Section 250 of the Crime and Policing Act 2026 takes effect on 29 June 2026. This checklist walks through the five-phase compliance process: gap identification, declaration cycle, counterparty requests, board evidence, and ongoing monitoring.
Phase 1: Gap identification
Start with two lists, then compare them.
First, export your firm's FCA register extract through the FCA Register Extract Service. This is your record of who the FCA has already approved and certified under SM&CR.
Second, build a list of everyone who meets the s.250(3) "senior manager" test: an individual who plays a significant role in (a) the making of decisions about how the whole or a substantial part of the firm's activities are to be managed or organised, or (b) the managing or organising of the whole or a substantial part of those activities. In practice that catches more than your obvious SMF holders. A COO, the head of a major division, a risk officer with real authority over a substantial part of operations, all sit inside the test even where they hold no Senior Management Function.
Now cross-reference. Anyone on the second list who is not covered by the first is your potential Section 250 exposure: a senior manager whose offending, committed within the actual or apparent scope of their authority, can make the firm itself guilty of the same offence — and that reaches any criminal offence under the law of England and Wales, Scotland or Northern Ireland, not only offences created by the Act. SM&CR is a separate, regulatory accountability framework — its Duty of Responsibility is enforced through regulatory sanctions rather than criminal prosecution — which is why people inside the s.250 test can fall outside the accountability you already manage.
Write down how you did it. The methodology matters as much as the result. If you ever have to defend the analysis, you need to show how you identified the population, not just hand over a final headcount.
Phase 2: Declaration cycle
Every individual in the gap gets a formal Section 250 declaration request. Each request should name the specific role and the provision it relates to, so there is no ambiguity about why the person is being asked.
Track delivery and response on a system that records confirmation of receipt and the timestamp of each reply. Manual spreadsheets tend to fall apart once you are chasing more than a handful of people.
Chase non-respondents, and log every chase with its date.
Refusals need handling on the record. Document the refusal, escalate it to the board, and take legal advice. A documented refusal that the board has seen is a very different position from a silence nobody noticed.
Phase 3: Counterparty requests
Your exposure does not stop at your own payroll. Identify the significant third parties with material roles in your regulated activities: sub-advisers, outsourced service providers, introducers.
Write to each one and ask them to confirm they have run their own Section 250 analysis. Keep their responses.
Where a counterparty cannot confirm it has done the work, treat that as a live risk. Escalate to your legal team and decide whether the relationship can continue on those terms.
Phase 4: Board evidence pack
Pull the whole cycle into one pack: the gap analysis methodology and results, every declaration sent and received with its timestamp, the counterparty confirmations, and an executive summary the board can actually read.
Generate it as PDF/A-3B (ISO 19005-3), the long-term preservation format that reproduces the document reliably and supports embedded attachments. Record a SHA-256 hash of the file at generation. No file format is admissible in itself, admissibility is decided by a court case by case on authenticity, integrity and chain of custody. What PDF/A-3B and a stored hash give you is the evidence that those tests rely on: a fixed document and a way to prove later that the copy in front of the court is the one you produced. That is what makes the pack a business-record artefact rather than just a tidy report.
Present it to the board and get a formal minute or resolution recording that the analysis was done and the cycle completed. The board's acknowledgement is part of the evidence.
Phase 5: Ongoing monitoring
Section 250 is not a one-off project. Set expiry reminders so declarations are renewed annually and whenever someone's role materially changes.
Fold the scope review into your joiner and leaver processes, so a new division head is captured the week they start rather than at the next annual sweep.
Re-run the full gap analysis once a year, and again after any significant change to the firm's structure or senior personnel.
Retain every evidence pack in line with your firm's record-keeping policy, so the full audit trail stays available if the analysis is ever challenged.
Related articles
Ready to identify your Section 250 exposure?
Import your SM&CR register, run your gap analysis, and download a PDF/A-3B evidence pack. First analysis is free.
Start Free Gap Analysis →Sources
- Crime and Policing Act 2026, s.250www.legislation.gov.uk/ukpga/2026/20/section/250
- FCA Registerregister.fca.org.uk/
- FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime