Complete Appointed Representative Guide
2025 Edition

Common restrictions include:

Key insight: While ARs have lower initial costs and faster time to market, direct authorisation typically becomes more cost-effective once annual revenue exceeds £300,000-£500,000, depending on the principal's fee structure.

The FCA has published extensive guidance on its expectations for principal firms, particularly in light of several high-profile AR failures that have resulted in significant consumer harm and market disruption.

AML/CTF Framework Requirements:

• Risk assessment: Firm-wide and AR-specific financial crime risk assessments
• Policies and procedures: Comprehensive AML/CTF procedures aligned with principal's framework
• Customer Due Diligence (CDD): Risk-based CDD and Enhanced Due Diligence (EDD) procedures
• Sanctions screening: Real-time screening against UK and international sanctions lists
• Transaction monitoring: Systems to detect unusual or suspicious activity
• Suspicious Activity Reports (SARs): Clear escalation process to principal's MLRO

MLRO Oversight:

The principal's Money Laundering Reporting Officer (MLRO) has specific responsibilities for AR oversight:

• Reviewing and approving AR AML/CTF procedures
• Receiving and assessing AR suspicious activity reports
• Filing SARs to the National Crime Agency (NCA) for AR-related suspicions
• Monitoring AR compliance with AML requirements
• Reporting AR financial crime issues to FCA where required

Sanctions and PEPs:

• Sanctions screening: All AR clients screened against OFSI, UN, and EU sanctions lists
• PEP identification: Enhanced due diligence for Politically Exposed Persons
• Ongoing monitoring: Continuous screening for sanctions and PEP status changes
• Asset freezes: Immediate action protocols when sanctions matches identified

Comprehensive due diligence is the foundation of effective AR oversight. The FCA expects principals to conduct extensive checks before appointing ARs and maintain ongoing due diligence throughout the relationship.

• Companies House verification: Confirming legal entity status, registered address, and filing history
• Ownership structure: Identifying all beneficial owners (25%+ shareholding) and ultimate beneficial owners
• Group structure: Understanding parent companies, subsidiaries, and related entities
• Corporate PEP screening: Checking if any beneficial owners are Politically Exposed Persons
• Sanctions screening: Verifying no owners appear on sanctions lists
• Adverse media: Searching for negative news about the entity or its owners

Individual Due Diligence (Key Persons):

• Identity verification: Passport/driving license and proof of address
• Regulatory history: Checking FCA Register and previous regulatory approvals/withdrawals
• Employment verification: Confirming CV details and employment gaps
• Qualifications: Verifying professional certifications and academic credentials
• References: Professional references from previous employers (minimum 2)
• Credit checks: County Court Judgments (CCJs), bankruptcies, and IVAs
• Criminal record checks: DBS checks where appropriate to the role
• Fit and proper assessment: Comprehensive evaluation of honesty, integrity, and competence

Business Model Due Diligence:

• Business plan review: Assessing viability, sustainability, and regulatory compliance
• Target market analysis: Ensuring appropriate client segmentation and fair value propositions
• Revenue model: Understanding how AR generates income and potential conflicts of interest
• Product and service scope: Confirming proposed activities fall within principal's permissions
• Distribution strategy: How clients are acquired and serviced
• Competitor analysis: Understanding market positioning

Financial Due Diligence:

• Financial statements: Review of 3 years' accounts (if available)
• Financial projections: Assessing projected revenue, costs, and profitability
• Funding sources: Understanding how AR is capitalized and funded
• Professional Indemnity Insurance: Adequate coverage with reputable insurer
• Bank accounts: Verifying business banking arrangements

Operational Due Diligence:

• Systems and technology: Assessment of IT infrastructure, cybersecurity, and data protection
• Compliance framework: Review of policies, procedures, and compliance resources
• Record keeping: Document retention policies and systems
• Outsourcing: Understanding reliance on third-party service providers
• Business continuity: Disaster recovery and operational resilience planning

Ongoing Due Diligence

Due diligence is not a one-time exercise. Principals must conduct ongoing due diligence throughout the AR relationship to identify emerging risks.

