Appointed Representative Management Software: A 2026 Buyer's Guide

TL;DR — The AR regime in 2026 cannot be operated on spreadsheets at scale. Principal firms with material AR books are sourcing dedicated appointed representative management (ARM) software to handle register management, attestation workflow, financial promotion approval, communications monitoring, MI and complaint integration. This buyer's guide sets out what the category should do, the build-versus-buy question, integration considerations, evaluation criteria, and where Sedric fits as the AI-native option.

Table of contents

• Why ARM software is now a category
• What the software should do
• The AR register: the foundation
• Attestation and self-assessment workflow
• Financial promotion approval queue
• Communications monitoring across the AR network
• MI dashboard and board reporting
• Complaint integration
• Build vs buy
• Integration considerations
• Evaluation criteria — a 14-point scorecard
• Where Sedric fits
• FAQ

Why ARM software is now a category

Before PS22/11, AR oversight at most principals was a SharePoint folder and a spreadsheet. The annual return, the F&P file, the financial promotion approvals and the supervisory visit log were managed manually. The regulator was less data-hungry and the operational burden was modest.

That model has been overrun. PS22/11 introduced mandatory annual self-assessment, expanded notification triggers, AR-level revenue and complaints reporting, and explicit due diligence and oversight requirements. The 2022 Dear CEO letter, subsequent supervisory updates, and a steady cadence of section 166 reviews have moved the bar from "evidence the activity" to "evidence the operation of the activity, in real time, against the population." A 100-AR network principal cannot do that on spreadsheets without producing the kind of inconsistency a skilled person will find inside a week.

The result is a real category. ARM software is now a buyer's market with several vendor archetypes:

• Workflow-and-register platforms. Strong on AR register, attestation, document management. Weaker on communications monitoring.
• GRC platforms with AR modules. Strong on policy/risk register integration. Weaker on the specific AR rulebook (SUP 12, PS22/11) and on financial promotion approval.
• FinProm-focused platforms. Strong on financial promotion approval and review. Variable on the rest of the AR oversight stack.
• AI-native communications monitoring platforms. Strong on comms monitoring and FinProm at scale. Variable on register/workflow depth.

The well-organised principal builds an architecture that covers each capability — see the build vs buy section below.

What the software should do

A practitioner's working list of the capabilities a 2026 ARM platform should cover:

1. AR register — single source of truth, FRN-reconciled, tier-rated.
2. Attestation workflow — annual self-assessment generation, F&P attestations, AR contractual attestations, all tracked with sign-off.
3. Financial promotion approval queue — pre-publication review, audit trail, rule-mapped commentary, withdrawal and amendment log.
4. Communications monitoring — sampling and / or 100% coverage of customer-facing communications across the AR network, in calls, chat, email and social.
5. MI dashboard — real-time AR-level metrics, governance-ready outputs.
6. Complaint integration — single complaints intake covering AR-distributed business, with root-cause analysis.
7. F&P refresh management — workflow for senior-individual re-checks, source verification, sign-off.
8. Notification management — triggers, timelines, FCA forms support, audit trail.
9. Document management — diligence files, contracts, visit packs, evidence library.
10. Reporting — board pack output, FCA reporting support, ad-hoc query.

A platform that covers all ten is rare. The buyer's question is which capabilities are best served by which vendor, and what the integration story is between them.

The AR register: the foundation

The AR register is the data foundation that every other capability depends on. A defensible register in 2026:

• Holds every AR by FRN, with reconciliation to the FCA register at minimum quarterly.
• Captures legal name, trading styles, regulated activities, scope of appointment, appointment date, status, principal-AR contract reference.
• Captures senior individuals at each AR with role, F&P refresh date, regulatory reference status.
• Captures the tier rating with documented rationale.
• Captures financial soundness data — most recent accounts, capital position, PII expiry.
• Captures the customer book — customer numbers, regulated revenue, non-regulated revenue, complaint volume.
• Captures the supervisory cadence and the next scheduled supervisory activity.
• Captures notifications made to the FCA with date and reason.

The register is the document the FCA will ask for first in any supervisory engagement. If the register is in five places, the supervisory engagement is harder than it needs to be. See FCA appointed representative regime 2026 for the regulatory expectation set the register is supporting.

Attestation and self-assessment workflow

PS22/11 introduced the mandatory annual self-assessment. A platform that does the self-assessment well will:

• Pull the underlying AR-level data automatically from the register, the MI dashboard, the complaints log, the F&P file and the notifications log.
• Generate a draft self-assessment narrative populated with the firm's data — not a blank template.
• Route the draft through review, challenge and sign-off, with a named senior manager at each step.
• Produce a board-ready output with executive summary, AR-level appendix, gap analysis and remediation plan.
• Maintain the prior-year self-assessment for comparison and progress tracking.
• Generate the F&P attestation packs for each senior individual at each AR, with re-check evidence.
• Manage AR-side attestations — the principal-AR contract attestations, scope confirmations, training completion confirmations.

The platform should be the single self-assessment system of record. Word documents stitched together from spreadsheets and SharePoint folders are the failure mode every skilled person identifies.

Financial promotion approval queue

Every AR financial promotion is a principal financial promotion. The s.21 FSMA and rulebook compliance burden sits at the principal, and the approval queue is the operational point of control.

What good looks like:

• Centralised intake. Every AR financial promotion submitted into a single queue, irrespective of channel.
• Rule-mapped review. The platform routes the promotion to the right rulebook (COBS 4 / CONC 3 / BCOBS 2 / ICOBS 2 / MCOB 3A as applicable), flags risk-warning, fair-and-not-misleading, prominence and Consumer Duty understanding issues.
• Named approvers. Each approval recorded against a named approver at the principal, with rationale.
• Audit trail. Submission, review, amendment, approval, distribution and any subsequent withdrawal all logged.
• Post-distribution monitoring. The platform observes what the AR actually distributes against what was approved — this is where most enforcement-relevant FinProm gaps arise.
• Withdrawal management. Where a promotion has to be amended or withdrawn, the platform manages the action and the customer-facing correction.

For the regulatory framework the approval queue is implementing, see financial promotions rules 2026 and the COBS 4 guide. The approval queue is the operational application of those rules through the AR chain.

Communications monitoring across the AR network

This is the capability where the category has matured most over the last 18 months and where most legacy ARM platforms are weakest.

The problem the principal is solving: an AR's customer conversations — calls, chat, email, social media activity by AR staff, customer-facing video — are conversations the principal is regulatorily responsible for, but historically the principal had no operational way of seeing them. Communications monitoring closes that gap.

A 2026 capability looks like:

• Capture of communications across the channels the AR uses to interact with customers.
• Coverage at 100% rather than sample-based, where the principal's risk tier requires it.
• Real-time scoring of communications against the principal's policies, the rulebook (COBS / CONC / BCOBS / ICOBS / MCOB), the Consumer Duty outcomes (particularly consumer understanding and consumer support), vulnerability identification and conduct red-flags.
• Rule mapping. Every alert linked to the specific regulatory rule it engages.
• Override discipline. Every override of an alert logged with reasoning and reviewer identity.
• Trending. AR-level conduct trends visible in MI — not just point-in-time alerts.
• Integration with the AR oversight workflow — alerts feeding into the supervisory programme, complaints function and F&P refresh process.

This is the capability that lets a principal scale an AR network without scaling its supervisory headcount. It is also the capability skilled persons find missing on the typical AR-oversight s.166. See our overview of the section 166 process for context.

MI dashboard and board reporting

The board has to see — and challenge — the AR oversight position. A 2026 dashboard should produce, in real time:

• AR population by tier with movement in the period.
• Regulated revenue and non-regulated revenue per AR.
• Complaints volume and root-cause profile per AR.
• Financial promotion approvals throughput; withdrawals; failure rate.
• F&P status per senior individual with refresh status.
• Communications monitoring alert profile per AR.
• Customer outcome metrics for AR-distributed business, mapped to Consumer Duty outcomes.
• Notifications made in the period; due notifications outstanding.
• Supervisory activity completed in the period; activity scheduled.

