Appointed Representative Due Diligence: A PS22/11 Checklist and Methodology
TL;DR — Pre-appointment due diligence is no longer a formality. Under PS22/11, the FCA expects a principal firm to evidence — at the level of senior individuals, the business model, the financial position and the control environment — that the proposed AR can carry on regulated activity safely under the principal's supervision. This piece sets out a working methodology, a 30-item checklist and the documentation file the FCA expects principals to retain.
Why pre-appointment due diligence is now an FCA evidentiary test
Before PS22/11, due diligence was implied by SUP 12 and inconsistently practised. The 2022 Dear CEO letter and the PS22/11 final rules made the expectation explicit: a principal must conduct due diligence proportionate to the AR's proposed business, and must retain the evidence base.
The shift is from "the AR represented to us that" to "we verified that, from this source, on this date, signed off by this senior individual." The standard the FCA applies on review is whether a third party, looking only at the documentation file, could reconstruct the reasoning that led to the appointment. If the file does not support reconstruction, the file is inadequate.
Three operational implications follow:
- Templates and tick-box forms do not survive review.
- AR self-attestations are starting points, not evidence.
- Decision-maker accountability — who signed off, when, on what evidence — must be named and dated.
The diligence file is the artefact that decides whether an appointment is defensible in a supervisory review or a section 166 exercise.
The PS22/11 due diligence framework
PS22/11 does not prescribe a methodology. It prescribes outcomes — the principal must be able to evidence, at the point of appointment, that:
- The proposed AR can carry on the proposed regulated activity competently.
- The senior individuals at the AR meet F&P standards.
- The AR has adequate financial resources for the proposed business.
- The AR's control environment is consistent with the principal's regulatory obligations.
- The risk to customers and to the principal is understood and acceptable.
In practice, a working methodology covers five workstreams: F&P, financial soundness, business plan, regulatory and integrity screening, and controls assessment. Each workstream produces evidence; each evidence pack is signed off by a named senior individual; the aggregate evidence supports a documented appointment decision approved at the appropriate governance level.
The full operating context is set out in our FCA appointed representative regime overview.
Fitness and propriety: at the level of named senior individuals
F&P at the AR level is meaningless. F&P at the named individual level — every senior individual the AR will deploy on the regulated activity — is the standard.
The 2026 working standard for each senior individual:
- Identity verification. Photo ID and proof of address verified from source, retained on file.
- Regulatory register check. FCA register, FOS published decisions, FSCS published cases, PRA register where applicable, register history (any previous firms, dates, scope).
- Criminal record disclosure. Standard or enhanced DBS check where role permits; equivalent overseas check where the individual has overseas history.
- Credit history. Reputable credit reference report — county court judgments, bankruptcy, IVA, defaults.
- Sanctions screening. OFSI list, UN, EU, US OFAC and equivalent — and the screening repeated at the level of the individual, not just the legal entity.
- Adverse media. A documented search against major and trade press for the period set by your retention policy, with adverse findings investigated.
- Employment and qualification verification. Last three roles verified with prior employers; SPS / RDR qualifications verified at source where applicable; supplementary qualifications and CPD evidenced.
- References. Two regulatory references where the individual has been a senior manager elsewhere, retained on file. The regulatory reference is the SMCR document; it is not optional.
- Conflicts disclosure. Self-declaration of conflicts, related parties, outside business interests — verified against other workstreams.
- Sign-off. A named senior manager at the principal signs off the F&P pack with documented reasoning.
Two implementation notes. First, regulatory references for individuals moving between firms within scope of the SMCR are a SYSC 22 requirement and the AR's senior individuals will often be in scope. Second, the F&P file is a living document — it forms the baseline for ongoing F&P re-checks once the AR is appointed.
Financial soundness: not just an account check
The PS22/11 reforms explicitly require principals to assess the AR's financial soundness in proportion to the proposed business. The standard is not "is the company solvent" but "can the AR sustain the business model the principal will rely on?"
A 2026 working financial assessment:
- Filed accounts. Last two filed sets at Companies House, reconciled to management accounts.
- Management accounts. Current management accounts not more than three months old; cash position; working capital; debtor and creditor profile.
- Forecast. A 12-24 month forecast for the business under the principal's supervision; assumptions documented; sensitivity to the regulated business.
- Capital structure. Equity, debt, related-party balances, intercompany positions. For groups, the AR's position within the group.
- Owner finances. Where the AR is owner-managed, the owners' personal finances should be assessable — bankruptcy is an F&P trigger.
