The FCA Appointed Representative Regime in 2026: A Practitioner Overview

TL;DR — The appointed representative regime is now four years into a structural overhaul. PS22/11 changed the day-to-day operating burden for principal firms, the FCA's supervisory model has shifted from periodic thematic review to continuous data collection, and enforcement against principals — not just against the ARs themselves — has become a credible regulatory tool. This piece sets out what the regime now looks like in steady state, what changed under PS22/11, and what a 2026 supervisory visit looks like for a principal firm with a meaningful AR book.

Table of contents

• The regime in one paragraph
• Why s.39 FSMA is the part that matters
• What PS22/11 actually changed
• The annual self-assessment and notifications regime
• Network principals: the additional obligations
• Enforcement themes 2023-2026
• What a 2026 supervisory visit looks like
• A practitioner checklist
• FAQ

The regime in one paragraph

An appointed representative is an unauthorised person who carries on regulated activities under a written contract with an authorised firm — the principal — that has accepted full regulatory responsibility for everything the AR does within the scope of that contract. The statutory hook is s.39 of the Financial Services and Markets Act 2000. Everything else — SUP 12, PS22/11, the Dear CEO letter, the annual self-assessment, the network principal rules — is regulatory architecture built on top of that one statutory transfer of liability. The principal is on the hook for the AR's conduct, the AR's financial promotions, the AR's complaints, and the AR's regulatory breaches. The FCA does not authorise the AR. The FCA holds the principal.

Why s.39 FSMA is the part that matters

Practitioners sometimes treat the AR regime as a SUP 12 problem. It is not. SUP 12 is the rulebook; s.39 FSMA is the liability. The provision says that anything the AR does in the carrying on of business for which the principal has accepted responsibility is to be treated as done by the principal. That is a statutory transfer, not a contractual indemnity. A principal cannot contract out of it, cannot delegate it to the AR, and cannot reduce it by adding indemnity language.

Three consequences flow from that:

• Conduct of business rules apply at the principal level. If the AR mis-sells, the principal has mis-sold. If the AR issues a non-compliant financial promotion, the principal has issued a non-compliant promotion. The FCA can take action against the principal for the AR's conduct without ever taking action against the AR.
• Financial accountability sits with the principal. Customer redress, FOS awards, FSCS contributions and FCA financial penalties are payable by the principal even where the loss-causing conduct was carried out by an AR the principal had only superficial oversight of.
• Senior Managers Regime accountability runs to the principal's senior managers. The SMF16 (Compliance Oversight) of the principal is accountable for compliance with the regulatory regime as it applies to AR activity. The Prescribed Responsibility for the AR oversight programme — where applicable — sits with a named senior manager. There is no AR-side SMCR to absorb that accountability.

If you remember nothing else from this section, remember this: every AR is a regulatory limb of the principal. Treat it accordingly.

What PS22/11 actually changed

The FCA's December 2022 policy statement on AR regime improvements — PS22/11 — was the most significant change to the regime since FSMA itself. It bedded in across 2023 and is now the operating baseline.

The headline changes:

• Annual self-assessment. Every principal must produce, at least annually, a written self-assessment that records the firm's oversight arrangements, evidences they are operating effectively, identifies gaps, and is reviewed and approved by the principal's governing body. The FCA can request it at any time.
• Annual revenue and complaint data return. Principals must now report, annually, the regulated and non-regulated revenue generated by each AR and the complaints volume per AR. This populates the FCA's data-driven supervisory model.
• Notification triggers expanded. A principal must notify the FCA at least 30 calendar days before appointing an AR (Form REP025 for the AR notification, plus the application for individual approvals where required). Termination notifications, complaint-volume changes, and changes in regulated activities also trigger notification within prescribed periods.
• Due diligence requirements made explicit. Principals must conduct pre-appointment due diligence proportionate to the proposed business and document the evidence base. See our deep dive on appointed representative due diligence.
• Ongoing oversight made explicit. Principals must oversee AR activity on a continuous basis, with the level of oversight proportionate to the size and complexity of the AR book and the inherent risk of the regulated activities being conducted.
• Termination obligations strengthened. Where the FCA expects a principal to terminate an AR — for fitness and propriety reasons, conduct reasons, financial reasons — there are notification timelines and customer-protection obligations.

The Appointed Representatives (Amendment) Regulations 2022 sit alongside PS22/11 and modify the FSMA exemption regime to enable the rule changes. Read together, the two instruments are the legal basis for the 2026 operating model.