Annual Due Diligence Reviews:

• Refreshed ownership and structure verification
• Updated financial position review
• Competence reassessment of key individuals
• Business model evolution and strategy review
• Systems and controls effectiveness assessment
• Professional Indemnity Insurance renewal verification

Event-Driven Due Diligence:

Additional due diligence is required when certain trigger events occur:

• Ownership changes: New shareholders or beneficial owner changes
• Key person changes: New directors, senior managers, or compliance officers
• Business model changes: New products, services, or target markets
• Regulatory events: FCA visits, enforcement action, or regulatory breaches
• Complaint spikes: Significant increases in complaints or complaints patterns
• Financial deterioration: Signs of financial stress or losses

Third-Party Verification

Principals should use independent third parties to verify information provided by ARs and supplement their own due diligence.

Recommended Third-Party Checks:

• Credit reference agencies: Experian, Equifax, or Creditsafe for corporate and individual credit checks
• Companies House: Verify incorporation, filing history, and ownership
• FCA Register: Check regulatory history of individuals and related entities
• Insolvency Service: Bankruptcy and disqualified director checks
• Land Registry: Property ownership verification (for key persons)
• DBS (Disclosure and Barring Service): Criminal records checks
• Professional bodies: CII, CISI, or other relevant qualification verification
• World-Check / Dow Jones: PEP, sanctions, and adverse media screening

Effective ongoing oversight is critical to managing AR risk and meeting FCA expectations. Principals must implement comprehensive monitoring frameworks proportionate to the size, complexity, and risk profile of their AR networks.

Principals should implement monitoring using the three lines of defence model:

• First line (AR operations): AR's own compliance monitoring and controls
• Second line (Principal compliance): Principal's compliance function oversight and monitoring
• Third line (Independent assurance): Internal audit or external compliance reviews

Risk-Based Monitoring:

Monitoring intensity should be calibrated to AR risk rating:

• High-risk ARs: Monthly MI review, quarterly file reviews, quarterly visits
• Medium-risk ARs: Quarterly MI review, semi-annual file reviews, annual visits
• Low-risk ARs: Quarterly MI review, annual file reviews, biennial visits

Risk Factors Influencing Monitoring Frequency:

• Type and scope of regulated activities (advice vs execution-only)
• Target client base (retail vs professional)
• Product complexity (simple ISAs vs structured products)
• AR size and revenue volume
• Geographic spread and cross-border activities
• Track record and compliance history
• Key person changes or business model evolution
• Complaint levels and nature

Management Information and Reporting

Core MI Requirements:

Principals should collect comprehensive management information from ARs, typically on a monthly or quarterly basis:

• Business volumes:
  • Number of new clients onboarded
  • Total clients (active and inactive)
  • Assets under management/administration
  • Transaction volumes and values
  • Revenue and income by source
• Complaints data:
  • Number of complaints received
  • Complaints by category and product
  • Complaints resolution timeframes
  • Redress paid and financial impact
  • Root cause analysis of complaint themes
• Compliance metrics:
  • File review results and compliance scores
  • Regulatory breach log
  • Training completion rates
  • Financial promotions approvals and rejections
  • Data breaches and security incidents
• Financial metrics:
  • Revenue and profitability
  • Expense ratios
  • PI insurance status
  • Outstanding debtor/creditor balances
• Operational metrics:
  • Staff numbers and turnover
  • Key person changes
  • System issues and outages
  • Outsourcing arrangements

MI Analysis and Escalation:

Principals must analyze MI to identify trends, outliers, and emerging risks:

• Peer comparison: Benchmarking AR performance against network averages
• Trend analysis: Identifying deteriorating metrics or sudden changes
• Red flag indicators: Automated alerts for specific risk indicators (e.g., complaint spike)
• Escalation protocols: Clear processes for escalating concerns to senior management
• Board reporting: Regular AR oversight reports to principal's board

File Review Programs

File reviews are a critical component of AR oversight, providing direct insight into compliance with regulatory requirements and quality of client outcomes.

