Skip to content
Lending Agent Oversight

SUP 12 (the AR rulebook)

SUP 12 is the principal supervisor’s working text. Where FSMA s.39 sets the statutory consequence of an appointment, SUP 12 sets the operational rules: who can be appointed, what the contract must say, how the principal must monitor, when records must be kept, and how termination works. SUP 12.6A, inserted by PS22/11, layered enhanced obligations on top.

This page walks the chapter subsection by subsection. For each, what the rule says and how the product evidences compliance.

SUP 12.2: definitions and scope

Section titled “SUP 12.2: definitions and scope”

SUP 12.2 defines the AR and the IAR. An IAR is an AR whose appointment is limited to effecting introductions to the principal or to other authorised persons and providing information about the principal’s products. The IAR may not carry on other regulated activities under the appointment.

The product treats the AR/IAR distinction as first-class:

  • The register stores appointmentType: "AR" | "IAR" on every appointment.
  • The AR detail header renders a type badge.
  • The file-review rubric branches on type. For an IAR, the rubric narrows to introduction-quality and information-accuracy checks. For a full AR, it expands to the per-vertical conduct checklist (MCOB, ICOBS, or CONC) appropriate to the skin.
  • The risk model up-weights scope-creep indicators for IARs, on the basis that an IAR carrying on regulated advice is, by definition, outside scope.

SUP 12.4: appointment and pre-appointment due diligence

Section titled “SUP 12.4: appointment and pre-appointment due diligence”

SUP 12.4 requires the principal to be satisfied on fitness, solvency, suitability, controllers, and resources before entering the contract. The pre-appointment checklist surfaces these tests as a structured workflow:

  • Identity and FCA register checks.
  • Solvency and financial standing evidence.
  • Controller and senior manager fit-and-proper attestations.
  • Resource adequacy assessment (people, systems, training).
  • Self-employed individual cohort flag (PS22/11, see PS22/11).

Each item is recorded against the AR’s pre-appointment record with attribution and a timestamp. Without all items closed, the AR cannot be marked active in the register.

SUP 12.5: the written contract

Section titled “SUP 12.5: the written contract”

SUP 12.5 prescribes required terms in the written contract: the scope of permitted activity, the principal’s right of access to records and personnel, termination triggers, and the AR’s obligation to comply with the principal’s directions.

The product surfaces the contract as a versioned document linked from the AR detail Documents tab. The annual fitness review packet renders the current contract version on file and flags overdue refreshes. The product does not author contracts; it records that one exists, when it was signed, and when it was last refreshed.

SUP 12.6: continuing obligations

Section titled “SUP 12.6: continuing obligations”

SUP 12.6 is the operational supervision rule. The principal must adequately monitor the AR’s activities and the conduct of approved persons or certified persons within the AR. The ongoing fitness and propriety obligation sits across SUP 12.4 (continuing fit-and-proper assessment) and SUP 12.6 (adequate controls and resources) [unverified, source not accessible 2026-05-08; FCA Handbook handbook.fca.org.uk did not return rule text via WebFetch, secondary sources do not pin a specific 12.6.5R citation, the closest verifiable continuing-fitness rule is in SUP 12.4].

“Adequate monitoring” is the term the product is designed around. The composite risk score is the principal’s instrument for evidencing it. Five normalised inputs feed the score: complaints density, breach severity sum, file review score (inverted), time since last review, and MI return anomaly score. The full algorithm is in the Risk scoring architecture page.

The risk dashboard surfaces the composite score per AR with a band badge (low, moderate, elevated, high, critical). The trajectory over the year is rendered on the AR detail page and rolled up into the annual review packet, so a regulator can reconstruct how monitoring intensity tracked the changing risk picture.

SUP 12.6A: enhanced oversight (inserted by PS22/11)

Section titled “SUP 12.6A: enhanced oversight (inserted by PS22/11)”

SUP 12.6A was inserted by PS22/11 with effect from 8 December 2022. It is the load-bearing recent change in the AR regime. The eight enhancements and their product surfaces are walked in detail on the PS22/11 page.

In summary, SUP 12.6A introduces:

  • Annual self-assessment of AR oversight (firm level, director-approved).
  • Annual review of each AR (per-AR fitness review).
  • Enhanced FCA data return (REP025).
  • 30-day pre-appointment notification window.
  • Heightened scrutiny of self-employed AR cohorts.

The annual fitness review packet is the per-AR artefact that feeds both the firm-level self-assessment and the per-AR annual review.

SUP 12.7: notification of appointment

Section titled “SUP 12.7: notification of appointment”

SUP 12.7 governs FS Register notifications when a principal appoints an AR. PS22/11 added a 30-day pre-appointment notification window so the FCA has time to object [checked 2026-05-08, FCA PS22/11 and SUP 12.7 (handbook.fca.org.uk/handbook/SUP/12/7.html, version effective 8 December 2022): principals must notify the FCA at least 30 calendar days before an AR appointment takes effect].

The product generates the data needed for Form A submissions on appointment but does not file with the FCA. The pre-appointment workflow surfaces the notification clock and blocks the “activate AR” action until the 30-day window has elapsed without objection.

SUP 12.8: termination

Section titled “SUP 12.8: termination”

SUP 12.8 governs termination notifications via Form B. The product generates Form B data on termination, captures the termination reason against a controlled taxonomy (regulatory concern, performance, commercial, AR-initiated, other), and preserves the AR record in the register with status: "terminated" for the SYSC 9 retention window.

SUP 12.9: records

Section titled “SUP 12.9: records”

SUP 12.9 sets the required AR records and the retention period: a minimum of three years from the date of termination or amendment of the AR contract, extended to five years for tied agents (i.e. MiFID business) [checked 2026-05-08, FCA Handbook SUP 12.9.1R via secondary sources confirming the three-year general floor and five-year tied-agent floor; Handbook URL handbook.fca.org.uk/handbook/SUP/12/9.html did not return verbatim rule text via WebFetch but the rule is widely cited in this form]. The product applies a six-year default to satisfy the longest commonly applicable floor across the relevant sourcebooks; see SYSC 9 for the cross-cutting retention spine.

The records the product holds against each AR:

  • The s.39 contract and its version history.
  • Pre-appointment due diligence pack.
  • Permissions matrix and change history.
  • Risk score history with input attribution.
  • All breach reports and their SUP 15 timing chain.
  • All file reviews with findings and remediation.
  • All MI returns with submission attribution.
  • All conduct events.
  • The annual fitness review packet for every cycle year.
  • A hash-chained audit log of every supervisory action (Audit-as-evidence).

The cross-cutting effect of SUP 12.9 is that the AR register is not a current-state view; it is a versioned history, queryable as of any date in the retention window.