FCA Section 166 Appointed Representative Reviews: A Practitioner Guide

Sedric Team
Communications

TL;DR — Section 166 of FSMA gives the FCA power to require a regulated firm to commission a "skilled person" to report on a matter — and AR oversight is one of the most common scopes in the post-PS22/11 era. This piece sets out what triggers a s.166 on AR oversight, what scope letters typically cover, what skilled persons look for, what remediation looks like, how principal-firm work-product differs from AR-side work-product, and what the engagement costs.

What section 166 actually does

Section 166 of the Financial Services and Markets Act 2000 allows the FCA to require an authorised firm to provide a report by a skilled person — typically a Big Four firm or a specialist consultancy on the FCA's skilled-person panel — on any matter the FCA specifies. The cost is borne by the firm. The report is delivered to the FCA. The scope is set by the FCA in a scope letter.

In practice s.166 is the FCA's most powerful supervisory tool short of enforcement. It is non-public (unless the firm or the FCA chooses to disclose), it produces a forensic-quality output, and it almost always identifies issues — by design, a scope letter is written when the FCA already has a working hypothesis that something is materially wrong.

The procedural fundamentals practitioners should know:

  • The skilled person is appointed by the firm but accountable to the FCA. The firm cannot direct the work; the skilled person reports to both.
  • The scope letter is the central document. It is non-negotiable in substance but the precise language is sometimes the subject of a brief dialogue with the firm.
  • The skilled person reports in writing. Findings are typically structured around the scope letter's questions, with evidence and recommendations.
  • The FCA receives the final report. The firm receives a copy. There is no formal right of reply to findings the firm disagrees with, though firms regularly produce a management response.
  • Recommendations almost always lead to remediation. The FCA monitors implementation.

Why AR oversight is now a common s.166 scope

Since PS22/11, s.166 has been the FCA's preferred tool for testing principal-firm oversight. There are several reasons.

First, the regime is rule-rich and evidence-heavy. The FCA can articulate a scope letter with clear, testable questions — does the principal evidence the F&P checks, does the principal sample AR communications, does the principal approve the financial promotions. A skilled person can answer those questions definitively from the firm's records.

Second, the issue is typically structural rather than transactional. An individual mis-selling case may be best addressed through past business review or redress. Inadequate oversight is a system issue — the kind of issue s.166 is designed for.

Third, the cost is borne by the firm. The FCA is resource-constrained; s.166 transfers the diagnostic cost to the firm that created the supervisory question.

Fourth, the output is durable. A skilled person report is a written, evidenced, externally-produced document that the FCA can use as the basis for subsequent supervisory action — including variation of permission, attestation requirements, or enforcement referral.

For the underlying oversight expectations being tested, see principal firm oversight obligations.

Common s.166 triggers in the AR context

In 2026, AR-oversight s.166 reviews are most often triggered by one or more of the following:

  • Inconsistent self-assessment. The annual self-assessment narrative is inconsistent with the MI the principal has filed (revenue, complaints, F&P).
  • Complaint pattern. A spike in complaints from customers acquired through one or several ARs, or a FOS pattern at AR level, or a single complaint involving suspected systemic mis-selling.
  • Financial promotion pattern. AR-distributed financial promotions in market that the principal's approval queue does not cover, or where withdrawals have been required.
  • F&P incident. A senior individual at an AR with adverse regulatory history that the principal had not identified, or a senior individual whose conduct produces customer harm.
  • Notification failures. A series of late or absent notifications under PS22/11, suggesting weak governance.
  • Whistleblowing. A whistleblower disclosure to the FCA about AR oversight at the principal.
  • Network-wide pattern. For network principals, a pattern of issues across the AR book that suggests the oversight model rather than any individual AR is the problem.
  • Crystallised customer harm. A market event (an insolvent product, a failed scheme, an issue with a third-party investee) that the AR distributed and the principal did not adequately oversee.

The FCA is explicit that a single trigger is enough. It is also explicit that an issue identified by the principal and notified proactively is treated differently from an issue the FCA identifies first.