File Review Methodology:

• Sample selection: Risk-based sampling covering different advisors, products, and client types
• Review criteria: Standardized checklist covering all applicable COBS requirements
• Scoring methodology: Consistent scoring to enable tracking and comparison
• Documentation: Comprehensive file review reports with findings and remediation actions

Key File Review Areas:

• Client classification: Correct categorization as retail, professional, or eligible counterparty
• Know Your Customer (KYC): Adequate client information and risk profiling
• Suitability/appropriateness: Quality of needs analysis and product recommendations
• Disclosures: Clear fee disclosures, conflicts of interest, and risk warnings
• Client agreements: Properly executed terms of business
• Financial promotions: Compliance with COBS and approved marketing materials used
• Execution quality: Best execution and timely transaction processing
• Record keeping: Complete and accessible client files

Remediation Process:

When file reviews identify issues, principals must ensure effective remediation:

• Remediation plan: Clear actions, owners, and deadlines for each finding
• Root cause analysis: Understanding why the issue occurred (training gap, process failure, etc.)
• Systemic review: Assessing whether issue affects other clients requiring past business review
• Follow-up reviews: Verification that remediation has been effective
• Escalation: Serious or repeated failings may trigger enhanced monitoring or termination

AR Visits and On-Site Reviews

Regular visits to AR premises provide valuable insight into culture, operations, and compliance that cannot be obtained through remote monitoring.

Visit Frequency:

• New ARs: Within 3 months of appointment and again at 12 months
• High-risk ARs: At least quarterly
• Medium-risk ARs: At least annually
• Low-risk ARs: At least every 2 years
• Ad hoc visits triggered by complaints, MI concerns, or regulatory events

Visit Activities:

• Premises inspection: Physical office, security, data protection measures
• Staff interviews: Speaking with advisors, compliance, and operations staff
• Systems demonstration: Reviewing CRM, compliance, and trading systems
• File reviews: On-site review of client files
• Process walkthroughs: Observing client onboarding, advice process, complaints handling
• Document review: Examining policies, procedures, training records, and MI
• Culture assessment: Gauging compliance culture and tone from the top

Visit Reporting:

• Formal visit report documenting observations, findings, and required actions
• Risk rating review and adjustment if needed
• Remediation plan with deadlines
• Follow-up visit or desk-based review to verify remediation

PERG 5.8 requires principals and ARs to have a written agreement in place before the AR commences regulated activities. The agreement must comprehensively define the relationship and respective responsibilities.

The FCA requires the written agreement to address the following areas at minimum:

• Scope of appointment: Specific regulated activities the AR is permitted to conduct
• Investment types: Which specified investments the AR can deal in or advise on
• Client types: Whether AR can serve retail, professional, or eligible counterparty clients
• Geographic scope: Permitted territories for conducting business
• Restrictions and limitations: Any additional constraints on AR's activities
• Responsibilities: Clear allocation of responsibilities between principal and AR
• Compliance obligations: AR's duty to comply with FCA rules and principal's procedures
• Monitoring rights: Principal's rights to monitor, review, and visit AR
• Information provision: AR's obligation to provide MI, reports, and notifications to principal
• Termination provisions: Notice periods and termination rights for both parties

Essential Clauses

Beyond the FCA's mandatory requirements, well-drafted AR agreements should include additional provisions to protect the principal and clarify the relationship:

1. Activities and Permissions Clause:

• Detailed schedule of permitted regulated activities
• Specific investment types and restrictions
• Client categorization permissions
• Maximum transaction or portfolio sizes
• Prohibited activities and products
• Process for requesting permission scope changes

2. Compliance and Conduct Clause:

• Obligation to comply with all FCA rules as if AR were directly authorized
• Duty to follow principal's policies, procedures, and compliance manual
• Requirement to maintain competence and professional standards
• Training and CPD obligations
• Financial promotions approval process
• Client classification and suitability/appropriateness obligations

3. Monitoring and Oversight Clause:

• Principal's right to conduct file reviews, visits, and audits
• AR obligation to provide access to records, premises, and staff
• MI reporting requirements (frequency, format, and content)
• Notification requirements for material events, breaches, and complaints
• Remediation obligations when issues identified

4. Financial and Commercial Terms:

• Principal fees (retainer, platform fees, compliance fees)
• Revenue share or commission split arrangements
• Payment terms and invoicing procedures
• Charges for additional services (training, legal, compliance support)
• Consequences of late payment or non-payment

5. Professional Indemnity Insurance:

• Minimum coverage levels required
• Acceptable insurers and policy terms
• AR obligation to maintain continuous coverage
• Requirement to notify principal of any coverage changes or claims
• Evidence of cover to be provided annually

