Relevance
The gap, in Appointed Rep oversight terms.
Six questions the Head of Network Compliance cannot answer cleanly today. Each one is a consequence of the same structural gap: a periodic snapshot where the FCA now wants live evidence.
If you own AR oversight
"Our AR file is forty PDFs, a SharePoint folder, and a tab in a spreadsheet."
The artefacts exist. The picture does not. No single surface shows control performance at the AR level, control by control, on demand. When REP025 falls due, the picture has to be rebuilt from primary documents.
If you run the AR network
"The attestation cycle eats my team. Then REP025 [FCA report] lands on top of it."
Two to four people spend weeks per cycle chasing late returns, parsing inconsistent attestation formats, and assembling a pack that is already a quarter old when it lands. REP025 collation is a separate workstream that touches the same data.
If you run the AR network
"If the FCA asked us tomorrow how our ARs are actually behaving against the agreed controls, the real answer is a periodic snapshot."
The AR Agreement is signed at onboarding. The behaviour against it is reconstructed after the fact from email self-attestations. The FCA's Consumer Duty regime is moving away from accepting that reconstruction as evidence.
If you own AR oversight
"Three of our ARs are always late. We know which three. We chase them every cycle."
The structural late-returners are visible to the team but invisible to the framework. Nothing escalates them automatically. Nothing records that the chase pattern has been the same for six cycles, which is exactly what the FCA's inactive-AR review flagged in 2024.
If you sit on the principal firm's board
"When the COO asks for a current-state view by end of day, the compliance team opens Excel and starts collating."
Hours of work each time, and the result is already a quarter old when it lands. The board cannot run SM&CR-grade oversight on a view that has to be rebuilt from scratch every time it is requested.
If you run the AR network
"The AR management platforms we have looked at are workflow tools. They do not evidence control performance."
The market sells you a workflow tool for AR onboarding and training. It does not give you a live, evidenced view of how each AR is performing against your control framework.
THE INVERSION
Start with the work. The evidence falls out.
GRC starts with risks. The Controls-First Approach starts with controls. For AR oversight, that single inversion is the difference between a pack the FCA believes and a pack no one trusts.
Controls-First Approach
- Live view of AR control performance, refreshed each time evidence is filed
- Attestation chase collapses to an exception list. Hours per cycle, not days
- Each incident sharpens the control; the new instruction reaches every AR running it
- Late-return patterns escalate inside the framework, on a path the board can see
- The COO, the board, and the FCA open the same live view directly. No rebuild required
Proactive AR Oversight
Chase-First Approach
- Periodic snapshot assembled from email and spreadsheets, a quarter old when it lands
- Person-days per cycle on the attestation chase; REP025 a separate scramble
- Incident lessons stay in the log; the instruction to the AR never changes
- Structural late-returners chased manually, no escalation path in the framework
- Every COO, board, or FCA request triggers hours of rebuilding the AR view from scratch
Reactive AR Oversight
the architecture
One control. Many Appointed Reps. A framework that learns.
Every AR control is set centrally as a parent, rolled out as child instances across the network, and updated across every AR the moment a lesson lands. Six steps, walked through below.
the regulatory moment
Why 2026, not 2024 or 2027.
The reshaped FCA AR regime
The FCA's three-year AR oversight programme found repeated weakness in principal firm oversight. PS22/11 introduced REP025 in December 2022, 30-day advance notification for new ARs, and an annual self-assessment of oversight adequacy. The April 2024 inactive-AR review concluded with hard findings. AR oversight is the FCA's single most-cited area of supervisory action against principal firms.
Consumer Duty cascaded
PRIN 2A applies the Consumer Duty to retail customer outcomes across the value chain, and the Principal is responsible for evidencing that the AR is delivering them. Cross-referenced against AR conduct data, AR complaints volumes, and the AR's own outcome monitoring. SM&CR exposure runs through the same Senior Manager who signs the annual oversight self-assessment.
Volatile market conditions
Insurance and IFA distribution margins are under pressure after a hard market and a softer fee environment for protection and pensions advice. Expense ratios are under board scrutiny. Compliance and operations salary inflation has made hiring out of the problem unaffordable for most firms in this band. The real CFO conversation is: produce the evidence with what you have, not with more.
