SM&CR sorts the people at an FCA-authorised firm into three groups, with FCA pre-approval reserved for the most senior. Knowing who falls outside that net is where a Section 250 gap analysis begins.
The three parts of SM&CR
SM&CR covers everyone at an FCA-authorised firm, but it grips them with different strength.
The first part is the Senior Managers Regime. These are people holding a Senior Management Function (SMF), and they need the FCA to approve them before they can act. The second part is the Certification Regime: staff in roles that could cause significant harm. The firm certifies them once a year. The FCA does not pre-approve them. The third part is Conduct Rules staff, which is almost everyone else on the payroll, with narrow carve-outs for ancillary roles like catering or security.
For Section 250, the line that counts is the one between SMF holders the FCA has approved and everyone else.
What approved person status actually means
When the FCA approves someone, it has signed off on one named person doing one named function at one named firm. It is a personal authorisation, not a licence you carry around, and it falls away the moment you change firm or change role.
That approval pins accountability to the functions you were approved for. It says nothing about authority you hold outside them. A senior manager can run a substantial part of a business through influence and seniority that no SMF stamp ever touched, and the regime simply does not reach that authority. The SM&CR Duty of Responsibility (FSMA s.66B) is enforced through regulatory sanctions, not criminal prosecution.
The gap Section 250 targets
SM&CR maps the roles the FCA chose to define: the SMFs it pre-approves, the certified functions firms sign off each year. That map has edges.
Plenty of people steer a firm without sitting on it. A chief operating officer, the head of a major division, a technology or operations lead who decides how a large slice of the business runs day to day, sometimes the regime requires pre-approval, often it does not. Section 250 of the Crime and Policing Act 2026 was written for that population. The point is not that SM&CR broke. It is that real decision-making authority in a modern firm spreads wider than the roles the regime was built to capture.
Section 250(1) is what makes the gap bite. Where a senior manager of a body corporate or partnership commits a criminal offence while acting within the actual or apparent scope of their authority, the organisation commits that offence too. The offence can be any criminal offence under the law of England and Wales, Scotland or Northern Ireland. It is not limited to anything created by the 2026 Act. That uncapped scope is the genuinely new piece. The attribution mechanism itself echoes the Economic Crime and Corporate Transparency Act 2023, and the functional test for who counts as a senior manager traces back to the Corporate Manslaughter and Corporate Homicide Act 2007.
Running an SM&CR gap analysis for Section 250
The work comes down to comparing two lists.
List one: everyone currently approved or certified under SM&CR. List two: everyone who satisfies the s.250(3) test, meaning an individual who plays a significant role in making decisions about how the whole or a substantial part of the firm's activities are managed or organised, or in the managing or organising of those activities. SM&CR status is beside the point for the second list. Someone can meet the test with no SMF and no certification at all.
Whoever sits on list two but not list one is your potential Section 250 exposure.
That comparison is where this stops being abstract. CoverProof pulls your FCA register extract to build the approved-and-certified baseline, then classifies each individual against the verbatim s.250(3) wording. From there the workflow runs: gap analysis identifies the uncovered individuals, a declaration cycle goes out to confirm their roles, and the responses are captured in a PDF/A-3B evidence pack. That format (ISO 19005-3) is built for long-term preservation and supports the embedded hashing and attachments that go to authenticity, integrity and chain of custody, the things a court weighs when it decides whether a document stands up. The clock is fixed: s.250 comes into force on 29 June 2026, two months after Royal Assent, by statute. There is no commencement order to wait on and no regulator with discretion to move it.
Related articles
Who qualifies as a senior manager under Section 250? A role-by-role guide
9 min read
The Section 250 functional test: why SM&CR-covered isn't Section 250-covered
9 min read
Section 250 Gap Analysis: The Complete Compliance Checklist
5 min read
What Makes Compliance Evidence Admissible as a Business Record?
6 min read
What Is Section 250 of the Crime and Policing Act 2026?
8 min read
Ready to identify your Section 250 exposure?
Import your SM&CR register, run your gap analysis, and download a PDF/A-3B evidence pack. First analysis is free.
Start Free Gap Analysis →Sources
- FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime
- FCA Registerregister.fca.org.uk/
- Crime and Policing Act 2026, s.250www.legislation.gov.uk/ukpga/2026/20/section/250
- FSMA 2000, s.66B — Duty of Responsibilitywww.legislation.gov.uk/ukpga/2000/8/section/66B