6. Data Protection and Confidentiality:

• GDPR compliance obligations
• Data sharing and processing arrangements
• Security and cybersecurity requirements
• Data breach notification procedures
• Confidentiality of client and business information

7. Complaints and Redress:

• AR obligation to report all complaints to principal immediately
• Complaints handling process and principal oversight
• Redress payment responsibility and recovery from AR
• FOS and FSCS implications

8. Indemnities and Liability:

• AR indemnity to principal for losses arising from AR misconduct or breach
• Limitations and exclusions on liability (where appropriate)
• Insurance requirements to support indemnity
• Survival of indemnity post-termination

9. Intellectual Property and Branding:

• License to use principal's branding and trademarks
• Brand guidelines and approval processes
• Website and digital presence requirements
• Termination of branding rights upon cessation

10. Term and Termination:

• Initial term and renewal provisions
• Notice periods for termination without cause (typically 3-6 months)
• Immediate termination rights for material breach, insolvency, or regulatory action
• Post-termination obligations (client handover, records retention, FCA notification)
• Financial settlement on termination (trail commission, final invoices)
• Restrictive covenants and non-solicitation (where enforceable)

Common Pitfalls

Pitfall 1: Vague Scope Definition

Issue: Generic references to "investment business" without specifying exact activities and investment types.

Impact: AR may inadvertently exceed permitted scope, creating regulatory breach and principal liability.

Solution: Use precise regulatory terminology (e.g., "advising on investments (except pension transfers)" rather than "financial advice") and attach detailed schedules listing permitted investments.

Pitfall 2: Inadequate Monitoring Rights

Issue: Agreement doesn't give principal sufficient rights to access AR records, premises, or staff.

Impact: Principal cannot effectively discharge oversight obligations, exposing both parties to regulatory risk.

Solution: Include explicit rights for unannounced visits, file reviews, staff interviews, and system access.

Pitfall 3: Weak Indemnity Provisions

Issue: No indemnity clause or indemnity limited in ways that leave principal exposed.

Impact: Principal bears full cost of AR misconduct without recourse.

Solution: Comprehensive indemnity for all losses arising from AR breach, backed by adequate PI insurance.

Pitfall 4: Insufficient Termination Rights

Issue: Long notice periods or limited termination rights prevent principal from swiftly ending relationship.

Impact: Principal must continue relationship with problematic AR, increasing regulatory and financial risk.

Solution: Include immediate termination rights for material breach, regulatory action, or financial distress.

Pitfall 5: Missing Post-Termination Obligations

Issue: Agreement silent on what happens to clients, records, and trail commission upon termination.

Impact: Disputes over client ownership, poor client outcomes, and regulatory breach.

Solution: Detailed post-termination provisions covering client handover, records transfer, FCA notification, and financial settlement.

SUP 12 Notification Requirements

SUP 12.4 requires principals to notify the FCA when appointing or terminating appointed representatives. These notifications must be made through the AR Directory system.

Appointment Notification Timeline:

• Before appointment: Principal should conduct full due diligence and finalize written agreement
• Upon appointment: AR can commence regulated activities once agreement signed
• Within 30 days: Principal must submit notification to FCA via AR Directory

Important: While ARs can legally commence activities before FCA notification (provided agreement is in place), best practice is to notify the FCA within a few days of appointment to ensure directory accuracy.

Information Required for Appointment Notification:

• AR's legal entity name and trading name
• Registered office address and principal place of business
• AR reference number (if previously appointed by another principal)
• Regulated activities the AR is appointed to conduct
• Investment types covered by the appointment
• Whether AR will deal with retail or professional clients
• Details of any restrictions or limitations
• Start date of appointment
• Contact details for AR compliance officer

Termination Notification:

• Timing: Principal must notify FCA within 30 days of termination
• Information required: Effective date of termination and reason for termination (if requested by FCA)
• Client outcomes: Principal should ensure orderly transition arrangements for AR's clients

Material Change Notifications:

Principals must also notify the FCA of material changes to AR details:

• Change of AR legal entity name or trading name
• Change of registered office or principal place of business
• Changes to scope of appointment (additional or reduced permissions)
• Changes to restrictions or limitations
• Changes to client categorization permissions

FCA AR Directory Requirements

The AR Directory is a public register maintained by the FCA listing all appointed representatives and their principal firms. It is a critical tool for consumer protection and regulatory oversight.