Soft market, more mis-selling temptation. The FCA wants principals watching their ARs harder, and Consumer Duty makes the oversight test sharper every cycle. A live control framework is the lowest-cost route to a defensible answer.
what the board sees
Every line in the board report traces back to operational reality.
The Head of Network Operations and Compliance produces the evidence. The board reads what it produced. The FCA reviews what the board read. Three audiences, one operating layer.
Controls and Actions
Structured instruction where work evidences itself.
Each attestation, each exception, each piece of evidence files against the named control it tests, on the ARs it relates to. The picture assembles as the work happens. There is no separate collation step before the board pack, and REP025 falls out of the same data.
Lessons learnt
Every incident strengthens the operating posture.
When an incident lands at one AR, the control sharpens for all of them. The revised instruction reaches every AR running that control on the next cycle. One AR's lesson becomes the operating standard for the network, which is exactly what Consumer Duty asks the Principal to demonstrate.
Reporting and Audit
The audit trail exists by construction.
When the FCA asks for evidence of AR oversight, the trail is already there. Date-stamped, attributed, linked to the named control. No reconstruction from email threads and spreadsheet histories. REP025 and the SM&CR annual oversight self-assessment draw from the same source.
IN PRODUCTION
"CoVi has become our primary internal governance and monitoring tool. The system helps us stay in sync with a challenging and constantly evolving regulatory environment, centralising evidence for our risk and compliance framework."
Pro MGA Solutions
Head of Compliance
IN PRODUCTION
54 Agents. One firm. One Controls-First Approach.
A UK principal firm running 54 Appointed Representatives deployed the Controls-First Approach across the full network. Controls were inventoried and owned first. Risk Incidents captured what went wrong. Simplified onboarding and on-going monitoring.
The firm's Head of Compliance describes what changed. The platform is now their primary internal governance and monitoring tool.
Read the case study.
Differentiation
Three comparisons the Head of Network Operations will make. All three answered.
Against email, spreadsheets, and colour codes
The team that runs AR oversight on email, spreadsheets, and a colour code is not under-equipped. It is over-equipped with the wrong shape of equipment. Each artefact is fit for one moment in the cycle. None is fit for the question the FCA now asks: show me, live, how this AR is behaving against the agreed framework, control by control, with the Consumer Duty outcomes attached.
A live control framework answers that question by construction. Attestations, exception logs, and evidence packs all get filed against the named control they relate to, on the AR they relate to. The picture assembles itself as the work happens, and REP025 is a report off the side of it, not a separate workstream.
Against AR management platforms
AR management platforms are workflow tools for the AR lifecycle. They handle onboarding, the FCA register submissions, training records, and the AR Agreement itself. They do not maintain a live view of how each AR performs against the principal firm's control framework, because that is not what they were built for.
AR oversight at FCA standard is a control framework problem. The framework sits alongside the AR management platform, not in place of it. If your firm already runs one, the framework feeds off the same evidence and gives the Head of Network Operations and Compliance the live view the platform does not produce.
Against the GRC pattern
GRC tools are built for the second-line reviewer, populated by the first-line operator, and the first line does not use them. That is the structural failure of the category. The result is a tool the risk team owns and the operations team avoids, with real work continuing in email and spreadsheets next to the tool that was meant to replace them.
Context Visualised is the decision center for regulated firms. The Head of Network Operations and the AR oversight team are the buyers and the people who open it every day. The compliance team gets the evidence layer they need, because the operating team produces it on a tool they actually open. RiskOps is GRC seen from the side of the people who do the work.
From quarterly snapshots to live evidence. In weeks.
RiskOps for principal firms
Every AR, in context.
Every cycle, evidenced.
Live oversight of every Appointed Representative (AR), with FCA-grade evidence already in place before the supervisor asks for it. For Heads of Network Operations or Compliance who want every AR's posture on screen this morning, not reconstructed next quarter.
Why we start with the work, not the register
Built by an operator who has seen these challenges from the auditor's and the regulator's perspective. In production at a UK principal firm running 54 Appointed Representatives.



