The most common Section 250 misreading we see is "we are SM&CR-compliant, so we are Section 250-compliant". The statute does not say that. Section 250(3) defines a senior manager by what they do, not by who the FCA has approved, and that test reaches well past your SMF register.
What the statute actually says
Section 250(3) of the Crime and Policing Act 2026 defines a "senior manager" as an individual who plays a significant role in (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or (b) the managing or organising of the whole or a substantial part of those activities.
Three concepts carry the weight: "significant role", "decisions about how... activities are to be managed", and "the whole or a substantial part". None of them mentions FCA approval, an SMF function code, or a Certified role under SM&CR. The test asks what the individual actually does inside the organisation. That wording is not new in spirit. The functional "senior manager" test traces back to the Corporate Manslaughter and Corporate Homicide Act 2007, s.1(4)(c), and the attribution structure mirrors the Economic Crime and Corporate Transparency Act 2023, s.196. What is genuinely new in 2026 is the uncapped offence scope.
Why SM&CR cannot be a complete answer to Section 250
SM&CR (the Senior Managers and Certification Regime) exists for FCA supervision of regulated financial-services activity. Its reach is the regulated activities a firm performs and the responsibilities the FCA cares about, and its core accountability mechanism, the Duty of Responsibility under FSMA s.66B, is enforced through regulatory sanctions, fines, prohibitions, withdrawal of approval, rather than criminal prosecution.
Section 250 is a different animal: a corporate criminal-attribution rule that applies to every UK body corporate and partnership, across all of their activities. When a senior manager commits an offence within the actual or apparent scope of their authority, the organisation commits it too. And the offence can be any criminal offence under the law of England and Wales, Scotland or Northern Ireland, not only something created by the 2026 Act.
Two things follow. People who run a substantial slice of non-regulated work, a head of technology, a chief operating officer, a managing partner over a major division, can satisfy s.250(3) without appearing on any SM&CR list. And someone who is SM&CR-approved for one regulated activity might not meet s.250(3), because their significant role is too narrow to count as "the whole or a substantial part".
Three classes of "missed by SM&CR" individuals
Three patterns recur when we work through a firm's register.
The CTO or CIO with budget and operational authority over a substantial part of the firm's technology. They plainly meet s.250(3) for that activity, and they are almost never on SM&CR for it.
The head of a major business division, a trading desk, an asset class, a fund family, who holds real decision-making authority over that division. They meet the test for those activities, yet they are often Certified rather than SMF-approved.
The interim or acting senior executive, where the SM&CR approval lags behind the operational reality. The person is running the function long before the paperwork catches up.
A register-only gap analysis cannot see any of these. A functional-test gap analysis can. CoverProof's classification engine is built around exactly this distinction; the test mechanics are set out in our Methodology.
"A significant role" — what counts
The statute does not list named criteria for "significant role", which means a court will read it functionally, looking at the substance of what the individual does rather than their title or formal status.
Decision-making authority over budget and headcount counts. So does operational responsibility for delivering a substantial product or service, and authority to commit the organisation to material contracts or risk positions. Formal delegation paperwork helps, but it is not the deciding factor. If a person is observably the one who decides, they meet the test.
The point cuts both ways. A senior title with no operational authority is not enough. A purely ceremonial CEO would arguably fail, while the deputy who actually makes the calls would meet it.
"The whole or a substantial part" — and how to evidence it
Alongside "significant role", the statute sets a scope test: "the whole or a substantial part of the activities". A board member clears it. So does the head of a business unit responsible for a meaningful share of the firm's revenue or risk, and the head of a function, compliance, finance, risk, technology, whose remit runs across the whole organisation.
Evidence for the "substantial part" element is practical. Organisation-chart placement, the scope of authority delegations, and reporting lines from material teams all speak to it. Record the assessment against those artefacts in the board paper or evidence pack, so that a reviewer in 2028 can reconstruct why the firm drew its scope conclusion where it did.
What a complete s.250 gap analysis must do
A defensible gap analysis is not "compare our SM&CR register to a list of names". It has to apply the s.250(3) functional test independently to every individual with senior responsibility for any substantial part of the organisation's activities, including operational and non-regulated work.
For each person, it should produce a record that shows how the test was applied (the reasoning), what it concluded (the verdict), and how confident that conclusion is (the confidence tier). And the record has to be reproducible: same input, same methodology version, same verdict.
CoverProof persists every classification with the SHA-256 input hash, the methodology version, the prompt fingerprint, the reasoning steps, and an auditor-grade summary. The full disclosure is in Methodology.
The cost of getting this wrong
If a senior manager later commits a qualifying offence within the actual or apparent scope of their authority, the organisation is treated under s.250(1) as having committed that offence.
Section 250 does not create an adequate-procedures or reasonable-steps defence. The evidential value of documented governance rests on being able to show three things: that the firm understood who its senior managers actually were, that those people were required to declare what they were doing, and that the firm acted on what came back. That is the gap-analysis-to-declaration-to-evidence-pack chain.
Missing one individual the court later finds in scope is not fatal on its own. But it leaves a much harder record to explain than one where the firm can show it ran the functional test deliberately and kept the evidence. s.250 comes into force on 29 June 2026, the end of the two-month period after Royal Assent on 29 April 2026, fixed by the statute itself; there is no commencement order to wait on and no discretion to extend it, only Parliament could change that date. The work is worth starting now.
Related articles
Who qualifies as a senior manager under Section 250? A role-by-role guide
9 min read
Documented governance under Section 250: building an evidence record
11 min read
Section 250 Gap Analysis: The Complete Compliance Checklist
5 min read
SM&CR vs Section 250: What Is the Difference?
5 min read
What Is Section 250 of the Crime and Policing Act 2026?
8 min read
Ready to identify your Section 250 exposure?
Import your SM&CR register, run your gap analysis, and download a PDF/A-3B evidence pack. First analysis is free.
Start Free Gap Analysis →Sources
- Crime and Policing Act 2026, s.250www.legislation.gov.uk/ukpga/2026/20/section/250
- FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime
- Corporate Manslaughter and Corporate Homicide Act 2007, s.1www.legislation.gov.uk/ukpga/2007/19/section/1
- FCA Registerregister.fca.org.uk/