
How it works

The job already exists. Principal firms have been supervising Appointed Representatives under FSMA s.39 since 2000, and SUP 12 has spelled out the continuing obligations for nearly as long. PS22/11 raised the bar again. The product doesn’t invent new work. It stops the existing work living in spreadsheets.

The supervision loop runs in three steps.

The register holds one row per AR. Each row carries the trading name, legal name, FRN (or “via principal” for IARs), appointment type, permissions, status, controllers, primary contact, the dates that matter (appointed on, last fitness review, next review due), a self-employed flag and an Important Business Service flag. The register is the spine of everything else.

The AR register surface lives at /demo/principal/register. Filter on status, risk band, vertical, and time since last review. Search by trading name or FRN. Click a row to land on AR detail.

Each AR carries a composite risk score from 0 to 100, banded Low, Moderate, Elevated, High, Critical. Five inputs feed the score:

Input                                       Default weight
Complaints density (uphold-weighted)        0.20
Breach severity sum (rolling 12 months)     0.30
File-review inverse (1 minus mean score)    0.25
Time since last review                      0.10
MI anomaly score                            0.15

The principal-compliance home (/demo/principal) reads the register and surfaces the picture you can’t get from a spreadsheet: how many ARs are in the critical band today, how many breaches are awaiting FCA notification, how many file reviews are overdue, how many annual reviews are due this month. The top-10 highest-risk ARs sit on the home screen with sparklines, and a 90-day breach activity heatmap shows where the trouble is clustering.

The risk score is a formula, not a black box. Hover any score to see the per-input contribution. Weights are tunable per tenant in the production design.
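As an added illustration (not the product's own code), here is the composite score as a weighted sum of the five inputs with the default weights above, the per-input breakdown a hover would show, and the validation a tenant-tunable weight set needs before it is used. It assumes each input has already been normalised to the 0 to 1 range and uses assumed band cut-offs; the page gives neither.

```typescript
// Added example, not the product's code. Assumes each input is already
// normalised to [0, 1]; the band cut-offs below are assumptions too.
type RiskInput =
  | "complaintsDensity"  // complaints density, uphold-weighted
  | "breachSeverity"     // breach severity sum, rolling 12 months
  | "fileReviewInverse"  // 1 minus mean file-review score
  | "timeSinceReview"    // time since last fitness review
  | "miAnomaly";         // MI anomaly score
type Weights = Record<RiskInput, number>;
type Band = "Low" | "Moderate" | "Elevated" | "High" | "Critical";
// Default weights from the table above; they sum to 1.
const DEFAULT_WEIGHTS: Weights = {
  complaintsDensity: 0.2, breachSeverity: 0.3, fileReviewInverse: 0.25,
  timeSinceReview: 0.1, miAnomaly: 0.15,
};

// Per-tenant weights are tunable, so validate before scoring: finite,
// non-negative, and summing to 1, otherwise the 0-100 scale breaks.
function validateWeights(w: Weights): void {
  const values = Object.values(w);
  if (values.some((v) => !Number.isFinite(v) || v < 0)) {
    throw new Error("weights must be finite and non-negative");
  }
  const sum = values.reduce((a, b) => a + b, 0);
  if (Math.abs(sum - 1) > 1e-9) throw new Error(`weights sum to ${sum}, not 1`);
}

// Assumed thresholds; the page names the bands but not their cut-offs.
function bandFor(score: number): Band {
  if (score >= 80) return "Critical";
  if (score >= 60) return "High";
  if (score >= 40) return "Elevated";
  if (score >= 20) return "Moderate";
  return "Low";
}

// Composite score (0-100), its band, and each input's contribution in
// points, which is the breakdown a hover over the score would show.
function scoreAr(inputs: Record<RiskInput, number>, weights: Weights = DEFAULT_WEIGHTS) {
  validateWeights(weights);
  const contributions = {} as Record<RiskInput, number>;
  let total = 0;
  for (const key of Object.keys(weights) as RiskInput[]) {
    const x = inputs[key];
    if (!(x >= 0 && x <= 1)) throw new Error(`${key} must be in [0, 1]`);
    contributions[key] = Math.round(x * weights[key] * 10000) / 100;
    total += x * weights[key];
  }
  const score = Math.round(total * 100);
  return { score, band: bandFor(score), contributions };
}
```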

Detection is half the job. The other half is the paper trail. The product runs four supervision instruments end to end:

  • Breach reports with severity, category (conduct, financial-crime, data-protection, complaints-handling, advice-suitability, disclosure, training-competence, other), customer impact, and root-cause taxonomy. SUP 15 notification countdown ticks from the moment of receipt to the must-notify-by date.
  • File reviews scored against the per-skin rubric (MCOB, ICOBS, CONC). Pass / advisory / fail / not applicable per item, free-text findings, root-cause taxonomy, aggregate score that feeds back into the AR’s risk score.
  • MI returns filed quarterly by the AR. Volumes, complaints, breach count, conduct events. Visible to the principal the moment they land.
  • Annual fitness review packets. Risk trajectory over 12 months, breach summary, file review summary, MI return trend, conduct events log, director sign-off. One scrolling document per AR per year.

Every action is recorded. Every sign-off is attributed. Every record is exportable.

sequenceDiagram
participant AR as AR (firm)
participant Principal as Principal-compliance officer
participant System as Oversight platform
participant FCA as FCA
AR->>System: File quarterly MI return
System->>Principal: Surface return on AR detail
Principal->>System: Sample case for file review
Principal->>System: Score against MCOB / ICOBS / CONC rubric
System->>System: Aggregate findings, recompute AR risk score
AR->>System: Report breach (or principal raises one)
System->>Principal: Triage queue with SUP 15 countdown
Principal->>FCA: Record FCA notification (production)
System->>System: Roll year of evidence into annual packet
Principal->>System: Director sign-off on annual fitness review

In the live demo, the scripted walkthrough plays this loop in ten steps with a persona switch in the middle.

The demo runs entirely on Zustand and seeded fixtures. The production design adds a Postgres-backed register, signed-magic-link auth or session-based principal staff auth, real SUP 15 timing helpers driven by category, an audit chain with hash-linked events, and a retention engine running to a seven-year SYSC 9 floor with sector overlays. None of that changes the supervision loop. It just makes it real.

For the data model, risk-scoring algorithm, state machines, and the mock-vs-real boundary, see Architecture. For the FSMA / SUP 12 / PS22/11 / SUP 15 / SYSC 9 mapping, see Regulatory.