleblowing Champion NED with the genuine independence, seniority and regulatory understanding that the role demands, we work exclusively in the regulated financial services space and understand both the formal requirements and the practical qualities that distinguish an effective appointment.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name<br />Company No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">Adrian Lawrence is a Fellow of the Institute of Chartered Accountants in England and Wales and the founder of FD Capital, the UK&#8217;s leading specialist recruiter for part-time, fractional and interim Finance Directors and CFOs. FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a>.</p>
</div>
<div style="background:#1F3864;padding:28px 32px;margin:40px 0;border-radius:4px;">
<p style="margin:0 0 10px;font-size:18px;font-weight:700;color:#fff;">Seeking a Whistleblowing Champion NED or other SMCR NED appointment?</p>
<p style="margin:0 0 18px;font-size:14px;color:#c8d8f0;">FD Capital places Non-Executive Directors in FCA-regulated firms, including SMCR function holders with the specific regulatory understanding and genuine independence that the role requires.</p>
<p style="margin:0;font-size:14px;color:#fff;">Call <a href="tel:02032879501" style="color:#fff;font-weight:700;">020 3287 9501</a> or visit our <a href="/ned-recruitment/" style="color:#fff;text-decoration:underline;">NED Recruitment</a> and <a href="/smcr-compliance-recruitment/" style="color:#fff;text-decoration:underline;">SMCR Compliance</a> pages.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/ned-recruitment/">NED Recruitment</a></li>
<li><a href="/smcr-compliance-recruitment/">SMCR Compliance Recruitment</a></li>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/risk-and-compliance-recruitment/">Risk and Compliance Recruitment</a></li>
<li><a href="/financial-crime-recruitment/">Financial Crime Recruitment</a></li>
<li><a href="/recruitment-for-fca-regulated-firms/">Recruitment for FCA Regulated Firms</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Best execution under COBS: what RTS 28 disclosures still require</title>
		<link>https://www.fdcapital.co.uk/best-execution-under-cobs-what-rts-28-disclosures-still-require/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Wed, 13 May 2026 18:22:01 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[COBS]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33898</guid>

					<description><![CDATA[Best execution has been a regulatory priority since MiFID II came into force in January 2018. The UK&#8217;s onshored version of RTS 28 — the Regulatory Technical Standard requiring investment firms to publish annual best execution reports — has created a disclosure obligation that many firms approach as a compliance formality rather than a genuine accountability mechanism. The FCA&#8217;s supervisory attention suggests that the gap between minimum disclosure and adequate disclosure is larger than many compliance functions have recognised, and that the accountability questions under SMCR for individuals responsible for best execution oversight are sharpening. This article examines what RTS 28 actually requires, the most common deficiency patterns, the post-Brexit UK position, and what effective best execution governance looks like from a senior compliance leadership perspective. What RTS 28 requires — and what it means in practice RTS 28 requires investment firms that execute client orders to publish, by 30 April each year, a report covering the preceding calendar year. The report must identify the top five execution venues used for each class of financial instrument and provide an analysis of the quality of execution obtained. The obligation applies to firms executing client orders in their own name — it is distinct from, though related to, the best execution obligation under COBS 11.2. 
The prescribed content under UK RTS 28 includes: the top five execution venues by trading volume for each instrument class; information on the quality of execution obtained including factors such as price, costs, speed, likelihood of execution and settlement, and size and nature of the order; summary information on how the firm has satisfied itself that it is obtaining the best possible result; information about any close links or conflicts of interest with execution venues; and whether the firm differentiated between retail and professional clients in its execution approach. The practical challenge is that the format prescription does not determine the quality of disclosure. A firm can comply with the letter of RTS 28 while producing a report that tells the reader nothing substantive about how the firm actually achieves best execution. The FCA&#8217;s concern, increasingly articulated in supervisory communications, is with the latter rather than the former. Where firms most commonly fall short Generic narrative that does not evidence actual execution quality The most common deficiency is an RTS 28 report that describes the firm&#8217;s best execution policy in summary terms without providing data or analysis that evidences execution quality. A report that states the firm uses leading execution venues and considers multiple execution factors provides no information about whether best execution was actually achieved. The FCA expects the report to contain analysis — not merely assertions. Firms that do not monitor execution quality on an ongoing basis find it structurally difficult to produce an adequate RTS 28 report because the annual publication is supposed to summarise monitoring that should have been conducted throughout the year. Where this monitoring is absent, the RTS 28 report becomes an exercise in drafting plausible-sounding language rather than genuine disclosure. 
Incomplete coverage of instrument classes RTS 28 requires disclosure across all classes of financial instrument in which the firm executes orders. Firms frequently produce reports that cover the classes where execution is most straightforward — typically equities and funds — and either omit or treat superficially the classes where execution quality is harder to evidence, such as fixed income, structured products, or OTC derivatives. Where a firm executes orders in these classes, the omission is a direct regulatory deficiency. No meaningful analysis of how execution factors were weighted COBS 11.2 requires firms to take all sufficient steps to obtain the best possible result when executing client orders, taking into account price, costs, speed, likelihood of execution and settlement, size, nature, and any other relevant consideration. The relative weighting of these factors should depend on the characteristics of the client, the order, the financial instrument, and the execution venue. RTS 28 reports that describe all of these factors without providing any analysis of how the firm actually weighted them in the context of the orders executed during the year do not meet the disclosure standard. Failure to distinguish between client categories The RTS 28 requirement to indicate whether the firm applied different treatment to retail and professional clients is substantive, not a checkbox. Where firms treat all clients identically for execution purposes regardless of client category, this requires explanation. Where firms genuinely differentiate, the report should explain how and why. Reports that state differentiation exists without describing it are inadequate. 
