๐Ÿ“‹ How-To Guide

UK AR Technology Checklist

Operational technology requirements for Appointed Representatives launching under a regulatory host โ€” updated for the 2026 regulatory environment.

Launching as an Appointed Representative under a regulatory host (Brooklands, Carne, Portman Square) gives you market access while you build track record. But the AR landscape is shifting rapidly. HM Treasury published a consultation in February 2026 proposing significant reforms including requiring principals to obtain FCA permission before appointing ARs, extending SMCR conduct rules to AR personnel, and bringing ARs within Financial Ombudsman Service jurisdiction. Regulatory hosts are responding by demanding stronger evidence of operational substance from their ARs. This checklist covers the technology infrastructure you need to demonstrate genuine operational capability.

Step-by-Step Checklist

1. Demonstrate Operational Substance

Regulatory hosts scrutinise AR operations more closely than ever. Since the FCA's enhanced AR regime took effect in December 2022, principal firms must complete annual AR reviews and self-assessments. The FCA has now tested over 270 firms on their AR oversight โ€” and found persistent weaknesses.

HM Treasury's February 2026 consultation proposes that authorised firms must obtain specific FCA permission before appointing ARs. Around 34,000 ARs currently operate under approximately 2,400 principal firms. This regime tightening means hosts will become more selective about which ARs they accept, and technology infrastructure is one of the key differentiators.

Your technology stack demonstrates genuine business substance โ€” not reliance on your host's systems for everything. An AR that uses its own deal analysis platform, document management, and communications infrastructure signals an operation that is building toward direct authorisation, not a mailbox arrangement looking for regulatory cover.

Prepare for SMCR extension to ARs. The proposed reforms would apply Senior Managers and Certification Regime conduct rules to AR personnel (other than ancillary staff). This means your team members may need to meet fitness and propriety requirements, and your technology must support the governance and record-keeping that SMCR demands.

Recommended tools
  • Independent technology stack: Your own deal analysis, document management, and communications platforms โ€” not reliance on the host's systems.
  • Governance documentation: Documented policies and procedures demonstrating independent operational capability, ready for host review and FCA inspection.
  • SMCR readiness: Prepare for potential SMCR extension โ€” document roles, responsibilities, and accountability framework for all personnel.
Regulatory references
  • Financial Services and Markets Act 2000, Section 39: Legal framework for Appointed Representatives, requiring written contract with principal and scope limitations.
  • FCA SUP 12: Supervision manual chapter on Appointed Representatives โ€” requirements for principal firm oversight, annual reviews, and self-assessments.
  • HMT AR Regime Consultation (February 2026): Proposed reforms including FCA permission requirement, SMCR extension, and FOS jurisdiction over ARs.
Verification checklist
  • Independent technology stack operational (not dependent on host systems for core functions)
  • Policies and procedures documented and available for host annual review
  • Team roles and responsibilities mapped (preparation for potential SMCR extension)
  • Annual self-assessment process established
  • Technology infrastructure narrative prepared for regulatory host due diligence
Key question

Can you demonstrate independent operational capability to your regulatory host?

2. Critical Third Party Regime Awareness

Since January 2025, the FCA, PRA, and Bank of England can directly oversee cloud providers designated as Critical Third Parties. While CTP designation primarily targets the largest providers, it creates compliance complexity and reputational risk for funds using CTP-designated infrastructure.

The CTP regime (PS24/16, November 2024) introduces six fundamental rules for designated providers, similar to the high-level principles in the FCA Handbook. HM Treasury will make designation orders specifying which providers are subject to the regime. While specific designations have not yet been announced, the largest cloud providers (AWS, Microsoft Azure, Google Cloud) are widely expected to be in scope.

For fund managers, CTP designation of your cloud provider means additional due diligence obligations, potential regulatory interest in your technology architecture, and the requirement to demonstrate that you have assessed and mitigated concentration risk. The FCA has signalled that final rules on incident reporting and third-party risk management, expected in 2026, will introduce more granular obligations for monitoring cloud provider resilience.