Anatomy of an AR-oversight scope letter

A typical s.166 scope letter on AR oversight covers a defined population (the AR book or a sub-set), a defined period (typically two to four years), and a set of testable questions. The structure that has emerged in 2026:

  • Scope of work. Identification of the principal firm, the ARs in scope, the period under review, and the regulated activities covered.
  • Skilled person. Identity of the skilled person, partner-level oversight, conflict declaration.
  • Reporting timetable. Interim findings, draft report, final report.
  • Specific questions. The substantive heart of the letter. Typical questions:
      • Does the principal have an oversight programme commensurate with the size, complexity and risk profile of the AR book?
      • Does the principal evidence operation of that programme during the period?
      • Does the principal's pre-appointment due diligence comply with PS22/11?
      • Does the principal's MI provide the governing body with the information needed to oversee the AR book?
      • Does the principal's complaints function adequately capture, analyse and act on AR-distributed complaints?
      • Does the principal evidence the F&P of senior individuals at the ARs on an ongoing basis?
      • Does the principal approve AR financial promotions consistently with s.21 FSMA and the COBS / CONC / BCOBS / ICOBS / MCOB rulebooks?
      • Does the principal's notification practice comply with the PS22/11 triggers and timelines?
      • Does the principal escalate emerging AR issues to its governing body and to the FCA in a timely manner?
      • Where customer harm has occurred, does the principal's response include adequate redress?
  • Outputs. A written report with findings against each question, a recommendation set with priority and timing, and a remediation roadmap.

A scope letter is not a list of things the FCA wants to learn. It is a list of things the FCA wants to test. The skilled person's job is to test and report.

What the skilled person looks for

In practice, skilled persons run a recognisable methodology in AR oversight reviews:

  • Programme documentation review. Reads the AR oversight policy, the self-assessment, the board papers, the MI design.
  • Population and sampling. Identifies the AR population in scope, samples ARs across tiers, samples senior individuals, samples financial promotions, samples complaints.
  • File reviews. Tests the diligence files on a sample of appointments. Tests the supervisory visit packs on a sample of ARs. Tests the F&P refresh files. Tests the FinProm approvals.
  • Comms sampling. This is the area where most principals have the thinnest evidence. The skilled person samples customer communications — calls, chat, emails, social — and tests whether the principal's monitoring captured what was actually said.
  • MI reconciliation. Reconciles the MI pack to the underlying systems, looking for the gap between what is reported and what the data supports.
  • Governance evidence. Reviews board minutes, committee minutes, and the documented challenge applied to AR oversight reporting.
  • Notification reconciliation. Reconciles the notifications log to the AR register and to the supervisory activity log.
  • Interviews. Interviews the SMF holders, the AR oversight function, the financial promotions team, the complaints team. Tests consistency of message.

The single highest-signal finding is the gap between policy and practice. A defensible policy with inconsistent operation is the most common finding. A policy that is itself inadequate is rarer but more serious. Each finding is rated for severity and the report ties findings to specific recommendations.

The communications sampling work is where firms most often discover what their AR network has actually been doing. This is also where Sedric's monitoring capability removes the gap before the skilled person finds it — see our appointed representative management software buyer's guide for the operating model.

Principal firm work-product vs AR-side work-product

A distinction that catches firms out: the skilled person's mandate runs to the principal, not to the AR. The skilled person looks at the principal's oversight artefacts — what the principal did, what the principal evidenced, what the principal escalated. The AR's own internal work-product is in scope only to the extent the principal has reviewed and acted on it.

Practical implications:

  • The AR's QA file is interesting only to the extent the principal's supervisory programme uses it.
  • The AR's complaints handling is in scope through the principal's complaint integration framework.
  • The AR's marketing creative is in scope through the principal's approval queue.
  • The AR's F&P records are in scope through the principal's F&P refresh programme.

If the principal has been outsourcing oversight to the AR — relying on AR self-assessment, AR-generated MI, AR-confirmed F&P — the skilled person will find that and will record it as a finding. The s.39 transfer of liability cannot be discharged by the AR doing the principal's job.

For the foundational framework the skilled person is testing against, see the FCA appointed representative regime overview.

Remediation expectations and follow-through

A s.166 report generates a remediation programme. The FCA expects the firm to take ownership of the remediation, evidence its completion, and demonstrate sustained operation.

Typical remediation streams that emerge from AR-oversight s.166s:

  • Oversight programme uplift. Tiering, cadence, sampling, MI, board reporting all reviewed and re-baselined.
  • F&P re-papering. Senior individuals at ARs re-checked against the principal's revised standard, with any new findings triaged.
  • FinProm queue reset. All live AR financial promotions re-reviewed; approval queue reset; pre-publication review enforced; communications sampling layered on.
  • Complaints reanalysis. AR-distributed complaints over the review period re-analysed for systemic patterns; redress where applicable.
  • Customer remediation. Where harm has crystallised, a past business review with FCA agreement on methodology and redress.
  • AR book triage. ARs that the principal cannot supervise effectively under the revised programme are terminated, with customer-protection arrangements.
  • Governance changes. Where senior management failure is found, SMF changes; where structural failures are found, board-level changes.

