SUP 15 (notifications and breach reporting)
SUP 15 is where the breach-reporting clock semantics come from. It governs notifications a firm must make to the FCA outside the routine return cycle. For a principal firm, SUP 15 obligations are activated by a wide range of events including AR conduct, AR scope creep, senior manager changes, complaint clusters, and operational incidents.
The product distinguishes four notification regimes, surfaces a countdown clock per breach, and captures three timestamps that together evidence the timing of every notification.
The four timing regimes
| Regime | Source | Trigger examples | Product clock |
|---|---|---|---|
| Immediate (one business day) | SUP 15.3.11R | Significant adverse impact on reputation, ability to provide adequate services, or financial soundness; AR found operating outside scope; AR senior manager subject to police investigation | Red flag after 24 elapsed business hours |
| 10 business days | Product convention for indeterminate severity, escalating | Cases where severity is being triaged; default soft ceiling | Amber flag at 7 business days |
| 30 calendar days | SUP 12.7 (post-PS22/11) | Pre-appointment FCA notification window | Green countdown until objection deadline |
| Reasonable period | SUP 15.3.1R general notification | Anything of which the FCA would reasonably expect notice | No hard countdown; documented escalation if assessment hardens |
The default for indeterminate severity is the 10-business-day soft ceiling, with documented escalation if the severity assessment hardens during triage. The clock starts at awareAt, not reportedAt, because SUP 15 obligations crystallise on awareness.
Form-driven notifications
SUP 15.7 covers form-driven notifications for changes that are individually scoped:
- Form A (SUP 12.7): notification of intention to appoint an AR. Carries the 30-day pre-appointment window introduced by PS22/11.
- Form B (SUP 12.8): notification of termination of an AR.
- Other AR-specific forms for change of details, change of permissions, change of controllers.
The product carries the data needed for each form and emits the form payload at the right point in the workflow. Submission to the FCA via Connect or RegData is a future API integration; the demo treats the form submission as a stubbed event with a captured timestamp.
Triggers the demo’s fixture set illustrates
The fixture set on the breach triage queue illustrates the SUP 15 trigger taxonomy:
- AR found to be operating outside the scope of its appointment (immediate window).
- AR individual subject to police investigation for conduct relevant to fitness and propriety (immediate window).
- AR’s senior manager resigning without explanation (immediate window).
- A pattern of customer complaints clustering on a single AR (reasonable period; 10-day default).
- Failure of an Important Business Service that the AR supports (immediate window; cross-links to SYSC 15A).
- AR data protection incident with customer impact (immediate window).
- AR breach of training and competence requirements (10-day default).
Each fixture is tagged with its trigger taxonomy code so the breach detail page can render the regulatory route alongside the operational facts.
The three timestamps
The breach detail page renders three timestamps for every breach. Together they evidence the timing of the principal’s response and feed the SUP 15 supervisory metric.
| Timestamp | Definition | Field name | When written |
|---|---|---|---|
| Awareness | When the AR or principal first knew of the matter | awareAt | At breach creation; editable with audit trail until first notification |
| Assessment | When severity was triaged and the regime was selected | assessedAt | Set when the triage step closes |
| Notification | When the FCA notification was filed (demo-mocked) | notifiedFcaAt | Set when the SUP 15 submission is recorded |
The gap between awareAt and notifiedFcaAt is the supervisory metric. It is surfaced on the breach KPI tile on the principal home page and aggregated as a firm-level “median notification lag” indicator.
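The clock rules and the lag metric described above can be sketched as follows. This is an added JavaScript example, not the product's own code, and it covers the immediate and 10-business-day clocks only. Assumptions: timestamps are UTC, a business hour is any hour falling on Monday to Friday with no holiday calendar, the clock stops when `notifiedFcaAt` is set, the lag is measured in calendar hours, and the regime keys and flag strings are hypothetical names.

```javascript
// Added example. Assumptions: UTC timestamps; a "business hour" is any hour that
// falls on Mon-Fri (24 per business day); no holiday calendar. Regime keys and
// flag strings are hypothetical; awareAt / notifiedFcaAt are the page's fields.
const HOUR_MS = 3600000;

// Business hours elapsed between two Dates, skipping Saturdays and Sundays.
function businessHoursBetween(start, end) {
  let ms = 0;
  for (let t = start.getTime(); t < end.getTime(); ) {
    const d = new Date(t);
    const nextMidnight = Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate() + 1);
    const stop = Math.min(nextMidnight, end.getTime());
    if (d.getUTCDay() !== 0 && d.getUTCDay() !== 6) ms += stop - t;
    t = stop;
  }
  return ms / HOUR_MS;
}

// Clock state for one breach. The clock starts at awareAt and (assumption)
// stops once notifiedFcaAt is recorded.
function clockState(breach, now) {
  const elapsed = businessHoursBetween(breach.awareAt, breach.notifiedFcaAt ?? now);
  if (breach.regime === "immediate") {
    return { elapsed, flag: elapsed > 24 ? "red" : null }; // red after 24 business hours
  }
  if (breach.regime === "tenBusinessDays") {
    return { elapsed, flag: elapsed >= 7 * 24 ? "amber" : null }; // amber at 7 business days
  }
  return { elapsed, flag: null }; // reasonable period: no hard countdown
}

// Median of (notifiedFcaAt - awareAt) in calendar hours over notified breaches;
// returns null when nothing has been notified yet. The unit is an assumption.
function medianNotificationLagHours(breaches) {
  const lags = breaches
    .filter((b) => b.notifiedFcaAt)
    .map((b) => (b.notifiedFcaAt - b.awareAt) / HOUR_MS)
    .sort((a, b) => a - b);
  if (lags.length === 0) return null;
  const mid = Math.floor(lags.length / 2);
  return lags.length % 2 ? lags[mid] : (lags[mid - 1] + lags[mid]) / 2;
}

// Constructed sample: awareness on a Friday afternoon, checked the next Monday.
const sample = { regime: "immediate", awareAt: new Date("2024-03-01T15:00:00Z"), notifiedFcaAt: null };
console.log(clockState(sample, new Date("2024-03-04T12:00:00Z")));
console.log(clockState(sample, new Date("2024-03-04T16:00:00Z")));
```

The weekend between the two sample timestamps contributes no business hours, which is why a breach known on Friday afternoon does not flag red until Monday afternoon.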
Cross-links
The breach detail page is the product’s single source of truth for SUP 15 timing. Adjacent pages:
- SUP 12 for the underlying obligations on appointment, termination, and continuing oversight.
- DISP 1 for the complaints flow, which is calendar-aligned with SUP 15 but uses a different reporting route.
- SYSC 15A for resilience-relevant breaches and the distinct severity flag they carry on the triage queue.
- Audit-as-evidence for the audit chain that records every state transition on a breach.