Annual self-assessment
The principal’s regulated year culminates in a small set of governing-body-approved documents. SUP 12.6A (introduced by PS22/11) requires an annual self-assessment of AR oversight and an annual review of each AR. PRIN 2A requires an annual board report on Consumer Duty outcomes. The product’s annual fitness review packet is the per-AR artefact that feeds both.
This page describes the combined cycle and the way the product encodes director sign-off.
What the rules require
| Obligation | Source | Frequency | Audience |
|---|---|---|---|
| Self-assessment of AR oversight | SUP 12.6A | At least annually | Firm’s governing body |
| Annual review of each AR | SUP 12.6A | At least annually, per AR | Internal |
| Consumer Duty board report | PRIN 2A | At least annually | Firm’s governing body |
The two SUP 12.6A obligations are distinct. The self-assessment is firm-level, asking “is our AR oversight programme adequate”. The annual review is per-AR, asking “is this specific AR fit and proper, and is its activity within scope”. They share inputs but produce different outputs.
The PRIN 2A board report is also firm-level but different in subject. It asks “are the four Consumer Duty outcomes being delivered across our retail business”, which for a principal firm includes all retail business carried on by ARs in scope of their appointments.
The annual fitness review packet as the per-AR input
The annual fitness review packet is structured to feed all three obligations from a single per-AR document. Its sections:
| Section | Feeds | Source data |
|---|---|---|
| AR overview | Annual review (SUP 12.6A) | AR register, contract record |
| Risk score trajectory | Annual review, self-assessment | Risk score history over the cycle year |
| Breach summary | Annual review, self-assessment | Breach log, SUP 15 timing |
| File review summary | Annual review, self-assessment, Consumer Duty | File review log with rubric findings |
| MI return trend | Annual review | Submitted MI returns for the cycle year |
| Conduct events log | Annual review | Conduct events, training completions, attestations |
| Consumer Duty outcome attestation | Consumer Duty board report | Per-outcome indicators (see Consumer Duty) |
| Vulnerable customer outcome summary | Consumer Duty, FG21/1 | Vulnerable-customer roll-up indicators |
| Director sign-off panel | All three obligations | AuditEvent of sign-off |
The principal’s home page shows a roll-up across all per-AR packets: count reviewed, count signed off, exceptions, director attestation status. That roll-up is the firm-level self-assessment input, with narrative sections added by the firm before submission to the governing body.
Director sign-off as an audit object
PS22/11 requires the firm-level self-assessment to be approved by the firm’s governing body. The product captures sign-off as a distinct audit object:
```
{
  action: "annual-review.director-sign-off",
  actorRole: "principal-admin",
  subjectType: "annual-review",
  subjectId: <annualReviewId>,
  at: <timestamp>,
  prevHash: <SHA-256>,
  hash: <SHA-256>,
}
```

Two properties of the sign-off object earn their place:
- Distinct actor role. The signing user must hold `principal-admin` and be designated as a director-level signatory in the firm’s user register. A compliance-officer-level review event is captured separately and does not satisfy the SUP 12.6A sign-off requirement.
- State lock at sign-off. The hash of the sign-off event includes the hash of the packet contents at that point. Any subsequent change to the packet contents creates a new state with a new hash, which would reveal that the sign-off was made against earlier content.
The same audit object structure handles Consumer Duty board report sign-off. A single sign-off may close out both SUP 12.6A and PRIN 2A obligations where the packet content covers both purposes; in that case the sign-off event carries both action tags.
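The role check and state lock described above can be sketched as follows. This is an added example, not the product's own code: the `packetHash` field, the `directorSignatory` flag, the sorted-key serialisation, the all-zero starting `prevHash` and the sample packet are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Deterministic serialisation: keys are sorted so equal content always hashes equally.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value && typeof value === 'object') {
    return `{${Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`).join(',')}}`;
  }
  return JSON.stringify(value);
}

// Builds the sign-off event. packetHash (assumed field name) carries the state lock.
function signOff(packet, user, prevHash, at) {
  // Distinct actor role: a compliance-officer review must not pass as sign-off.
  if (user.role !== 'principal-admin' || !user.directorSignatory) {
    throw new Error('signatory must be a director-level principal-admin');
  }
  const event = {
    action: 'annual-review.director-sign-off',
    actorRole: user.role,
    subjectType: 'annual-review',
    subjectId: packet.id,
    at,
    prevHash,
    packetHash: sha256(canonical(packet)),
  };
  return { ...event, hash: sha256(canonical(event)) };
}

// Re-derives every hash and reports the first inconsistency found.
function verifySignOff(event, packet, expectedPrevHash) {
  const { hash, ...body } = event;
  if (sha256(canonical(body)) !== hash) return 'event-tampered';
  if (event.prevHash !== expectedPrevHash) return 'chain-broken';
  if (event.packetHash !== sha256(canonical(packet))) return 'packet-changed-after-sign-off';
  return 'ok';
}

// Constructed sample data, not taken from any real firm or packet.
const GENESIS = '0'.repeat(64);
const packet = { id: 'ar-2024-0001', breaches: 1, fileReviews: 12 };
const director = { id: 'u-1', role: 'principal-admin', directorSignatory: true };
const event = signOff(packet, director, GENESIS, '2025-01-15T10:00:00Z');
```

Calling `verifySignOff` with a packet edited after sign-off returns `packet-changed-after-sign-off`, which is the condition a reviewer of the audit chain would look for.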
The cycle year
The product treats the cycle year as configurable per principal firm but defaults to calendar year. The packet is generated in draft state at the start of each cycle year and accumulates evidence as the year progresses. At year-end, the packet enters review state, then signed-off state. After sign-off, the packet is locked except for an explicit “challenge and reissue” flow that creates a new packet version with audit traceability to the prior version.
Cross-links
- SUP 12 for SUP 12.6A in context.
- PS22/11 for the eight enhancements that include this annual cycle.
- Consumer Duty for the per-outcome content of the Consumer Duty section.
- Audit-as-evidence for the audit chain that locks the packet at sign-off.