Self-hosted technology infrastructure eliminates CTP designation risk entirely because no third-party cloud provider is involved in processing your fund's data. This is a meaningful differentiator in LP due diligence conversations โ€” particularly with institutional investors who are themselves managing CTP-related compliance burdens.

New third-party reporting rules take effect on 18 March 2027. Firms will be required to report material third-party arrangements to the FCA, enabling the regulator to monitor concentration risk across the sector. Start documenting your third-party arrangements now to be ready.

Recommended tools
  • Self-hosted infrastructure: DiligenceWorks provides self-hosted infrastructure that is not subject to CTP designation โ€” no third-party cloud provider involved.
  • CTP risk assessment: Framework for evaluating whether your technology providers are at risk of CTP designation and what that means for your operations.
  • Third-party arrangement register: Structured register of all material third-party arrangements, prepared for March 2027 reporting requirements.
Regulatory references
  • FCA PS24/16 (November 2024): Final rules for the Critical Third Parties regime, effective 1 January 2025. Six fundamental rules for designated CTPs.
  • FCA Reporting Rules (March 2027): New requirement to report material third-party arrangements to the FCA, including technology providers.
Verification checklist
  • Technology providers assessed for CTP designation risk
  • Concentration risk documented (single-provider dependency analysis)
  • Self-hosted alternatives evaluated for critical functions
  • Third-party arrangement register prepared (ready for March 2027 reporting)
  • LP ODD responses updated with CTP regime position
Key question

Is your cloud infrastructure provider at risk of CTP designation?

3. Deal Analysis Infrastructure

Institutional LPs evaluate your operational maturity through your technology stack. An AR using Excel for deal analysis signals a team that is not ready for institutional capital. Deploy a proper deal analysis platform with audit trails and adversarial verification.

LP operational due diligence teams specifically assess your investment analysis process. They want to see a systematic workflow: how opportunities are sourced, screened, analysed, presented to the investment committee, and monitored post-investment. A platform that produces auditable, timestamped analysis with source document links satisfies this requirement. A folder of spreadsheets does not.

Adversarial verification is particularly valuable for ARs building track record. When your deal analysis platform flags contradictions and unsubstantiated claims automatically, it demonstrates analytical rigour that differentiates you from other emerging managers. Every verified claim and every flagged contradiction becomes evidence of your investment process quality.

Your regulatory host may require visibility into your deal analysis process as part of their oversight obligations. Ensure your platform supports appropriate access controls that allow host compliance teams to review your analyses without compromising deal confidentiality.

Recommended tools
  • Adversarial deal analysis: DiligenceWorks provides systematic claim extraction and cross-referencing with audit trails, demonstrating analytical rigour to both LPs and your regulatory host.
  • Pipeline management: Deal pipeline tracking from sourcing through screening, analysis, IC, execution, and monitoring.
  • Host reporting: Configurable access controls allowing host compliance teams appropriate oversight visibility.
Regulatory references
  • FCA COBS 2.1: Client's best interests rule โ€” investment analysis must demonstrate that recommendations serve client interests.
  • FCA SYSC 6.1: Compliance arrangements โ€” firms must establish and maintain adequate policies and procedures for detecting risks.
Verification checklist
  • Deal analysis platform operational with audit trail capability
  • Investment process documented end-to-end (sourcing to monitoring)
  • Host compliance team access configured appropriately
  • Historical analyses retrievable for LP ODD review
  • IC documentation linked to underlying analysis
Key question

Would an LP operational due diligence team be satisfied with your deal analysis process?

4. UK GDPR & Data Protection

Ensure your technology stack is fully UK GDPR compliant. Data processing agreements must be in place with every technology vendor. Document your data flows and retention policies. The ICO is active in enforcement and has shown willingness to fine organisations of all sizes.

Conduct a Data Protection Impact Assessment (DPIA) for any processing activity that is likely to result in a high risk to individuals. This includes systematic monitoring of publicly accessible areas (deal sourcing), automated decision-making with significant effects, and large-scale processing of special category data. Document the assessment even if you conclude the processing is low risk.

Data processing agreements are legally required under UK GDPR Article 28 for any processor handling personal data on your behalf. This includes your cloud hosting provider, email provider, CRM system, deal analysis platform (if cloud-hosted), and any other SaaS tool that processes personal data. Self-hosted infrastructure reduces the number of processor relationships you need to manage.

