Principal Firm Oversight Obligations: What Effective Oversight Means in FCA Enforcement Vocabulary

Sedric Team
Communications

Principal Firm Oversight Obligations: What the FCA Means by Effective Oversight

TL;DR — The FCA's word for what principal firms must do over their ARs is "effective oversight." It is not defined in SUP 12. It has been defined by enforcement. This piece sets out what effective oversight means in the FCA's working vocabulary in 2026 — supervision frequency, MI, financial promotion approval, complaint integration, F&P re-checks, escalation triggers, board reporting — and what the gap looks like when a principal gets it wrong.


Why "effective oversight" is an enforcement test

The phrase "effective oversight" appears in PS22/11, the 2022 Dear CEO letter, the FCA's annual update on AR work, and every Final Notice that has touched the AR regime. It is not defined. The FCA's working definition has emerged from a series of supervisory and enforcement outcomes which together establish what the regulator counts as evidence that oversight is operating.

The components the FCA assesses are:

  • Cadence — how often does the principal interact with each AR in a supervisory capacity?
  • Coverage — do supervisory activities reach across the AR's regulated activity, not just a slice?
  • Depth — are supervisory activities meaningful (file reviews, communications samples, customer outcome testing) or superficial (questionnaires, attestations)?
  • Action — when supervision finds something, does the principal act on it?
  • Documentation — is the activity and the action evidenced?

The underlying principle is substance over form. The form of an oversight programme (the policies, the templates, the calendar) is necessary but not sufficient. The substance, meaning what the supervision actually discovered and what the principal then did about it, is the test. The Dear CEO letter of 2022 was unambiguous about this. Principal firms that confuse activity with control are firms with a supervisory problem in waiting.

Supervision frequency: what cadence does the FCA expect?

SUP 12 does not prescribe a frequency. The 2026 working expectation, derived from supervisory engagement and enforcement, is that supervision should be risk-tiered against the AR's regulated activity, customer base and prior conduct history.

In practice this means:

  • Tier 1 — higher risk. ARs advising retail customers on investment, mortgage or insurance products; ARs with a prior conduct or complaints record; ARs with material non-regulated revenue from related activities. Cadence: at least quarterly on-site or remote supervisory engagement; monthly MI review at the principal; financial promotion approval per asset; calls or chat sampling monthly.
  • Tier 2 — medium risk. Established ARs with a stable customer base, in scopes other than retail advice. Cadence: semi-annual supervisory visit; monthly MI review; financial promotion approval per asset; comms sampling quarterly.
  • Tier 3 — lower risk. Introducer ARs (IARs) or ARs with a narrow scope and de minimis customer interaction. Cadence: annual supervisory visit; quarterly MI review; financial promotion approval per asset; comms sampling on a risk-triggered basis.

Two things are worth flagging. First, the tier cadence is a floor, not a ceiling. An AR that is tier 2 on paper but is producing complaints data that suggests tier 1 risk is a tier 1 supervision case until proven otherwise. Second, the FCA expects the tiering to be defensible: documented, dated, and based on data the firm can produce.

For the foundational regime context, see our FCA appointed representative regime overview.

Management information: the dataset that defines the regime

If there is one operating asset the FCA expects a principal firm to be able to produce on demand, it is a working MI pack covering the AR book. The pack must, at minimum, cover:

  • AR register reconciliation. Every AR by FRN, scope, appointment date, status. Reconcile to the FCA register at least quarterly.
  • Revenue. Regulated and non-regulated revenue per AR per period. The non-regulated piece is one of the metrics PS22/11 made mandatory — track it.
  • Complaints. Volume, type, root cause, resolution, FOS escalation, redress paid. Filterable to AR level.
  • Customer outcomes. For Consumer Duty firms, the Duty outcome metrics filtered to AR-distributed business — product, price, understanding, support.
  • F&P status. Senior individuals at each AR with the date and outcome of the most recent F&P check.
  • Supervisory activity. Visits completed, file reviews completed, communications samples reviewed, financial promotions approved, all filterable to AR.
  • Notifications. Notifications made to the FCA in the period, with timing and reason.
  • Financial soundness. Most recent management accounts or filed accounts for each AR; capital position; any covenant breaches or financial distress indicators.

The MI pack is the basis of the annual self-assessment. It is also the first thing a skilled person under section 166 will ask for. Firms that produce the MI pack from spreadsheets reconciled monthly are firms that produce inconsistent MI. Firms that produce it from a single system of record produce defensible MI.
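As an added illustration of two points above, register reconciliation against the FCA register and the rule that complaints data can push an AR above its paper tier, the following Python is example code written for this page, not Sedric's product or any FCA tooling. It reconciles a constructed internal AR register against a constructed FCA register extract, flags drift by FRN (unregistered ARs, unnotified terminations, unnotified scope changes), and uplifts an AR to tier 1 when its complaints outgrow its paper tier. The schema, the FRNs, the 5-complaint / 1.5x uplift threshold and the cadence table are assumptions for illustration, not FCA rules.

```python
"""Register reconciliation and complaints-driven tier override (added example).

All records below are constructed for illustration. Field names, FRNs,
thresholds and the cadence table are assumptions, not FCA requirements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ARRecord:
    frn: str
    name: str
    scope: str               # regulated activity scope as recorded by the principal
    status: str              # "active" or "terminated"
    paper_tier: int          # tier from the principal's risk model (1 = highest risk)
    complaints_ytd: int
    complaints_prior_ytd: int


# Constructed internal register (assumed schema, single system of record).
INTERNAL_REGISTER = [
    ARRecord("100001", "Alpha Advisers", "retail investment advice", "active", 1, 4, 3),
    ARRecord("100002", "Beta Mortgages", "mortgage advice", "active", 2, 12, 5),
    ARRecord("100003", "Gamma Intro", "introducer", "active", 3, 0, 0),
    ARRecord("100004", "Delta Insurance", "insurance distribution", "terminated", 2, 1, 2),
]

# Constructed FCA register extract: frn -> (status, scope). Assumed format.
FCA_EXTRACT = {
    "100001": ("active", "retail investment advice; mortgage advice"),  # scope drift
    "100002": ("active", "mortgage advice"),
    "100003": ("active", "introducer"),
    "100004": ("active", "insurance distribution"),  # termination not yet on FCA register
    "100005": ("active", "credit broking"),          # AR the principal does not hold
}

# Assumed cadence table, mirroring the tiering described in the article.
CADENCE = {
    1: {"visit": "quarterly", "mi_review": "monthly", "comms_sampling": "monthly"},
    2: {"visit": "semi-annual", "mi_review": "monthly", "comms_sampling": "quarterly"},
    3: {"visit": "annual", "mi_review": "quarterly", "comms_sampling": "risk-triggered"},
}


def reconcile(internal, fca):
    """Compare the internal register to the FCA extract by FRN and return drift."""
    internal_by_frn = {r.frn: r for r in internal}
    findings = {"missing_from_fca": [], "not_in_internal": [],
                "status_mismatch": [], "scope_mismatch": []}
    for frn, rec in internal_by_frn.items():
        if frn not in fca:
            findings["missing_from_fca"].append(frn)
            continue
        fca_status, fca_scope = fca[frn]
        if fca_status != rec.status:
            findings["status_mismatch"].append(frn)   # e.g. termination not notified
        if fca_scope != rec.scope:
            findings["scope_mismatch"].append(frn)    # e.g. scope change not notified
    for frn in fca:
        if frn not in internal_by_frn:
            findings["not_in_internal"].append(frn)   # FCA shows an AR we do not track
    return {k: sorted(v) for k, v in findings.items()}


def effective_tier(rec, min_complaints=5, uplift_ratio=1.5):
    """Tier 1 until proven otherwise when complaints outgrow the paper tier.

    Thresholds are assumptions: at least `min_complaints` this year and at
    least `uplift_ratio` times the prior-year figure.
    """
    uplift = (rec.complaints_ytd >= min_complaints
              and rec.complaints_ytd >= uplift_ratio * rec.complaints_prior_ytd)
    return 1 if uplift else rec.paper_tier


def supervision_plan(internal):
    """Per-AR plan: paper tier, effective tier, whether uplifted, and cadence."""
    plan = {}
    for rec in internal:
        tier = effective_tier(rec)
        plan[rec.frn] = {"name": rec.name, "paper_tier": rec.paper_tier,
                         "effective_tier": tier, "uplifted": tier < rec.paper_tier,
                         **CADENCE[tier]}
    return plan


if __name__ == "__main__":
    for finding, frns in reconcile(INTERNAL_REGISTER, FCA_EXTRACT).items():
        print(f"{finding}: {frns}")
    for frn, entry in supervision_plan(INTERNAL_REGISTER).items():
        print(frn, entry)
```

Every finding the reconciliation returns is a notification question (was the termination, appointment or scope change notified, and when?), and every uplift is a dated, data-backed tiering decision of the kind the FCA expects the firm to be able to produce. The thresholds are the part to replace with the firm's own risk model.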

Financial promotion approval at the principal level

Every financial promotion issued by an AR is a financial promotion the principal is responsible for. The principal carries s.21 FSMA compliance, COBS 4 / CONC 3 / BCOBS 2 / ICOBS 2 / MCOB 3A compliance as applicable, and the Consumer Duty consumer understanding outcome. The principal cannot delegate that responsibility and cannot contract the liability away to the AR.

The 2026 operating expectation is:

  • A defined approval queue at the principal, with named approvers and recorded approval rationale per asset.
  • Pre-approval review of every promotion before publication — for ARs in higher-risk scopes.
  • A defined process for AR-originated social media content — including LinkedIn posts by AR staff that promote the firm's regulated activity. Many firms still treat social media as out of scope. It is not.
  • A monitoring layer that captures what the AR has actually distributed, against what was approved. The gap between "what we approved" and "what they published" is where most enforcement-relevant FinProm breaches arise.
  • A withdrawal and amendment log — when a promotion is pulled, when an amendment is required, when a customer-facing correction is issued.

For the underlying rules see financial promotions rules 2026 and the COBS 4 guide. The rules are the same whether the promotion is issued directly or via an AR. Liability, in both cases, sits with the authorised firm.

Complaint integration: the AR's complaints are your complaints

DISP 1 requires the principal to operate complaints arrangements that cover AR-distributed business. In practice this is one of the most common control failures the FCA has called out in AR work.

What good looks like in 2026:

  • A single complaints intake at the principal that captures complaints irrespective of where they were first lodged — the AR, the principal, the website, the call centre, the FOS.
  • Root-cause analysis at the level of the regulated activity, the product and the AR. If three ARs are producing the same complaint type, that is a product or process issue, not an AR-specific one.
  • Feedback into product governance and into AR-specific supervisory review. A complaint pattern at an AR is a trigger for additional supervisory attention.
  • Read-across to the Consumer Duty outcomes pack. Complaints are one of the principal data sources for the Duty annual board report.
  • Read-across to F&P. A senior individual at an AR who is repeatedly named in complaints is a F&P review trigger.

Complaints integration is where the most defensible principals separate from the rest. Treating an AR's complaints as the AR's problem is the opposite of effective oversight; it is the model the FCA reproved in the 2022 Dear CEO letter.

Fitness and propriety re-checks

The principal is responsible for the F&P of senior individuals at the AR who are carrying on regulated activities or who are accountable for them. PS22/11 made this explicit — both the initial check and the ongoing assessment.

The 2026 operating expectation:

  • Annual F&P attestation per senior individual at the AR, evidenced and dated.
  • Source-of-record checks, not self-attestations — credit, criminal record (where the role permits), regulatory register, sanctions, adverse media.
  • Trigger-based re-checks when MI suggests an issue — complaints uplift, regulatory contact, financial distress at the AR, departure of a senior individual.
  • Documented sign-off at a named senior manager at the principal, on each attestation cycle.
  • Escalation route for borderline cases — committee review, suspension of AR activity pending resolution, termination.

"We rely on the AR to confirm F&P" is not F&P. F&P is the principal's responsibility, evidenced by the principal, signed off by the principal.

Escalation triggers and the notification regime

Effective oversight is partly about knowing when to escalate, both to internal governance and to the FCA. The notification rules introduced by PS22/11 set the regulatory triggers; the principal's own escalation framework should set internal triggers that fire ahead of them.

Internal escalation triggers that defensible principals have built in:

  • Complaints volume at an AR up by [a defined %] year-on-year — trigger committee review.
  • A single complaint involving suspected mis-selling — trigger immediate supervisory review.
  • F&P concern about a senior individual at an AR — trigger F&P committee.
  • AR financial distress (covenant breach, late account filings, missed regulatory revenue thresholds) — trigger commercial and supervisory review.
  • AR breach of the principal-AR contract — trigger legal and supervisory review.
  • AR conduct giving rise to a possible Consumer Duty failing — trigger product governance review.
  • Customer outcome metric for AR-distributed business outside tolerance — trigger root-cause analysis.

External notification triggers (the rules introduced by PS22/11):

  • Appointment of a new AR — 30 calendar days advance.
  • Termination of an AR — notification with reason.
  • Material change in regulated activity scope of an AR — notification.
  • Senior individual at the AR fitness concerns — F&P notification.
  • Complaint patterns suggesting systemic conduct issues — supervisory engagement.

The single most common pre-enforcement issue the FCA flags is failure to escalate internally before the regulator has to surface it externally. The principal that brings a developing issue to the FCA is in a meaningfully better position than the principal the FCA brings the issue to.

Board reporting on AR oversight

The principal's governing body must be in a position to demonstrate that it understands the AR oversight programme and that it has tested it. The annual self-assessment is the headline document, but it cannot be the only AR-related artefact the board sees.

A defensible board cadence on AR oversight in 2026:

  • Quarterly: MI pack with AR-tier-level metrics; supervisory activity completed; financial promotion approvals throughput; complaints by AR; F&P status changes; notifications made; emerging risk.
  • Semi-annual: AR oversight programme review — is the model working, what has changed, where is risk concentrated.
  • Annual: Approval of the annual self-assessment, with documented challenge.

The board pack should be specific enough that an outside reader — a skilled person, an FCA supervisor — can reconstruct the governing body's understanding of the AR book from the pack alone. If the board pack uses generic language ("oversight remains effective"), it is not doing the job.

Three enforcement themes — anonymised

Firm names and amounts are deliberately omitted; the following are the supervisory patterns the FCA has surfaced.

  • The "register-only" principal. A firm with a large AR book whose oversight programme consisted of maintaining the AR register, collecting annual attestations from each AR, and issuing pre-approved marketing templates. The FCA found no evidence of communications sampling, no MI integration of AR complaints, and no documented F&P re-checks. Outcome: variation of permission limiting new AR appointments, skilled-person review, remediation programme, customer redress.

  • The "FinProm gap" principal. A network principal in mortgage and protection distribution that approved its ARs' standard marketing collateral but did not capture the ARs' social media content or the bespoke financial promotions distributed by some of the ARs' embedded networks. The FCA's review found a material gap between what was approved and what was actually in market. Outcome: section 166 review, customer remediation, public censure.

  • The "F&P paper" principal. A wealth network principal whose F&P framework relied on the ARs themselves attesting to the F&P of their senior individuals. The FCA found a number of senior individuals with adverse regulatory history that the principal had not identified at appointment. Outcome: supervisory attestation, F&P re-papering across the AR book, oversight uplift, near-term reduction in AR book size.

The pattern is consistent. Each case turned not on what the principal said it did, but on what the evidence showed it did. The control gap was the gap between the policy and the artefacts.

A 10-point oversight self-test

  • Can you produce, in one document, the current AR register with FRN, scope, tier, regulated revenue, complaints YTD, and F&P status?
  • Is the MI for that register produced from a single system, or stitched together from spreadsheets?
  • Can you evidence at least one supervisory activity per AR in the last quarter at tier-appropriate cadence?
  • Can you sample, on demand, customer-facing communications from each AR?
  • Can you produce, for any AR financial promotion in market, the approval record and the post-distribution monitoring evidence?
  • Can you produce, for each senior individual at each AR, an in-date F&P attestation evidenced at source?
  • Can you reconcile your notifications log to your AR register — every change in scope, appointment, termination accounted for?
  • Does your board pack contain forward-looking risk indicators on AR oversight, or only activity counts?
  • Does your annual self-assessment match what the MI, the complaints log, and the F&P file would tell an external reader?
  • If a section 166 review were commissioned tomorrow, would the work-product withstand scrutiny?

FAQ

What does "effective oversight" actually mean in SUP 12? SUP 12 sets out the obligation in principle and gives examples — but does not define cadence, MI or specific control activities. The working definition has been established through PS22/11, the Dear CEO letter, and supervisory and enforcement outcomes.

How often must I supervise an AR? There is no prescribed cadence. The 2026 working expectation is risk-tiered: tier 1 ARs get at least quarterly supervisory engagement, tier 3 at least annual.

Who is responsible for approving an AR's financial promotions? The principal. Approval is a SUP / COBS / CONC / BCOBS / ICOBS / MCOB activity carried out by an authorised firm. The AR cannot self-approve.

Can I delegate F&P checks to a third party? You can outsource the operational task but not the responsibility. The principal must be able to evidence that the third party's process meets the standards the principal would apply itself.

What is the minimum board cadence on AR oversight? Quarterly MI review and annual approval of the self-assessment. Most network principals run semi-annual programme review in addition.

Does Consumer Duty apply to AR conduct? Yes — through the principal. The principal is responsible for Consumer Duty outcomes for customers acquired through ARs.

What is the typical cause of a section 166 review on AR oversight? A supervisory finding that the principal's oversight cannot evidence operation — typically a gap between the self-assessment narrative and the underlying data, or a complaints pattern at an AR that the principal had not identified.

Benchmark your AR oversight against current FCA expectations

If reading this list has surfaced gaps you want to size before they surface in supervision, Sedric's free Enforcement Risk Scorecard is a 12-question diagnostic — including AR oversight depth, FinProm approval coverage, complaints integration, F&P refresh cadence and board reporting — that returns a written risk profile within 24 hours, modelled on the patterns the FCA has called out in AR enforcement since PS22/11. Take the Enforcement Risk Scorecard.