The annual self-assessment and notifications regime

The annual self-assessment is the central artefact of the 2026 regime. It is the document the FCA will ask for first in any supervisory engagement. A defensible self-assessment, at minimum, will:

• List every AR by name, FRN, scope of appointment, regulated activities, customer numbers, regulated revenue and complaint volume.
• Document the firm's oversight programme — supervisory visits, file reviews, financial promotion approvals, MI reviews, F&P re-checks, complaint integration.
• Evidence operation of the programme during the reporting period — completed visits, file review samples, approvals queue throughput, MI reviewed, F&P re-checks completed.
• Identify control failures, near-misses, and gaps; document remediation; name owners.
• Record changes in the AR book — new appointments, terminations, scope changes, business model changes — and the rationale.
• Be reviewed by a senior committee or the board, with minutes evidencing genuine challenge.
• Be signed by the SMF16 or the senior manager holding the Prescribed Responsibility for AR oversight.

The notifications regime works alongside the self-assessment. Notification triggers that catch firms out:

• Appointment of a new AR — 30 calendar days advance notice.
• Change in the regulated activities of an existing AR — notification required.
• Termination of an AR — notification required, with reason.
• AR complaint volumes outside historic norms — supervisory engagement likely.
• Material change in AR financial position — escalation expected.
• Senior individual at the AR resigning or being dismissed for conduct reasons — F&P notification likely.

The single most common supervisory finding under PS22/11 is a notification that should have been made and wasn't — or one that was made late.

Network principals: the additional obligations

A principal with 50 or more ARs, or with ARs generating £1m or more in non-regulated revenue, falls into the "network principal" definition the FCA uses operationally. The rule book does not use that term as a defined category in SUP 12, but the supervisory expectations are real and the FCA applies them.

For network principals, the additional expectations in steady state for 2026:

• A dedicated AR oversight function. Not a "compliance person who looks after ARs" but a defined function with sufficient seniority, resource and budget. The FCA has been explicit that the function's headcount must scale with the size of the AR book.
• Risk-tiered supervision. ARs segmented into supervisory tiers based on regulated activity, customer base vulnerability, complaint history, MI quality, and any prior conduct issues. Tier-1 ARs (highest risk) receive higher-touch supervision than Tier-3.
• Centralised financial promotion approval. Network principals are expected to approve every AR financial promotion, with a documented approval queue, named approvers, and an audit trail. Approval is not a rubber stamp.
• Customer complaint integration. The principal's complaints function must capture, log and root-cause every customer complaint about an AR, irrespective of where the complaint was first lodged. See our work on principal firm oversight obligations.
• MI dashboard. Network principals are expected to maintain a real-time MI dashboard covering AR-level revenue, complaints, customer outcomes, financial position, F&P status, and supervisory activity. The dashboard must be reviewable by the governing body.
• AR communications monitoring. Where ARs communicate with customers (calls, chat, email, social media), the principal is expected to have a means of sampling that communication. This is the part the FCA has been most explicit about since the Consumer Duty's January 2024 outcome reporting kicked in.

Enforcement themes 2023-2026

The FCA has used the AR regime as a supervisory test bed since PS22/11 came into force. The enforcement and supervisory themes that have emerged:

• Inadequate oversight at the principal. [Verify with Reg Lookup] Multiple principals have been the subject of supervisory action — including variation of permission, attestation requirements, and skilled-person reviews — where the FCA has concluded oversight was a paper exercise rather than an operating control.
• Financial promotion failings via ARs. ARs distributing non-compliant promotions in mortgages, general insurance and investment advice, with the principal as the party held to account.
• Consumer Duty failings flowing through ARs. Where AR conduct produced poor consumer outcomes, the FCA has held the principal accountable for Duty failings — not the AR.
• F&P failings. Senior individuals at ARs whose F&P had not been adequately re-tested by the principal, with the principal sanctioned for the failure to refresh.
• Late or absent notifications. Notifications made after the event, or not made at all, treated as a stand-alone breach.
• Debanking and de-risking. Banks declining to provide banking services to principals with weak AR oversight, as the banks themselves face supervisory pressure on financial crime controls in correspondent and adjacent activities.

The FCA's December 2024 update on AR oversight (and subsequent communications through 2025) reiterated that the AR regime remains a supervisory priority and that enforcement against principals — not the ARs — is the FCA's preferred deterrent.

