Regulatory references under the SM&CR

This article focuses in depth on an issue that has caused frequent headaches for firms already covered by the SM&CR: regulatory references.

Part 1 of this article explains the regulatory references regime in detail.

Part 2 discusses the difficult judgement calls which firms face when dealing with regulatory references.

PART 1 – What is a regulatory reference?

The SM&CR currently applies to “Full Scope Firms”, namely banks, building societies, credit unions, PRA-designated investment firms and insurers. Full Scope Firms currently have to seek regulatory references for their senior managers, significant harm/certification function holders and non-executive directors. Other regulated firms do not currently have to request regulatory references. However, they do have to respond to a regulatory reference request from a Full Scope Firm, albeit in a limited manner. In December 2019, the SM&CR will be extended to cover all firms regulated by the FCA (other than appointed representatives) and such firms will become Full Scope Firms. The FCA has published its near-final rules regarding this extension.

What is the obligation?

Full Scope Firms must implement and maintain policies and procedures which comply with the regulatory reference regime.

Full Scope Firms must take all reasonable steps to obtain regulatory references from each firm that employed/engaged the individual in the previous six years before the references are requested. A firm must request references from former employers even if the former employers are outside of the financial services sector or based overseas. If a Full Scope Firm cannot obtain a regulatory reference from a former employer, it must obtain as much information as possible about an individual’s fitness and propriety and it should record evidence of its efforts.


Full Scope Firms must obtain regulatory references:

  • No later than one month before the end of the process of a senior manager applying for a senior management function;
  • Before issuing a certificate in respect of an individual being appointed to a certified function; and
  • Before appointing a non-executive director who is not a senior manager.

There are some limited exceptions to these timescales. For example, if it would breach the confidentiality of a commercial transaction, then it may be possible for a Full Scope Firm to delay obtaining a regulatory reference.

The FCA expects regulated firms to respond to a request for a regulatory reference within six weeks.

What information must be requested?

A Full Scope Firm must request, from other regulated firms, the information set out in the FCA’s mandatory regulatory reference template, and must provide the referee firm with as much information as needed to let the referee firm understand what the individual’s new function/role will involve (e.g. job title, role description, FCA controlled function code such as SMF4 Chief Risk).
A Full Scope Firm requesting information from a former employer outside of the financial services sector, will usually need to set out the information it is requesting from the former employer. A non-regulated employer is not obliged to provide any information to the Full Scope Firm.

What information must be disclosed?

A Full Scope Firm must respond to a regulatory reference request setting out the information requested in the FCA’s mandatory reference template, including:

  • Have there been any breaches of the individual or senior managers’ conduct rules?
  • Have there been any conclusions that the individual was not fit and proper to perform a regulated function?
  • Have there been any disciplinary outcomes against the individual?

These are quite stark occurrences which a firm will already have deliberated over in the past. The real difficulty is that the mandatory form also (separately) requires a Full Scope Firm to provide all information it is aware of which it considers reasonably relevant to the individual’s fitness and propriety. Whilst a firm does not have to disclose information that has not been verified, it still has to provide a full picture of the individual’s fitness and propriety.

What period of time should a reference relate to?

A Full Scope Firm is only required to provide reference information in relation to the six-year period before the date of the request for the reference, save in the case of information concerning serious misconduct for which there is no time limit.

A Full Scope Firm is also required to update each regulatory reference it has given when matters come to light which would have meant that it would have drafted the reference differently, had it known about those matters when it provided the reference.

Overseas firms

The regulatory reference rules do not apply to overseas firms that do not have an establishment in the UK. Overseas firms with an establishment in the UK need to provide regulatory references for individuals who were employed in their branches in the UK and the content of the reference needs to only relate to their activities regarding the UK.

PART 2 – Examples of difficulties with the regime

Regulatory references are not exempt from English laws regarding employment references. This puts Full Scope Firms between a rock (the regulatory reference regime) and a hard place (an individual’s right to bring a claim for breach of their legal rights).