The dashboard should generate a board pack with one click — the same data the AR oversight team uses operationally, framed for governance challenge. See our principal firm oversight obligations deep dive for what the governance challenge should look like.

Complaint integration

DISP 1 requires the principal's complaints arrangements to capture AR-distributed business. A 2026 ARM platform supports that with:

• Single intake covering AR-distributed complaints irrespective of channel.
• AR-level filtering and root-cause analysis.
• Feedback into product governance and AR-specific supervisory review.
• Read-across to Consumer Duty outcome reporting.
• Read-across to F&P — repeated complaint mentions of an individual trigger F&P review.
• FOS escalation and outcome tracking.

The complaints function and the AR oversight function should see the same data on the same dashboard.

Build vs buy

The "build vs buy" question for ARM software in 2026 is rarely binary. Most network principals end up with a mixed architecture — buying for the capabilities where the regulatory complexity is high or the AI is hard, and building for the capabilities that are firm-specific.

Generally:

• Buy for communications monitoring at scale. The AI capability required (regulatory-aware language models, vulnerability detection, rule mapping) is not a build-it-yourself project.
• Buy for financial promotion approval. The rule mapping and the queue management are commodified by mature vendors.
• Buy for MI and dashboarding where the vendor's data model fits the firm.
• Build or buy a workflow tool for AR register and attestation if the firm's processes are deeply embedded — but increasingly buy is the default.
• Buy for F&P refresh workflow if the firm uses a third-party screening provider; build a wrapper if not.
• Integrate rather than build for complaint integration, since the firm's complaints handling typically already runs in a complaints system.

The build path that has fallen out of favour is "build a comms monitoring system in-house." The compliance-tuned LLM stack required is no longer a reasonable in-house build for any firm whose core competency is regulated activity rather than data science.

Integration considerations

ARM software does not live alone. It connects to:

• Identity and HRIS — for senior-individual data, regulatory reference flow, F&P attestation.
• Customer system / CRM — for customer-numbers, regulated-revenue and complaint linkage.
• Telephony / contact-centre / chat / email — for communications capture.
• Marketing-tech stack — for financial promotion lifecycle from creative through distribution.
• Complaints system — for the AR-distributed complaints filter.
• Risk / GRC platform — for risk-register linkage.
• Reporting — for board-pack export, FCA reporting support.

The integration story is the buying decision as much as the feature list. A vendor with five out of ten capabilities, deep integrations and an open API beats a vendor with eight out of ten capabilities and a closed environment.

The two integration risks to evaluate:

• Communications capture. Is the vendor able to capture from the AR's telephony / chat / email / social channels, or only from the principal's? An AR's own contact centre is a frequent capture gap.
• Data residency and privacy. Customer communications involve personal data. UK GDPR, the cross-border transfer regime, and the principal's data-processing relationship with the AR all bear on the architecture.

Evaluation criteria — a 14-point scorecard

When evaluating an ARM vendor:

1. Rule mapping. Does every alert link to the specific rulebook reference (SUP 12.5.5R, COBS 4.2.1R, etc.) it engages?
2. Compliance-dedicated AI. Is the underlying model fine-tuned for financial-services compliance, or general-purpose LLM with prompt engineering?
3. Coverage. Can the platform monitor 100% of customer communications across the AR network, in the channels the ARs actually use?
4. Override discipline. Is every alert override logged with reasoner identity, timestamp and reasoning?
5. Real-time scoring. Are flags surfaced in real time or batch-processed retrospectively?
6. MI integration. Does the platform produce board-ready MI from the same data the operational team uses?
7. Self-assessment generation. Does the platform produce a draft annual self-assessment from the firm's data?
8. F&P refresh. Does the platform manage the F&P refresh workflow with source verification and named sign-off?
9. Financial promotion approval. Does the platform run the approval queue with pre-publication review and post-distribution monitoring?
10. Complaints linkage. Does the platform integrate AR-distributed complaints with root-cause analysis and F&P feedback?
11. Notification management. Does the platform support the PS22/11 notification triggers with timeline tracking?
12. Audit trail. Can every decision be reconstructed from the audit log alone?
13. References. Can the vendor cite UK-regulated principal-firm customers — by sector — at a comparable scale?
14. Independent recognition. Has the vendor been recognised by independent industry bodies (e.g., RegTech100) and backed by reputable institutional investors?