No connection between the RTS 28 report and the firm&#8217;s actual execution monitoring An adequately governed best execution framework will have ongoing transaction cost analysis, execution quality reporting, regular review of execution venue performance, and periodic review of the best execution policy itself. The RTS 28 report should be a public summary of conclusions drawn from this monitoring process. Where the report cannot be traced back to an internal governance process — where it appears to be produced from scratch for the purposes of publication rather than drawn from ongoing monitoring — this suggests the underlying governance is deficient. The post-Brexit UK position Following Brexit, UK firms are subject to the UK onshored version of RTS 28 rather than the EU&#8217;s RTS 28. For most purposes the substantive content is identical — the FCA carried across the MiFID II framework as onshored legislation. UK firms are not required to publish RTS 28 reports for their EU business if they execute that business through an EU entity, but UK-executed business for UK and international clients remains within scope. The FCA has not departed significantly from the EU approach on best execution. UK firms should not assume that regulatory divergence has reduced the obligation. The FCA&#8217;s conduct of business rules continue to require firms to take all sufficient steps to obtain the best possible result. The RTS 28 disclosure obligation continues to apply on the same annual cycle. The primary post-Brexit change of relevance to best execution governance is the FCA&#8217;s increasing [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Best execution has been a regulatory priority since MiFID II came into force in January 2018. The UK&#8217;s onshored version of RTS 28 — the Regulatory Technical Standard requiring investment firms to publish annual best execution reports — has created a disclosure obligation that many firms approach as a compliance formality rather than a genuine accountability mechanism. The FCA&#8217;s supervisory attention suggests that the gap between minimum disclosure and adequate disclosure is larger than many compliance functions have recognised, and that the accountability questions under SMCR for individuals responsible for best execution oversight are sharpening.</p>
<p>This article examines what RTS 28 actually requires, the most common deficiency patterns, the post-Brexit UK position, and what effective best execution governance looks like from a senior compliance leadership perspective.</p>
<h2>What RTS 28 requires — and what it means in practice</h2>
<p>RTS 28 requires investment firms that execute client orders to publish, by 30 April each year, a report covering the preceding calendar year. The report must identify the top five execution venues used for each class of financial instrument and provide an analysis of the quality of execution obtained. The obligation applies to firms executing client orders in their own name — it is distinct from, though related to, the best execution obligation under COBS 11.2.</p>
<p>The prescribed content under UK RTS 28 includes: the top five execution venues by trading volume for each instrument class; information on the quality of execution obtained including factors such as price, costs, speed, likelihood of execution and settlement, and size and nature of the order; summary information on how the firm has satisfied itself that it is obtaining the best possible result; information about any close links or conflicts of interest with execution venues; and whether the firm differentiated between retail and professional clients in its execution approach.</p>
<p>The practical challenge is that the format prescription does not determine the quality of disclosure. A firm can comply with the letter of RTS 28 while producing a report that tells the reader nothing substantive about how the firm actually achieves best execution. The FCA&#8217;s concern, increasingly articulated in supervisory communications, is with the latter rather than the former.</p>
<h2>Where firms most commonly fall short</h2>
<h3>Generic narrative that does not evidence actual execution quality</h3>
<p>The most common deficiency is an RTS 28 report that describes the firm&#8217;s best execution policy in summary terms without providing data or analysis that evidences execution quality. A report that states the firm uses leading execution venues and considers multiple execution factors provides no information about whether best execution was actually achieved. The FCA expects the report to contain analysis — not merely assertions.</p>
<p>Firms that do not monitor execution quality on an ongoing basis find it structurally difficult to produce an adequate RTS 28 report because the annual publication is supposed to summarise monitoring that should have been conducted throughout the year. Where this monitoring is absent, the RTS 28 report becomes an exercise in drafting plausible-sounding language rather than genuine disclosure.</p>
<h3>Incomplete coverage of instrument classes</h3>
<p>RTS 28 requires disclosure across all classes of financial instrument in which the firm executes orders. Firms frequently produce reports that cover the classes where execution is most straightforward — typically equities and funds — and either omit or treat superficially the classes where execution quality is harder to evidence, such as fixed income, structured products, or OTC derivatives. Where a firm executes orders in these classes, the omission is a direct regulatory deficiency.</p>
<h3>No meaningful analysis of how execution factors were weighted</h3>
<p>COBS 11.2 requires firms to take all sufficient steps to obtain the best possible result when executing client orders, taking into account price, costs, speed, likelihood of execution and settlement, size, nature, and any other relevant consideration. The relative weighting of these factors should depend on the characteristics of the client, the order, the financial instrument, and the execution venue. RTS 28 reports that describe all of these factors without providing any analysis of how the firm actually weighted them in the context of the orders executed during the year do not meet the disclosure standard.</p>
<h3>Failure to distinguish between client categories</h3>
<p>The RTS 28 requirement to indicate whether the firm applied different treatment to retail and professional clients is substantive, not a checkbox. Where firms treat all clients identically for execution purposes regardless of client category, this requires explanation. Where firms genuinely differentiate, the report should explain how and why. Reports that state differentiation exists without describing it are inadequate.</p>
<h3>No connection between the RTS 28 report and the firm&#8217;s actual execution monitoring</h3>
<p>An adequately governed best execution framework will have ongoing transaction cost analysis, execution quality reporting, regular review of execution venue performance, and periodic review of the best execution policy itself. The RTS 28 report should be a public summary of conclusions drawn from this monitoring process. Where the report cannot be traced back to an internal governance process — where it appears to be produced from scratch for the purposes of publication rather than drawn from ongoing monitoring — this suggests the underlying governance is deficient.</p>
<h2>The post-Brexit UK position</h2>
<p>Following Brexit, UK firms are subject to the UK onshored version of RTS 28 rather than the EU&#8217;s RTS 28. For most purposes the substantive content is identical — the FCA carried across the MiFID II framework as onshored legislation. UK firms are not required to publish RTS 28 reports for their EU business if they execute that business through an EU entity, but UK-executed business for UK and international clients remains within scope.</p>
<p>The FCA has not departed significantly from the EU approach on best execution. UK firms should not assume that regulatory divergence has reduced the obligation. The FCA&#8217;s conduct of business rules continue to require firms to take all sufficient steps to obtain the best possible result. The RTS 28 disclosure obligation continues to apply on the same annual cycle. The primary post-Brexit change of relevance to best execution governance is the FCA&#8217;s increasing focus on the Consumer Duty, which for retail clients creates an additional obligation to demonstrate that the firm is delivering good outcomes — of which execution quality is a component.</p>
<h2>SMCR accountability for best execution</h2>
<p>Under SMCR, accountability for best execution oversight typically sits with the SMF16 (Compliance Oversight) holder, although in some firms it is distributed between SMF16 and the individual responsible for investment management or trading operations. The accountability question is not merely who signs off the RTS 28 report — it is who is responsible for ensuring that the firm has the systems and processes to achieve best execution on an ongoing basis, and who is accountable if those systems are found inadequate.</p>
