Translating SUP12 into practice: what does effective ongoing oversight really look like for principal firms?

24 June 2026
In light of the recent Supreme Court judgment on Kession, appropriate oversight and monitoring of Appointed Representatives (“AR”) has never been more important. 

In this article we consider the steps that principal firms should take to ensure they have sufficient understanding of the activities being undertaken by their ARs and any potential associated risks. This follows, and should be read as complementary to, our previous article on practical tips for AR registration.

Overview

The FCA’s expectations do not end once an Appointed Representative (“AR”) has been registered; rather, this marks the point at which the principal firm assumes full regulatory responsibility for the regulated activities carried on by its AR.

At its core, the position in SUP 12 is clear: a principal firm remains fully responsible for the regulated activities of its AR, as if it were carrying out those activities itself. This means that appointing an AR is not a delegation of regulatory responsibility, but rather an extension of the principal firm’s own permissions, and one that must be actively controlled, monitored and evidenced.

Whilst SUP 12 sets out a series of prescriptive obligations (including review and reporting requirements – see below), the FCA’s expectations go further. In particular, PS22/11: Improving the Appointed Representatives regime (“PS22/11”) marked a watershed moment, reinforcing the need for principal firms to demonstrate that oversight is proactive, risk-based and effective in practice, rather than simply compliant on paper.

In practical terms, this means principal firms are expected to operate a structured governance, risk and compliance framework, with AR oversight embedded into day-to-day operations and supported by clear policies, management information and escalation processes.

Based on our experience of working with principal firms, ARs and networks, we have summarised below the key pillars of what effective AR oversight looks like in practice.

Documented, Risk-Based Oversight and Active Monitoring

To ensure effective oversight of an AR, principal firms should be able to clearly articulate - and evidence - how that oversight is delivered in practice. This will typically be formalised through an “AR Oversight Policy”, which sets out:

  • The governance structure for AR oversight, including Board and committee reporting lines;
  • The management information (“MI”) framework, covering risks, breaches and complaints;
  • Senior management accountability, including Senior Management Function (“SMF”) oversight of AR activities;
  • Clearly defined escalation routes, calibrated to the severity of issues; and
  • Annual Assessment of the AR.

Whilst SUP 12 does not prescribe the form these arrangements must take, the existence of a clearly articulated oversight policy is a key supervisory expectation which enables principal firms to demonstrate that their oversight framework is structured, consistent and capable of delivering effective control in practice.

In terms of how a principal firm monitors its AR on an ongoing basis, PS22/11 makes clear that oversight should be tailored to the specific risk profile of each AR, taking into account factors such as the nature of its activities, customer base, and complaint history.

A key theme is that oversight must be proactive and data-driven. Principal firms cannot rely on periodic assurances or occasional ‘check-ins’; they are expected to maintain ongoing visibility over the AR’s activities and customer outcomes. Implementing a formal AR Oversight and Monitoring Plan is therefore critical to ensure a structured, risk-based approach and to demonstrate that oversight is embedded in practice. Typically, this plan would include:

  • A documented AR risk assessment framework;
  • A monitoring plan setting frequency, risk level, responsibility and testing approach, including:
    • File reviews;
    • Thematic reviews (e.g. sales practices, client communications, Consumer Duty);
    • Consumer Duty outcomes; and
    • Financial monitoring, resourcing (including training and competence) and growth levels.
  • Annual assessment of the AR;
  • Defined meeting frequency with key AR stakeholders; and
  • Ongoing review of contractual arrangements.

To ensure that they are able to monitor and evidence AR compliance, a principal firm should also maintain a robust MI and reporting framework, capturing:

  • Complaints data and root cause analysis;
  • Breaches and incidents;
  • Financial performance; and
  • Consumer Duty, including testing and outcomes.

It is expected that any compliance monitoring is reported to the Board on a regular basis, proportionate to the nature and scale of the AR’s activities.

Finally, oversight must be capable of driving action. In practice, this may include enhancing controls, restricting activities or terminating the arrangement where necessary, with the FCA expecting principal firms to intervene promptly where there is a risk of consumer harm.

Annual Review and Self-Assessment Obligations

Beyond the day-to-day monitoring, SUP 12 introduces the following formal, periodic review obligations:

  • Annual AR review: the principal must assess whether the AR remains suitable, including:
    • Verifying that the information previously provided is accurate and sufficiently up to date;
    • Updating financial checks;
    • The adequacy of its own controls and oversight where any of the following have occurred:
      • The size or volume of the AR’s business has increased significantly in a short period of time;
      • An unusually high turnover of senior managers or directory persons / individuals carrying on regulated activities in the AR;
      • A significant increase in complaints relating to the AR;
      • A change in the AR’s business model;
      • A change to the scope of the AR’s appointment; and
    • The fitness and propriety of the AR’s directors / managers responsible for the regulated activities.
  • Annual self-assessment: the principal must also undertake a self-assessment to assess its own compliance with the requirements of SUP 12, identifying and addressing any material deficiencies in relation to its own compliance. This assessment must be approved by the principal’s governing body. The FCA has made it clear that this self-assessment process should be a challenge process with genuine value judgements about the role of Principal and not simply a ‘tick box’ exercise.

