SM&CR reform and payment firms: scope before substance

ByRob Bratby Posted on Payments Regulation, UK
SM&CR reform and payment firms: scope before substance

HMT published its response to the Senior Managers and Certification Regime reform consultation on 22 April 2026, alongside FCA Policy Statement PS26/6 and PRA Policy Statement PS12/26. Most of the rule changes take effect on 24 April 2026. The first question payment firms should ask is not what the reforms do, but whether SM&CR applies at all. It does not reach pure authorised payment institutions or e-money institutions: the regime attaches to authorised persons under Part 4A of the Financial Services and Markets Act 2000, and APIs and EMIs sit outside that perimeter.

In short: HMT’s 22 April 2026 response to the SM&CR reform consultation, with FCA PS26/6 and PRA PS12/26, sets a package aimed at a 50% reduction in compliance burden. Most items need primary legislation. For SM&CR payment firms the changes matter; for pure APIs and EMIs the scope question comes first. The regime attaches only to authorised persons under Part 4A of FSMA 2000.

Regulatory background: where SM&CR attaches

SM&CR was introduced for banks through the Financial Services (Banking Reform) Act 2013, which inserted sections 59 to 63F and 64A to 64C into FSMA 2000. It was extended to insurers in 2018 and to all solo-regulated firms except benchmark administrators in December 2019. The trigger in every case is that the firm holds a Part 4A permission under FSMA section 31.

Authorised payment institutions are authorised under regulation 6 of the Payment Services Regulations 2017. E-money institutions are authorised under regulation 6 of the Electronic Money Regulations 2011. Neither regime grants a Part 4A permission. Both sit within the FCA’s supervisory scope, but they are separate statutory authorisations, and the FCA’s SM&CR guidance confirms that the regime does not apply to firms whose only regulated status is under the PSRs 2017 or the EMRs 2011.

Dual-regulated firms are different. A credit institution that also provides payment services, or a bank running an e-money line of business, holds a Part 4A permission and is fully within SM&CR. Small payment institutions and small EMIs remain outside. That distinction drives everything that follows.

The 22 April package: what changes and when

HMT’s response sets six reform items that require primary legislation: removing the Certification Regime from FSMA; reducing the number of Senior Management Functions needing pre-approval; repealing prescriptive Statements of Responsibilities; streamlining Conduct Rules to a notification and training basis; introducing time-limited and conditional senior manager approvals; and aligning the Financial Market Infrastructure SM&CR introduced under the Financial Services and Markets Act 2023. No timetable is given. The package will move at the pace of the next suitable financial services bill. HMT, FCA and PRA are working to a joint target of a 50% reduction in SM&CR compliance burden.

FCA PS26/6 and PRA PS12/26 move earlier, using the regulators’ existing rule-making powers. A 12-week SMF application window replaces the current approach. Reporting process changes take effect on 10 July 2026. The non-financial misconduct alignment set out in PS25/23 commences on 1 September 2026. The signalling is that the regulators will use their existing flexibility now and wait for Parliament to deliver the structural changes.

A parallel consultation on appointed representatives closed on 9 April 2026. It proposes bringing ARs into SM&CR. For payment firms using ARs, or considering doing so, this is a separate track worth watching: the AR reforms could catch firms that are out of scope on the principal side.

The PSR/FCA consolidation is a separate track again. It reorganises the regulator, moving payment systems functions from the PSR into the FCA, but it does not change the statutory perimeters. APIs remain authorised under the PSRs 2017 and EMIs under the EMRs 2011. Neither acquires a Part 4A permission by virtue of the consolidation.

The practical question for fintechs is therefore not “does SM&CR get easier” but “does SM&CR apply to me”. The answer turns on the specific FCA authorisation held, not on a general impression of being FCA-regulated.

Commercial and operational implications

Three points matter for SM&CR payment firms in transactional contexts, and for the counsel advising PE-backed payments businesses.

First, diligence. A regulatory due diligence questionnaire that asks whether the target has an SM&CR compliance programme is asking the wrong question of a pure API or EMI. The right question is which FCA authorisations the target holds, whether any group company holds a Part 4A permission, and whether any individual performs a role that would be in scope under a dual-regulated subsidiary or a pending authorisation upgrade. Diligence checklists drafted for banks need rewriting before they are sent to fintech targets.

Second, warranties. Warranties that reference the “FSMA approved persons regime” without qualification are ambiguous when the target is an API or EMI. Sellers should seek clarification; buyers should anchor specific warranties to the actual regime applicable, PSRs 2017 or EMRs 2011 for pure firms, SM&CR only for dual-regulated entities.

Third, authorisation upgrades. A fintech moving from EMI status to credit institution status crosses the SM&CR threshold at the point a Part 4A permission is granted. Transaction structures that contemplate an authorisation change mid-deal need to plan the SMF application timeline as a condition precedent, and the new 12-week application window gives a predictable hook for that planning.

Bratby Law’s regulatory due diligence service is built around this kind of scope analysis.

Viewpoint

The reform package is welcome. SM&CR has grown heavier than the underlying policy rationale required, and the structural streamlining is overdue. But the more useful message for the payments sector is that the regime does not attach as widely as general commentary suggests.

Payment firms sold simplification they do not currently need can be advised away from compliance programmes they should not be running. That diverts legal spend and creates a misleading impression of the regulatory footprint in transactional contexts. For dual-regulated firms the reforms will matter. For pure APIs and EMIs the near-term issue is the AR consultation and the possibility, not the certainty, that a future authorisation upgrade brings SM&CR into view.

The scope question has always been the important one. The 22 April package is a useful moment to answer it clearly.

For advice on SM&CR scope, regulatory due diligence on fintech targets, or warranty drafting for payments M&A, contact Rob Bratby via the Payments Regulation practice area.

By Rob Bratby, Managing Partner, Bratby Law. 30+ years in regulated industries, including current Fractional General Counsel to UKPI. Chambers UK Band 2, Legal 500 Leading Partner.

Select topics of interest
Rob Bratby

Lawyer

Telecoms | Data | Payments | Managing Partner, Bratby Law | Fractional General Counsel | Chambers-ranked telecoms lawyer

Similar Posts