<p>The FCA has been clear that personal accountability under SMCR is not limited to situations where the individual had direct knowledge of a failure. A senior manager who did not establish adequate monitoring systems, did not ensure that best execution was reviewed periodically, or did not escalate concerns when transaction data suggested potential execution quality issues can be in scope for regulatory accountability even if they did not cause the failure directly.</p>
<p>This raises the bar materially for whoever holds accountability for best execution within a firm. It requires not just familiarity with the rules but the operational capacity to build and maintain a genuine best execution framework — one that produces data, requires decisions, and evidences its outputs in a way that would withstand regulatory review.</p>
<h2>What effective best execution governance looks like</h2>
<p>Firms with robust best execution frameworks typically share several characteristics. They maintain ongoing transaction cost analysis that allows comparison of actual execution against benchmarks. They have a formal execution venue review process — typically quarterly — that assesses whether the top five venues remain appropriate and whether the ranking has changed in ways that require explanation. They maintain a documented best execution policy that is reviewed at least annually and updated when the firm&#8217;s business or the market environment changes materially. They produce MI for the compliance oversight function that makes execution quality visible as a governance matter, not just an operational one. And they produce the RTS 28 report as an output of this governance process rather than as a standalone annual exercise.</p>
<p>The compliance resource requirement for this framework is not trivial. Firms that treat best execution as primarily a disclosure obligation tend to under-invest in the monitoring and governance infrastructure that makes adequate disclosure possible. The consequence is an RTS 28 report that is technically published but substantively inadequate, and a governance framework that will not withstand supervisory scrutiny.</p>
<h2>The compliance leadership implication</h2>
<p>Best execution is one of those regulatory areas where the gap between adequate and inadequate governance is largely invisible until a regulatory interaction makes it visible. Firms that have been publishing RTS 28 reports for several years without FCA comment should not assume those reports have been assessed as adequate — the FCA&#8217;s supervisory capacity means that many disclosures are not reviewed in depth until a firm comes under specific scrutiny.</p>
<p>The senior compliance leader — whether SMF16 holder, CCO, or Head of Compliance — who is accountable for best execution governance needs both the regulatory expertise to understand what adequate governance looks like and the operational credibility to build it within the firm. This is a role that combines technical knowledge of COBS 11 and RTS 28 with the standing to drive investment in transaction cost analysis infrastructure and the confidence to present execution quality MI as a governance matter to the board.</p>
<p>FD Capital places senior compliance professionals with the MiFID and COBS expertise that FCA-regulated investment firms need. Where the requirement is an SMF16 holder with direct experience of best execution governance, an interim Head of Compliance to lead a framework review, or a CCO who can engage credibly with the FCA on execution quality matters, we work exclusively in the regulated financial services space and understand the specific competency requirements.</p>
<div style="background:#1F3864;padding:28px 32px;margin:40px 0;border-radius:4px;">
<p style="margin:0 0 10px;font-size:18px;font-weight:700;color:#fff;">Seeking senior compliance leadership for your investment firm?</p>
<p style="margin:0 0 18px;font-size:14px;color:#c8d8f0;">FD Capital specialises in placing CCOs, Heads of Compliance, SMF16 holders and interim compliance leaders in FCA-regulated investment and wealth management firms.</p>
<p style="margin:0;font-size:14px;color:#fff;">Call <a href="tel:02032879501" style="color:#fff;font-weight:700;">020 3287 9501</a> or visit our <a href="/compliance-recruitment/" style="color:#fff;text-decoration:underline;">Compliance Recruitment</a> page.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/smcr-compliance-recruitment/">SMCR Compliance Recruitment</a></li>
<li><a href="/investment-firm-cfo-recruitment/">Investment Firm CFO (MIFIDPRU)</a></li>
<li><a href="/chief-risk-officer-recruitment/">CRO Recruitment</a></li>
<li><a href="/risk-and-compliance-recruitment/">Risk and Compliance Recruitment</a></li>
<li><a href="/section-166-review/">Section 166 Review</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>COBS suitability assessments: where firms most often fail FCA scrutiny</title>
		<link>https://www.fdcapital.co.uk/cobs-suitability-assessments-fca-scrutiny/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Wed, 13 May 2026 18:19:55 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[COBS]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33894</guid>

					<description><![CDATA[Suitability remains one of the FCA&#8217;s most consistent enforcement and supervisory priorities for investment firms. COBS 9 and 9A set out the requirements for personal recommendations and discretionary management, but the gap between what the rules require and what firms actually deliver in practice is wide enough that thematic reviews, Section 166 reviews and enforcement cases return to the same deficiencies year after year. The firms most at risk are not those ignoring suitability — they are firms that believe their processes are adequate and have not subjected them to genuine stress testing. This article sets out the specific failure modes the FCA has identified repeatedly, the supervisory signals that indicate scrutiny is coming, and what the underlying compliance leadership problem usually is. What COBS 9 and 9A actually require Before identifying where firms fail, it is worth being precise about the standard. COBS 9 applies to personal recommendations in relation to designated investment business. COBS 9A applies to ongoing suitability for discretionary portfolio management and ongoing advisory services with periodic assessment. The requirements are not limited to the moment of recommendation — they extend to the quality of information gathered, the quality of reasoning documented in the suitability report, the ongoing appropriateness of recommendations, and the adequacy of systems to evidence all of the above. COBS 9.2 requires firms to take reasonable steps to ensure that a personal recommendation is suitable for the client, based on the client&#8217;s knowledge and experience, financial situation, and investment objectives — including risk tolerance. None of these elements is optional. All must be documented in a way that evidences the reasoning, not just the conclusion. The seven failure modes the FCA returns to 1. 
Client information gathering that is superficial rather than substantive The most common finding across thematic reviews is that firms gather client information at the level required to complete a form rather than at the level required to understand the client. Attitude to risk questionnaires that produce a number rather than a narrative understanding of how the client would actually behave during a drawdown are a persistent problem. A client who scores 6 out of 10 on a risk questionnaire and a client who scores 6 but has just retired, has no other liquid savings, and has never experienced a material investment loss are not the same client. The FCA expects firms to demonstrate that they understand the difference. The specific deficiencies the FCA has identified include: not establishing whether the client can financially bear losses consistent with the recommended risk level; not understanding the purpose of the investment beyond a generic investment objective; not establishing investment horizon in a way that informs the recommendation; and not updating client information periodically to reflect changed circumstances. 2. Suitability reports that describe the recommendation without explaining why it is suitable COBS 9.4 requires that where a personal recommendation is made, a suitability report must specify the recommendation and explain why it is suitable having regard to the client&#8217;s information. The word &#8220;explain&#8221; is doing significant work here. Firms frequently produce suitability reports that describe what has been recommended and that the client&#8217;s attitude to risk is moderate, but do not demonstrate the connection between the client&#8217;s specific circumstances and the recommendation made. The FCA&#8217;s supervisory expectation is that a suitability report should allow the regulator — or an informed third party — to understand why this recommendation was made for this client at this time. 