- Insurance. PII at appropriate limits, fidelity and crime cover where relevant, expiry dates and renewals tracked.
- Banking. Banking relationship verified — including any history of facility withdrawal, which can be a flag for AML or financial-crime risk.
- Tax. No outstanding HMRC issues; current with VAT and PAYE; any tribunal history.
For higher-tier ARs — particularly those with significant non-regulated revenue or complex group structures — a forensic accountant review is increasingly common. The cost is small compared to the cost of an AR financial failure mid-supervision.
Business plan review: what the AR will actually do
The principal needs to be able to describe, in writing, what the AR will do, for whom, by what means, generating what revenue, and at what conduct risk. The business plan review is where that description gets built.
Components:
- Target market. Customer segments, vulnerability profile, geographic scope, distribution channel.
- Product set. Specific products the AR will distribute, with reference to the principal's product governance approvals.
- Distribution. How the AR acquires customers — own marketing, third-party introducers, network referrals, embedded channels. Where the AR uses its own ARs (sub-principal models), the chain needs explicit mapping.
- Revenue model. Fee, commission, hybrid; reconciled to the principal's permitted commission structures and to PROD / Consumer Duty fair value.
- Volumes. Expected customer numbers, expected revenue, ramp profile.
- Staffing. Senior individuals named, advisory staff named, support staff sized.
- Premises and infrastructure. Where the regulated activity will be conducted; IT environment; data handling; record retention.
- Customer journey. From first contact through advice / sale / complaint, with control points mapped to the principal's policies.
- Marketing approach. What media, what content, what approval process. Reconcile to financial promotions rules 2026 and to COBS 4.
- Risk assessment. The AR's own assessment of conduct risk, with the principal's view recorded.
The business plan is the document the principal then supervises against. A vague business plan produces unsupervisable AR activity. A specific business plan produces a clear test of compliance.
Regulatory history, sanctions and AML screening
A separate workstream covers regulatory and integrity screening at the legal entity level — distinct from the senior-individual F&P workstream.
- FCA register at FRN level. Existing permissions, prior permissions, prior status, any prior AR relationships.
- Variations of permission and withdrawals. Any history of FCA action, including supervisory engagement and own-initiative variation.
- Past relationships. Prior principal relationships and the reason for termination — pull and verify with the prior principal, not just with the AR.
- Sanctions. OFSI, EU, UN, US OFAC, with documented search outputs retained.
- AML / financial crime. Money laundering risk assessment of the AR as a customer relationship — beneficial ownership, source of funds for the business, transaction profile expectations.
- HMRC and litigation. Court records, tribunal records, insolvency records, employment tribunal records.
- Trading style names. All trading styles the AR uses; reconcile to FCA register; ensure marketing under each trading style is captured by the principal's approval queue.
The AR's prior principal relationships are one of the highest-signal pieces of evidence and one of the most often skipped. A prior principal that terminated for conduct reasons is a flag the FCA expects the incoming principal to have considered. The TR16/6 thematic review is still cited in 2026 supervisory work — "AR hopping" between principals is one of the patterns the FCA actively scans for.
Control environment assessment
A principal cannot supervise activity that is operationally chaotic. The control environment assessment establishes whether the AR has the controls to operate within the principal's framework.
Components:
- Senior management responsibilities. Internal allocation of responsibilities at the AR, named individuals, reporting lines.
- Policies and procedures. Customer-facing policies (complaints, vulnerability, customer due diligence), conduct policies, marketing policies. Reconcile to the principal's group.
- Record keeping. Customer file structure, call recording, chat retention, email retention. Reconcile to the principal's record retention requirements.
- Training. Initial training, ongoing CPD, evidence of completion.
- Internal monitoring. Whether the AR has any first-line QA, supervisory review or compliance function of its own.
- Data and IT. GDPR data flows; data processor relationship between AR and principal where customer data flows; cyber posture at a level appropriate to the AR's customer base.
- Outsourcing. Any material outsourcing by the AR that affects regulated activity — assessable by the principal under the principal's outsourcing framework.
Once the AR is appointed, the control environment becomes the operating substrate for the principal's ongoing supervisory programme. See principal firm oversight obligations for what that programme then looks like.
The documentation file the FCA expects
A defensible appointment file in 2026 contains:
- The signed principal-AR contract.
- The completed application form (the principal's internal form).
- The F&P pack for each senior individual, with source documents and the sign-off note.
- The financial soundness pack with supporting accounts and the sign-off note.
- The business plan and the principal's review note.
- The regulatory and integrity screening pack with documented searches and the sign-off note.