The FCA expects evidence of operation, not just completion. A remediation plan that delivers an updated policy is not remediation; a remediation plan that delivers an updated policy plus three quarters of evidenced operation under that policy is remediation. Many s.166s are followed by a "skilled person check-in" or an attestation requirement at 12 months.

For the underlying due diligence remediation often required, see appointed representative due diligence.

Costs, timing and operational impact

A practitioner-grade view of cost and timing:

  • Skilled person fees. AR-oversight reviews typically run from low six figures for a small principal with a tight scope, to multiple seven figures for a network principal with hundreds of ARs and a complex business model. Sampling, interview load and report complexity drive cost.
  • Internal resource. Skilled persons consume significant internal time — pulling files, populating MI, sitting interviews, reviewing drafts. A 12-month s.166 commonly absorbs 1-3 FTE-equivalent of compliance and operational time at the principal.
  • Timeline. Six to twelve months from scope letter to final report is typical. Larger reviews run longer.
  • Operational impact. Many firms freeze new AR appointments during a review. Some restructure the AR oversight function during the review.
  • Reputational impact. S.166s are non-public by default. Where the FCA chooses to publicise, or where firms have to disclose in audited accounts or to commercial counterparties, reputational impact follows.
  • Banking impact. Some banks have de-risked principals during or after AR-oversight s.166 work. The financial cost of debanking can exceed the s.166 cost.
  • Follow-on action. A finding-rich report can lead to a variation of permission, an attestation, an asset requirement, or enforcement referral. The s.166 itself is not the end-point.

How to prepare before the FCA writes the scope letter

By the time the scope letter arrives, preparation options are limited. The defensible position is to anticipate the scope letter.

The proactive moves principals make:

  • Run an internal s.166-style review against the FCA's published expectations and against TR16/6 and the 2022 Dear CEO letter, using internal audit or an external advisor.
  • Test the gap between policy and practice yourself — sample communications, sample files, sample F&P refreshes — before the skilled person does.
  • Reconcile the self-assessment narrative to the MI and the underlying data, every reporting cycle.
  • Build a single artefact repository — the FCA does not give bonus marks for "we have it but it's in five places."
  • Surface emerging issues to the FCA voluntarily. The firm that brings the issue is treated very differently from the firm the issue is brought to.
  • Make sure the MI dashboard the board sees is the same MI dashboard the AR oversight team operates from.

The single best mitigation is real-time monitoring of AR activity and a defensible artefact base. Principals that operate with retrospective evidence collection always find gaps in a s.166. Principals that operate with continuous evidence collection rarely do.

FAQ

Is a s.166 review the same as enforcement? No. S.166 is a supervisory tool. It can lead to enforcement, but the s.166 itself is not enforcement. Many firms have a s.166 outcome that is then resolved through supervisory engagement and remediation.

Can the firm choose the skilled person? The firm proposes from the FCA's panel; the FCA approves. Realistically the firm has some choice but the FCA can decline a proposed nomination and frequently does where it sees a conflict.

Are s.166 reports made public? Not by default. The FCA has discretion to publish; firms have discretion to disclose. Most s.166 reports remain non-public.

What is the relationship between s.166 and SMCR? S.166 findings on individual senior managers can feed SMCR enforcement and accountability decisions. Where individual conduct failures are found, the FCA can pursue the SMF individually as well as the firm.

Can the firm negotiate the scope letter? Substantively limited. The firm can clarify language, surface practical concerns about sampling or population, and request realistic timelines. The substantive questions are the FCA's call.

Does the s.166 cost get reported anywhere? It is borne by the firm and is a cost in the P&L. Listed firms may disclose if material. Auditors may inquire. Banks providing wholesale facilities sometimes inquire.

How long until the FCA closes the matter after the final report? Variable. A clean report with manageable findings can close in months once remediation is evidenced. A finding-rich report can run for years through follow-on supervisory action.

Benchmark the gap before the FCA writes the scope letter

If reading this list has surfaced patterns that look like a s.166 trigger, Sedric's free Enforcement Risk Scorecard is a 12-question diagnostic — including AR oversight depth, FinProm coverage, complaints integration, F&P refresh cadence, communications monitoring and board reporting — that returns a written risk profile within 24 hours, modelled on the patterns the FCA has tested in recent AR-oversight skilled-person work. Take the Enforcement Risk Scorecard.
