Section 250 Gap Analysis Checklist

Purpose and scope of this checklist

This checklist is an operational tool for CCOs, compliance directors, and legal teams running a Section 250 gap analysis under the Crime and Policing Act 2026 (c.20). Section 250 comes into force on 29 June 2026 — two months after Royal Assent on 29 April 2026, by virtue of s.255(3).

The checklist covers six phases: establishing the SM&CR baseline; identifying the s.250(3) functional-test population; cross-referencing the two to identify the gap; obtaining declarations; producing the board evidence pack; and maintaining ongoing monitoring.

This checklist is a practical operational framework. It is not legal advice. Whether a specific individual meets the s.250(3) test at your firm depends on the facts of their role. For borderline assessments and where the stakes are material, take advice from qualified solicitors.

What this checklist can and cannot do

This checklist, and CoverProof's platform, can do the following well: pull your SM&CR register from the FCA; apply the s.250(3) functional test systematically to every individual in a structured assessment; identify the gap; drive a declaration cycle with tracked delivery and response; and generate a board evidence pack in PDF/A-3B with a SHA-256 hash.

The functional-test assessment — step 2 of this checklist — involves judgment that a tool can structure but cannot replace. CoverProof's AI-assisted classification applies the s.250(3) wording against a structured profile of each individual's role and authority. The classification is constrained to a fixed verdict schema and requires compliance officer review before declarations are sent. It is not a legal determination. For individuals flagged as Medium- or Low-confidence, or where the assessment will be contested, qualified legal advice is the appropriate next step.

Section 250 has no statutory defence based on documented diligence. A thorough, well-documented process reduces attribution risk and informs prosecutorial discretion under Joint SFO-CPS guidance. It does not create a statutory shield or guarantee any particular prosecutorial or sentencing outcome. There is no Sentencing Council guideline for s.250 yet. Documentation matters — but the correct framing of its value is evidential, not defensive.

• Obtain your firm's FCA register extract via the FCA Register Extract Service. This covers every person approved or certified under SM&CR associated with your FRN.
• Confirm the extract is current — check the date of the most recent update and verify against any personnel changes since that date.
• For group structures: obtain extracts for all relevant FRNs. A group-entity officer with authority over the UK subsidiary falls within scope even if the entity itself is not the regulated firm.
• Record the extraction date and version in your gap analysis record. If PS26/6 simplification has changed your certified population since your last analysis, ensure the baseline reflects the updated register.

• Define your assessment scope: all individuals who may play a significant role in (a) making decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or (b) managing or organising the whole or a substantial part of those activities.
• Assess by function, not by title. A job title of "Head of" or "Director" is not a proxy — assess the actual authority: budget control, operational responsibility, power to commit the firm to material positions.
• Include non-regulated function heads: technology, operations, legal, finance, HR, and procurement roles may qualify when the individual's remit covers a substantial part of the firm's activities.
• Include interim and acting executives. Section 250(3) has no employment-status condition. Interims and contractors who exercise real authority over a substantial part of the firm qualify even without SM&CR approval.
• Include NEDs only on careful analysis. An advisory NED who provides oversight without executive authority generally does not meet the managing-or-organising limb. An NED with de facto executive authority may. Apply the test to the facts.
• For each individual assessed, record: the specific authority that drove the inclusion or exclusion decision; the s.250(3) limb(s) engaged; the conclusion; and your confidence level (High / Medium / Low).

• Compare the s.250(3) functional-test population (Phase 2) against the SM&CR baseline (Phase 1). Anyone in the functional-test population who is not on the SM&CR register is your potential Section 250 gap.
• Separately note SMF holders who also meet the s.250(3) test: document the assessment explicitly for each, even though the conclusion is usually inclusion. This confirms the firm applied the functional test to the whole population, not only the unregistered individuals.
• Flag borderline cases: where the assessment is Medium- or Low-confidence, note the specific uncertainty. Borderline cases warrant closer review and, where material, legal advice.
• Produce a gap analysis record stating: assessment date; methodology applied (the s.250(3) functional test, verbatim); population assessed; gap identified; and who conducted the assessment.

• Send a formal Section 250 declaration request to each individual identified in the gap (and any borderline cases the firm wishes to cover). Each request should name the individual, their role, the basis on which they were assessed as meeting s.250(3), and what they are being asked to acknowledge.
• Send with delivery confirmation. Record the delivery timestamp for each request.
• Track responses against a log that records: date of request, date of delivery confirmation, date of response, and response outcome (signed / declined / no response).
• Chase non-respondents. Document each chase with the date and method. A chased non-response that the board has seen is a materially different position from a silence nobody noticed.
• Handle refusals on the record. Document the refusal, escalate to the board, and take legal advice. Do not treat an unresponded-to request as a signed declaration.
• Where an individual's role changes materially, treat the existing declaration as expired and issue a new one.

• Assemble the complete record: gap analysis methodology and results; every declaration sent with its delivery confirmation timestamp; every declaration received with its response timestamp; any non-responses with the full chase log; and an executive summary the board can read.
• Generate the pack as PDF/A-3B (ISO 19005-3): the long-term preservation format that forbids dynamic content, supports embedded XML audit logs, and ensures the document reproduces identically. Record a SHA-256 cryptographic hash at generation time.
• The hash must be stored separately from the PDF (in your audit database) so that the document's integrity can be verified independently. A stored hash next to the file shows, on demand, that the copy in front of a regulator or court is byte-for-byte the one generated at the time of your analysis.
• Present the pack to the board and obtain a formal minute or resolution recording that the analysis was done, the declaration cycle was completed, and the board has reviewed and accepted the results.
• Retain the board minute and the evidence pack together. The minute is part of the evidence.

• Set declaration renewal reminders: annually as a minimum; sooner on any material change to the individual's role or the firm's structure.
• Integrate Section 250 scope review into joiner processes. A new divisional head or COO should be assessed against the s.250(3) functional test before or on their start date, not at the next annual sweep.
• Integrate into leaver processes. If an individual in the gap leaves, the evidence pack should record the conclusion of their status.
• Re-run the full gap analysis at least annually, and after any significant change to the firm's senior structure or SM&CR register.
• Retain all evidence packs in line with your firm's record-keeping policy so the full audit trail remains available if challenged.

Related guides

Frequently asked questions

Primary sources

• Crime and Policing Act 2026, s.250 — legislation.gov.uk — the attribution mechanism and s.250(3) functional test applied throughout this checklist.
• Crime and Policing Act 2026, s.255 — commencement — source of the 29 June 2026 in-force date (two months after Royal Assent, 29 April 2026).
• FCA — Senior Managers and Certification Regime (SM&CR) — the SM&CR baseline used in Phase 1.
• FCA PS26/6 (22 April 2026) — SM&CR simplification — simplification that reduced the Certified Persons population; affects the Phase 1 baseline.
• FCA Financial Services Register — public record of approved persons by FRN; the starting point for Phase 1.