Template language that could apply to any client with a moderate risk profile does not meet that standard. 3. Centralised investment propositions applied without genuine tailoring The growth of centralised investment propositions has created a structural suitability problem for many firms. A CIP is not inherently unsuitable, but using one requires firms to demonstrate that the proposition is appropriate for each individual client rather than that the client has been matched to a proposition category. The FCA has found that many firms treat the CIP as the end point of the suitability process rather than as one input into it. Where a firm&#8217;s recommended portfolios cover three to five risk-rated model portfolios and the entire client base distributes across those options, the FCA will ask how individual client circumstances were genuinely taken into account. This is particularly acute for clients with concentration risk in other assets, clients with tax considerations that affect portfolio structure, clients approaching or in decumulation, and clients whose stated attitude to risk is inconsistent with their capacity for loss. 4. Insufficient assessment of capacity for loss Attitude to risk and capacity for loss are different things, and firms regularly conflate them. A client can have a high attitude to risk and a low capacity for loss — for example, a client who is psychologically comfortable with volatility but whose financial circumstances mean that a significant loss would materially affect their standard of living. COBS 9 requires both to be assessed. The FCA has found that many firms assess attitude to risk adequately and capacity for loss inadequately or not at all. This is a specific, recurring finding that has appeared in thematic reviews across investment advice, discretionary management, and pension transfer advice. 5. 
Inadequate governance of the suitability framework itself The FCA&#8217;s supervisory attention has increasingly moved upstream from individual suitability assessments to the governance of the suitability framework. This means asking who owns the framework, how it is reviewed, what MI is produced about suitability quality, what oversight the Compliance function exercises over suitability quality, and what happens when problems are identified. Firms that can demonstrate strong individual suitability processes but cannot demonstrate that there is meaningful senior management oversight of whether the framework is working are increasingly exposed. Under SMCR, the accountability question is explicit. The individual holding SMF16 (Compliance Oversight) has personal accountability for the compliance function&#8217;s oversight of suitability. Where the FCA finds that suitability oversight has been inadequate, the question of whether the SMF16 holder exercised their function effectively is live. 6. Pension transfer advice — a [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Suitability remains one of the FCA&#8217;s most consistent enforcement and supervisory priorities for investment firms. COBS 9 and 9A set out the requirements for personal recommendations and discretionary management, but the gap between what the rules require and what firms actually deliver in practice is wide enough that thematic reviews, Section 166 reviews and enforcement cases return to the same deficiencies year after year. The firms most at risk are not those ignoring suitability — they are firms that believe their processes are adequate and have not subjected them to genuine stress testing.</p>
<p>This article sets out the specific failure modes the FCA has identified repeatedly, the supervisory signals that indicate scrutiny is coming, and what the underlying compliance leadership problem usually is.</p>
<h2>What COBS 9 and 9A actually require</h2>
<p>Before identifying where firms fail, it is worth being precise about the standard. COBS 9 applies to personal recommendations in relation to designated investment business. COBS 9A applies to ongoing suitability for discretionary portfolio management and ongoing advisory services with periodic assessment. The requirements are not limited to the moment of recommendation — they extend to the quality of information gathered, the quality of reasoning documented in the suitability report, the ongoing appropriateness of recommendations, and the adequacy of systems to evidence all of the above.</p>
<p>COBS 9.2 requires firms to take reasonable steps to ensure that a personal recommendation is suitable for the client, based on the client&#8217;s knowledge and experience, financial situation, and investment objectives — including risk tolerance. None of these elements is optional. All must be documented in a way that evidences the reasoning, not just the conclusion.</p>
<h2>The seven failure modes the FCA returns to</h2>
<h3>1. Client information gathering that is superficial rather than substantive</h3>
<p>The most common finding across thematic reviews is that firms gather client information at the level required to complete a form rather than at the level required to understand the client. Attitude to risk questionnaires that produce a number rather than a narrative understanding of how the client would actually behave during a drawdown are a persistent problem. A client who scores 6 out of 10 on a risk questionnaire and a client who scores 6 but has just retired, has no other liquid savings, and has never experienced a material investment loss are not the same client. The FCA expects firms to demonstrate that they understand the difference.</p>
<p>The specific deficiencies the FCA has identified include: not establishing whether the client can financially bear losses consistent with the recommended risk level; not understanding the purpose of the investment beyond a generic investment objective; not establishing investment horizon in a way that informs the recommendation; and not updating client information periodically to reflect changed circumstances.</p>
<h3>2. Suitability reports that describe the recommendation without explaining why it is suitable</h3>
<p>COBS 9.4 requires that where a personal recommendation is made, a suitability report must specify the recommendation and explain why it is suitable having regard to the client&#8217;s information. The word &#8220;explain&#8221; is doing significant work here. Firms frequently produce suitability reports that describe what has been recommended and that the client&#8217;s attitude to risk is moderate, but do not demonstrate the connection between the client&#8217;s specific circumstances and the recommendation made.</p>
<p>The FCA&#8217;s supervisory expectation is that a suitability report should allow the regulator — or an informed third party — to understand why this recommendation was made for this client at this time. Template language that could apply to any client with a moderate risk profile does not meet that standard.</p>
<h3>3. Centralised investment propositions applied without genuine tailoring</h3>
<p>The growth of centralised investment propositions has created a structural suitability problem for many firms. A CIP is not inherently unsuitable, but using one requires firms to demonstrate that the proposition is appropriate for each individual client rather than that the client has been matched to a proposition category. The FCA has found that many firms treat the CIP as the end point of the suitability process rather than as one input into it. Where a firm&#8217;s recommended portfolios cover three to five risk-rated model portfolios and the entire client base distributes across those options, the FCA will ask how individual client circumstances were genuinely taken into account.</p>
<p>This is particularly acute for clients with concentration risk in other assets, clients with tax considerations that affect portfolio structure, clients approaching or in decumulation, and clients whose stated attitude to risk is inconsistent with their capacity for loss.</p>
<h3>4. Insufficient assessment of capacity for loss</h3>
<p>Attitude to risk and capacity for loss are different things, and firms regularly conflate them. A client can have a high attitude to risk and a low capacity for loss — for example, a client who is psychologically comfortable with volatility but whose financial circumstances mean that a significant loss would materially affect their standard of living. COBS 9 requires both to be assessed. The FCA has found that many firms assess attitude to risk adequately and capacity for loss inadequately or not at all. This is a specific, recurring finding that has appeared in thematic reviews across investment advice, discretionary management, and pension transfer advice.</p>
<h3>5. Inadequate governance of the suitability framework itself</h3>
<p>The FCA&#8217;s supervisory attention has increasingly moved upstream from individual suitability assessments to the governance of the suitability framework. This means asking who owns the framework, how it is reviewed, what MI is produced about suitability quality, what oversight the Compliance function exercises over suitability quality, and what happens when problems are identified. Firms that can demonstrate strong individual suitability processes but cannot demonstrate that there is meaningful senior management oversight of whether the framework is working are increasingly exposed.</p>
