Closing the Gap Between Algorithmic Governance and Real Control - What a Structured Algorithmic Trading Risk Mandate Looks Like in Practice
The question that starts the conversation
It rarely begins with a regulatory breach. It begins with a question a COO, CRO or CCO finds they can no longer answer with confidence: if the FCA asked us tomorrow to explain what our algorithms are actually doing and who is personally responsible for each material risk they carry, could we give a clear answer?
The firms that commission this kind of work are not poorly managed. They are typically MiFID RTS 6 compliant, their governance documentation is in reasonable order, and their senior teams are experienced.
The issue is that formal compliance with an individual piece of regulation and genuine control in line with SMCR expectations are often not the same thing.
The FCA's 2025 multi-firm review made that distinction visible across the industry, and the firms that recognised themselves in the findings were not always the ones that expected to.
A firm can be fully compliant with RTS 6 and still leave its SMF holders materially exposed. Compliance sets the floor. It does not determine where the real risks reside.
Where the exposure tends to sit
Three patterns tend to recur in firms with significant algorithmic trading activity, regardless of size or sophistication. In global banks operating through a London entity, each pattern is typically more acute, for reasons that go to the structure of the business rather than the quality of local management.
1. The inventory is incomplete
Firms document what they call algorithms. What tends to go undocumented is everything classified as infrastructure, tooling or models: vendor execution logic, parameter-setting routines, ML-driven pricing components. By the time an inventory is genuinely complete, the population of in-scope systems is typically larger than the one in the self-assessment. An SMF holder cannot demonstrate accountability for risks they do not know they carry.
For London entities within global firms, this problem has an additional dimension. Algorithms are frequently developed and parameterised in New York, Hong Kong or Frankfurt. The UK entity runs them under UK regulatory expectations, but the SMF who signs the Statement of Responsibility may have limited practical visibility over deployment decisions, parameter changes or incidents that originate outside their jurisdiction. The inventory gap in these cases is not primarily a documentation failure. It is a structural consequence of global operating models that were not designed with UK personal accountability requirements in mind.
2. The frameworks do not talk to each other
RTS 6 sits with Compliance. SS5/18 sits with Risk. SS1/23 model risk sits, if anywhere, with a validation function still working out how to apply it to adaptive systems. None were designed to be read together and in most firms they are not. The problem is structural: these regulatory frameworks were written for vertically organised functions, but algorithmic trading risk runs horizontally across all of them simultaneously. A single algorithm can generate conduct risk, model risk, operational risk and personal SMF accountability exposure at the same time, routed through three separate governance structures with different owners, different escalation paths and different annual cycles.
When obligations across RTS 6, SS5/18 and SS1/23 are mapped against actual Statements of Responsibility, the gaps tend to be more significant than anticipated: overlapping coverage in some areas, silence in others, and questions about cross-functional and cross-border accountability that have never been explicitly resolved. When an incident occurs, multiple functions respond separately with no unified view of which named individual is personally accountable.
3. Controls exist but have not been tested in the conditions that matter
Kill switch functionality is present in most firms. The more useful question is whether it has been rehearsed under realistic conditions: not planned downtime, but simultaneous halts across co-deployed strategies in a moving market. Surveillance alert thresholds are typically calibrated once and left to run, even as the trading environment around them changes. The Compliance function is then in the position the FCA described in its 2025 review: monitoring outputs it cannot technically evaluate from systems whose behaviour it cannot meaningfully challenge.
What the work looks like
A structured mandate of this kind runs in stages.
The first establishes a more complete picture of what is actually running, how the governance frameworks map against it, and where the personal accountability gaps reside. A central part of that diagnostic is mapping horizontal risk exposures: identifying where a single risk type cuts across RTS 6, SS5/18 and SS1/23 simultaneously, and tracing whether any named individual has clear accountability for that risk end-to-end. For global firms with London SMF holders, the diagnostic specifically examines whether UK accountability structures have genuine reach into the global book, or whether they exist on paper while operational authority sits elsewhere.
The output is not a findings list but a prioritised roadmap in which every gap is linked to the SMF risk it creates. That framing matters: the same gap looks different depending on whether it is a documentation shortcoming, a structural ownership problem, or a cross-border visibility failure. Remediation has to address the right underlying cause.
Remediation typically spans five areas:
a unified governance framework integrating RTS 6, SS5/18 and SS1/23 into a single operating model;
a redesigned self-assessment process with defined evidence standards and external validation;
documented Risk function authority over algorithmic controls, including the conditions under which parameters can be altered or strategies halted;
model risk governance for ML components through drift monitoring and validation triggers rather than static annual review cycles;
and an accountability framework that gives each named SMF a documented, evidenced trail of the reasonable steps they have taken.
That last element is the one which most governance programmes omit. Policies matter. Evidence that named individuals understood their obligations and acted on them is what the FCA will actually test.
The AI dimension
The firms we work with on algorithmic governance are simultaneously confronting a closely related challenge. ML-driven pricing models, adaptive execution strategies and AI-assisted decision tools are already running in production. SS1/23 already requires them to be treated as models within the model risk framework. This is not a future consideration.
Firms that build algorithmic and model risk governance capability now are not merely closing today's compliance gap. They are building the foundations for AI governance that regulators are moving toward. Starting from a framework that already connects risk ownership, model validation, SMF accountability and surveillance across the relevant regulatory frameworks is a significantly better position than starting from scratch when formal AI governance requirements arrive.
What changes
In a mandate of this kind, the most reliable indicator of success is not just updated policies. It is whether the people accountable for algorithmic trading governance engage with it differently.
Consider what a well-executed remediation makes possible. The annual self-assessment becomes a genuine risk management exercise rather than a compliance obligation. When ML components trigger drift monitoring alerts, the review protocol is followed, changes are assessed, and the relevant SMF can evidence exactly what steps were taken. Neither event needs to become a regulatory matter.
The original question gets a materially better answer. Not because the policies are better written, but because the people who need to own them understand what they are accountable for, across functions and across the jurisdictions in which their firm operates, and can show they have engaged with it seriously.
The gap between compliance and control is not always a governance failure. In global firms, it is often a structural one. Closing it requires practitioners who understand how accountability actually works in a real trading business, not just how it is described on paper.
About FMCR
FMCR is a network of senior practitioners, former COOs, global business heads, traders and risk leaders from Tier 1 global banks, providing advisory services to Markets and Banking leadership teams across risk management and performance. For further discussion and an initial consultation, please contact FMCR at contact@fmcr.com.