- The control environment assessment with the gap remediation plan where applicable.
- The risk rating decision — the tier assigned to the AR, with the rationale.
- The customer due diligence / AML file on the AR as a relationship.
- The board / committee minute approving the appointment, with documented challenge.
- The FCA notification (Form REP025 / appointment notice) lodged at least 30 calendar days in advance.
- The post-appointment go-live checklist — first supervisory visit scheduled, first MI cycle, first F&P refresh date set.
The file should be in a single retrievable location, indexed, and producible on request. Paper files and email-attachment archives produce gaps. Single-system files do not.
A 30-item pre-appointment checklist
- AR legal name, FRN (if existing), Companies House number and trading styles all verified.
- AR ultimate beneficial owners identified and sanctions-screened.
- Principal-AR contract drafted, reviewed by counsel, and reflects PS22/11.
- Scope of appointment narrowly defined and aligned to the principal's permissions.
- Each senior individual at the AR identified, named, role-mapped.
- F&P pack completed per senior individual — ID, register, criminal, credit, sanctions, adverse media, employment, qualifications, references.
- Regulatory reference under SYSC 22 obtained for each in-scope individual.
- Financial soundness pack completed — accounts, management accounts, forecast, capital structure, owner finances, insurance, banking, tax.
- PII at appropriate limit verified and renewal tracked.
- Business plan documented at sufficient specificity to supervise against.
- Target market reconciled to the principal's product governance.
- Distribution channels mapped, including any sub-channel or third-party introducer relationships.
- Marketing approach reconciled to FinProm approval queue ownership.
- Customer journey mapped to control points.
- Regulatory history pack completed at AR FRN level and at trading style level.
- Prior principal relationships verified with prior principals — not just with the AR.
- AML / financial crime risk assessment of the AR as a relationship completed.
- Tax, litigation and tribunal record reviewed.
- Control environment assessed — policies, record keeping, training, monitoring, IT, outsourcing.
- Customer file template, call recording and chat retention reconciled to principal record retention.
- Data processing agreement in place between principal and AR.
- Risk tier assigned with documented rationale.
- Initial supervisory cadence determined and diarised.
- First financial promotion approval workflow set up.
- First MI cycle defined — what the AR will report, on what cadence.
- First F&P refresh date diarised.
- Customer redress liability and FOS exposure modelled.
- Appointment approved at the correct governance level, with documented challenge.
- Form REP025 / appointment notification lodged at least 30 calendar days in advance.
- Post-go-live review diarised at 90 days.
FAQ
Is a regulatory reference under SYSC 22 always required?
For individuals moving from one SMCR firm to another, yes. For senior individuals at an AR who fall within the SMCR for the principal's purposes, yes. The reference is a regulatory document, not a courtesy.
Can the AR fund its own due diligence?
The cost can be charged but the work is the principal's responsibility. The principal cannot rely on the AR's procurement of the diligence work; the principal must commission, review and sign off.
How long should pre-appointment due diligence take?
For a higher-tier AR with multiple senior individuals, four to eight weeks is typical. Compressed timelines correlate with gaps. The 30-day pre-notification window is a floor, not a target.
What is the role of the SMF holder in the appointment decision?
The SMF holding the prescribed responsibility for AR oversight (where applicable) signs off the appointment decision. The SMF16 (Compliance Oversight) signs off the compliance assessment. The SMF1/SMF3 retains executive accountability.
Do we need a separate diligence file for an IAR?
Yes, but the scope and depth scale to the IAR's narrower scope. F&P, financial soundness, regulatory history and a focused business plan review remain mandatory.
What is "AR hopping" and why does it matter?
The pattern of an AR moving between principals after a termination, with the new principal unaware of the prior principal's concerns. Verifying with the prior principal is the control. The FCA has been explicit since TR16/6 that this is a pattern principals must screen for.
How long do we retain the diligence file?
At least the duration of the appointment plus the principal's general regulatory retention period — typically six years from termination, with some categories retained longer.
Audit the marketing the AR plans to put in market
The diligence file is one half of the answer. The other half is the financial promotions the AR will distribute under your name from day one. Sedric's free Marketing Comms Audit will take up to ten of the AR's draft assets — websites, social, email, customer scripts — and return a written report within 24 hours, scored against COBS 4 / CONC 3 / BCOBS 2 / ICOBS 2 / MCOB 3A as applicable, the Consumer Duty consumer-understanding outcome, and the principal-firm liability the s.39 transfer puts on you. Every flag is linked to the specific rule.