<p>Under SMCR, the accountability question is explicit. The individual holding SMF16 (Compliance Oversight) has personal accountability for the compliance function&#8217;s oversight of suitability. Where the FCA finds that suitability oversight has been inadequate, the question of whether the SMF16 holder exercised their function effectively is live.</p>
<h3>6. Pension transfer advice — a persistently elevated risk area</h3>
<p>Defined benefit pension transfer advice carries specific suitability requirements under COBS 19 and has been a persistent enforcement priority. The FCA&#8217;s review of DB transfer advice found widespread deficiencies including: inadequate critical yield analysis; insufficient consideration of scheme benefits being given up; advice that was in practice a rubber stamp for a client decision already made; and advisers without adequate competence or sufficient support from the firm&#8217;s compliance function. The FCA has withdrawn the authorisation of multiple firms in this area and has made clear that the risk of personal accountability for senior managers at firms with systematic DB transfer advice failings is real.</p>
<h3>7. Inadequate file review and quality assurance processes</h3>
<p>Post-advice file review is one of the FCA&#8217;s primary supervisory tools for assessing suitability quality. Firms whose file review processes are cursory, whose reviewers are not genuinely independent of the advisers whose files they review, or whose QA processes do not result in meaningful remediation are at significant supervisory risk. The FCA expects file review to be a genuine quality control mechanism, not a compliance exercise. Where file review identifies recurring problems that the firm has not addressed, this compounds the original suitability deficiencies.</p>
<h2>The supervisory signals that precede scrutiny</h2>
<p>Firms are not selected for supervisory attention randomly. The signals that tend to precede a Section 166 review or thematic inclusion include: high volumes of complaints relating to investment performance or advice quality; patterns in FOS decisions against the firm; a portfolio that has drifted materially from stated investment objectives; significant changes in adviser population or business model without corresponding compliance review; and intelligence from other sources including whistleblowing.</p>
<p>Section 166 reviews in the suitability space are typically triggered when the FCA has a specific concern it wants to investigate with greater depth than its own resources allow. A skilled person appointed under Section 166 will assess the firm&#8217;s suitability framework against a detailed specification agreed with the FCA. The findings feed directly into the FCA&#8217;s assessment of whether enforcement action is warranted and what remediation is required.</p>
<h2>The compliance leadership problem</h2>
<p>Most suitability failures in regulated investment firms are not caused by dishonesty or deliberate non-compliance. They are caused by compliance functions that are under-resourced relative to the complexity of the business, by SMF16 holders who lack the specific COBS and MiFID suitability expertise to identify where the framework is inadequate, or by governance structures that have not kept pace with growth in the adviser population or assets under management.</p>
<p>The practical consequence is that firms facing FCA scrutiny often find that their compliance leadership, while competent in a general sense, has not had the experience of designing and running a suitability framework under active regulatory examination. This is precisely the capability gap that firms need to address before — rather than after — the FCA makes contact.</p>
<p>FD Capital places senior compliance leaders with the specific suitability and COBS expertise that FCA-regulated investment firms need. Whether the requirement is a CCO who has managed a Section 166 review, an SMF16 holder with direct experience of the FCA&#8217;s thematic review process, or an interim Head of Compliance to lead a suitability framework remediation programme, we work exclusively in the regulated financial services space.</p>
<p>If your firm is conducting a suitability framework review or is facing regulatory scrutiny, please contact us to discuss how we can help identify and place the right senior compliance professional.</p>
<div style="background: #f8f9fa; border-left: 4px solid #1F3864; padding: 24px 28px; margin: 40px 0;">
<p style="margin: 0 0 8px; font-size: 13px; text-transform: uppercase; letter-spacing: .08em; color: #666;">Written by</p>
<p style="margin: 0 0 4px; font-size: 17px; font-weight: bold; color: #1f3864;">Adrian Lawrence FCA</p>
<p style="margin: 0 0 12px; font-size: 14px; color: #444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />
ICAEW Fellow | Holds an ICAEW practising certificate in his own name<br />
Company No. 13329383</p>
<p style="margin: 0; font-size: 13px; color: #555;">Adrian Lawrence is a Fellow of the Institute of Chartered Accountants in England and Wales and the founder of FD Capital, the UK&#8217;s leading specialist recruiter for part-time, fractional and interim Finance Directors and CFOs. FD Capital is an <a style="color: #1f3864;" href="https://find.icaew.com/firms/137918" target="_blank" rel="noopener">ICAEW-Registered Practice</a>.</p>
</div>
<div style="background: #1F3864; padding: 28px 32px; margin: 40px 0; border-radius: 4px;">
<p style="margin: 0 0 10px; font-size: 18px; font-weight: bold; color: #fff;">Need a senior compliance professional for your FCA-regulated firm?</p>
<p style="margin: 0 0 18px; font-size: 14px; color: #c8d8f0;">FD Capital specialises in placing CCOs, MLROs, Heads of Compliance and SMF holders in regulated financial services businesses across the UK.</p>
<p style="margin: 0; font-size: 14px; color: #fff;">Call <a style="color: #fff; font-weight: bold;" href="tel:02032879501">020 3287 9501</a> or visit our <a style="color: #fff; text-decoration: underline;" href="/compliance-recruitment/">Compliance Recruitment</a> and <a style="color: #fff; text-decoration: underline;" href="/smcr-compliance-recruitment/">SMCR Compliance</a> pages.</p>
</div>
<h3>Related Services</h3>
<ul>
<li><a href="/compliance-recruitment/">Compliance Recruitment</a></li>
<li><a href="/smcr-compliance-recruitment/">SMCR Compliance Recruitment</a></li>
<li><a href="/chief-risk-officer-recruitment/">CRO Recruitment</a></li>
<li><a href="/smf2-regulated-cfo-recruitment/">SMF2 CFO Recruitment</a></li>
<li><a href="/section-166-review/">Section 166 Review</a></li>
<li><a href="/risk-and-compliance-recruitment/">Risk and Compliance Recruitment</a></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Conduct rules breach reporting: what the FCA expects from your firm</title>
		<link>https://www.fdcapital.co.uk/conduct-rules-breach-reporting-what-the-fca-expects-from-your-firm/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Fri, 08 May 2026 19:22:30 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[FCA]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33820</guid>

					<description><![CDATA[The Notification Obligation in Plain Terms Under the Senior Managers and Certification Regime, firms that have taken disciplinary action against an employee for a breach of the Conduct Rules must notify the FCA. This notification obligation sits within the FCA&#8217;s Supervision manual (SUP 15) and has specific requirements around timing, content and scope that many firms — particularly those without dedicated regulatory reporting expertise — do not fully understand. The notification obligation is one of the most operationally challenging aspects of SMCR for compliance functions. The threshold for what must be reported, the definition of disciplinary action, and the timeline for notification all require careful judgement. Firms that over-notify create regulatory noise and may signal governance weakness. Firms that under-notify face enforcement risk. Getting the threshold right consistently requires a clear internal process, senior accountability, and documented decision-making. This post explains the notification obligation in detail, sets out the FCA&#8217;s expectations based on supervisory guidance and published enforcement outcomes, and identifies the most common failures firms make in breach reporting. Who Is Subject to the Notification Obligation The conduct rules notification obligation applies to all FCA solo-regulated firms within scope of SMCR — which covers the vast majority of FCA-authorised firms. Banks and dual-regulated firms have equivalent obligations under the PRA&#8217;s framework. The obligation applies where a firm takes disciplinary action against any employee in scope of the Conduct Rules — which under SMCR means almost all employees of the firm, not just Senior Managers or Certified Persons. 
