Our findings on how principals are embedding new rules for overseeing appointed representatives (ARs) and examples of good practice and areas for improvement for firms to consider.
1. Why we conducted this review
We set out new rules and enhanced expectations for principal firms effective from 8 December 2022.
Principal firms must oversee their appointed representatives (ARs) effectively and are responsible for making sure their ARs comply with our rules in relation to their activities as ARs. While some principals do this effectively, not all firms adequately oversee the activities of their ARs. The changes we made to our rules help ensure that principals manage their ARs better - they enhance the oversight we expect principals to have of their ARs.
Following our introduction of the new rules and enhanced expectations for principal firms, we have tested how firms are embedding the new rules and outline our findings here.
2. Who this applies to
All firms that currently have ARs or intend to have ARs in future. This includes Introducer ARs (IARs) unless stated otherwise.
3. What we did
We tested how approximately 270 firms (around 10% of the principal population) were embedding our new rules. Of these, approximately 250 firms took part in our telephone questionnaire. In this, we asked whether principal firms had completed their annual AR reviews and self-assessments, and whether they faced any challenges in completing the new annual regulatory return on AR complaints and revenue, REP025.
We also asked principals about:
- their AR oversight
- how they ensure their ARs don’t act outside of the scope of their appointments
- their AR onboarding and termination processes
- how they monitor changes and growth at ARs
- whether they delegate tasks or functions to their ARs.
In addition to the questionnaire, we randomly selected 23 principal firms for an in-depth assessment. This involved calls with firms and a review of information and documentation, such as annual reviews and self-assessments.
Both samples were randomly selected to include principals with different numbers of ARs and from a range of portfolios across different financial sectors.
4. What we found
From both our telephone questionnaires and in-depth assessments, we found that principals had made some effort to comply with our new rules. However, our in-depth assessments found that not all principals could show they had undertaken an adequate annual review or self-assessment covering all of the points set out in SUP 12.6A.
Our telephone questionnaire found that 96% of principals said they were very confident they were effectively implementing the new rules and guidance, but there is likely some over-confidence in how well firms are implementing the rules. For example, we found that 1 in 5 firms had not done the required checks (self-assessments, annual reviews).
Our in-depth assessments also showed the quality and completion of self-assessments and annual reviews require improvement. From this sample, we found 4 in 5 principals had completed either annual reviews or self-assessments, and that approximately half of these were of good quality. Some principals involved in our in-depth assessments had not properly documented their self-assessments or annual reviews, or took a tick-box approach to completing them, for example using templates that did not cover all of the points set out in SUP 12.6A.
Most principals had also not changed their onboarding or termination procedures since we introduced the new rules. Where principals consider their existing processes are robust and sufficient, they should consider their processes in light of the new rules and be able to evidence why.
As our new rules came into effect on 8 December 2022, we would expect every principal firm to have now completed its annual reviews and completed and signed off a self-assessment at least once (unless it became a principal less than 12 months ago).
Below are some examples of how principals have approached our requirements. Firms should consider these examples when reviewing their own approach to effective AR oversight.
Self-assessments
As set out in SUP 12.6A, the self-assessment document should help principals identify how they are meeting our requirements and consider where they may need to make changes. The self-assessment should make sure principals are proactively assessing, monitoring, and documenting their compliance with the rules. Self-assessments will also make sure that principals’ governing bodies are appropriately sighted on AR arrangements. The self-assessment process should make principals better able to identify gaps in compliance with their obligations and issues which may lead to harm.
A principal firm must have a written record showing compliance with its obligations completed within the last 12 months. It must identify any material deficiencies or concerns about compliance and agree steps to address them. Where, for example, a principal’s business plan includes onboarding more ARs, we would expect to see evidence of active consideration by the firm as to how it will meet its obligations for the oversight of those additional ARs. The self-assessment document must be reviewed and signed off by the principal’s governing body at least annually.