Directory Information:

The AR Directory contains:

• AR's name and FRN (Firm Reference Number)
• AR's address and contact details
• Principal firm details and FRN
• Regulated activities AR is appointed to conduct
• Date of appointment
• Any restrictions or limitations on AR's scope

Directory Accuracy Obligations:

Principals are responsible for ensuring AR Directory information is accurate and up to date. This includes:

• Submitting initial notification within 30 days of appointment
• Updating the directory within 30 days of any material changes
• Notifying terminations within 30 days
• Conducting periodic reviews (at least annually) to verify accuracy

Consumer Use of Directory:

Consumers and businesses use the AR Directory to:

• Verify an AR is legitimately appointed and authorized to conduct regulated activities
• Check the scope of an AR's permissions before engaging their services
• Identify the principal firm responsible for the AR
• Make complaints or claims to the correct entity

Inaccurate directory information can result in consumer harm (e.g., engaging with unauthorized individuals) and regulatory sanctions for the principal.

Timeline Expectations and Best Practices

Pre-Appointment Phase (4-8 weeks):

1. Initial discussions and AR application to principal
2. Due diligence and fit and proper assessments (2-4 weeks)
3. Negotiation and finalization of written agreement (1-2 weeks)
4. Systems setup and training (1-2 weeks)

Appointment Phase (Day 1):

1. Written agreement executed by both parties
2. AR commences regulated activities
3. Principal submits AR Directory notification (best practice: within 1-3 days)

Post-Appointment (First 30 days):

1. FCA notification confirmed submitted (legal deadline: 30 days)
2. AR Directory entry verified for accuracy
3. Initial monitoring MI requested
4. First compliance check-in scheduled

Choosing between becoming an appointed representative or seeking direct FCA authorisation is one of the most important strategic decisions for firms entering regulated markets. The right choice depends on multiple factors including business model, growth ambitions, cost considerations, and operational preferences.

• New market entrants: Firms new to regulated activities seeking faster time to market
• Limited capital: Firms unable to meet FCA capital adequacy requirements (£20,000-£730,000)
• Smaller operations: Annual revenue expected to be under £300,000-£500,000
• Compliance support needs: Firms lacking in-house regulatory expertise
• Standard business models: Operating within established frameworks (e.g., mortgage broking, investment advice)
• Testing business model: Proving concept before committing to full authorisation
• Limited scope: Focused on specific regulated activities that align well with available principals

When Direct Authorisation is Preferred:

• High-growth ambitions: Planning rapid scaling where AR revenue share becomes prohibitively expensive
• Innovative business models: Unique propositions that don't fit standard principal frameworks
• Brand independence: Strong brand identity and desire for complete autonomy
• Multiple revenue streams: Diversified business requiring broad permissions not available through single principal
• International expansion: Plans to establish overseas entities or operate cross-border extensively
• Institutional focus: Primarily serving professional clients who prefer dealing with directly authorised firms
• Higher revenue expectations: Projected annual revenue exceeding £500,000 where direct authorisation costs are justified
• Technology platforms: Building proprietary platforms or infrastructure requiring full operational control

Comparative Analysis

Growth Considerations

Transitioning from AR to Direct Authorisation:

Many firms start as ARs and later seek direct authorisation as they grow. Key considerations for this transition:

• Optimal timing: Typically when annual revenue reaches £500,000-£1,000,000 and ongoing AR costs exceed direct authorisation costs
• Transition planning: 9-12 months to plan, apply, and achieve authorisation while maintaining AR status
• Dual operation: Continue as AR while FCA application is in progress to avoid business disruption
• Client communication: Managing client expectations during transition
• Systems build-out: Establishing compliance infrastructure before authorisation
• Capital raising: Securing capital to meet FCA requirements
• Principal relationship: Managing relationship with principal during transition (some agreements include restrictive covenants)

Revenue Threshold Analysis:

The following illustrates the cost crossover point where direct authorisation becomes more economical:

• £200,000 revenue: AR typically cheaper (£50,000-£70,000 vs £60,000-£90,000 for direct auth)
• £500,000 revenue: Roughly equivalent cost (£100,000-£150,000 for both models)
• £1,000,000 revenue: Direct auth significantly cheaper (£70,000-£120,000 vs £200,000-£400,000 AR costs)
• £2,000,000+ revenue: Direct auth clearly optimal (AR costs can exceed £500,000/year vs £100,000-£150,000)

Exit Strategies

Exiting AR Relationship:

Firms may exit AR relationships for several reasons. Having a clear exit strategy is critical:

• Seeking direct authorisation: As discussed above, natural progression for growing firms
• Switching principals: Finding a principal with better terms, broader permissions, or superior support
• Business sale: Acquirer may have different principal relationships or direct authorisation
• Business closure: Winding down operations entirely
• Relationship breakdown: Irreconcilable differences with principal

Exit Challenges:

• Client ownership: Disputes over who retains client relationships
• Trail commission: Ongoing commission entitlements post-termination
• Non-compete clauses: Restrictions on approaching clients or operating in same market
• Regulatory gap: Period where AR can't operate while awaiting new principal or direct auth
• Systems and data migration: Transferring client records and operational data

Managing Smooth Exits:

• Clear exit provisions in written agreement addressing all key issues
• Advance planning and communication with principal
• Orderly client handover or transfer processes
• Professional conduct throughout to maintain relationships and reputation
• Legal review of agreement terms before triggering exit

The FCA has identified the AR regime as a supervisory priority due to repeated instances of consumer harm and market abuse involving appointed representatives. Understanding common failings and enforcement trends is critical for both principals and ARs.

Between 2020 and 2024, the FCA has taken significant enforcement action against principals and ARs:

• Fines totaling £100+ million: Levied against principals for failing to adequately oversee ARs
• Multiple authorisations withdrawn: Principals had permissions removed due to systemic AR failures
• Skilled persons reviews: Section 166 reviews imposed on principals to assess AR oversight frameworks
• Restrictions on AR appointments: Several principals prohibited from appointing new ARs pending remediation
• Consumer redress schemes: Multi-million pound redress programs for victims of AR misconduct

Key FCA Concerns:

The FCA's 2023 thematic review of the AR regime highlighted several systemic issues:

• Inadequate due diligence: 70% of principals reviewed had deficient pre-appointment due diligence
• Insufficient oversight: Monitoring frameworks often tick-box exercises rather than effective supervision
• Weak financial crime controls: AML/CTF frameworks not properly extended to AR activities
• Poor complaint handling: Delays in identifying and addressing AR complaint themes
• Conflicts of interest: Commercial interests prioritized over consumer protection

Supervisory Findings

Common Principal Failings:

1. Inadequate Due Diligence:

• Superficial background checks of AR key persons
• Failure to verify qualifications and experience claims
• Inadequate financial due diligence on AR viability
• No assessment of AR's business model sustainability
• Insufficient AML/CTF screening

2. Ineffective Monitoring:

• MI collected but not analyzed or acted upon
• File reviews conducted but findings not remediated
• Visits infrequent and poorly documented
• No escalation process for concerning trends
• Same monitoring applied to all ARs regardless of risk

3. Poor Governance:

• Board not receiving adequate MI on AR performance and risks
• No clear ownership of AR oversight at senior management level
• Inadequate resources allocated to AR supervision
• Conflicts of interest between commercial and compliance functions

4. Training and Competence Gaps:

• No verification of AR staff competence before client-facing activities
• Inadequate ongoing training on regulatory changes
• No assessment of training effectiveness
• CPD requirements not monitored or enforced

5. Financial Promotions Failures:

• AR marketing materials not properly reviewed before use
• Misleading or unclear risk warnings
• Inadequate disclosure of fees and conflicts
• Social media and digital marketing not supervised

Common AR Failings:

1. Unsuitable Advice:

• Recommending inappropriate products to vulnerable clients
• Inadequate needs analysis before making recommendations
• Failing to consider client risk appetite and capacity for loss
• Pushing clients into higher-risk or higher-commission products

2. Poor Client Classification:

• Treating retail clients as professional to reduce regulatory obligations
• Inadequate client categorization processes
• Not reassessing client classification when circumstances change