The breadth of this scope is wider than many firms appreciate: the Conduct Rules apply to substantially the entire workforce (with limited exceptions for certain ancillary staff), so the potential population for conduct breach notifications is correspondingly large. What Triggers the Notification Obligation The trigger is specific: a firm must notify the FCA when it takes disciplinary action against a staff member for a conduct rules breach. Both elements of this trigger require careful analysis. What counts as a conduct rules breach A conduct rules breach is a failure to meet one or more of the standards in COCON (the Conduct Rules sourcebook). The key standards are: Rule 1: Acting with integrity Rule 2: Acting with due skill, care and diligence Rule 3: Being open and cooperative with regulators Rule 4: Paying due regard to customer interests Rule 5: Observing proper standards of market conduct For Senior Managers, the additional Senior Manager Conduct Rules (SC1-SC4) also apply. See our Senior Manager Conduct Rules guide for full detail on these. Not every workplace misconduct issue is a conduct rules breach. A member of staff who is disciplined for poor timekeeping has not necessarily breached Rule 2 (due skill, care and diligence) — though depending on the severity and context it could be relevant. A member of staff who is disciplined for dishonesty in their expense claims has almost certainly breached Rule 1 (integrity). The question the firm must ask is whether the disciplinary matter engages one of the COCON standards, which requires a substantive assessment rather than an automatic classification. What counts as disciplinary action The FCA defines disciplinary action broadly. It includes formal warnings (written or final), suspension, demotion, reduction of remuneration, and dismissal. It does not require dismissal — a formal written warning for a conduct matter is sufficient to trigger the notification obligation if it relates to a conduct rules breach. 
Critically, an outcome that does not meet the technical definition of disciplinary action — for example, a performance improvement plan that does not constitute a formal disciplinary measure under the firm&#8217;s HR framework — would not trigger notification even if it relates to conduct concerns. However, firms should be careful about structuring outcomes to avoid the notification trigger where the underlying conduct genuinely warrants regulatory reporting. The FCA has made clear in enforcement outcomes that structuring HR processes to avoid notification obligations is itself a conduct and governance concern. The Notification Timeline The firm must notify the FCA as soon as reasonably practicable after it becomes aware that disciplinary action has been taken for a conduct rules breach. The FCA&#8217;s guidance indicates this should typically happen within 10 business days of the disciplinary outcome — though this is not a hard statutory deadline, and the expectation of &#8220;as soon as reasonably practicable&#8221; means the threshold is substantively prompt. Where a disciplinary process is ongoing, the notification obligation is triggered by the conclusion of that process — not by the initiation of an investigation or the point at which the firm first suspects a breach. Firms do not need to notify the FCA about ongoing investigations before a disciplinary outcome has been reached, but they should not delay notification once a disciplinary decision has been made pending internal review processes. For Senior Managers, there is an additional notification consideration: where the firm becomes aware that a Senior Manager may have breached the Duty of Responsibility or the Senior Manager Conduct Rules in connection with a regulatory breach by the firm, the firm should consider whether a SUP 15 notification is required independently of any internal disciplinary process. 
The Content of the Notification The FCA&#8217;s prescribed form for conduct rules notifications is SUP 15 Annex 4R. The notification must include: The identity of the individual Their role and Senior Management Function or Certified Function (if applicable) The conduct rules provision breached The nature of the breach The disciplinary action taken The date of the disciplinary action Any relevant context the firm considers material The quality of the notification content matters as much as the fact of notification. Notifications that describe the breach in vague terms — &#8220;employee failed to meet expected standards&#8221; — are less informative than notifications that clearly identify the specific conduct rule breached, describe the underlying conduct, and explain the disciplinary outcome. The FCA uses notification data both for individual supervision and for thematic analysis of conduct patterns across the industry. The Annual Report Requirement In addition to individual breach notifications, firms must submit an annual report [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2>The Notification Obligation in Plain Terms</h2>
<p>Under the <a href="https://www.fdcapital.co.uk/smcr-guide/">Senior Managers and Certification Regime</a>, firms that have taken disciplinary action against an employee for a breach of the <a href="https://www.fdcapital.co.uk/fca-conduct-rules-guide/">Conduct Rules</a> must notify the FCA. This notification obligation sits within the FCA&#8217;s Supervision manual (SUP 15) and has specific requirements around timing, content and scope that many firms — particularly those without dedicated regulatory reporting expertise — do not fully understand.</p>
<p>The notification obligation is one of the most operationally challenging aspects of SMCR for compliance functions. The threshold for what must be reported, the definition of disciplinary action, and the timeline for notification all require careful judgement. Firms that over-notify create regulatory noise and may signal governance weakness. Firms that under-notify face enforcement risk. Getting the threshold right consistently requires a clear internal process, senior accountability, and documented decision-making.</p>
<p>This post explains the notification obligation in detail, sets out the FCA&#8217;s expectations based on supervisory guidance and published enforcement outcomes, and identifies the most common failures firms make in breach reporting.</p>
<h2>Who Is Subject to the Notification Obligation</h2>
<p>The conduct rules notification obligation applies to all FCA solo-regulated firms within scope of SMCR — which covers the vast majority of FCA-authorised firms. Banks and dual-regulated firms have equivalent obligations under the PRA&#8217;s framework.</p>
<p>The obligation applies where a firm takes disciplinary action against any employee in scope of the Conduct Rules — which under SMCR means almost all employees of the firm, not just Senior Managers or Certified Persons. The breadth of this scope is wider than many firms appreciate: the Conduct Rules apply to substantially the entire workforce (with limited exceptions for certain ancillary staff), so the potential population for conduct breach notifications is correspondingly large.</p>
<h2>What Triggers the Notification Obligation</h2>