From our telephone questionnaire, approximately 80% of principals said they had completed self-assessments. About 95% of these said they had submitted the self-assessments to their board or governing body for sign-off.
Our in-depth assessment found 83% of principals had completed their self-assessments, with 52% of these being of a good quality. Our in-depth assessments therefore showed that some principals had not undertaken or properly documented their self-assessment. These checks showed that often principals took a tick-box approach to completing the self-assessment rather than thoroughly assessing the effectiveness of their arrangements to oversee their ARs and assessing the adequacy of their controls and resources.
Examples of good practice
- Having a clear single document outlining any material deficiencies or concerns in the principal’s AR oversight, with an action plan to address any gaps in compliance.
- Assessing the effectiveness of the firm’s arrangements for overseeing its ARs, and the adequacy of the firm’s controls and resources.
- Reviewing the methods used to assess and verify the principal’s compliance with the requirements in our rules.
- Using a broad range of management information. For example, assessing staff turnover, changes to revenue and complaints rates, non-regulated activity and monitoring and oversight activity.
- Using a RAG (red-amber-green) rating system to group the above potential gaps in compliance and prioritise accordingly. This included a clear timeline showing when the gaps would be addressed.
- Assessing the risk of harm to consumers or market integrity arising from activities or businesses.
- Discussing this document at board level, with the document clearly dated and signed off by the board at least once every 12 months.
Areas for improvement
- Adopting a high-level tick-box approach to carrying out and recording the self-assessment, rather than producing a written record capable of being reviewed and approved by the principal’s governing body.
- Not documenting and addressing with a clear action plan any material deficiencies or concerns with the principal’s SUP 12 compliance, as identified in the self-assessment.
- Following an insufficient template which does not cover all the points of a self-assessment set out in SUP 12.6A, such as not assessing the adequacy of the principal’s controls and resources and the risk of harm to consumers arising from an AR’s activities or business.
- Failing to show that the self-assessment had been reviewed and signed off by the governing body at least every 12 months.
Annual reviews
As set out in SUP 12.6A, principals are required to review all relevant information about their ARs’ activities and business at least every 12 months. Annual reviews do not have to be completed for IARs, but IARs do need to be included in the self-assessment. The annual review must include a consideration of the fitness and propriety of an AR’s senior management, its financial position, and the adequacy of the principal’s controls and resources to oversee the AR. Annual reviews improve the ongoing effectiveness of AR oversight, reduce the potential for harm, and allow principals to assess whether the AR remains suitable. Principals can integrate annual reviews into existing internal processes, as long as they meet the standards set out in our new rules.
The record-keeping rules in SYSC 9 require firms to keep orderly records to enable us to monitor a firm’s compliance with our rules. SUP 12.6A.3R also specifies circumstances in which a firm must carry out an additional review. This includes where an AR’s business model changes or the AR is appointed by another principal. The principal must maintain a written record of each annual (and interim) review which must be kept for at least 6 years.
From our telephone questionnaire, we found approximately 90% of principals said they had completed their annual reviews.
Our in-depth assessment found 82% of principals had completed their annual reviews, with 43% of these being of a good quality. Some principals involved in our in-depth assessment could not show that they had undertaken an adequate annual review of information about their AR. This was due to either a poor audit trail, insufficient record-keeping or the review not covering the matters required in our rules. Some principals involved in the in-depth assessment were adopting a tick-box approach to completing annual reviews. The records of these reviews did not always include all the points set out in SUP 12.6A. Some principals could not show how they recorded or conducted the annual review or how they fulfilled their continuing obligations to assess their ARs under SUP 12.
Examples of good practice
- Having a strong understanding of ARs’ business models, including any unregulated business they do.
- Having a clear document reviewing any change in an AR’s business model or its senior management, or where an AR has been appointed by another principal.
- Embedding Consumer Duty compliance into the review. For example, considering fair value assessments and training for staff on Consumer Duty.
