SUP Supervision Manual: Regulatory Reporting and FCA Oversight

What It Is

The Supervision Manual (SUP) is the FCA Handbook chapter that sets out how the FCA supervises authorised firms and what firms must do to facilitate that supervision. It covers the full range of the FCA's supervisory toolkit: regulatory reporting, notification obligations, waiver applications, variation of permission, change in control, appointed representatives, and the FCA's power to commission skilled person reports under section 166 of FSMA.

At its core, SUP creates a two-way relationship between firms and the regulator. Firms must provide the FCA with accurate, timely information about their business through regulatory returns and event-driven notifications. In return, the FCA uses that information — along with its own supervisory intelligence — to assess risk, allocate resources, and intervene where necessary.

The key regulatory returns include the RMAR (Retail Mediation Activities Return) for intermediary firms, the REP-CRIM return for financial crime data, annual financial returns, complaints data returns, and various sector-specific reports. Since the migration from Gabriel to RegData (now accessed through the FCA's Connect portal), the submission process has been modernised, but the underlying obligations remain stringent. Firms submit via RegData on fixed schedules, and the FCA uses the data to populate its risk model and inform its supervisory strategy.

Why the FCA Cares

The FCA cannot supervise what it cannot see. Regulatory reporting is the primary mechanism through which the FCA gathers the data it needs to identify risk, detect harm, and allocate supervisory resources across thousands of authorised firms. Without timely, accurate reporting, the FCA's risk-based supervision model breaks down.

The FCA's approach to supervision is data-driven. It uses information from regulatory returns to build firm-level risk profiles, identify outliers, and flag firms for enhanced supervision. A firm that reports a significant drop in revenue, a spike in complaints, a reduction in capital resources, or an unusual pattern of client money holdings will attract attention. Conversely, a firm that fails to submit returns at all is treated as uncooperative — and an inability to be effectively supervised is itself a breach of the Threshold Conditions.

Section 166 skilled person reports are one of the FCA's most powerful supervisory tools. They allow the regulator to commission a detailed, independent investigation of any aspect of a firm's business — at the firm's expense. The FCA has used Section 166 reports to investigate client money arrangements, systems and controls, conduct of business compliance, financial crime controls, and governance failures. The output of a Section 166 review can lead to requirements, restrictions, enforcement referrals, or — in the most serious cases — cancellation of authorisation.

The FCA has made clear that firms that are difficult to supervise — those that submit late, submit inaccurate data, fail to notify, or obstruct Section 166 reviews — will face consequences disproportionate to the underlying issue. Supervisory cooperation is not optional; it is a fundamental expectation of authorisation.

Who It Affects

Every FCA-authorised firm is subject to SUP. The specific reporting obligations depend on the firm's permissions, activities, and categorisation (flexible portfolio, fixed portfolio, or other). However, certain obligations are universal: all firms must submit annual financial returns, notify the FCA of material events, and cooperate with supervisory requests.

Retail intermediary firms — IFAs, insurance brokers, mortgage brokers, and consumer credit firms — are typically subject to RMAR reporting, complaints data returns, and the annual financial return. Larger or more complex firms may face additional reporting requirements depending on their MiFID status, their prudential categorisation (under MIFIDPRU or IPRU), and whether they hold client money or custody assets.

Consumer credit firms face particular reporting burdens, including data on lending volumes, arrears, defaults, and complaints. The FCA uses this data to monitor market trends and identify firms that may be causing harm through irresponsible lending or aggressive collection practices.

The Section 166 power affects all authorised firms, but in practice it is most commonly deployed against firms in the flexible portfolio (those the FCA supervises most closely) or firms where specific concerns have been identified. That said, any firm can be the subject of a Section 166 review, and smaller firms should not assume they are exempt.

What Firms Get Wrong

The most basic failure is late submission. Regulatory reporting deadlines are fixed and published in advance, yet a significant number of firms submit late, incurring automatic penalties and — more importantly — signalling to the FCA that the firm's compliance infrastructure may be inadequate. Late submission is one of the factors the FCA uses to assess whether a firm meets the Threshold Condition of being capable of being effectively supervised.

The second common failure is inaccurate data. Firms submit returns that contain errors — sometimes because data is manually compiled from multiple sources, sometimes because the firm does not properly understand what is being asked, and sometimes because the firm does not maintain adequate records. The FCA increasingly cross-references data between returns and against external sources. Inconsistencies trigger follow-up questions, and if the FCA concludes that a firm's data is unreliable, the consequences are serious.

Third, firms fail to make required notifications under SUP 15. The notification obligations are broader than many firms realise. Material changes to the business plan, breaches of regulatory requirements, significant complaints, fraud, litigation, changes in control, and matters affecting Threshold Conditions all require notification. The FCA has emphasised that late or missing notifications — particularly around events that subsequently result in customer harm — are treated as aggravating factors in enforcement proceedings.

Fourth, firms are poorly prepared for Section 166 reviews. When the FCA appoints a skilled person, the firm is expected to cooperate fully and promptly. Firms that are disorganised, cannot produce requested documentation, or are obstructive during the review process make matters significantly worse for themselves. The FCA reads non-cooperation as evidence that the firm has something to hide.