<p>The trigger is specific: a firm must notify the FCA when it takes <strong>disciplinary action</strong> against a staff member for a <strong>conduct rules breach</strong>. Both elements of this trigger require careful analysis.</p>
<h3>What counts as a conduct rules breach</h3>
<p>A conduct rules breach is a failure to meet one or more of the standards in COCON (the Conduct Rules sourcebook). The key standards are:</p>
<ul>
<li><strong>Rule 1:</strong> Acting with integrity</li>
<li><strong>Rule 2:</strong> Acting with due skill, care and diligence</li>
<li><strong>Rule 3:</strong> Being open and cooperative with regulators</li>
<li><strong>Rule 4:</strong> Paying due regard to customer interests</li>
<li><strong>Rule 5:</strong> Observing proper standards of market conduct</li>
</ul>
<p>For Senior Managers, the additional Senior Manager Conduct Rules (SC1-SC4) also apply. See our <a href="https://www.fdcapital.co.uk/senior-manager-conduct-rules-guide/">Senior Manager Conduct Rules guide</a> for full detail on these.</p>
<p>Not every workplace misconduct issue is a conduct rules breach. A member of staff who is disciplined for poor timekeeping has not necessarily breached Rule 2 (due skill, care and diligence) — though depending on the severity and context it could be relevant. A member of staff who is disciplined for dishonesty in their expense claims has almost certainly breached Rule 1 (integrity). The question the firm must ask is whether the disciplinary matter engages one of the COCON standards, which requires a substantive assessment rather than an automatic classification.</p>
<h3>What counts as disciplinary action</h3>
<p>The FCA defines disciplinary action broadly. It includes formal warnings (written or final), suspension, demotion, reduction of remuneration, and dismissal. It does not require dismissal — a formal written warning for a conduct matter is sufficient to trigger the notification obligation if it relates to a conduct rules breach.</p>
<p>Critically, an outcome that does not meet the technical definition of disciplinary action — for example, a performance improvement plan that does not constitute a formal disciplinary measure under the firm&#8217;s HR framework — would not trigger notification even if it relates to conduct concerns. However, firms should be careful about structuring outcomes to avoid the notification trigger where the underlying conduct genuinely warrants regulatory reporting.</p>
<p>The FCA has made clear in enforcement outcomes that structuring HR processes to avoid notification obligations is itself a conduct and governance concern.</p>
<h2>The Notification Timeline</h2>
<p>The firm must notify the FCA as soon as reasonably practicable after it becomes aware that disciplinary action has been taken for a conduct rules breach. The FCA&#8217;s guidance indicates this should typically happen within 10 business days of the disciplinary outcome — though this is not a hard statutory deadline, and the expectation of &#8220;as soon as reasonably practicable&#8221; means that, in practice, notification must be prompt.</p>
<p>Where a disciplinary process is ongoing, the notification obligation is triggered by the conclusion of that process — not by the initiation of an investigation or the point at which the firm first suspects a breach. Firms do not need to notify the FCA about ongoing investigations before a disciplinary outcome has been reached, but they should not delay notification once a disciplinary decision has been made pending internal review processes.</p>
<p>For Senior Managers, there is an additional notification consideration: where the firm becomes aware that a Senior Manager may have breached the Duty of Responsibility or the Senior Manager Conduct Rules in connection with a regulatory breach by the firm, the firm should consider whether a SUP 15 notification is required independently of any internal disciplinary process.</p>
<h2>The Content of the Notification</h2>
<p>The FCA&#8217;s prescribed form for conduct rules notifications is SUP 15 Annex 4R. The notification must include:</p>
<ul>
<li>The identity of the individual</li>
<li>Their role and Senior Management Function or Certified Function (if applicable)</li>
<li>The conduct rules provision breached</li>
<li>The nature of the breach</li>
<li>The disciplinary action taken</li>
<li>The date of the disciplinary action</li>
<li>Any relevant context the firm considers material</li>
</ul>
<p>The quality of the notification content matters as much as the fact of notification. Notifications that describe the breach in vague terms — &#8220;employee failed to meet expected standards&#8221; — are less informative than notifications that clearly identify the specific conduct rule breached, describe the underlying conduct, and explain the disciplinary outcome. The FCA uses notification data both for individual supervision and for thematic analysis of conduct patterns across the industry.</p>
<h2>The Annual Report Requirement</h2>
<p>In addition to the individual notifications made in respect of Senior Managers, firms must submit an annual report to the FCA summarising conduct rules breaches and disciplinary actions against all conduct rules staff in the preceding reporting period. This report (Form H) is submitted via the FCA&#8217;s RegData system (formerly Gabriel) and covers:</p>
<ul>
<li>The number of conduct rules breaches reported</li>
<li>The conduct rules provisions involved</li>
<li>The disciplinary outcomes</li>
<li>Whether any individuals were Senior Managers or Certified Persons</li>
</ul>
<p>The annual report serves a different supervisory function from individual breach notifications: it enables the FCA to assess the overall conduct profile of a firm and to identify patterns that individual notifications might not reveal. A firm with a significant number of conduct breach notifications that are all classified as Rule 2 (skill, care and diligence) raises different supervisory questions than a firm with a similar number spread across the full set of Individual Conduct Rules.</p>
<h2>What the FCA Actually Scrutinises</h2>
<p>Based on FCA supervisory dialogue and published enforcement outcomes, the aspects of conduct breach reporting that draw the most supervisory attention are:</p>
<h3>Under-reporting</h3>
<p>The most common failure is firms that take disciplinary action for conduct that clearly engages the Conduct Rules without making the required notification. This sometimes reflects a genuine misunderstanding of the threshold. More often it reflects an internal process where the HR function manages the disciplinary outcome and the compliance function is not consistently involved in the classification decision.</p>
<p>The FCA has found in thematic reviews that many firms have weaker processes for identifying and reporting lower-level conduct breaches (written warnings, performance-related outcomes) than for reporting serious matters such as dismissals. The notification obligation applies equally to both.</p>
<h3>Notification quality</h3>
<p>Vague or incomplete notifications — those that identify the individual and outcome but do not clearly describe the conduct or the rule breached — are less useful to the FCA and may attract follow-up queries. Firms that invest in clear, substantive notification drafting avoid this friction.</p>