Data subject access requests (DSARs) must be responded to within one calendar month. Your technology must support rapid search and retrieval of personal data across all systems. If an investor, portfolio company executive, or counterparty submits a DSAR, you need to identify and produce all personal data you hold about them within the timeframe.

Recommended tools
  • DPIA framework: Standardised DPIA template with register of completed assessments. Update whenever new processing activities are introduced.
  • DPA management: Register of all data processing agreements with vendors, including expiry dates, review schedules, and sub-processor notifications.
  • DSAR response system: Process and technology for searching all systems for personal data and producing responses within one month.
Regulatory references
  • UK GDPR (Data Protection Act 2018): UK's data protection framework post-Brexit. Implements GDPR principles with UK-specific provisions.
  • UK GDPR Article 28: Requirements for data processing agreements between controllers and processors.
  • UK GDPR Article 35: Requirement to conduct DPIAs for processing likely to result in high risk to individuals.
Verification checklist
  • DPIAs conducted for all high-risk processing activities
  • DPAs in place with every vendor processing personal data
  • Data flow diagram documenting how personal data moves through your systems
  • Retention policy documented with automatic enforcement where possible
  • DSAR response process tested (can you find all data about a specific individual within days?)
  • ICO registration current
Key question

Have you completed a data protection impact assessment for your fund operations?

5. Operational Resilience

FCA requires firms to identify their important business services, set impact tolerances for disruption, and demonstrate they can remain within those tolerances during operational disruptions. The March 2025 compliance deadline has passed โ€” this is now business as usual, not a future requirement.

Important business services for a fund manager typically include: investment analysis and decision-making, trade execution, client reporting, NAV calculation (via fund administrator), regulatory reporting, and LP communications. For each, define the maximum tolerable duration of disruption before serious harm to clients or market integrity occurs.

The FCA referenced the CrowdStrike outage (July 2024) as a lesson in operational resilience, noting that firms must understand their technology dependencies and have tested alternatives. A single point of failure in your technology stack that disrupts an important business service is a regulatory deficiency, not just an operational inconvenience.

Operational resilience extends to your third-party dependencies. If your fund administrator's systems go down, can you still produce basic investor reports? If your cloud provider has a region-wide outage, how long before your operations resume? Document these dependencies and have tested alternatives.

Recommended tools
  • Business service mapping: Document all important business services with impact tolerances, technology dependencies, and alternative procedures.
  • Resilience testing: Annual scenario-based testing of operational resilience, including third-party failure scenarios.
  • Self-hosted failover: Self-hosted infrastructure provides independence from third-party cloud provider outages for core functions.
Regulatory references
  • FCA PS21/3 (March 2021): Operational resilience requirements โ€” firms must identify important business services, set impact tolerances, and remain within them.
  • FCA Operational Resilience Compliance (March 2025): Full compliance deadline has passed. Firms must now demonstrate they can remain within impact tolerances.
Verification checklist
  • Important business services identified with impact tolerances set
  • Technology dependencies mapped for each important business service
  • Alternative procedures documented for each critical dependency failure
  • Annual resilience scenario testing completed
  • Third-party failure scenarios included in resilience testing
  • Lessons from testing documented and remediation actions tracked
Key question

If your primary systems went down, how long before your fund operations resume?

6. Consumer Duty Alignment

The FCA Consumer Duty is now embedded and the regulator's focus is shifting from implementation to evidencing outcomes. For fund managers, this means demonstrating that your technology and processes deliver fair value and appropriate outcomes for investors.

Consumer Duty applies to all products and services offered to retail customers. For ARs operating in investment management, this typically covers fund products, advisory services, and portfolio management. Your technology must support evidence generation โ€” demonstrating that fees provide fair value, that communications are clear and not misleading, and that products are designed to meet the target market's needs.

Assessment of value requires ongoing comparison of your fees against outcomes delivered. Your reporting systems should track net-of-fee performance, fee breakdowns by component (management fees, performance fees, fund expenses), and comparisons against appropriate benchmarks. The FCA has indicated that outlier funds offering poor value relative to charges will face supervisory engagement.

