What is SM&CR (Senior Managers & Certification Regime)?

The Senior Managers and Certification Regime fundamentally changed accountability in UK financial services by ensuring that a named individual is responsible for every significant area of a firm business. When firms deploy AI systems, SM&CR does not create new rules but applies existing accountability expectations to a new technology. The question is straightforward: who is personally responsible for this AI system, and can they demonstrate they are exercising appropriate oversight?

For mid-market firms adopting AI, SM&CR creates practical requirements. The senior manager with responsibility for the business area where AI is deployed needs to understand what the AI does, what risks it creates, and what controls are in place. They do not need to understand the technical details of transformer architectures, but they need to know what the system is designed to do, what it is not designed to do, how it is monitored, and what happens when something goes wrong.

This has implications for how AI is introduced into a firm. Before deploying an AI system that affects any SM&CR-accountable function, the responsible senior manager should be briefed and should sign off on the deployment. The governance framework should define what information senior managers receive about AI system performance, what thresholds trigger escalation, and how AI-related incidents are reported.

The certification regime is also relevant. Staff who use AI systems in certified functions need to understand the limitations of the tools they are using. If a certified individual relies on an AI-generated recommendation when advising a client, they remain personally responsible for that advice. Training programmes should ensure that certified staff understand how AI tools support rather than replace their professional judgement.

For mid-market firms, SM&CR compliance for AI does not require building a separate governance structure. It requires extending your existing SM&CR framework to cover AI systems, ensuring that statements of responsibility reflect AI-related accountability, and that management information includes AI performance and risk metrics. The firms that handle this well integrate AI oversight into existing governance rather than treating it as a separate workstream.