What a 2026 supervisory visit looks like

A 2026 FCA visit to a principal firm with a material AR book follows a recognisable pattern. The typical request list includes:

• The most recent annual self-assessment, with the board pack that approved it.
• The AR register, including FRN, scope, appointment date, business model and tier.
• The pre-appointment due diligence file for a sample of recent appointments.
• The supervisory visit schedule and completed visit packs for a sample.
• The financial promotions approval log for the last six months.
• The complaint log filtered to AR-distributed business, with root-cause analysis.
• The MI pack for the last quarter, with evidence of governance review.
• The F&P refresh file for senior individuals at a sample of ARs.
• The notification log — every notification made to the FCA, with timing.
• Records of any AR terminations, with reasons and customer-protection actions.
• Communications samples — where the FCA wants to look at what ARs are saying to customers.

The conversation that follows is rarely about whether the documents exist. It is about whether the evidence inside the documents is consistent — whether the self-assessment reflects what the MI shows, whether the financial promotion approvals reflect what the comms samples show, whether the F&P refresh file reflects what the complaints log shows. Inconsistency is the finding the FCA is hunting for, because inconsistency suggests the controls are decorative.

For a deeper view on the skilled-person process when supervision escalates, see our FCA section 166 appointed representative guide.

A practitioner checklist

• Confirm the AR register is current, complete, and reconciled to the FCA register at FRN level.
• Confirm the annual self-assessment is current, signed by the SMF and reviewed by the governing body within the last 12 months.
• Reconcile the self-assessment narrative to the underlying MI — revenue, complaints, F&P status, oversight cadence.
• Reconcile the notifications log to the AR register — every appointment, termination, scope change in the period accounted for.
• Sample the financial promotion approval queue — verify that every AR-distributed promotion ran through a named approver and is logged with the approval rationale.
• Sample the supervisory visit packs — verify that observations, findings and remediation tracking are documented, not just visit dates.
• Sample the complaints log filtered to AR business — verify root-cause analysis and read-across to the principal's product governance.
• Review the AR communications monitoring framework — what gets captured, what gets sampled, who reviews, what gets escalated.
• Review the AR oversight function's resourcing — headcount, seniority, budget — against the size and complexity of the AR book.
• Confirm the board pack for AR oversight contains forward-looking risk indicators, not just backward-looking activity counts.

FAQ

What is the difference between an AR and an IAR (introducer appointed representative)? An IAR is an AR whose scope is limited to introducing customers to the principal and providing information that does not amount to advice. IARs are subject to a lighter version of the same s.39 transfer of liability. The principal is still on the hook.

Does the AR regime apply to overseas activity? The s.39 transfer applies to regulated activities carried on in the United Kingdom. Overseas activity by a UK AR can still be in scope where the activity has a UK nexus — see SUP 12 for the territorial scope.

Can a single firm be both an AR and a principal? Yes, but rarely. A firm with sufficient permissions to be a principal generally has its own authorisation and does not need to act as an AR. The exception is in some network structures where a sub-principal model operates.

What is the difference between an AR and an Employee? An employee acts under the employer's direct contract of employment and is the employer's own agent. An AR is a separate legal entity acting under a written principal-AR contract. The s.39 transfer applies only to the AR.

How does the Consumer Duty apply through the AR chain? The Duty applies to the principal firm directly. The principal is responsible for delivering Duty outcomes for customers acquired through ARs. The AR is not separately accountable to the FCA for the Duty — the principal is.

Does an AR need to comply with COBS? The AR's activity must comply with COBS as applied by the principal. The principal is regulatorily responsible for compliance. The AR is contractually obliged via the principal-AR contract.

What is the role of the Senior Managers Regime in AR oversight? The SMF16 (Compliance Oversight) generally holds the prescribed responsibility for compliance with the AR regime. Many principals also allocate a specific oversight responsibility to a named senior manager — sometimes a Head of AR Oversight reporting to the SMF16.

See your AR oversight evidence as the FCA will see it

A 2026 supervisory visit is no longer a documentation review — it is a consistency test across self-assessment, MI, communications samples and notifications. Sedric is the AI-native platform that monitors 100% of AR customer communications, marketing assets and partner activity, surfaces risks at the principal level in real time, and feeds the evidence base your annual self-assessment depends on. Every flag is linked to the specific SUP 12 or COBS rule it engages, every override is logged with reasoning, and the platform produces the artefacts an FCA supervisor expects to see. Book a demo.