Compliance hiring is the same funnel as any other hire with one structural addition: every step has to be auditable. The regulator can ask, six years later, for the evidence that this candidate met fitness and propriety, that the background screen ran, that the rubric did not produce disparate impact, that the human-review path was offered. If the evidence is not there in the audit trail, the answer is "we cannot demonstrate it".
Three things make compliance hiring harder than its volume suggests.
One, the artefacts are durable. This playbook's retention defaults are six years for general FCA records under SYSC 9 and ten years for SMCR senior-manager records; check the exact periods against your firm's record-keeping schedule, because SYSC sets minimums that differ by business line. The audit trail has to survive longer than the hire often does. Manual screening notes on a personal laptop do not meet this bar; a structured, queryable, exportable record does.
Two, the rubric itself is regulated. The EU AI Act (Article 6(2) with Annex III, point 4) classifies AI used for recruitment and selection as high-risk. The provider's conformity assessment under Article 43 has to show that the Articles 9 to 17 requirements are met (risk management, data governance, technical documentation, automatic logging, transparency, human oversight, accuracy and robustness, a quality management system) and that post-market monitoring under Article 72 is in place. The hiring tool you use is itself in scope, and as deployer you carry your own Article 26 duties. If your tool cannot produce the documentation that assessment rests on, your firm carries the residual risk.
Three, the wrong hire has named regulatory consequences. An FCA-regulated firm that puts forward a senior manager for approval, or certifies a certification-function holder, without a sound fitness and propriety assessment is in breach of its SMCR obligations. Personal accountability sits with the SMF whose responsibilities cover that assessment. This is not a P and L problem; it is a personal-accountability problem.
This playbook walks one open compliance-constrained role end to end. It assumes you work at an FCA-regulated firm, an EU credit institution under EBA supervision, a healthtech company subject to NHS DTAC clearance, or a critical-national-infrastructure adjacent supplier needing BPSS or SC. The playbook is operational; it is not legal advice. Confirm any specific compliance question with your compliance officer or your regulator before signing.
Sections 03 (the audit trail), 07 (background screening), and 08 (EU AI Act conformity) are the three most-quoted by compliance buyers.
The Picked funnel runs the same way for a compliance-constrained hire as for an unconstrained one. What changes is the wrapper: every stage produces a record that goes into the audit file, every decision is timestamped and logged, every override has a captured reason.
Stage                                 Owner          Compliance delta
-----------------------------------------------------------------------------------------
01 Role brief and rubric              You            Regulator-required fields recorded
02 Posting and syndication            Picked         Same as standard funnel
03 Triage (intake)                    Picked         Right-to-work plus self-declared regulatory status
04 AI screen (voice)                  Picked         Consent for ADM logged; transcript retained
05 Role-specific assessment           Picked         4/5ths fairness audit logged per role
06 Behavioural interview              Picked         Structured anchors; transcript retained
07 Background screen                  Vendor + You   BS7858 or BPSS or SC depending on role
08 Three finalists arrive             Picked → You   Audit-trail manifest accompanies finalist card
09 Fitness and propriety attestation  You            SMCR roles only; SMF attestation logged
10 On-site half-day + offer           You            Offer letter cites regulatory schemes by name
The hire takes 5 to 15 days longer end to end than the unconstrained equivalent. Background screening is the main contributor (SC in particular can run 6 to 12 weeks if the candidate is not already cleared). Picked's six funnel stages do not add days; the audit-trail wrapper runs in parallel.
The audit-trail manifest at stage 08 is the artefact a compliance officer will ask to see first. It lists every event, every timestamp, every actor (human or AI), every rubric weight applied, every override and its captured reason. Exportable as a single PDF for inclusion in the candidate audit file. Generated automatically; not manual.
The audit trail is what stays after the hire is forgotten. This playbook's defaults are six years for general FCA records under SYSC 9.1 and ten years for SMCR senior-manager records; the fitness and propriety criteria those records evidence are set out in the FCA Handbook FIT sourcebook and, for dual-regulated firms, PRA SS28/15. The audit trail has to be retrievable, structured, and unambiguous.
Picked exports the full audit trail for any role as a single PDF on demand, or as a structured JSON envelope for compliance systems that ingest hiring records. The PDF format is the default for inclusion in the candidate audit file. The JSON envelope is for automated ingestion into GRC systems (e.g. Vanta, Drata, Secureframe, Tugboat Logic).
Retention defaults: Picked retains the trail for six years after role-close (matching the FCA SYSC 9.1 baseline). SMCR-tagged roles retain for ten years. The retention is configurable per-customer for jurisdictions with longer requirements; the default covers UK FCA firms and EU credit institutions under EBA supervision.
It does not include candidate data the candidate has asked to be erased. Where processing rests on consent, the candidate can withdraw it at any time (GDPR Article 7(3)) and request erasure (Article 17); non-hire candidates can do so at any point. For hired candidates, the retention bridge means the trail persists as part of the employment record, on the employment-contract and legal-obligation bases rather than consent, under the firm's own retention policy.
It does not include personally identifying data the firm did not collect. Picked does not infer protected characteristics from voice, video, or text; the only demographic data in the trail is what the candidate self-declared at the consent step (and even that is optional).
A regulated-role brief carries two layers of fields: the standard role-brief content (covered in the Engineering, Sales, or Product playbook) plus the regulatory-classification fields that determine the audit trail downstream.
Three competencies are weighted higher in regulated-role rubrics than in their unconstrained equivalents: risk awareness, evidence orientation, and escalation instinct (the same three the day-60 onboarding check revisits). Add or raise these in the role-brief rubric tuning.
These competencies are added on top of the role-family default rubric (from the Engineering, Sales, or Product playbook). The default rubric weights are scaled down proportionally to make room.
Regulated-firm sourcing has a smaller pool by design. Candidates with SMCR experience, with active SC clearance, or with NHS DTAC familiarity are a finite set; the supply is tighter than for unregulated equivalents.
Three sourcing moves the hiring manager can make for regulated roles.
The Picked AI screen and the role-specific assessment run the same way for a regulated-role candidate as for an unconstrained one. What is different is the consent flow at intake and the retention of the artefacts.
Every candidate sees a structured consent page at the start of the funnel. For regulated roles, the consent page adds three explicit acknowledgements on top of the standard GDPR consent:
Withdrawing consent at any point is the candidate's right under GDPR Article 7(3), with erasure under Article 17. For regulated-role candidates who withdraw, the funnel halts; retained data is purged within 30 days (the standard purge cycle), unless the candidate was hired, in which case the audit trail persists as part of the employment record on a lawful basis other than consent.
Voice transcripts from the AI screen and the behavioural interview, plus the structured score sheets, plus the assessment item-level responses, all go into the audit trail at the stage that produced them (04, 05 and 06) and surface in the audit manifest at stage 08.
The 4/5ths fairness audit runs on every batch of candidates for the role. For regulated firms, the audit is logged per stage (screen, assessment, interview) and per protected group, with the per-group selection rate, the baseline-group rate, and the 4/5ths-rule pass-fail determination. The audit output is exportable as a single artefact for inclusion in the firm's annual fairness review.
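The per-stage, per-group determination described above, as an added worked example (this is not Picked's code). Two things the page leaves open are assumed here: the baseline group at each stage is the eligible group with the highest selection rate, as in the US Uniform Guidelines, and groups smaller than MIN_GROUP_SIZE are reported as "insufficient data" rather than forced into pass/fail, because a handful of candidates cannot support a disparate-impact finding either way. The grouping attribute can be a self-declared protected characteristic or, as the language section suggests, the language the candidate chose. The funnel counts are constructed for illustration.

```python
"""Four-fifths (80 percent) rule audit over a multi-stage hiring funnel.

Added example; not Picked's code. Assumed (the page does not say): the
baseline is the eligible group with the highest selection rate at that
stage, and groups below MIN_GROUP_SIZE are reported as "insufficient data".
"""
from collections import Counter
from dataclasses import dataclass, asdict
from typing import Iterable

IMPACT_RATIO_FLOOR = 0.8   # the four-fifths rule itself
MIN_GROUP_SIZE = 30        # assumed small-numbers threshold; not from the page


@dataclass(frozen=True)
class GroupResult:
    stage: str
    group: str
    applicants: int
    selected: int
    rate: float
    baseline_group: str
    impact_ratio: float
    determination: str  # "pass", "fail" or "insufficient data"


def expand(stage: str, group: str, applicants: int, selected: int):
    """Turn aggregate counts into one (stage, group, advanced) event per candidate."""
    return [(stage, group, i < selected) for i in range(applicants)]


def four_fifths_audit(events: Iterable[tuple[str, str, bool]],
                      min_group_size: int = MIN_GROUP_SIZE) -> list[GroupResult]:
    applicants: Counter = Counter()
    selected: Counter = Counter()
    for stage, group, advanced in events:
        applicants[(stage, group)] += 1
        selected[(stage, group)] += int(advanced)

    results = []
    for stage in sorted({s for s, _ in applicants}):
        groups = sorted(g for s, g in applicants if s == stage)
        rate = {g: selected[(stage, g)] / applicants[(stage, g)] for g in groups}
        eligible = [g for g in groups if applicants[(stage, g)] >= min_group_size]
        # Baseline: highest-rate group among those large enough to count; fall
        # back to all groups if none is, so every row still carries a baseline.
        pool = eligible or groups
        baseline = max(pool, key=lambda g: (rate[g], g))  # tie-break on name
        for g in groups:
            if rate[baseline] == 0.0:
                ratio = 1.0  # nobody advanced at this stage: no disparity to measure
            else:
                ratio = rate[g] / rate[baseline]
            if applicants[(stage, g)] < min_group_size or not eligible:
                determination = "insufficient data"
            elif ratio >= IMPACT_RATIO_FLOOR:
                determination = "pass"
            else:
                determination = "fail"
            results.append(GroupResult(stage, g, applicants[(stage, g)],
                                       selected[(stage, g)], round(rate[g], 4),
                                       baseline, round(ratio, 4), determination))
    return results


def failing_stages(results: list[GroupResult]) -> list[str]:
    """Stages with at least one failing group: what the compliance file flags."""
    return sorted({r.stage for r in results if r.determination == "fail"})


def to_rows(results: list[GroupResult]) -> list[dict]:
    """Flat rows for the single exportable audit artefact (CSV or JSON)."""
    return [asdict(r) for r in results]


# Constructed sample funnel; the counts are invented for illustration.
SAMPLE_EVENTS = (
    expand("04 screen", "A", 100, 50) + expand("04 screen", "B", 100, 45)
    + expand("05 assessment", "A", 50, 30) + expand("05 assessment", "B", 45, 18)
    + expand("06 interview", "A", 30, 10) + expand("06 interview", "B", 18, 6)
    + expand("06 interview", "C", 10, 5)
)

if __name__ == "__main__":
    audit = four_fifths_audit(SAMPLE_EVENTS)
    for r in audit:
        print(f"{r.stage:14} {r.group}  n={r.applicants:3}  rate={r.rate:.2f}  "
              f"ratio={r.impact_ratio:.2f} vs {r.baseline_group}  {r.determination}")
    print("stages failing the 4/5ths rule:", failing_stages(audit))
```

In the sample, the screen passes (group B's impact ratio is 0.90), the assessment fails (0.40 against a 0.60 baseline gives 0.67), and the interview stage can only be determined for group A because B and C are below the size threshold. A per-stage view like this is what catches a funnel that is fair in aggregate but filters one group out at a single stage.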
The screen and assessment run in 25-plus candidate-side languages; the audit trail captures the language the candidate chose. For roles where English-only is a regulatory requirement (some FCA-regulated client-facing roles), the role brief specifies it and the intake filters accordingly. For roles where it is not a regulatory requirement, candidates can run in their preferred language and the fairness audit cross-checks selection rates across language as it does across protected groups.
Accessibility: the funnel supports candidates who need adjustments (extended time on the assessment, alternative input modalities, captioned playback of the screen for review). The adjustments are logged in the audit trail without being attached to the rubric score (the score uses the unadjusted-equivalent calibration).
Background screening starts when the candidate accepts a conditional offer; the offer stays conditional until the screen clears, and the result is logged at stage 07 of the audit trail. The standard the firm screens to depends on the role classification and the regulator. Picked integrates with named screening providers; the integration logs the screen output into the audit trail.
BS 7858:2019 is the British Standard code of practice for screening individuals who will work in a secure environment. Many FCA-regulated firms screen to it for all hires regardless of SMCR classification. The screen covers: identity verification, right to work, 5-year employment history with gap explanation, 5-year address history, credit history (focusing on adverse data), criminal records check (basic DBS in the UK; equivalent in the EU), professional-regulator history, character references.
Typical timeline: 5 to 10 working days for a clean screen; 15 to 25 working days if any item triggers follow-up. Cost: 80 to 200 GBP per candidate depending on the provider.
Named providers Picked integrates with: HireRight, Sterling, Veremark, Onfido (for identity-and-right-to-work specifically), Experian Hunter, ClearMark. The firm picks the provider; Picked logs the screen output into the audit trail.
Baseline Personnel Security Standard. The minimum pre-employment check for anyone with access to UK government assets, including information at OFFICIAL; access above OFFICIAL additionally needs national security vetting (CTC, SC or DV). Covers identity, nationality and immigration status, employment history (3 years), and unspent criminal convictions.
Timeline: this playbook plans for 4 to 8 weeks. Cost: typically passed through at cost (around 100 to 200 GBP per candidate plus the firm's admin time). BPSS is carried out by the employer or its screening provider, not by UKSV; it is a pre-employment check, not a clearance.
Required for sustained access to SECRET-classified information. SC is conducted by UKSV (UK Security Vetting). The firm is the sponsor and the candidate is the subject: the candidate completes the security questionnaire, UKSV runs the checks, and the clearance is granted, refused, or referred.
Timeline: 6 to 12 weeks typically; up to 6 months for complex cases (extensive foreign-national family ties, foreign-residence history). The clearance is portable across UK-government contractors for up to 24 months between sponsoring employers, which is why SC-cleared candidates are over-represented in pre-existing networks.
For SC-required roles, the offer letter is conditional on clearance being granted. The candidate cannot start in the SC-required parts of the role until clearance is confirmed; they can typically start in non-SC parts of the role while clearance is in progress.
For healthtech firms supplying the NHS, DTAC (the Digital Technology Assessment Criteria) is an assessment of the product against clinical safety, data protection, technical security, interoperability and usability criteria; it is not a clearance of individual hires. However, hires whose roles touch DTAC-assessed products may need to acknowledge the firm's DTAC undertakings and complete the firm's information-governance training within 30 days of start.
NHS suppliers also typically run enhanced DBS checks for clinical-facing roles. Where the basic DBS used in BS 7858 shows only unspent convictions and conditional cautions, the enhanced check also shows spent convictions and cautions and any relevant local police information, and for roles in regulated activity it can include a check of the children's or adults' barred lists.
The EU AI Act classifies AI used for recruitment and selection as high-risk under Annex III, point 4. From 2 August 2026, when the Annex III high-risk obligations start to apply, hiring tools that affect EU candidates must meet the requirements of Articles 9 through 17. The Picked side of the funnel is built to spec; the customer side has its own obligations that this section covers.
EU AI Act Article 26 sets out deployer obligations. The firm (i.e. the hiring company using Picked) has separate obligations from Picked. These include:
A fundamental rights impact assessment under Article 27 is mandatory for deployers that are public bodies or private entities providing public services, and for deployers of the credit-scoring and life or health insurance systems in Annex III point 5(b) and (c). Deploying a hiring system does not by itself put a private FCA-regulated firm or credit institution in scope, but this playbook treats the FRIA as the recommended baseline for regulated firms. The assessment covers: the deployer's processes in which the system is used, the period and frequency of use, the categories of natural persons likely to be affected, the specific risks of harm, the human oversight measures, and the measures to take if those risks materialise.
Picked provides an FRIA template aligned with the EU AI Act guidance. The firm completes the template, reviews it annually, and lodges it as part of the AI system's deployer documentation. The template is on /trust/compliance.
For FCA-regulated firms hiring into SMF (Senior Management Function) or certified-function roles, fitness and propriety is the gate before the offer is signed. For SMF roles the firm's assessment accompanies the application for FCA (and, where dual-regulated, PRA) approval; for certification functions the firm's own certificate is the gate. The hiring SMF (or where the role is itself an SMF, an existing SMF in the firm) attests that the candidate is fit and proper against the FCA Handbook FIT sourcebook.
The FCA Handbook FIT sets out three pillars: honesty, integrity and reputation (FIT 2.1); competence and capability (FIT 2.2); and financial soundness (FIT 2.3).
The hiring SMF reviews the candidate's full audit trail: Picked screen, assessment, interview, structured references, background screen, fitness-questionnaire self-declarations. The SMF signs a written attestation that the candidate is fit and proper for the function, citing the evidence reviewed. The attestation is logged in the audit trail at stage 09 and forms part of the SMF's personal compliance file.
The attestation does not have to be conclusive on all three pillars; it has to be a documented judgement based on the available evidence. If a pillar is unclear, the firm typically asks for additional evidence (specialist references, financial soundness check, regulatory clearance from prior regulator) before signing the attestation.
On accepting the offer, the candidate acknowledges the SMCR Conduct Rules in writing. The Individual Conduct Rules in COCON apply to all certified-function and SMF staff (and to most other staff at the firm). There are now six, the sixth added in 2023 alongside the Consumer Duty: act with integrity; act with due skill, care and diligence; be open and cooperative with the FCA, the PRA and other regulators; pay due regard to the interests of customers and treat them fairly; observe proper standards of market conduct; act to deliver good outcomes for retail customers.
The acknowledgement is logged in the audit trail and surfaced in the firm's annual SMCR certification cycle. Picked stores the acknowledgement; the firm produces it at annual certification and on regulator request, for example during an investigation.
Certified-function holders must be re-certified annually as fit and proper. The annual certification draws on: ongoing performance evidence, conduct-rule breaches if any, regulator references at exit and re-entry, the firm's internal monitoring. Picked retains the original audit trail and supports re-certification by re-running the structured-reference flow if the firm requests it; we do not run the re-certification itself.
The finalist card for a compliance-constrained role has the same blocks as the role-family default plus the audit-trail manifest. The manifest is the load-bearing artefact for the compliance officer reviewing the hire.
A one-page summary of every funnel event for the candidate: timestamps, scores, override actions, fairness-audit determination, consent records, language used. Exportable as PDF for the candidate's audit file. Available before the offer is signed; not as an afterthought.
Read the headline of all three first. Then the audit-trail manifest of the rank-1 candidate. Then the rubric breakdown. Then the case-study or interview transcripts for any competency that is borderline. The order matters; the audit trail surfaces issues earlier than the score breakdown.
About 18 percent of compliance-role finalists in our beta have been overridden by the hiring manager (similar to the engineering rate; lower than sales). Most overrides are based on: an audit-trail flag the rubric did not weight (e.g. an inconsistent right-to-work disclosure resolved during the funnel), a regulator-specific evidence gap, or a structured-reference signal that surfaced post-rubric.
Compliance-role offer letters have five fields beyond the standard offer:
The offer letter is pre-reviewed by an employment lawyer who is also familiar with the firm's regulatory framework. The first compliance-role offer in any firm is the one to review carefully; subsequent offers in the same role family can use the templated version.
Compliance-role onboarding has mandatory artefacts that ordinary onboarding does not. The first 90 days are the period in which the firm's SMF holders carry direct liability for ensuring the new hire is operating to standard; under-investment here is personal regulatory risk.
Standard 30-60-90 cadence with two additions for compliance roles.
At day 30: confirm Conduct Rules training is complete; confirm the information-security training is complete; confirm any role-specific qualifications are scheduled (e.g. CFA Level 1 for some investment roles, ICA International Diploma for compliance roles, NHS information-governance for healthtech). Log the confirmation in the audit trail.
At day 60: structured one-on-one focused on the three compliance-specific rubric competencies from section 04 (risk awareness, evidence orientation, escalation instinct). The conversation is captured in the personnel file. Concrete behaviours are recorded; vague descriptions do not survive a regulator review.
At day 90: the formal performance review. For certified-function roles, the 90-day review is the first input to the annual certification cycle. The review uses the rubric the candidate was hired against; the deltas between hiring score and 90-day score are recorded and explained.
If a Conduct Rules breach is suspected (whether by the new hire or by anyone reporting to them), the firm's internal-breach-reporting process kicks in. The hiring manager, the SMF, and the compliance function are notified. The investigation is documented; the outcome is logged in the personnel file. Where the firm takes disciplinary action against a senior manager for a Conduct Rules breach, it must notify the FCA within seven business days (SUP 10C); breaches by certification staff and other conduct-rules staff are reported annually (REP008).
Conduct-rule breaches in the probationary period are not automatically grounds for dismissal; they are grounds for investigation, mandatory training, written feedback, and where appropriate withdrawal of certification. The audit trail covers the firm; the firm's response covers the hire.
The whole playbook in one page. Print this section; pin it; come back to it every time you open a compliance-constrained role.