Who it's for
Three audiences hold the weight of the AR regime: the principal firm that holds the FCA permission, the AR that does regulated business under it, and the regulator or auditor who reads the resulting evidence chain. The product fits all three.
For principal firms
Principal firms authorised by the FCA who supervise an AR or IAR network under FSMA s.39. The buyer is the head of compliance or the head of risk. The day-to-day operator is the compliance officer or compliance analyst running the register, sampling cases, triaging breaches, and assembling the annual fitness review packets.
The market sits at around 100 to 200 UK principal firms across mortgage broking, general insurance, investment, and credit broking. PS22/11 raised the supervision floor in December 2023 and several firms surrendered permissions rather than upgrade. The ones that stayed need better tooling.
What the principal-side surfaces (/demo/principal/...) deliver:
- Composite risk dashboard at /demo/principal. KPI tiles, top-10 highest-risk ARs, 90-day breach heatmap, next-actions widget, file-review-completion sparkline.
- AR register at /demo/principal/register. Every AR, filterable, searchable, exportable.
- AR detail at /demo/principal/register/[arId]. The deep view: risk gauge, permissions matrix, breach history, file reviews, MI returns, conduct events.
- Breach triage at /demo/principal/breaches. Triage queue with severity badges and SUP 15 countdowns. Drill in to record FCA notification.
- File reviews at /demo/principal/reviews. Per-skin rubric (MCOB, ICOBS, CONC), structured scoring, findings, root-cause taxonomy.
- Annual fitness review at /demo/principal/annual-reviews/[arId]. The aggregated picture for SUP 12.6A, with director sign-off.
A pilot is one principal firm, one skin, one AR cohort, six to twelve weeks. The acceptance criteria are register completeness, risk-score legibility, and breach-workflow latency from receipt to FCA notification.
Three roles map onto the principal side: principal-admin (firm settings, billing, user management), principal-compliance-officer (the main story, the persona this product is built around), and principal-auditor (read-only view of the evidence chain). The demo surfaces the compliance officer view.
Adoption path for principal firms.
For ARs
Appointed Representatives and Introducer Appointed Representatives carrying out regulated activity under a principal’s permission. AR users are typically the firm owner or compliance lead, with one or more designated MI / breach owners.
What the AR-side surfaces (/demo/ar/...) deliver:
- AR home at /demo/ar. Required actions widget, performance summary (own risk score, file-review average, breach count), recent comms from the principal.
- MI return submission at /demo/ar/mi. Quarterly returns, three-step form, draft saving, submit confirmation. A submitted return becomes immediately visible on the principal-side AR detail.
- Breach report at /demo/ar/breaches/new. Type, severity self-assessment, customer impact, immediate steps taken. Submission triggers the SUP 15 clock on the principal side.
- Profile at /demo/ar/profile. Own contact details, certifications, permissions.
The demo’s persona switcher flips between principal and AR views. In scripted mode, the script crosses the boundary mid-tour: the visitor becomes the AR submitting an MI return, then files a breach, then switches back to watch the breach hit the principal’s triage queue.
For regulators and auditors
The FCA supervisor visiting under SUP 12, the external auditor running an annual fitness review, the internal audit team checking that the evidence chain holds. The product is built to be read.
- Every supervision action is recorded and timestamped. Every sign-off is attributed.
- Annual fitness review packets aggregate a year of evidence into one scrolling document.
- The production design includes a hash-chained audit log with per-tenant retention to a seven-year SYSC 9 floor, with sector overlays in MCOB, COBS, and DISP.
- Records are exportable. The demo ships CSV export on the AR register; the production design adds PDF export for annual review packets and per-breach evidence dumps.
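As an added illustration of the evidence-chain design above (not the product's own code), the sketch below keeps one hash-chained, append-only log per tenant: each supervision action is timestamped and attributed, each entry commits to the previous entry's hash, `verify()` reports the first entry whose content or link was altered, and `prune()` only drops entries older than the retention floor from the head of the chain while moving the anchor so the remainder still verifies. The field names, the `7 * 365`-day approximation of the seven-year floor, and the sample actions are assumptions for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

GENESIS = "0" * 64
# Seven-year SYSC 9 floor, approximated as 7 * 365 days (assumption for the example).
RETENTION_FLOOR = timedelta(days=7 * 365)


@dataclass
class AuditEntry:
    tenant: str      # principal firm the record belongs to (one chain per tenant)
    actor: str       # attributed user, e.g. the compliance officer or signing director
    action: str      # supervision action, e.g. "breach.fca_notified" (constructed name)
    subject: str     # record acted on, e.g. an AR id
    at: str          # ISO-8601 timestamp with timezone
    prev_hash: str   # hash of the previous entry; this is the chain link
    hash: str = ""   # SHA-256 over every field above


def entry_hash(e: AuditEntry) -> str:
    fields = {k: v for k, v in asdict(e).items() if k != "hash"}
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained log for a single tenant."""

    def __init__(self, tenant: str):
        self.tenant, self.anchor, self.entries = tenant, GENESIS, []

    def append(self, actor: str, action: str, subject: str, at: datetime) -> AuditEntry:
        prev = self.entries[-1].hash if self.entries else self.anchor
        e = AuditEntry(self.tenant, actor, action, subject, at.isoformat(), prev)
        e.hash = entry_hash(e)
        self.entries.append(e)
        return e

    def verify(self):
        """Index of the first entry whose link or hash is wrong, or None if intact."""
        prev = self.anchor
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or entry_hash(e) != e.hash:
                return i
            prev = e.hash
        return None

    def prune(self, now: datetime) -> int:
        """Drop leading entries past the floor; the anchor becomes the last removed hash."""
        removed = 0
        while self.entries and now - datetime.fromisoformat(self.entries[0].at) > RETENTION_FLOOR:
            self.anchor = self.entries.pop(0).hash
            removed += 1
        return removed
```

Editing any stored field (actor, action, timestamp) breaks that entry's hash; re-hashing the edited entry instead breaks the next entry's link, so either form of tampering surfaces in `verify()`.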
Regulatory mapping walks through FSMA s.39, SUP 12 (including SUP 12.6A on enhanced oversight introduced by PS22/11), SUP 15 notifications, SYSC 9 record-keeping, SYSC 15A operational resilience, DISP 1 complaints handling, Consumer Duty for principals (PRIN 2A and FG22/5), and FG21/1 vulnerable customers.
Outside scope
- Direct-to-consumer regulated activity. The product supervises the AR network, it doesn’t replace the AR.
- Markets outside the UK. The framing is FCA, sterling, UK English in v1.
- AR user with multiple principal firms in a single account. A user who works for two ARs under different principals needs two accounts.
- Real-time collaboration. State is per-tab in the demo. The production design uses standard request-response with polling on the breach triage queue.