PS26/6 and the AR-into-SM&CR consultation: what principal firms should be doing right now

Two reform tracks landed on UK principal firms within four days of each other. They are not separate workstreams. They are converging on the same operating point: the principal firm is being made structurally accountable for the operational reality of its AR network, not just for the paperwork it files.

The first track is PS26/6, the FCA's Phase 1 SM&CR policy statement (joint with the PRA's PS12/26), published on 22 April 2026 and in force on 24 April. The second is the HM Treasury consultation on AR regime reform, which closed on 9 April 2026 with three structural proposals on the table. Both arrive in the same supervisory weather as the FCA inactive AR review (21 April 2026) and the Sapia Partners Final Notice (20 April 2026), with the HMT FSMA statutory-deadline reforms confirmed on 12 May 2026 setting the timetable underneath.

This piece walks three areas:

1. How PS26/6 sharpens senior accountability for AR oversight through the SMF7 lens.

2. What the HMT consultation's three structural proposals mean for the principal-AR relationship.

3. The operating discipline that closes the gap between the reform direction and most current AR oversight functions.

PS26/6 and the SMF7 lens on AR oversight

In most principal firms today, the Compliance and Money Laundering Reporting function carries AR oversight inside SMF7's portfolio. The AR network is reviewed annually. Conduct issues are logged and managed inside the compliance function. Certification decisions and breach notifications sit on a quarterly rhythm, with senior attention drawn in only when something escalates. The evidence for "we oversee our ARs" is largely the annual file.

PS26/6 streamlines Phase 1 SM&CR. The certification regime is simplified, the conduct rules notification process is trimmed, and the SMF approval flow is aligned with the FSMA statutory-deadline reforms. The framing is consistent across the document: the reform is meant to make senior accountability sharper, not softer. Paired with the 21 April inactive AR review's "active and data-led oversight" language, the supervisory expectation is now legible. Senior accountability for AR oversight, evidenced by operational data, demonstrable on demand.

What this tends to expose is a fit problem, not a willingness problem. The SMF7 holds a portfolio. AR oversight is one item in it. The annual file is built by the compliance function and signed off by SMF7. Inside a supervisory conversation that asks for the current operating state of the AR network, the annual file is the wrong artefact in the wrong tense. The Sapia Partners Final Notice is the loud version of this gap, but the quiet version is in most firms.

The three HMT proposals, in operational terms

The HMT consultation puts three proposals on the table. None are yet in force. All three reshape the principal-AR relationship in ways the principal firm should be operationally building toward, regardless of which form the outcome takes.

The first is a dedicated principal permission gateway. Today, a firm becomes a principal as a by-product of holding the right permissions, with no specific authorisation step for the principal status itself. The proposal would introduce a permission gateway with its own threshold conditions and ongoing obligations. The second is direct FOS jurisdiction over ARs, where the AR becomes a respondent in its own right while the principal remains liable for the conduct underneath. The third is a dedicated AR SMF, aligning the AR regime with SM&CR through a named senior function for AR oversight. The direction of travel is the same in each case: AR oversight becomes a defined operational capability with regulatory artefacts attached.

What is easy to miss is how interlocking the three are. A permission gateway forces the principal to evidence its AR oversight capability at authorisation and on an ongoing basis. A direct FOS jurisdiction forces the AR's complaints picture and the principal's complaints picture to be consistent at the artefact level, not just in a quarterly roll-up. A dedicated AR SMF forces a role definition, a reporting line, and an operating model where today there is often a paragraph in a job description. Firms that prepare for one of the three by accident prepare for the other two by design.

The operating discipline that closes the gap

Most principal firms today hold the AR network in two places. Working memory in the compliance function, and an annual file. Between reviews, the picture is reconstructed from REP025 submissions, complaints volumes, and the occasional escalation. The Head of Network Compliance, where the role exists, spends most of the period chasing inputs. The SMF7 sees the picture once a year, in a form built for the file rather than for the decision.

The reform direction asks for something different. Continuous oversight of the AR's actual operations, evidenced by operational data, available on demand. The operating model that produces it is not a heavier annual review. It is an operating layer that holds each AR as a node, with controls, indicators, complaints, and actions sitting underneath, updating in the rhythm of the work.

Where principal firms tend to trip is at the seam between the reform language and the existing operating model. Reading "active and data-led oversight" as a documentation upgrade misses the structural move underneath. The annual file does not become defensible by getting longer. It becomes defensible by becoming a formal cut of a state that was already there.

The solution: continuous oversight as an operating layer

Two mechanisms inside the operating layer carry the load.

• The pitfalls of annual-file thinking, attestation-led evidence, and AR oversight sitting inside a portfolio rather than as a function are fixed by the Controls-First Approach. Controls are mapped first, per AR. Risks, indicators, and actions fall out as RCIA decomposition. Every control has a live state that updates as the work happens, so the annual file becomes a cut, not a build.

• The pitfalls of network fragmentation, inconsistent AR artefacts, and inability to roll up a defensible network view are fixed by the Parent-Child module. Each AR sits as a node in the same structure. The principal sees the network in aggregate and any AR in detail from the same surface, so the supervisor, the FOS, and the board draw from the same underlying state.

What the operating layer looks like in practice is undramatic. The annual review still exists. The REP025 submission still exists. The SMF7 sign-off still exists. They stop being the moment the picture gets built and start being formal cuts of a picture that was already current.

Next step

Pick one AR. The one with the most concentrated revenue, or the one with the thinnest oversight today. Map its controls. Pick three attestation-led controls and convert them to indicator-led. Run a single quarterly cut for the SMF7 against that AR, in the form a supervisor would ask for. The exercise sizes the gap between the current operating model and the reform direction in a week, against one node, before the network move is committed.

If that exercise sounds useful, the AR network wedge page is at /who-its-for/ar-network-oversight. We are happy to walk through it and show you how the operating layer works in an AR network setting.