- Reviewing measures such as: ARs’ disaster recovery processes, ARs’ staff numbers, wind-down plans, data protection and GDPR compliance, IT security and back-up, and portals to keep track of training at ARs.
- Ensuring that issues identified as part of ongoing monitoring of the AR are incorporated into the review.
- Assessing AR activity to prepare a full analysis of their activity and business to feed into its annual review. For example, some firms used quality assurance checks on AR client files and customer satisfaction surveys to support the preparation of a full analysis of their ARs’ activity and business to feed into their annual reviews.
Areas for improvement
- Not properly documenting the annual review and adopting a tick-box approach rather than a holistic review of the AR’s activities covering the points set out in SUP 12.6A.2R.
- Using an insufficient template that does not cover all the requirements of the annual review as set out in our rules.
- Relying on limited information about the AR. For example, performing a website check on the AR and looking through an AR declaration, or basing an assessment on an email exchange and self-declaration from the AR in answer to the principal’s questions. It is the principal’s, not the AR’s, responsibility to carry out the annual review.
- Providing a lack of detail either because of a poor audit trail, insufficient record-keeping or a limited review.
- Lack of evidence-gathering when significant issues are identified, and issues not being escalated for consideration to the governing body.
Monitoring, oversight and acting out of scope
Principals should have a written AR agreement which clearly states what activities the AR is permitted to do and complies with relevant requirements as set out in SUP 12.5. Principals are required to have adequate controls over an AR’s regulated activities for which they have accepted responsibility, and resources to monitor and enforce an AR’s compliance with our requirements for those activities. The principal should establish on reasonable grounds that the AR is fit and proper, complies with our rules and operates within the scope of their appointment. Principals should also review whether their oversight remains appropriate in certain situations. For example, if the size or volume of the AR’s business involving regulated activity increases significantly in a short period of time, the principal may need to consider making changes to their oversight.
From our telephone questionnaire, two thirds of firms said they use data and management information to monitor ARs’ activities to make sure they are not acting outside of scope. Over half said they regularly reviewed their AR agreement and approximately 50% said they made regular firm-facing visits or held regular meetings with their ARs. Less than a third said they checked consumer-facing materials, such as websites, social media or leaflets.
Examples of good practice
- Proactive monitoring of the AR’s activities including potential unregulated activities. This may include reviewing marketing materials/websites, scrutinising publicly available information such as Trustpilot reviews, and an AR's financial accounts and consumer contracts. Monitoring is clearly documented including any follow-up with ARs where appropriate.
- Conducting in-person visits to ARs, performing mystery shopping exercises and random file checks on ARs to make sure they are not acting outside of scope.
- Analysing monthly activity comparing the activity report the AR submits with the principal’s own data.
- Performing quarterly and ad hoc checks on ARs which feed into the annual review.
- Setting up alerts to identify any changes to AR websites and linking AR marketing material directly to the principal’s website for a clear customer journey.
- Reviewing all new financial promotions upon publication to ensure compliance.
- Having a standard agenda item to discuss ARs at board meetings or relevant governance meetings, with discussions clearly recorded through detailed minutes. If issues are identified, these are taken forward and appropriate action is taken.
Areas for improvement
- Monitoring is completed as a tick-box exercise with little analysis of the information found.
- Not addressing any issues identified as part of ongoing monitoring.
- Not understanding the AR’s business model.
- Not having sufficient resources to monitor and oversee ARs.
- Not checking consumer-facing materials such as websites, social media, or leaflets to make sure ARs are not acting outside of scope.
- File reviews or calls with ARs are unrecorded and largely informal.
- Not undertaking file reviews or observing interactions between ARs and consumers.
- AR agreement does not clearly state the regulated activities the AR is permitted to carry out.
- Boards and/or governing body not discussing AR oversight or making use of management information (MI) to identify and appropriately manage any AR-related risks.
