Review of principal firms in the investment management sector

We set out our findings from our supervisory work looking at how principal firms in the investment management sector understood and complied with their regulatory responsibilities in respect of their appointed representatives (ARs).

Our review identified significant shortcomings in principal firms’ understanding of their regulatory responsibilities for their ARs.

Most principal firms we reviewed had weak or under-developed governance arrangements in place, including a lack of effective risk frameworks, internal controls and resources. Though principals are responsible for the activities of their ARs, most principals were not assessing the risks these activities posed to their firms. Consequently, some principals may not be holding adequate financial resources for both liquidity and capital. Many principals did not identify conflicts of interest inherent in this business model or make attempts to manage them.

We conclude there is a significant risk of harm to consumers and to the market arising from the activities of ARs operating in this sector.

We have written a Dear CEO letter to the chief executive officers of principal firms with appointed representatives in the sector setting out our expectations.

Who this review applies to

In the investment management sector, authorised firms have appointed and accepted responsibility for over 1000 ARs. These authorised firms act as ‘principal’ for their ARs and have regulatory responsibility for their actions. Between them, the ARs in the sector offer services to all client types, including retail.

The findings from this review are relevant for firms with the following business models: asset management; promotion and management of alternative investment funds (AIFs), wealth management activity, contracts for difference providers, fund advisory and arranging activities.

While this review was focused on the investment management sector, the findings may also be applicable to principals and ARs operating in other sectors of the UK financial services industry.

Why we conducted this review

Our previous work in the general insurance sector identified significant shortcomings in the control and oversight of ARs by their principal firms. More recent supervisory work within the investment management sector identified similar concerns, prompting us to carry out this multi-firm review.

Recent years have seen the growth of principals in the sector describing themselves as ‘Regulatory Host’ firms. These are networks which allow small businesses, which would otherwise require authorisation, to operate as ARs under the regulatory umbrella of the principal without necessarily having any relationship with that principal in terms of selling its products or services.

‘Regulatory Host’ firms tend to oversee a wide variety of AR business models. They may also permit people at ARs to be seconded to the principal firm. These people then become approved persons to undertake regulated activities, such as dealing in investments as agent and managing investments, for which the AR cannot be exempt (see our Handbook SUP 12 and SUP 12.2.7G(1)(a).

This arrangement has led to the emergence of ARs marketing themselves as, for example, investment managers, wealth managers and stockbrokers. These descriptions give the impression that such ARs can carry on a wider range of regulated activities than those for which a principal can lawfully accept responsibility.

What we did

The review included a survey of 338 principals, each with between one and 80 ARs, and a diverse range of business models. The aim of the survey was to gain insight into principal and AR business models, the extent of monitoring of ARs undertaken by principals, client numbers and categorisation, product types, sales methods, revenues and prudential oversight.

We selected 15 of these principal firms for more detailed review, including a visit.

We also reviewed the adequacy of financial resources (where required under the prudential regime) of 33 principal firms. We looked at whether senior management in such principal firms were adequately assessing the risks arising from ARs and holding adequate financial resources (capital and liquidity) to cover these risks.

We assessed whether principal firms understand and comply with their regulatory responsibilities for their ARs; in particular:

  • business model risks: whether they had considered the impact on their business and core activities of appointing ARs and had taken reasonable steps to put in place appropriate frameworks to enable them to manage the risks associated with appointing ARs
  • oversight and ongoing monitoring of ARs: whether they could demonstrate that they have adequate oversight and control over the activities of their ARs to ensure compliance with relevant requirements
  • financial resources: whether certain principals could demonstrate they were holding adequate capital and liquidity to mitigate risks arising within their business

What we found

Most principal firms within our survey had weak or under-developed governance arrangements in place, including a lack of effective risk frameworks, internal controls and resources. Deficient risk-management frameworks mean that directors are unable to adequately discharge their responsibilities of providing oversight and direction.

AR on-boarding process

When selecting ARs, the lack of effective risk frameworks meant that many principals failed to fully assess their ability to oversee prospective ARs effectively. This meant that, once on-boarded, some ARs could conduct activities outside their principals’ core areas of expertise. The principal was therefore unable to have adequate oversight.

Some principals misunderstood their ARs’ business models, raising concerns about the quality of due diligence done when they were being taken on.

Some principal firms used generic contracts for their ARs, permitting an AR to undertake regulated activities above and beyond what their business model required.

Firms must have product governance arrangements in place whether they manufacture or distribute products. This means having systems and controls to design, approve, market and manage products throughout the products' lifecycle to ensure they meet legal and regulatory requirements. At most principal firms, product governance arrangements were not in place, so firms could not demonstrate that products offered by ARs had been designed in the best interests of consumers.

