AR adoption path
This page is for the AR-individual. The principal firm has invited you to its tenant in Lending Agent Oversight. The principal firm runs the workspace; you (the AR-user) submit MI returns, file breach reports, and view the supervisory record kept on your AR.
The sequence below is the path from invitation through to first quarterly MI return.
What you have received
The principal firm sent you an invitation email from <firm-name>@oversight.<operator-domain> (or from a custom email-sender domain the firm has configured). The email contains:
- A one-time invitation link with a 7-day expiry.
- The principal firm’s name, FRN, and registered office.
- The principal firm’s compliance contact email.
- A short description of what the workspace is and what you will be expected to do.
If the link has expired, contact your principal firm’s compliance team. The principal-admin can issue a new invitation. The operator does not handle AR-user invitations directly; the principal firm is the controller.
Step 1: First sign-in and account setup
The invitation link opens the sign-in page on the principal firm’s tenant (<firm-slug>.oversight.<operator-domain> or the firm’s custom domain). Sign-in steps:
- Click the invitation link.
- Set a password. The workspace requires a minimum of 12 characters with at least one number and one symbol; it measures strength with `zxcvbn` and rejects passwords with a score below 3 (which excludes most leaked-credential reuse).
- Confirm the email on the invitation matches yours.
- Read and acknowledge the principal firm’s privacy notice.
The first sign-in writes a user.activated audit event with your IP, user-agent, and timestamp. The principal-side compliance team sees the activation in the user-management surface.
Step 2: MFA enrolment (if your firm requires it)
Whether MFA is required for AR-users is a per-tenant flag set by the principal-admin. The default is password-only for AR-users; firms with a stronger risk appetite or with 50+ AR-users typically enable the flag.
If your firm has enabled the flag, the workspace prompts you to enrol an authenticator app at first sign-in:
- Open Authy, Google Authenticator, 1Password, Microsoft Authenticator, or another TOTP-compatible app.
- Scan the QR code shown by the workspace.
- Enter the first six-digit code to confirm enrolment.
- Save the recovery codes the workspace shows you. These are one-time codes; if you lose your phone, you use a recovery code to sign in once and then re-enrol.
MFA enrolment writes a user.mfa-enrolled audit event. From this point, every sign-in requires the password plus a TOTP code.
Step 3: Look around
Once signed in, you land on the AR home page (/ar). The page shows:
- Required actions widget at the top. Open MI returns, breach reports awaiting your response, file reviews you can challenge.
- Performance summary. Your AR’s current risk score, file-review average, breach count over the last 12 months.
- Recent communications from the principal firm’s compliance team.
- Quick links. Submit MI return. File a breach. View profile. View audit log.
Spend 10 to 15 minutes clicking around. The free-explore design lets you read every surface without taking any action; nothing you do here writes to the audit log other than the page-view events for your own audit.
The audit log surface (/ar/audit) shows you every event recorded against your AR. This is the same log the principal-side compliance team sees, scoped to your AR. You can read what file reviews are scheduled against you, what breaches are filed against you, and what risk-band changes have been recorded.
Step 4: First MI return
Your first MI return is typically the current quarter’s return, or the most recent quarter if the current one is still in flight. The principal firm’s required actions widget shows the deadline.
Open /ar/mi. The form fields are:
| Field | Type | Note |
|---|---|---|
| `period.year`, `period.quarter` | dropdown | Pre-filled with the active quarter |
| `newBusinessVolumeGBP` | currency | Total new-business volume for the period, GBP |
| `newBusinessCount` | integer | Count of new-business transactions |
| `complaintsReceived` | integer | Total complaints received in the period |
| `complaintsUpheld` | integer | Total complaints upheld; cannot exceed `complaintsReceived` (Zod refinement) |
| `breachesSelfReported` | integer | Breaches you have already reported in the workspace |
| `conductEventsLogged` | integer | Other conduct events recorded |
| `cancellations` | integer | Cancellations in the period |
The form saves drafts to your browser’s localStorage as you type, so you can come back to a partially completed return later. When you submit, the data is validated server-side against `MIReturnDraftSchema` and written to the database. Submission is the terminal transition; once submitted, you cannot edit the figures.
After submission:
- The principal-side compliance team sees the return in the AR detail page.
- The compliance team marks the return `accepted` or `queried`. A queried return triggers a notification to you with the team’s note; you address the query (typically by replying via your firm’s compliance contact) and the team resubmits the marker.
- Your risk score recomputes; the MI anomaly input updates with the new period’s data.
Detail in MI return integration.
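The validation and the submit-once rule described above, as an added example that is not the project’s own `MIReturnDraftSchema` (a Zod schema per the page) but a dependency-free stand-in applying the same rules; the two-decimal-place currency check is an assumption.

```typescript
// Added example (not the project's MIReturnDraftSchema, which the page says is a
// Zod schema): a dependency-free validator that applies the MI-return rules the
// page lists, including the cross-field rule complaintsUpheld <= complaintsReceived,
// and the "submit is terminal" transition.
export interface MIReturnDraft {
  period: { year: number; quarter: number };
  newBusinessVolumeGBP: number;
  newBusinessCount: number;
  complaintsReceived: number;
  complaintsUpheld: number;
  breachesSelfReported: number;
  conductEventsLogged: number;
  cancellations: number;
}

const COUNT_FIELDS = [
  "newBusinessCount", "complaintsReceived", "complaintsUpheld",
  "breachesSelfReported", "conductEventsLogged", "cancellations",
] as const;

// Returns [] when the draft passes, else one message per failed rule.
export function validateMIReturn(d: MIReturnDraft): string[] {
  const errors: string[] = [];
  if (!Number.isInteger(d.period.year) || d.period.year < 2000) errors.push("period.year out of range");
  if (![1, 2, 3, 4].includes(d.period.quarter)) errors.push("period.quarter must be 1-4");
  // Currency: non-negative GBP with at most two decimal places (assumption; the page says only "currency").
  const pence = d.newBusinessVolumeGBP * 100;
  if (!Number.isFinite(pence) || pence < 0 || Math.abs(pence - Math.round(pence)) > 1e-6)
    errors.push("newBusinessVolumeGBP must be a non-negative GBP amount");
  for (const f of COUNT_FIELDS)
    if (!Number.isInteger(d[f]) || d[f] < 0) errors.push(`${f} must be a non-negative integer`);
  // Cross-field refinement from the table above.
  if (d.complaintsUpheld > d.complaintsReceived) errors.push("complaintsUpheld cannot exceed complaintsReceived");
  return errors;
}

// Lifecycle: "draft" -> "submitted" is terminal; accepted/queried are markers the
// compliance team sets afterwards, and none of them let the figures change.
export type MIReturnState = "draft" | "submitted" | "accepted" | "queried";

export function submitMIReturn(state: MIReturnState, d: MIReturnDraft): { state: MIReturnState; errors: string[] } {
  if (state !== "draft") return { state, errors: ["return already submitted; figures cannot be edited"] };
  const errors = validateMIReturn(d);
  return errors.length ? { state: "draft", errors } : { state: "submitted", errors: [] };
}
```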
Step 5: First breach report (if applicable)
If you have a breach to report, open /ar/breaches/new. A breach is any departure from the FCA’s rules, your principal firm’s policies, or the regulatory expectations that govern your activity. When in doubt, file the report; the principal firm’s compliance team makes the materiality assessment.
The form fields:
| Field | Type | Note |
|---|---|---|
| `title` | string | Min 4, max 200 chars |
| `description` | string | Min 20, max 10000 chars; do not paste customer PII, reference customers by case ID |
| `category` | enum | `conduct`, `financial-crime`, `data-protection`, `complaints-handling`, `advice-suitability`, `disclosure`, `training-competence`, `other` |
| `severity` | enum | `minor`, `moderate`, `material`, `significant` |
| `customerImpact` | enum | `none`, `potential`, `actual-low`, `actual-high` |
| `awareAt` | datetime | The moment you became aware of the breach. This drives the SUP 15 clock for your principal firm. |
| `rootCauseTaxonomy` | array | Up to 8 short root-cause tags |
The clock starts on submission. Detail in breach reporting workflow.
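Server-side checks for the breach form fields above, as an added example that is not the project’s own code; the enum values and limits are the page’s, while the injectable `now` and the rule that `awareAt` cannot lie in the future are assumptions.

```typescript
// Added example (not the project's schema): validation of a breach report using
// the field rules from the table above, plus the elapsed time from awareness to
// submission that the principal's SUP 15 handling is measured against.
export const BREACH_CATEGORIES = ["conduct", "financial-crime", "data-protection",
  "complaints-handling", "advice-suitability", "disclosure", "training-competence", "other"] as const;
export const BREACH_SEVERITIES = ["minor", "moderate", "material", "significant"] as const;
export const CUSTOMER_IMPACTS = ["none", "potential", "actual-low", "actual-high"] as const;

export interface BreachReport {
  title: string;
  description: string;
  category: string;
  severity: string;
  customerImpact: string;
  awareAt: string;            // ISO 8601 datetime
  rootCauseTaxonomy: string[];
}

// `now` is injectable (assumption) so the future-date check is deterministic in tests.
export function validateBreachReport(r: BreachReport, now: Date = new Date()): string[] {
  const errors: string[] = [];
  const len = (s: string) => s.trim().length;
  if (len(r.title) < 4 || len(r.title) > 200) errors.push("title must be 4-200 chars");
  if (len(r.description) < 20 || len(r.description) > 10000) errors.push("description must be 20-10000 chars");
  if (!(BREACH_CATEGORIES as readonly string[]).includes(r.category)) errors.push("category not in enum");
  if (!(BREACH_SEVERITIES as readonly string[]).includes(r.severity)) errors.push("severity not in enum");
  if (!(CUSTOMER_IMPACTS as readonly string[]).includes(r.customerImpact)) errors.push("customerImpact not in enum");
  const aware = new Date(r.awareAt);
  if (Number.isNaN(aware.getTime())) errors.push("awareAt is not a valid datetime");
  else if (aware.getTime() > now.getTime()) errors.push("awareAt cannot be in the future");
  if (r.rootCauseTaxonomy.length > 8) errors.push("rootCauseTaxonomy allows at most 8 tags");
  if (r.rootCauseTaxonomy.some((t) => len(t) === 0)) errors.push("rootCauseTaxonomy tags must be non-empty");
  return errors;
}

// Hours between the AR becoming aware and the report being submitted, kept on
// the record so the compliance team can see how promptly the breach was raised.
export function hoursSinceAware(r: BreachReport, submittedAt: Date): number {
  return (submittedAt.getTime() - new Date(r.awareAt).getTime()) / 3_600_000;
}
```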
Step 6: Ongoing rhythm
Once the first MI return is in and the first breach (if any) is reported, your steady-state interaction with the workspace is light:
- Quarterly. Submit the MI return for the period. Typically 15 minutes to fill in if your record-keeping is in order.
- As-and-when. File breach reports. Most ARs file 0 to 4 per year.
- Annually. Review the annual review packet your principal firm has prepared on you. Read the director’s sign-off.
- As-and-when. Challenge a completed file review within 10 working days if you disagree with the findings. The challenge re-opens the review and writes a `review.challenged` event with your note.
You can sign in at any time to see your audit log, your current risk score, and any required actions. The workspace does not push notifications by default; the principal firm’s compliance team contacts you via email for anything urgent.
Profile and certifications
The /ar/profile page shows the records the principal firm holds on your AR:
- Trading name, legal name, registered office.
- FRN (or `IAR` indicator if your AR is an Introducer Appointed Representative sharing the principal’s FRN).
- Permissions on the FCA Register, with the latest reconciliation timestamp.
- Status (`active`, `suspended`, `under-investigation`, `terminated`).
- The PS22/11 self-employed flag and the SYSC 15A important-business-service flag.
- Your appointment date and the most recent annual review date.
- Documents the principal firm has uploaded against your AR (training certificates, policy attestations).
If any of the above is wrong, raise it with the principal firm’s compliance contact. The workspace does not let you edit the profile fields directly; the principal-admin and (with limits) the principal-compliance-officer hold the write scope for your AR record.
Off-boarding
If your AR relationship with the principal firm ends, the principal-admin off-boards your account (`POST /api/users/:id/off-board`, step-up authentication required). At off-boarding:
- Your `User.status` is set to `off-boarded`.
- Your name and email are tombstoned in place (replaced with stable opaque tokens) under UK GDPR Article 17(3)(b). Detail in retention.
- Your audit-chain attribution is preserved with the opaque token; the principal firm’s record of who took which action remains intact.
- Your sign-in is revoked. You cannot access the workspace from the moment off-boarding is recorded.
The off-boarding event is itself an audit entry visible to the principal firm’s compliance team and to the FCA-auditor (where the per-tenant flag is enabled).
Support
If you need help, the firm’s compliance contact (the email shown in the workspace footer) is the first port of call. The platform operator does not provide direct support to AR-users; the principal firm is the controller and is the named support route. The firm’s compliance team escalates to the operator if the issue is platform-level.