Score each capability from 0 to 3 (absent / partial / acceptable / strong). Apply weight by your specific risk profile. A network principal in retail advice will weight communications monitoring and FinProm approval more heavily than will an institutional broker-dealer with a small AR book.

Where Sedric fits

Sedric is the AI-native option in the category. Built on the industry's first compliance-dedicated LLM, the platform monitors 100% of an AR network's customer communications, marketing assets and partner activity, with every alert linked to the specific regulatory rule it engages and every override logged with reasoning. The MI surfaces risk at the principal-firm level in real time, the financial-promotion approval queue runs against COBS / CONC / BCOBS / ICOBS / MCOB and the Consumer Duty consumer-understanding outcome simultaneously, and the platform feeds the artefacts the annual PS22/11 self-assessment depends on.

Customers include global lenders, banks, trading platforms and insurers operating both directly and through partner and AR networks. Sedric was named to the 2026 RegTech100, raised a $18.5M Series A led by Foundation Capital with Amex Ventures, and grew revenue 5x in the last twelve months. The platform sits alongside an organisation's existing AR register, complaints and F&P workflows rather than replacing them, integrating through an open API.

The use-case Sedric is uniquely well-suited to is the one most principals struggle with: monitoring what the AR is actually saying to customers and what the AR is putting in market, at 100% coverage rather than sample, with rule-mapped output the principal can defend in a supervisory visit. This is the capability that lets a principal scale an AR network without scaling its supervision team. For the related Consumer Duty integration see Consumer Duty compliance software.

FAQ

Do we need ARM software if we have ten ARs? At ten ARs, spreadsheets and a structured SharePoint can technically operate the regime — if the firm is disciplined. The case for software is stronger at twenty-plus ARs, and unavoidable at fifty-plus.

Can our existing GRC platform be extended for AR oversight? Sometimes. The risk register and policy management capabilities transfer; the AR-specific workflow, the financial promotion approval and the communications monitoring usually do not.

How does ARM software handle data residency for AR communications? A well-architected platform handles UK GDPR-compliant capture, processing and retention, with regional data residency where required. Confirm the architecture in vendor evaluation.

Does the AR see the platform? Typically yes — the AR has a portal for attestations, FinProm submissions, training, document upload. The principal sees the oversight layer; the AR sees the workflow layer.

What is the implementation timeline? For a network principal, three to nine months end-to-end. Communications monitoring is the most variable component — capture readiness across the AR base drives it.

How does this interact with the SMCR? The platform supports the SMF holder's prescribed responsibility for AR oversight by producing the evidence base. It does not relieve the SMF of accountability. It evidences the discharge of accountability.

Can the platform support the s.166 process if we are subject to one? Yes — by producing the artefact base the skilled person requires. Principals that have continuous-monitoring evidence going into a s.166 are in a meaningfully stronger position than those who have to reconstruct it under deadline.

See the platform behind the buyer's guide

Sedric's appointed representative management capability — register, attestation, financial promotion approval queue, communications monitoring, MI dashboard and complaint integration — is built on the industry's first compliance-dedicated LLM and operates with every flag linked to the specific FCA rule and every override logged with reasoning. It is the platform that lets principal firms scale an AR network without scaling the supervision team. Book a demo.