Ongoing monitoring of ARs

Firms which accept responsibility for ARs must ensure their ARs comply with relevant regulatory requirements.

A lack of an effective risk framework meant that most principals had not put in place appropriate controls to monitor the activities of their ARs.

In many cases, monitoring was not bespoke to the business model of the AR and the principal often relied on high-level attestations from the AR. Some principals did not challenge the information submitted or ask further questions. At one principal, some ARs were acting outside the scope of their principal’s permission, in breach of the general prohibition.

Many principals were not taking adequate steps to ensure their ARs were complying with relevant regulatory requirements. We found little evidence, for example, of client file reviews, testing or challenge being undertaken by principals. In some cases, where suitability or appropriateness tests were required, the principal had not assessed if these were being conducted in line with our conduct of business rules.

There are inherent conflicts of interest in this model which must be managed (see SYSC 10.1). Some principals did not identify or record any conflicts on their conflicts of interest register despite the existence of some obvious conflicts. We were concerned that many principals referred to their ARs as ‘clients’ rather than ARs for which they held regulatory responsibility. This creates a potential conflict of interest. In some management information packs, the commercial arrangements and the focus on whether ARs had paid their fees in a particular month appeared to have prominence over the AR’s conduct in the same period.

We have seen rapid growth in the numbers of ARs registered by some principals without comparable enhancements made to governance and risk frameworks to align with that growth. Many principals were overseeing a wide variety of business models their ARs operated without putting in place appropriate resources (see our rules in COND 2.4), including enough appropriately skilled and experienced people.

No principal firm we reviewed was regularly reviewing their ARs’ websites. Some of these sites contained non-compliant financial promotions (see our rules), and some had inaccurate information about the AR’s regulatory status. 

Several principals maintained relationships with what they believed to be inactive/dormant ARs for long periods. Since these AR agreements were not terminated, the inactive ARs remained on the Financial Services Register. This meant these ARs could carry out regulated activity but without any oversight. This creates a risk of harm to consumers and to the market.

We found several examples where none or only some of the directors and other individuals performing relevant controlled functions within ARs had been approved to undertake such functions, as required by our rules

Capital and liquidity assessment

As principals are responsible for their ARs (including any liabilities that arise) they should be assessing risks to their firms arising from their ARs’ activities and considering what financial resources are appropriate to meet their obligations. However, most principals were not assessing the risks to their firms arising from the activities of their ARs. Furthermore, some were not adequately assessing their risks across all risk types, including liquidity risk and their compliance with the overall liquidity adequacy rule (see BIPRU 12.2.1R) where it applies. Failure to adequately assess and mitigate risks affects firms’ ability to calculate their financial adequacy. Consequently, these principals may not be holding adequate financial resources, both liquidity and capital (see our rules in COND 2.4).

As a result, where we reviewed firms’ assessments of the adequacy of their financial resources (where required under the prudential regime), more than 90% of these failed the ‘use test’ and were not fit for purpose. To pass this test, the Board’s discussion and challenge of the assessment and the subsequent governance actions should, as a minimum, evidence:

  • the Board’s understanding of the firm’s business and the associated risks
  • the actions in place to mitigate these risks
  • the risks the Board is willing to take and
  • the degree to which these risks can and cannot be mitigated against

Many of these principals may not be correctly calculating their Pillar 1 capital requirement, one of the requirements of their threshold conditions. IFPRU firms should consider the guidance in the Regulatory Technical Standard (Chapter 5a, article 34a, paragraph 3) on own funds requirements for investment firms based on fixed overheads.

Many principals (subject to BIPRU and IFPRU) rely on Professional Indemnity Insurance (PII) to mitigate the risks arising from their ARs. Though insurance can form part of an appropriate risk mitigation approach, it is not a substitute for maintaining adequate financial resources in all circumstances. This is because a significant number of scenarios are not covered by PII policies (due to exclusions, limitations etc).

We found that some principals were not following our requirements to include their ARs’ revenues when submitting their fee tariff data from which we calculate their annual FCA regulatory fees. This meant that they paid lower regulatory fees than they should have, with the balance covered by other fee-payers.

Alternative Investment Fund Managers

In recent years, we have seen the growth of the ‘Host AIFM’ model. Under this model, a principal firm is appointed as the alternative investment fund manager (AIFM) to an alternative investment fund (AIF); the AR is usually appointed as an adviser to the AIF. People from the AR may be seconded to the principal, in which capacity they can undertake portfolio management activity. 