<h3>Process consistency</h3>
<p>The FCA expects the notification decision to be consistent — applying the same threshold across similar cases. Inconsistency in whether similar conduct is classified as a notifiable breach suggests that the classification process lacks rigour. Documenting the rationale for notification decisions (and for decisions not to notify) provides a defensible record in the event of supervisory challenge.</p>
<h3>Senior Manager involvement</h3>
<p>Where a conduct breach involves a Senior Manager — whether as the subject of the disciplinary action or as a manager who failed to identify or prevent a breach within their area — the FCA expects the notification to clearly identify the Senior Manager Conduct Rules dimension. A notification that characterises a Senior Manager&#8217;s failure to oversee a conduct issue as a Rule 2 breach when it could more accurately be characterised as an SC1 or SC2 breach may attract scrutiny.</p>
<h2>Building a Robust Notification Process</h2>
<p>Firms that manage this well typically have the following in place:</p>
<ul>
<li><strong>A clear ownership model</strong> — the compliance function (typically the SMF16 holder&#8217;s team) owns the classification decision and the notification, not HR</li>
<li><strong>A trigger mechanism</strong> — HR-initiated disciplinary processes automatically route through compliance for conduct rules classification before conclusion</li>
<li><strong>A documented decision framework</strong> — a written framework setting out the threshold for notification, worked examples, and an escalation path for borderline cases</li>
<li><strong>A record of non-notification decisions</strong> — documenting cases where a disciplinary matter was assessed and found not to meet the notification threshold, with the rationale</li>
<li><strong>Regular review against the annual report</strong> — using the annual report cycle to audit whether the year&#8217;s notifications and non-notification decisions are consistent and complete</li>
</ul>
<p>The SMF16 holder carries personal accountability for the firm&#8217;s compliance function, including the adequacy of its breach notification process. Where the process is weak, the accountability sits with whoever holds that function. See our <a href="https://www.fdcapital.co.uk/smf16-compliance-oversight-function-guide/">SMF16 guide</a> for the full scope of the Compliance Oversight function.</p>
<h2>Interaction with Regulatory References</h2>
<p>Conduct rules breach notifications interact with the regulatory reference framework. Where a firm has notified the FCA of a conduct breach by an individual, that information must be disclosed in the regulatory reference provided to future regulated employers when that individual applies for an SMF or Certified Function role. Firms must retain records of conduct breach notifications for at least six years specifically to enable accurate regulatory reference disclosure.</p>
<p>This creates a practical governance requirement: the compliance function must maintain conduct breach records in a format accessible for regulatory reference purposes, not just for internal disciplinary records. See our post on <a href="https://www.fdcapital.co.uk/smcr-vs-approved-persons-regime/">SMCR vs the Approved Persons Regime</a> for context on why the regulatory reference requirement was introduced and how it operates.</p>
<div class="founder-panel" style="background-color:#faf6ed; border:1px solid #d4c5a3; border-left:5px solid #1F3864; padding:30px 35px; margin:35px 0; border-radius:6px;">
<h3 style="color:#1F3864; margin-top:0; border-bottom:1px solid #d4c5a3; padding-bottom:10px;">A Note from Our Founder — Adrian Lawrence FCA</h3>
<p>Conduct breach reporting is the area where I most often see a structural gap in how firms organise their compliance function. The HR-compliance interface is frequently underdeveloped — HR manages the disciplinary outcome and compliance only finds out about it if someone thinks to tell them. That is the wrong structure. The classification decision — whether a disciplinary matter engages the Conduct Rules — must sit with compliance, and HR-initiated processes must route through that classification before conclusion.</p>
<p>Firms that have this structure right tend to have an SMF16 holder who has made it a personal priority. Firms that don&#8217;t typically have either a weak compliance function, an understaffed one, or one where the SMF16 holder has not engaged substantively with the HR interface. If you are evaluating your compliance function&#8217;s capacity to manage this well — or looking for an SMF16 appointment who will — I am happy to discuss what you should be looking for.</p>
<p><a href="/hire-an-fd-or-cfo/">Speak to Adrian about a compliance leadership appointment →</a></p>
<p>Adrian Lawrence FCA &nbsp;|&nbsp; Founder, FD Capital &nbsp;|&nbsp; <a href="https://find.icaew.com/members/telford/adrian-lawrence/Zu0Sxy" target="_blank" rel="noopener">ICAEW Verified Fellow</a> &nbsp;|&nbsp; ICAEW-Registered Practice &nbsp;|&nbsp; Companies House no. 13329383</p>
</div>
<div class="cta-box" style="background-color:#1F3864; color:#ffffff; padding:35px 30px; margin:35px 0; border-radius:6px; text-align:center;">
<h3 style="color:#ffffff; margin-top:0; font-size:1.5em;">Build Compliance Leadership That Manages Regulatory Risk</h3>
<p style="color:#ffffff;">FD Capital places SMF16 holders and senior compliance professionals who can build and run the governance frameworks that FCA-regulated firms need — including conduct breach reporting, SMCR compliance and regulatory notification.</p>
<p><strong>020 3287 9501</strong></p>
<p><a href="/smcr-compliance-recruitment/" style="color:#ffffff; font-weight:bold; text-decoration:underline;">SMCR Compliance Recruitment ›</a> &nbsp;|&nbsp; <a href="/chief-compliance-officer-recruitment/" style="color:#ffffff; font-weight:bold; text-decoration:underline;">CCO Recruitment</a> &nbsp;|&nbsp; <a href="/contact-us/" style="color:#ffffff; font-weight:bold; text-decoration:underline;">Contact Us</a></p>
</div>
<h2 style="text-align:center;">Related Reading</h2>
<p>Further reading on conduct obligations and SMCR: <a href="/fca-conduct-rules-guide/">FCA Conduct Rules Guide</a> | <a href="/individual-conduct-rules-guide/">Individual Conduct Rules</a> | <a href="/senior-manager-conduct-rules-guide/">Senior Manager Conduct Rules</a> | <a href="/conduct-rules-training-behaviour-change/">Conduct Rules Training: How to Change Behaviour</a> | <a href="/smcr-guide/">SMCR Guide</a> | <a href="/smf16-compliance-oversight-function-guide/">SMF16 Compliance Oversight Guide</a> | <a href="/smcr-vs-approved-persons-regime/">SMCR vs the Approved Persons Regime</a> | <a href="/smcr-phase-1-reform-2026-what-changes/">SMCR Reform 2026</a> | <a href="/smcr-limited-scope-firms-guide/">SMCR for Limited Scope Firms</a> | <a href="/regulatory-reporting-guide/">Regulatory Reporting Guide</a> | <a href="/recruitment-for-fca-regulated-firms/">FCA Regulated Firm Recruitment</a></p>
]]></content:encoded>
			</item>
	</channel>
</rss>
