Whether someone is a senior manager under Section 250 has nothing to do with their job title or whether the FCA approved them. It turns on a functional test in s.250(3). This guide applies that test to the roles a gap analysis most often gets wrong: the CTO, the COO, the divisional head, and the interim executive nobody put on the register.
What does the Section 250(3) test actually say?
Section 250(3) of the Crime and Policing Act 2026 defines a senior manager as an individual who plays a significant role in (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or (b) the managing or organising of the whole or a substantial part of those activities. No job title appears anywhere in that wording.
This is general information, not legal advice. Consult a qualified solicitor or FCA-regulated compliance adviser for your firm's specific situation.
Three things follow. The test is about authority and scope, not status: it never mentions the Financial Conduct Authority (FCA), an approved-person designation, or a Senior Management Function (SMF — a role the FCA must pre-approve under the Senior Managers and Certification Regime, SM&CR). It covers all of an organisation's activities, not only its regulated ones. And it sets no employment-status condition, so a contractor or interim executive can meet it as readily as a permanent employee.
The sections below apply the test to the roles a register-only gap analysis most often misclassifies.
What does "a significant role" mean in practice?
The statute does not define "significant role" with named criteria, so a court will read it by what the individual actually does. This functional wording traces to the "senior manager" test in the Corporate Manslaughter and Corporate Homicide Act 2007, which deliberately looks at a person's real decision-making and management role rather than relying on the narrower, older "directing mind and will" identification doctrine. Three markers point towards a significant role: decision-making authority over budget and headcount; operational responsibility for delivering a substantial product, service or business line; and authority to commit the organisation to material contracts or risk positions.
Formal delegation paperwork helps the assessment but is not required. If an individual is observably the person who decides, the absence of a signed mandate does not take them outside the test. The reverse also holds: a senior title with no real operating authority is not enough on its own.
The second half of the test, "the whole or a substantial part of the activities", is where most of the genuine difficulty sits. We treat that phrase in depth in a separate guide; the role assessments here assume the individual's remit is large enough to clear it.
Does a CTO or CIO qualify?
The Chief Technology Officer is the clearest example of the gap between SM&CR and Section 250. At most FCA-regulated firms, technology is not a regulated activity, so the CTO is rarely an SMF holder and often holds no certified function either. Yet the CTO usually controls the budget, headcount and operational direction of a substantial part of how the firm runs: its systems, its data, its resilience.
That is what s.250(3)(b) describes — managing or organising a substantial part of the organisation's activities. A CTO with real authority over the firm's technology estate is a strong candidate to be a senior manager under Section 250, and almost never appears on the SM&CR register for that work. The same reasoning applies to a Chief Information Officer or a Head of Engineering with equivalent scope.
Does a COO qualify?
The Chief Operating Officer is, by definition, responsible for organising how the firm operates. A COO whose remit spans operations, change, facilities and vendor management is managing a substantial part of the firm's activities in the most literal sense of s.250(3)(b).
Where a firm has an SMF24 (Chief Operations function) holder, that person is likely both SM&CR-covered and within Section 250 scope. The problem case is the operations lead who sits below the SMF threshold, common at smaller firms that never designated SMF24. The role can meet the s.250(3) test while being entirely absent from the register. The COO is one of the roles where the functional test and the register most often disagree.
Does a CFO qualify?
The Chief Financial Officer usually holds the SMF2 (Chief Finance function), so for the firm's regulated finance activities the CFO is normally both SM&CR-approved and within Section 250 scope. The verdict looks obvious at first glance.
The point worth recording is why the CFO qualifies under s.250: not because they hold SMF2, but because they play a significant role in managing a substantial part of the firm's activities. The SMF designation and the s.250 verdict happen to point the same way here, but they answer different questions. Documenting that reasoning matters, because the same logic is what catches the finance-adjacent roles SMF2 does not cover: a group financial controller, or a head of finance at an unregulated group entity.
Does the head of a business division qualify?
A divisional head running a trading desk, a fund family, an asset class, or a distribution channel is one of the most consistent Section 250 candidates. If the division represents a meaningful fraction of the firm's revenue, risk or client base, the person who decides how it is managed plays a significant role in a substantial part of the firm's activities.
Under SM&CR these individuals are frequently certified rather than SMF-approved, unless the firm has designated SMF6 (Head of Key Business Area). Certification is a firm-level judgement that someone could cause significant harm. That is not the same population as s.250(3). A divisional head who is certified but not SMF-approved is exactly the kind of individual a register-only comparison misses and a functional-test analysis catches.
What about the MLRO and Head of Compliance?
The Money Laundering Reporting Officer (MLRO, SMF17) and the Head of Compliance (Compliance Oversight, SMF16) are nearly always SM&CR-approved, so they will usually appear on your register. Whether they also meet s.250(3) depends on the scope of their authority over the firm's activities, not on their SMF status.
A compliance head who sets and runs the firm's control framework across the whole organisation plays a significant role in organising a substantial part of its activities, and is comfortably within scope. The value of running the functional test on these roles is not that it changes the answer — it rarely does — but that it records, in your evidence, that the firm considered them deliberately rather than assuming SM&CR cover settled the question.
Do interim executives and contractors qualify?
This is the row that catches firms out, and it is the most important one in this guide. Section 250(3) contains no employment-status requirement. An interim Chief Operating Officer, a contract Chief Technology Officer engaged through a personal service company, or a consultant who is effectively running a transformation programme can each meet the functional test. The test asks what the person does, not how they are paid or whether they are on the payroll.
Interim and acting executives are routinely missed for a structural reason: SM&CR approval lags operational reality. Someone steps into a role months before any registration catches up, and may leave before it ever does. A gap analysis built only from the FCA register, or only from the HR system of permanent staff, will not see them at all. Identifying who is actually exercising senior authority on the assessment date, regardless of contract type, is the single highest-value correction a functional-test approach makes.
How do you document a role-by-role assessment?
A defensible assessment records three things for each individual: how the s.250(3) test was applied (the reasoning), what the conclusion was (the verdict), and how confident the firm is in it (a confidence tier — we use High, Medium and Low). For the in-scope verdicts that matter most, note the specific authority that drove the decision: control of a named budget, responsibility for a named business line, a delegation that places a substantial part of the firm's activities in that person's hands.
When I built CoverProof's classification engine, these are the roles I designed it around: the CTO who never reaches the register, the certified-not-approved divisional head, the interim executive who is gone before the paperwork lands. The output is a per-individual record you can put in front of a board or a regulator showing the test was applied to the whole senior population, not just the names that happened to be on the register.
Work through your own senior population the same way, starting with the roles in this guide, and keep the reasoning beside each verdict. With s.250 commencing on 29 June 2026, that documented assessment is what turns a defensible position into a provable one.
Sources
- Crime and Policing Act 2026, s.250: www.legislation.gov.uk/ukpga/2026/20/section/250
- FCA, Senior Managers and Certification Regime: www.fca.org.uk/firms/senior-managers-certification-regime
- FCA Register: register.fca.org.uk/