For these purposes, the seconded individual is approved to perform the customer-dealing function on behalf of the principal. Under such an arrangement, when marketing AIFs, the AR, rather than the AIFM, claims to be the fund manager when, legally, this role is taken by the principal as the AIFM.

There are inherent conflicts of interest within the ‘Host AIFM’ model where, for instance, employees of an AR are appointed to carry out controlled functions for the principal. We did not receive assurance in all cases that such conflicts of interest were being identified and managed by firms.

We saw evidence that some firms had failed to put in place appropriate control and risk management frameworks, including experienced people, to oversee the AIFs and the activities of the seconded portfolio managers. For instance, some firms were managing AIFs that traded daily, yet in some cases, checks on trading activity were being undertaken monthly.

We found that some principals were failing to maintain effective arrangements, systems and procedures to prevent and detect market abuse because they misunderstood their regulatory obligations under the Market Abuse Regulation. For instance, a number of firms were not proactively monitoring the trading activity of the AIFs they managed in order to detect and report suspicious orders and transactions.

Some firms had ceased to be the AIFM to a particular AIF/s some time before our visit, but had not reported such changes (as they should under our rules using this form) to us, which meant that our records were not accurate.

We have significant concerns about this hosting model and will continue to assess the risks associated with it.

Foreign-owned ARs of contracts for difference providers

We found that several principals that act as contracts for difference providers had recently registered ARs. Most of these ARs were owned by shareholders based overseas. UK-based directors were usually hired by agents of the overseas shareholders and typically did not have any day-to-day involvement in the AR’s business. In most cases, the AR was inactive, despite paying relatively high fees to its principal. Most did not have a UK bank account.

We found that third-country entities, with very similar names to the AR entities, were advertising their services overseas but referencing the FCA firm registration number of the AR, and more broadly FCA regulated status, on foreign websites. In many cases, these overseas businesses were linked, by ownership, to the ARs. It appears that third-country investors were given the impression they were contracting with an FCA-registered entity, when they were potentially contracting with an unregulated third-country entity. 

We are concerned by the risk of consumer harm presented by this misuse of registration of ARs and risks to confidence in the UK regulatory system. Affected principal firms’ due diligence and ongoing monitoring did not identify these issues.

Based on our findings, we are concerned that principals in the contracts for difference sector do not have sufficient systems and controls in place to monitor their ARs. Some principals de-registered all of their ARs as a result of our intervention. We are continuing to intervene where we identify such potentially harmful arrangements.

Our actions

We found significant weaknesses in the control and oversight of ARs by many principals in this review. These failings meant that, in some cases, retail investors did not benefit from the protections afforded by our rules and, as a result, experienced harm in the form of financial detriment. We also identified significant risk of potential harm to investors and the market.

We have intervened in relation to a number of principal firms in our sample. Interventions included agreeing the imposition of requirements on their regulatory permissions to either remove or to stop on-boarding ARs, asking principal firms to de-register their ARs and commissioning two FSMA section 166 skilled persons reports. These reports will assess whether customers suffered harm and consider the adequacy of systems and controls.

Next steps

We expect principals to assess how they are meeting our requirements in relation to their ARs, as set out in our Handbook. Principals should ensure that they identify and address any shortcomings in their firm’s risk-management frameworks, processes and practices.

We will continue to work with the principal firms included in our detailed review to address the issues identified. We will also do some additional work with some firms in the wider survey sample not previously included.


We did a thematic review on this subject in the general insurance sector in 2016 and wrote to CEOs, identifying similar findings to this review. 

We issued an alert in 2017 to all principals who have ARs or introducer ARs. We highlighted the risks to a principal of not having adequate oversight of its ARs. We also reminded principals of their responsibility for the regulated activities of their ARs. This was a follow up to a previous alert on the subject in 2016, which was issued due to an increase in cases of introducers having an inappropriate influence on business carried out by authorised firms. There is further guidance on our expectations of principal firms and ARs on our website.

On 9 January 2019, we published a Dear CEO letter to all our regulated firms, reminding them of their responsibilities when communicating and approving financial promotions. We have recently become aware of firms issuing financial promotions which suggest or imply that all the activities which they undertake are regulated by us and/or the Prudential Regulation Authority (PRA) when they are not.

On 11 April 2019, we published a Dear CEO letter to remind firms involved in the approval of financial promotions for unauthorised persons of their obligations when doing so.

Our September 2016 letter set out our Prudential approach for IFPRU investment firms. Although this letter was addressed to IFPRU firms, its contents are relevant to all firms required to prepare an ICAAP.