Approach to onboarding ARs
Principals must carry out adequate checks and due diligence on any prospective AR before onboarding. This includes verifying that the firm is financially stable and is otherwise suitable to act as an AR, for example, that relevant staff are competent to carry out the proposed activity.
Most firms that participated in our telephone questionnaire and in-depth assessments said they had not taken a new or different approach to onboarding ARs or IARs since our rules changed. This was either because they had no further plans to onboard ARs, or because they had not appointed a new AR since the new rules were introduced. From the telephone questionnaire, approximately 10% said they had taken a new approach and now included more detailed checks of an AR’s financial stability, business model and staff competency in the onboarding process.
Examples of good practice
- Clear, documented procedures for onboarding ARs that are maintained and kept up to date.
- Providing training on an initial and ongoing basis to ARs about the regulated activity they undertake, the financial products they sell and the regulatory expectations relating to their business.
- Greater due diligence when onboarding ARs. For example, reviewing financial accounts and linked individuals on Companies House, anti-money-laundering procedures, and financial due diligence checks. In addition, considering what the AR’s unregulated activities will be and whether there is risk of consumer harm.
Areas for improvement
- Relying solely on automated checks when undertaking background searches on an AR, not using human judgement or oversight.
- Failing to have an appropriate understanding of the required contract terms set out in SUP 12.5 (and legislation) for AR agreements.
- Not considering the impact appointing an AR will have on the principal’s financial and non-financial resources.
Some of these examples are also in our guidance on good practice and areas for improvement for firms who have permissions for credit broking.
Termination, offboarding and orderly wind-down
All principals should anticipate the potential need to terminate an AR relationship. This may be due to unresolved issues with the AR, high senior management turnover at the AR (with no satisfactory explanation), the AR acting outside of scope of the AR agreement, delivering poor customer outcomes, or if maintaining the relationship would no longer be appropriate. Where no regulated activity has been carried on for some time, principals should consider whether the AR arrangement remains suitable or whether it should be terminated.
If a principal decides to terminate an AR, it should take all reasonable steps to make sure there is orderly winding down of any relevant business. This includes considering how pipeline business will be handled and any potential impact on the AR’s customers. Most firms that participated in our telephone questionnaire and in-depth assessments said they had not taken a new or different approach to terminating ARs or IARs since our rules changed. This was either because they had not yet terminated any ARs or because they were confident their existing termination process met the new rules. From the telephone questionnaire, approximately 10% said they had taken a new approach and some firms said they now performed more frequent checks on their ARs during termination and took additional steps to ensure orderly wind-down.
Examples of good practice
- Terminating an AR relationship where the AR has not conducted regulated activities for some time and does not have a valid reason for continuing to use the principal’s permissions.
- Regular reviews of ARs’ activities to avoid harm to consumers from the ‘halo effect’ of being listed on the Financial Services Register purely to promote risky unregulated activities.
- Monitoring the size of ARs and any changes in ARs’ business models to inform assessments of whether the principal can continue to effectively manage and oversee their ARs, or whether remedial steps or termination may be needed.
- Having a clear offboarding policy which reflects the principal’s obligation to terminate contracts with ARs where issues cannot be rectified.
Areas for improvement
- Not checking an AR’s website after termination to make sure it no longer stated it was an AR or could undertake regulated activities on behalf of the firm.
- Not having a clear mechanism for considering whether, in particular circumstances, it would be appropriate to terminate AR arrangements.
5. Next steps
What firms should do
Firms who have ARs or intend to have ARs in future should read and consider these findings and our examples of good practice and areas for improvement when assessing their obligations as principals under our rules. Not all examples will be relevant to all situations, but principals are likely to find it helpful to consider them.
Principals should ensure they have assessed their existing processes in response to the new rules and have sufficiently documented any revisions.
What we will do
We have followed up directly with firms in the review and will take swift action where we see principals are not meeting our standards in the future.
We will continue to monitor compliance with the rules, with a particular focus on annual reviews, self-assessments, and the quality of oversight of ARs.