What is the Senior Managers Regime?
The Senior Managers Regime is the part of the FCA's Senior Managers and Certification Regime (SM&CR) that ties responsibility for regulated activity to named individuals. Senior decision-makers are held personally accountable for how their firm is run, and the FCA sets out the framework each firm must apply.
In practice it rests on four things:
- Senior Management Functions, allocated to named people the FCA approves.
- A Statement of Responsibilities for each senior manager, setting out what they own.
- The duty of responsibility: taking "reasonable steps" to prevent regulatory breaches in that area.
- Conduct rules that set enforceable standards of individual behaviour.
The point of the regime is that when something goes wrong, the FCA can identify who was responsible. That principle does not change because a decision was made with software. It does get harder to apply, which is what the Mills Review examines.
What the Mills Review says about the Senior Managers Regime
The Review does not recommend new rules. It concludes the existing framework is sound and needs "progressive adaptation, not wholesale replacement," and it notes that no firm it engaged argued the accountability model should change. For a fuller overview, see what the Mills Review is.
Where it flags pressure is in application. The Review maps each regime against its five-level autonomy spectrum, and finds the Senior Managers Regime operates cleanly while AI supports human decisions, at the operator, collaborator and consultant levels. Strain appears as systems move toward approver and observer, where AI prepares or executes actions and the human sets boundaries rather than making each call. At that point, the Review warns, "meaningful human control" becomes harder to evidence even though accountability remains clear in principle.
Why "reasonable steps" gets harder as AI acts
The duty of responsibility asks a senior manager to show they took reasonable steps. That is straightforward when a person makes the decision and a reviewer checks a sample. It is harder when an AI system triages alerts, drafts a suspicious activity report for sign-off, or prepares a regulatory return, and does so continuously across thousands of cases.
The Review is direct about the gap this can open: without clear assurance, the increasing opacity of more autonomous AI, combined with model drift, could create "a potential gap between the outcomes of AI mediated decisions and the ability of the regulator to identify a de facto responsible party." Accountability stays with the individual, but demonstrating the steps behind it needs different evidence. This is the same evidencing shift we describe for the Consumer Duty.
Assurance: how a senior manager evidences control
The Review's answer is assurance. On page 81 it says "assurance tools, including pre-deployment and ongoing checks, could better enable senior managers to take 'reasonable steps' to prevent regulatory breaches or misconduct, including risks from third-party models operating upstream."
In plain terms, a senior manager evidences control by being able to show what an AI system did and why, before it went live and while it runs. That means pre-deployment testing against real cases, monitoring that flags when a system moves outside expected behaviour, and a full record of decisions, overrides and timestamps. Explainability is the floor here, not a nice-to-have, as we argue in why explainability is not optional. Running that check on every case rather than a sample is the difference between an assertion and an evidence trail a supervisor can inspect.
The accountability chain and third-party models
Most firms will not build their own models. They will rely on general-purpose and domain-specific models from a small number of providers, updated on the provider's schedule, not the firm's. The Review is clear that this does not move the responsibility: the firm and its senior managers remain accountable for outcomes "even where aspects of model behaviour, performance and change sit outside their direct control."
That makes vendor oversight a senior-management task, not just a procurement one. Firms are beginning to name technical-governance responsibilities in Statements of Responsibilities, map their model dependencies, and require the same evidence from a bought-in model that they would from an internal one. The dependency is managed through oversight and assurance, never transferred.
What this looks like in practice
Take a mid-sized specialist lender that has introduced AI to pre-check affordability and flag suitability issues before a human underwriter signs off. The accountable senior manager is not a new "head of AI." It is the existing SMF who owns compliance oversight for that business line.
Their reasonable-steps evidence is no longer a policy document and a quarterly sample. It is a live picture: which cases the model checked, what it flagged, where a human overrode it and why, and an alert when the model's behaviour drifts from its tested baseline. When the FCA asks how the firm governs AI in that process, the answer is a record, not an assurance. That is the practical shift the Mills Review is pointing at, and it maps closely to AI in mortgage compliance more broadly.
Senior manager checklist for AI
- Assign a named senior manager to each AI system in a regulated process, including bought-in models.
- Update the Statement of Responsibilities to reflect who owns AI governance for that area.
- Require pre-deployment assurance: testing against real cases before a system influences outcomes.
- Put ongoing monitoring in place that flags drift, degradation and out-of-bounds behaviour.
- Keep a standing evidence pack: decisions, overrides, timestamps and model changes, ready for a supervisor.
Frequently asked questions
Does the Senior Managers Regime apply to AI-driven decisions?
What are "reasonable steps" for AI under the Senior Managers Regime?
Can a firm delegate accountability for AI to its vendor?
Does the Mills Review change the Senior Managers Regime?
Who is the accountable senior manager for AI in a firm?
AI in mortgage compliance: oversight first, speed follows
AI in mortgage compliance is the use of artificial intelligence to check mortgage case files against regulatory rules, flagging issues for a human to approve before the lender decides. Lenders are racing to put AI into underwriting for speed, but brokers named compliance checking the bigger prize: unsupervised, unauditable AI just reaches the wrong answer quicker.
Point of viewAI's real job in wealth management is compliance, not advice
In wealth management, AI's most transformational use is compliance, not adviser productivity. Compliance has always run on sampling, reviewing two or five percent of files because that is all human bandwidth allowed. AI lets a firm check every case against its own criteria, changing the statistical basis of the control itself.

Dawid Kotur
CEO and co-founder, Curvestone
Dawid co-founded Curvestone in 2024 after a decade working at the intersection of financial services and applied machine learning. He writes about the strategic direction of regulated-industry AI, the FCA's evolving approach to model risk, and the operational changes UK lenders are making in response to Consumer Duty. He sits on the FCA Smart Data Accelerator advisory cohort.
LinkedIn