Fifth, firms do not maintain adequate records to support their regulatory returns. The RMAR and other returns require data on complaints, revenue, capital, professional indemnity insurance, and business volumes. Firms that compile this data retrospectively at submission time — rather than maintaining it continuously — are prone to errors and delays.

What Evidence the FCA Expects

The FCA expects firms to maintain complete, accurate, and contemporaneous records that support every data point in their regulatory returns. This includes financial records sufficient to demonstrate capital adequacy, complaints logs with full details of each complaint and its resolution, records of regulated business volumes, and evidence of professional indemnity insurance cover.

For notifications, the FCA expects firms to have a process for identifying notifiable events and escalating them to the compliance function for timely reporting. The FCA has published guidance on notification timescales — some events require immediate notification, others within a defined period. The firm should be able to demonstrate that its notification process captured each event and that the notification was made within the required timeframe.

For Section 166 readiness, the FCA expects firms to have organised records that can be produced promptly. This does not mean firms need to prepare specifically for a Section 166 review — but it does mean that the firm's records should be in sufficiently good order that a skilled person can conduct their review without unreasonable delay. Board minutes, committee papers, compliance monitoring reports, risk assessments, MI packs, and policy documents should all be accessible.

The FCA also expects the board and senior management to be engaged with regulatory reporting. Board minutes should demonstrate that the firm's senior management reviews regulatory submissions, understands the data, and takes responsibility for its accuracy.

Good Implementation

A well-run firm treats regulatory reporting as a business process, not a compliance chore. Reporting deadlines are calendared at the start of each year, with internal deadlines set well in advance of FCA submission dates. Data is compiled continuously, not retrospectively — MI systems feed directly into return preparation, reducing manual effort and error risk.

The compliance function owns the reporting process but does not operate in isolation. Finance provides capital and revenue data, operations provides business volume data, the complaints team provides complaints data, and the MLRO provides financial crime data. Each contributor understands what is required and delivers data in a standardised format on an agreed schedule.

Returns are reviewed by a senior individual before submission — preferably the relevant SMF holder — who confirms that the data is accurate and complete. A record of the review and approval is maintained, creating an audit trail that demonstrates senior management engagement.

The firm maintains a notification register — a log of all events that have been assessed against SUP 15 notification criteria. Events that require notification are recorded with the date of identification, the date of notification, and the content of the notification. Events that were assessed but did not require notification are also recorded, with the reasoning documented.

For Section 166 preparedness, the firm conducts periodic file reviews and record-keeping audits. Documents are stored in an accessible, organised manner. The firm has a point of contact designated for regulatory requests and a process for responding to information requirements within the timescales specified.

How Our Tool Helps

The MEMA FCA calculator includes a regulatory reporting module that tracks your firm's submission deadlines, alerts you in advance, and provides templates for data compilation. It maps your firm's permissions to the returns you are required to submit, so you have a clear picture of your reporting obligations throughout the year.

The tool includes a notification assessment framework that helps you evaluate whether a specific event triggers a SUP 15 notification obligation. It prompts you to consider all relevant notification categories and generates a documented assessment that forms part of your compliance audit trail.

For capital adequacy calculations — a critical input to several regulatory returns — the tool automates the computation under the applicable prudential regime and flags when your capital resources are approaching minimum requirements.

How Our Service Helps

Our compliance outsourcing service takes the burden of regulatory reporting off your firm's shoulders. We compile and submit your regulatory returns on your behalf, working with your finance and operations teams to gather the necessary data and ensuring submissions are accurate and timely.

For firms that have received a Section 166 notice, we provide hands-on support throughout the review process. We help you organise your records, prepare management for interviews with the skilled person, and ensure that the firm's response to findings is proportionate and credible. We bring direct experience of how Section 166 reviews are conducted and what the FCA expects to see.

We also provide regulatory reporting health checks for firms that want to improve the quality and efficiency of their reporting processes. We assess your current data flows, identify vulnerabilities, and implement improvements that reduce the risk of late or inaccurate submissions.

Relevant Sectors

Wealth management firms face some of the most extensive reporting obligations, including MiFID transaction reporting (where applicable), capital adequacy returns under MIFIDPRU, client money and assets reports, and the standard complaints and financial returns. The volume and complexity of reporting can be overwhelming for smaller wealth firms, particularly those that have grown rapidly without investing in back-office infrastructure.

Consumer credit firms face sector-specific reporting requirements that reflect the FCA's intense focus on consumer outcomes in credit markets. Product sales data, arrears and default data, and complaints data are all closely scrutinised. The FCA uses this data to identify lending practices that may cause harm and to target thematic reviews at firms showing adverse trends.

Insurance brokers must navigate the RMAR, complaints data returns, and — where they hold client money — the CASS returns. The interaction between general insurance and life insurance reporting can be complex for brokers that operate across both sectors. Firms with appointed representative networks face additional reporting obligations related to AR oversight, and the FCA has signalled increased scrutiny of how principal firms report on their AR activities.