Here is a brief summary of the legal risks which apply to regulatory references in England and Wales:

  • Defamation – If Firm A makes a false statement to Firm B which harms an individual’s reputation, the individual could claim against Firm A for defamation. Therefore, Firm A must ensure that any references it gives are true and supported by evidence.
  • Malicious falsehood – If Firm A provides a reference which contains untrue comments which were made maliciously or recklessly, the individual can sue Firm A for damages.
  • Deceit – If Firm A intentionally and knowingly makes a factual statement which it knows is not (or is reckless as to whether it is) true, and that reference is relied upon to an individual’s detriment, the individual can sue Firm A for deceit.
  • Negligent misstatement – Firm A owes a duty of care to Firm B and the individual when giving a reference. A failure to comply with the duty can give rise to claims of negligent misstatement.
  • Breach of duty – If Firm A fails to comply with the FCA’s rules on regulatory references, Firm B and the individual could claim against Firm A for breach of duty.
  • Constructive dismissal – If Firm A gives a damaging reference, or fails to give a reference, in relation to an existing employee, the employee could (if they have at least two years’ service) claim that the firm has breached the term of mutual trust and confidence and claim constructive unfair dismissal. (Members of an LLP cannot claim constructive dismissal.)
  • Victimisation – If Firm A provides a reference which is tainted by the fact that an individual has raised a complaint about characteristics which are protected under equality legislation (such as age, sex, disability/health, pregnancy/maternity), then the individual can sue Firm A for victimisation.

Firm B can also be liable for acting on the basis of information related to such complaints. The individual may also have grounds to bring a claim against Firm B if Firm B discriminates in the way it responds to a reference request because of the protected characteristics of the individual or any other person.

The way many firms avoid these risks when giving normal (non-regulatory) references is to provide a factual reference only (e.g. with dates of employment and job title) or to not provide a reference at all. However, it will not be possible for a Full Scope Firm to adopt these approaches to regulatory references because they are required to respond fully to the questions on the mandatory template reference form.

Why are these real risks?

A blemished regulatory reference could prevent an individual from working in the financial services sector for a long time. Many firms will not take the risk of recruiting a candidate who has a regulatory reference which casts even a small doubt regarding his or her fitness and propriety.
Individuals have limited options to mitigate their financial losses if they receive a damaging reference. Accordingly, their losses are likely to be substantial. This will motivate individuals (and their lawyers) to enter into disputes readily with former employers to try to prevent or limit a damaging regulatory reference. We have attended presentations given by lawyers who act mainly for individuals (not employers) and that is the message they gave – an individual has to do whatever he or she can to prevent a damaging reference.

Of course, each time a firm provides a regulatory reference which states anything negative about an individual, it will give rise to a fresh possible claim against the firm.
A real-life scenario

Allegations of misconduct are raised by an employee about a senior manager. These allegations, if proven, would affect the firm’s view of the manager’s fitness and propriety. The manager is suspended pending an investigation. However, before the firm has the chance to investigate the allegations against the individual, he or she resigns. A short time later, the firm receives a request for a regulatory reference.

The FCA has confirmed that firms are not obliged to conclude investigations in these circumstances but it would be best practice for them to do so. However, supposing the investigation is not concluded, then HR, Compliance and/or Management now have to make a decision with regards to what (if anything) the firm will say in the reference. The FCA has said in a policy statement that firms are not obliged to disclose details of individuals who have been suspended pending internal investigation. Therefore, a firm could take the view that it does not need to disclose details of the allegation in the reference. However, this does not sit easily with the obligation on firms to provide all information which is reasonably relevant to an assessment of the individual’s fitness and propriety. One can imagine that if allegations are related to, say, sexual harassment or dishonesty, the firm giving the reference may feel quite uneasy about not referring to such allegations in the reference.

A further difficult decision is whether to offer the individual the opportunity to review the underlying evidence and to respond, so that his or her response can be taken into account when the firm provides the reference. To be clear, the firm is not required to allow the employee to see the draft reference or to comment on the drafting.

Supposing the individual then raises convincing and/or plausible defences to the allegations which could potentially be corroborated with further investigation. How far down the rabbit hole is the former employer prepared to go to be fair to the individual?
Finally, if something is stated in the reference about the individual’s alleged conduct, the firm giving the reference should consider whether that would then trigger a reporting obligation to the regulator because there has been a breach of the conduct rules.


As Andrew Bailey (Chief Executive of the FCA) put it, the regulatory reference regime was designed to prevent ‘rolling bad apples’. At the core (pardon the pun) of the regime, is a requirement for relatively frank disclosures to be made by firms about outgoing or former staff. Such firms face a real risk of having to fend off threats of litigation from individuals who may (justifiably) be very worried that they cannot work in the financial services sector again due to potentially trivial (or unfounded) allegations of misconduct which may be included in a regulatory reference.

SM&CR Toolkit News

Claire Cummings

Claire practises financial services law with a focus on regulatory issues, cryptocurrencies and tokens, trading and brokerage documentation and advising both existing and start-up funds and fund managers.

If you would like to discuss any of the points we raise, please contact me or one of our other lawyers.

Phone: 0207 585 1406