These assessments must be robust, documented and retained for at least six years by the principal firm. In practice, the approach to both the annual review and self-assessment should be clearly set out within the AR Oversight Policy and the AR Oversight and Monitoring Plan, ensuring that these processes are structured, repeatable and supported by underlying monitoring and MI.

Consumer Duty Alignment and Wider Control Framework

PS22/11 makes clear the FCA’s expectation that oversight is aligned with the Consumer Duty and focused on delivering good customer outcomes. This suggests these considerations will now be central to how the FCA assesses whether a principal firm is meeting its SUP 12 obligations in substance. Therefore, principal firms should be able to demonstrate how their oversight framework:

  • Maps AR activities to Consumer Duty outcomes;
  • Monitors customer outcomes and potential indicators of harm;
  • Reflects appropriate product governance and customer journey oversight; and
  • Ensures that consumers are receiving fair value for products and services.

Alongside this, effective oversight relies on a broader control framework to support day-to-day supervision. Typically, this will include:

  • A Financial Promotions Policy, covering approval processes, oversight and record-keeping;
  • A Training and Competence Policy, including fitness and propriety assessments of AR staff, ongoing staff training and competency reviews; and
  • A Complaints Policy, which accounts for centralised logging and escalation of complaints to the principal whilst ensuring DISP-compliance.

While not expressly prescribed by SUP 12, these elements will also be key to demonstrating that the principal’s oversight arrangements are not only well-designed, but operating effectively in practice.

Ongoing Regulatory Reporting, Notification and Record-Keeping Obligations

An important feature of SUP 12, reinforced by PS22/11, is the expectation that oversight is supported by robust reporting, notification and record‑keeping arrangements.

In addition to annual reviews, principal firms must reassess an AR where certain ‘trigger events’ arise, such as shifts in the AR’s business model or activities, changes in senior management more than once in a 12-month period, the appointment of an additional principal, or a spike in complaints (SUP 12.6A.3R). Principal firms should therefore ensure these triggers are embedded in contractual arrangements, requiring the AR to notify the principal firm promptly and enabling onward notification to the FCA where required.

An important development under PS22/11 is the FCA’s move towards enhanced data reporting and closer regulatory engagement. Whilst SUP 12 requires principal firms to submit periodic reports covering matters such as complaints, revenue and remuneration, PS22/11 places a greater emphasis on the depth and use of this data, with principal firms expected to provide more granular information on their AR population, including business activities, revenues and complaints metrics. This reflects the FCA’s concern around potential harm arising in AR models and its shift towards a more proactive and interventionist approach. Principal firms should therefore ensure their internal MI aligns with these requirements and supports the early identification and escalation of emerging risks.

SUP 12.9 mandates that principal firms retain certain key documentation to evidence oversight in practice. This includes copies of the original AR agreement and any subsequent amendments, records of key decisions (such as the rationale and timing of any amendment or termination), and details of any arrangements with other principal firms. These records must generally be retained for at least three years from the date of termination or amendment, alongside longer retention of oversight outputs such as annual reviews and self-assessments. PS22/11 reinforces that this is not simply an administrative requirement, but a critical means of demonstrating that oversight is effective, ongoing and capable of withstanding regulatory scrutiny.

Taken together, these requirements reflect a clear supervisory direction: principal firms should have integrated MI, reporting, notification and record‑keeping frameworks that not only meet SUP 12 requirements, but also enable early identification of risk and prompt, informed intervention.

Conclusion

Taken together, the post-appointment obligations reinforce a clear supervisory message: AR oversight must be evidence-based and outcomes-focused. For principal firms, this means moving beyond a compliance-led approach to one that is embedded within governance, supported by meaningful MI and capable of demonstrating, both to Senior Management and the FCA, that the AR population is being effectively managed in practice. Coupled with HM Treasury’s consultation on the AR regime (AR Consultation post | LinkedIn), this is indicative of the ‘direction of travel’ towards the tightening up of the AR regime. 

This article has been prepared jointly by Legal and Consulting colleagues within our FS Regulatory team, drawing on recent practical experience advising principal firms on AR registration and oversight. If there are any aspects of AR oversight that you would like to discuss, please contact Felicity Rowan or Harry Howe.
