
Principal adoption path

This page sets out the sequence a principal firm follows to adopt Lending Agent Oversight, from contract signature through to the first quarterly board pack. The sequence assumes the firm already holds FCA authorisation with the relevant Part 4A permissions and acts as principal to appointed representatives under FSMA s.39, with those ARs on the FCA Register; if authorisation is in flight, adoption can run in parallel, but the firm must hold the authorisation before going live.

The sequence below is the recommended path. It fits comfortably into four to six weeks for a firm with up to 200 ARs; firms with more complex network structures or multi-vertical operations should expect longer.

Step 1: Pre-provisioning checks

Day 1.

Before tenant provisioning, the operator confirms two facts on the FCA Register:

  1. The firm holds the Part 4A permissions for the verticals it intends to supervise and is acting as principal to its ARs under FSMA s.39.
  2. The firm’s senior management holds the relevant SMF designations under SM&CR: at minimum SMF16 (Compliance Oversight), plus SMF1 (Chief Executive) and SMF3 (Executive Director) where those roles exist in the firm.

The operator records the FRN and the SMF allocation in the tenant record. This is a sanity check, not an authorisation step; regulatory responsibility stays with the firm.

Step 2: Tenant provisioning

Day 1 to 3.

The operator creates the tenant. The provisioning task sets:

  • Tenant.legalName, tradingName, frn.
  • Tenant.vertical (one of mortgage, general-insurance, credit-broking).
  • Tenant.rubric (one of MCOB, ICOBS, CONC), defaulted from the vertical.
  • Tenant.brandHex, Tenant.registeredOffice.
  • A unique tenant subdomain on the operator’s domain (default <firm-slug>.oversight.<operator-domain>); custom domain is a separate optional configuration covered in branding.

The operator signs the Article 28 (UK GDPR) Data Processing Addendum with the firm at this step. The DPA names the sub-processors listed on the sub-processors page and sets the 30-day sub-processor notice window.

Step 3: Network onboarding

Day 3 to 7.

The firm uploads its AR network via the CSV template. The template fields, validation rules, and reconciliation against the FCA Register are documented in network onboarding. The output of this step is one row per AR in the appointed_reps table, each with permissions, status, and the PS22/11 (isSelfEmployed) and SYSC 15A (supportsImportantBusinessService) flags set.

A typical mortgage network of 124 ARs imports in under an hour. A credit-broking network of 200 ARs takes a day with reconciliation queries.

Step 4: Branding

Day 5 to 7, in parallel with Step 3.

The firm uploads its brand kit via firm settings:

  • Logo (SVG with currentColor fill, 1:1 or wide-aspect, max 100KB).
  • Brand colour token (one hex value; the workspace derives the supporting palette).
  • Footer text (firm legal name, FCA register number, registered office address).
  • Contact details (compliance team email, support phone).

The brand kit propagates to AR-user-facing surfaces, audit emails, and board-pack PDF exports. Detail in branding.

Step 5: User invitations

Day 7 to 10.

The firm’s principal-admin invites the principal-side users (other principal-admins, principal-compliance-officers) and the AR-side users (one or more AR-users per AR). Each invitation produces a one-time invitation link with a 7-day expiry.
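The two properties of the invitation link that matter for security, one-time use and a hard seven-day expiry, come from how the token is stored and redeemed rather than from the link itself. The following is an added example written for this page, not the platform’s own code: the store layout, the `/invite/` path, the role strings and the status strings are assumptions. It stores only a SHA-256 digest of the token (so a leaked copy of the table yields no usable links), marks a token redeemed before any session is created, and treats the expiry boundary as exclusive.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INVITE_TTL = timedelta(days=7)   # the page's 7-day expiry


@dataclass
class Invitation:
    token_hash: str                 # SHA-256 of the raw token; the raw token is never persisted
    email: str
    role: str                       # assumed role strings, e.g. "principal-admin", "ar-user"
    expires_at: datetime
    redeemed_at: Optional[datetime] = None


class InvitationStore:
    """Assumed in-memory stand-in for the tenant's invitation table."""

    def __init__(self) -> None:
        self._by_hash: dict[str, Invitation] = {}

    @staticmethod
    def _digest(raw_token: str) -> str:
        return hashlib.sha256(raw_token.encode("ascii")).hexdigest()

    def issue(self, email: str, role: str, now: datetime) -> tuple[str, Invitation]:
        # 32 bytes (256 bits) from the OS CSPRNG, URL-safe so it can sit in a path segment.
        raw_token = secrets.token_urlsafe(32)
        inv = Invitation(self._digest(raw_token), email, role, now + INVITE_TTL)
        self._by_hash[inv.token_hash] = inv
        return raw_token, inv       # the raw token appears once, in the link, then is discarded

    def redeem(self, raw_token: str, now: datetime) -> tuple[str, Optional[Invitation]]:
        # Lookup is by digest: the table never holds a redeemable secret, and a guessed
        # token can only produce a miss against a 256-bit hash.
        inv = self._by_hash.get(self._digest(raw_token))
        if inv is None:
            return "unknown", None
        if inv.redeemed_at is not None:
            return "already-used", inv    # one-time: a second click on the same link fails
        if now >= inv.expires_at:
            return "expired", inv         # seven days have elapsed (boundary is exclusive)
        inv.redeemed_at = now             # mark used before any session is handed over
        return "ok", inv


def invitation_link(tenant_host: str, raw_token: str) -> str:
    # Assumed path; the page only fixes the <firm-slug>.oversight.<operator-domain> host pattern.
    return f"https://{tenant_host}/invite/{raw_token}"


def demo() -> list[str]:
    """Walk one token through the four outcomes; returns the status strings in order."""
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    store = InvitationStore()
    raw, _ = store.issue("ar-user@example-ar.co.uk", "ar-user", t0)   # constructed address
    results = [
        store.redeem(raw, t0 + timedelta(days=1))[0],   # ok
        store.redeem(raw, t0 + timedelta(days=2))[0],   # already-used
    ]
    stale, _ = store.issue("second@example-ar.co.uk", "ar-user", t0)
    results.append(store.redeem(stale, t0 + timedelta(days=7))[0])   # expired
    results.append(store.redeem("not-a-real-token", t0)[0])          # unknown
    return results


if __name__ == "__main__":
    print(invitation_link("example-firm.oversight.example.com", secrets.token_urlsafe(32)))
    print(demo())
```

The "chase AR-users who have not signed in within 7 days of invitation" step later on the page maps directly onto `expires_at`: an unredeemed row past that timestamp is exactly a pending invitation that needs re-issuing.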

Recommended user counts at adoption:

  • 2 to 4 principal-admins (typically the SMF16 holder, the head of compliance, and the operations lead).
  • 4 to 12 principal-compliance-officers depending on the network size (one officer per 30 to 50 ARs is the working ratio).
  • 1 AR-user per AR for MI return submission and breach reporting; firms with larger ARs can invite multiple AR-users per AR.

The total user count determines the firm’s pricing tier with the operator. The firm can add or remove users at any time after adoption.

Step 6: TOTP enrolment

Day 7 to 10, alongside user invitations.

TOTP enrolment is required at first sign-in for every principal-admin and principal-compliance-officer. The user scans a QR code with their authenticator app (Authy, Google Authenticator, 1Password, Microsoft Authenticator) and confirms the first six-digit code.

A per-tenant TOTP requirement for AR-users is a setting the principal-admin enables in firm settings. The default is password-only for AR-users, to reduce friction at first adoption; a firm with 50 or more AR-users, or with a lower risk appetite, should enable AR-user TOTP. Detail in threat model and rate limiting.

Step 7: Catalogue and rubric configuration


Day 10 to 14.

The firm’s principal-admin configures:

  • The risk-scoring weights. Defaults sum to 1.0: w_complaints=0.20, w_breach=0.30, w_reviewInverse=0.25, w_timeSinceReview=0.10, w_miAnomaly=0.15. The firm can adjust within the constraint that weights sum to 1.0; the 90-day backtest panel shows the band-distribution shift before saving.
  • The file-review rubric. The vertical’s default rubric (MCOB, ICOBS, or CONC) is loaded; the firm can add firm-specific items, set scoring weights, and define a sampling rule (typical: 5% of customer files per AR per quarter, with risk-band weighting).
  • The MI return cadence. Default quarterly with the FCA-quarter calendar; firms with a different internal cadence can configure monthly or fortnightly returns.
  • The annual review cycle. Default 12-month rolling cycle anchored to the AR’s appointedOn date; the firm can configure a fixed annual cycle anchored to a calendar quarter.
  • The breach-reporting taxonomy. The default category list (conduct, financial-crime, data-protection, complaints-handling, advice-suitability, disclosure, training-competence, other) is the SUP 15 working set; the firm can add tenant-specific subcategories.

The firm’s compliance lead and SMF16 sign off the configuration before going live.

Step 8: Pilot

Week 3 to 4.

The firm picks 5 to 10 ARs for the pilot cohort. The cohort should include at least one AR in each risk band, at least one self-employed AR (the PS22/11 case), and at least one AR with a recent breach or complaint history (so the workflow is exercised end-to-end).

The pilot exercises:

  • AR-user sign-in and MI return submission.
  • AR-user breach report submission with the SUP 15 clock.
  • Principal-side breach triage and FCA notification (recorded in the workspace; the actual notification to the FCA happens out of band via standard FCA channels).
  • Principal-side file review with the rubric.
  • Annual review packet aggregation and director sign-off.

The pilot playbook sets out the six-week pilot template.

Step 9: Full rollout

Week 4 to 6.

After the pilot, the firm rolls the workspace out to the remaining ARs. The rollout is typically split into two waves to manage support load:

  • Wave 1: ARs with active risk concerns, breach history, or upcoming annual reviews. These benefit from being in the workspace immediately.
  • Wave 2: ARs in the low and moderate risk bands. These can be onboarded over the following two weeks.

The principal-admin sends invitation emails to AR-users for each AR. The AR’s first task in the workspace is to submit an MI return for the current quarter (or the most recent quarter if the current is in flight).

The firm’s compliance team monitors sign-in rates and chases AR-users who have not signed in within 7 days of invitation. The workspace’s user-management surface shows pending invitations and last-login timestamps.

Step 10: First quarterly board pack

Week 6 onwards.

At the end of the firm’s first full quarter on the workspace, the principal-admin generates the quarterly board pack. The pack aggregates:

  • AR register summary by risk band.
  • Breach activity over the quarter, with FCA notifications and resolution status.
  • File review completion rates and finding distributions.
  • MI return submission rates and anomaly flags.
  • Annual reviews due in the next quarter.
  • Risk-score weight changes and their impact on band distribution.

The pack is exported as PDF (with the firm’s brand kit applied) and as JSON (for the firm’s own analytics). Generating the board pack is itself an audit event, recorded in the audit chain.

This is the first artefact the firm shows to its board, and it is the moment adoption is “complete” in the operational sense. From here the firm runs the workspace as part of its standard supervisory rhythm.

Once adopted, the firm operates the workspace on a stable cadence:

  • Daily. Compliance team reviews the breach triage queue and the next-actions widget. Any breach with a SUP 15 clock running is reviewed for materiality.
  • Weekly. Compliance team reviews ARs that have moved up a risk band, ARs with overdue file reviews, and ARs that have submitted queried MI returns.
  • Monthly. Compliance lead reviews the audit log for insider-threat indicators and signs the monthly attestation (one of the mitigations in the firm’s DPIA; see DPIA).
  • Quarterly. Board pack. AR-user MI returns. Sample-based file reviews per the firm’s sampling rule.
  • Annually. Annual review packets for ARs reaching their cycle date. Firm-wide self-assessment under PS22/11. DPIA review.

The next pages in this chapter cover the specific mechanics: network onboarding for Step 3, branding for Step 4, and pilot playbook for Step 8.