3. Exceeding Scope:

• Providing advice when only appointed for execution-only arranging
• Advising on products outside permitted investment types
• Serving retail clients when restricted to professionals
• Operating in jurisdictions outside permitted scope

4. Financial Crime Breaches:

• Inadequate customer due diligence
• Failure to conduct ongoing monitoring of client relationships
• Not screening against sanctions lists
• Failing to report suspicious activity to principal's MLRO

5. Record Keeping Deficiencies:

• Incomplete client files lacking key information
• Failure to document advice rationale and suitability
• Poor complaint records and resolution documentation
• Inadequate retention periods for client records

Case Studies

Case Study 1: Investment Advice Principal - £40m Fine

Facts: A principal firm with 500+ ARs providing investment advice failed to adequately supervise their network. Several ARs recommended high-risk unregulated collective investment schemes (UCIS) to retail clients, resulting in £200m+ consumer losses.

Failures:

• Inadequate due diligence before appointing ARs with poor regulatory history
• No effective monitoring of AR activities or complaint trends
• Financial promotions for UCIS not properly reviewed
• Commercial incentives prioritized over consumer protection

FCA Action: £40 million fine, skilled persons review, and restriction on new AR appointments

Lessons: Effective monitoring is not optional. Principals must have robust frameworks to identify emerging risks and intervene before consumer harm occurs.

Case Study 2: Consumer Credit Principal - Authorisation Withdrawn

Facts: A principal operating in the consumer credit sector appointed 300+ ARs offering debt management services. FCA supervision identified widespread poor advice, unfair contract terms, and inadequate financial crime controls.

Failures:

• Appointed ARs without verifying competence or financial viability
• No file reviews or quality assurance monitoring
• Widespread unsuitable debt solutions recommended to vulnerable clients
• Inadequate AML controls allowing prohibited clients to be onboarded

FCA Action: Permission to appoint ARs withdrawn, existing ARs required to cease activities, consumer redress scheme of £15 million

Lessons: The AR model is not a way to avoid regulatory responsibility. Principals must ensure ARs meet the same standards as if directly employed.

Case Study 3: Mortgage Network - £8m Fine

Facts: A mortgage network principal failed to prevent ARs from processing fraudulent mortgage applications, resulting in £20m+ lender losses and consumer detriment.

Failures:

• No effective fraud controls or transaction monitoring
• Inadequate verification of income and employment documentation
• Suspicious activity patterns not identified through MI analysis
• Conflict of interest between commission income and fraud prevention

FCA Action: £8 million fine and enhanced monitoring requirements

Lessons: Financial crime controls must be embedded in AR oversight frameworks with active monitoring and escalation processes.

Business Planning:

• Define business model and target market clearly
• Identify specific regulated activities needed
• Develop 3-year financial projections
• Assess capital requirements and funding sources
• Create implementation timeline

Principal Selection:

• Research potential principals in your sector
• Compare fee structures and revenue share models
• Assess principal's reputation and FCA regulatory record
• Review principal's permissions scope and restrictions
• Evaluate support services offered (compliance, training, systems)
• Request references from other ARs in the network
• Review template AR agreement before commitment

Due Diligence Preparation:

• Prepare comprehensive business plan for principal review
• Gather identification and proof of address for all key persons
• Obtain professional qualification certificates
• Prepare detailed CVs with full employment history
• Arrange professional references from previous employers
• Clean up any credit issues (CCJs, defaults) if possible
• Prepare to explain any gaps in employment or regulatory history

Financial Arrangements:

• Arrange Professional Indemnity Insurance at required coverage levels
• Set up business bank account
• Secure working capital for initial 6-12 months
• Budget for principal fees, setup costs, and ongoing expenses

Infrastructure Setup:

• Establish business premises (or virtual office if permitted)
• Set up IT infrastructure (computers, internet, phone systems)
• Implement data protection and cybersecurity measures
• Establish record keeping and document management systems
• Set up accounting and bookkeeping systems

Post-Appointment Checklist:

First 30 Days:

• Complete all principal onboarding training
• Attend compliance induction and systems training
• Set up access to principal's platforms and systems
• Review and understand all principal policies and procedures
• Establish initial MI reporting processes
• Verify AR Directory listing is accurate
• Update website and marketing materials with AR disclosure

First 90 Days:

• Onboard first clients following principal's processes
• Conduct first business review with principal
• Submit first MI report and review with compliance
• Complete any additional product or regulatory training
• Establish rhythm for ongoing compliance and reporting

Ongoing Obligations:

• Submit MI reports within required timeframes
• Report all complaints immediately to principal
• Seek principal approval for all marketing materials before use
• Maintain CPD records and complete required training
• Notify principal of any material business changes
• Cooperate with principal monitoring (file reviews, visits)
• Maintain PI insurance and provide evidence of renewal
• Keep comprehensive client records and documentation
• Report any regulatory breaches or suspicious activity

For Principals Onboarding ARs

Pre-Appointment Checklist:

Governance and Framework:

• Establish board-approved AR strategy and appetite
• Develop comprehensive AR policies and procedures
• Create risk assessment framework
• Design monitoring and oversight program
• Allocate adequate resources (staff, budget, systems)
• Define roles and responsibilities within principal
• Implement AR-specific MI and reporting systems

Legal and Documentation:

• Prepare comprehensive AR agreement template
• Have agreement reviewed by regulatory lawyers
• Create application forms and due diligence questionnaires
• Develop standardized due diligence checklist
• Prepare onboarding documentation pack

Capital Adequacy:

• Assess capital impact of AR appointment using MIFIDPRU/BIPRU calculations
• Ensure adequate capital buffer for projected AR network growth
• Notify PI insurer and obtain confirmation of coverage extension
• Budget for increased annual FCA fees

AR Application Review:

• Review business plan for viability and compliance
• Assess alignment with principal's strategy and risk appetite
• Evaluate target market and product scope
• Analyze financial projections and funding

Due Diligence:

• Conduct Companies House verification
• Identify and verify all beneficial owners
• Verify identity of all key persons
• Check FCA Register for regulatory history
• Obtain and verify references from previous employers
• Conduct credit checks on entity and key persons
• Verify qualifications and professional memberships
• Conduct PEP and sanctions screening
• Review adverse media and litigation history
• Assess competence through interviews and assessments
• Review financial statements and projections
• Evaluate systems and operational infrastructure
• Review PI insurance certificate

Risk Assessment:

• Complete business model risk assessment
• Assess financial crime risk
• Evaluate market conduct risk
• Consider operational and systems risk
• Determine initial risk rating (high/medium/low)
• Define appropriate monitoring frequency based on risk

Appointment Process Checklist:

Agreement and Onboarding:

• Finalize and execute written agreement
• Set up AR on principal's systems and platforms
• Provide access to compliance manual and procedures
• Deliver compliance and regulatory training
• Provide product and systems training
• Assign relationship manager and compliance contact
• Establish reporting schedules and requirements

FCA Notification:

• Submit AR Directory notification within 30 days
• Verify directory entry accuracy
• Provide AR with FRN and directory confirmation

Initial Monitoring:

• Schedule first compliance check-in (within 30 days)
• Plan first on-site visit (within 90 days)
• Set MI submission deadlines
• Establish file review schedule

Ongoing Oversight Checklist:

Regular Monitoring:

• Review MI reports within required timeframes
• Analyze MI for trends, outliers, and red flags
• Conduct regular file reviews per monitoring plan
• Perform scheduled on-site visits
• Review and approve all financial promotions
• Monitor complaint patterns and themes
• Track remediation of identified issues
• Escalate concerns to senior management as needed

Annual Reviews:

• Conduct comprehensive annual AR review
• Refresh due diligence (ownership, key persons, financials)
• Reassess risk rating and adjust monitoring accordingly
• Review AR agreement terms and update if needed
• Verify PI insurance renewal and adequacy
• Review training completion and competence
• Assess AR performance against objectives
• Update AR Directory if any material changes

Event-Driven Actions:

• Conduct additional due diligence for ownership or key person changes
• Investigate complaint spikes or patterns immediately
• Respond promptly to regulatory breaches or incidents
• Update AR Directory within 30 days of any material change
• Escalate serious issues to board and FCA as required

Board Reporting:

• Provide quarterly AR oversight reports to board
• Report on network growth, risk profile, and performance
• Escalate significant issues or trends
• Present thematic analysis of monitoring findings
• Review AR strategy and appetite annually