Product governance under Consumer Duty requires documented target market definitions, distribution strategy alignment, and ongoing monitoring. Your technology should support tracking of whether your investor base aligns with your target market and flagging any distribution outside that market.

Recommended tools
  • Value assessment framework: Automated tracking of net-of-fee performance, fee comparisons, and value metrics for Consumer Duty reporting.
  • Investor communications: Templates and review processes ensuring all investor communications meet Consumer Duty clarity requirements.
  • Product governance: Target market definition, distribution monitoring, and ongoing suitability tracking.
Regulatory references
  • FCA PS22/9 (Consumer Duty): Overarching requirement to deliver good outcomes for retail customers, including fair value, clear communications, and suitable products.
  • FCA 2026 Supervisory Focus: Shift from implementation to outcomes evidence. Outlier funds face increased supervisory engagement.
Verification checklist
  • Value assessment process established with regular reporting
  • Fee transparency documented with component-level breakdowns
  • Target market defined and distribution monitored against it
  • Investor communications reviewed against Consumer Duty clarity standard
  • Ongoing monitoring process established to evidence good outcomes
Key question

Can you evidence to the FCA that your investors are receiving fair value?

7. Financial Crime & AML Technology

Financial crime prevention is a core FCA priority, with continued emphasis on anti-money laundering, fraud prevention, and sanctions screening. Your technology infrastructure must support robust KYC/AML processes from day one โ€” these are not areas where you can start simple and improve later.

Investor onboarding must include identity verification, source of funds documentation, sanctions screening, and PEP (Politically Exposed Persons) checks. Manual processes using spreadsheets and email create gaps that the FCA will identify during inspection. Implement a structured KYC workflow with audit trail from first LP conversation.

Ongoing monitoring is as important as onboarding. Sanctions lists change daily. Your technology must support regular rescreening of existing investors against updated sanctions lists and adverse media. The frequency should be risk-proportionate โ€” at minimum monthly for standard risk, daily for higher-risk relationships.

Suspicious Activity Reports (SARs) must be filed with the National Crime Agency (NCA) when you have knowledge or suspicion of money laundering or terrorist financing. Your technology should support confidential SAR preparation and filing without alerting the subject (tipping-off is a criminal offence).

Recommended tools
  • KYC/AML platform: Structured investor onboarding with identity verification, document collection, risk scoring, and audit trail.
  • Sanctions screening: Automated screening against UK, EU, US, and UN sanctions lists with ongoing monitoring and rescreening.
  • SAR management: Confidential SAR preparation and filing workflow with restricted access controls.
Regulatory references
  • Money Laundering Regulations 2017 (as amended): UK AML framework requiring customer due diligence, ongoing monitoring, and suspicious activity reporting.
  • FCA Financial Crime Priority: Enduring critical focus area for FCA supervision. Firms expected to maintain robust AML/KYC controls.
Verification checklist
  • KYC/AML workflow implemented with structured audit trail
  • Sanctions screening automated with daily/weekly list updates
  • Ongoing monitoring schedule established (rescreening frequency documented)
  • SAR preparation and filing process documented with restricted access
  • MLRO appointed with documented responsibilities
  • AML training delivered to all relevant personnel
Key question

If the FCA inspected your AML processes today, would they find a structured workflow with complete audit trail, or a collection of spreadsheets?

8. Cybersecurity & Access Controls

Implement cybersecurity controls proportionate to your fund operations. The FCA's operational resilience guidance specifically references cyber attacks as a key scenario, and the July 2024 CrowdStrike outage demonstrated the cascading impact of technology failures across financial services.

NCSC Cyber Essentials certification provides a baseline cybersecurity standard recognised across UK government and financial services. Cyber Essentials Plus includes independent verification of your controls. For an AR building credibility, Cyber Essentials Plus certification is a tangible, verifiable credential to present in LP ODD reviews.

At minimum, implement MFA on all systems, full-disk encryption on all devices, regular patching (within 14 days of release for critical patches per Cyber Essentials), network segmentation between fund operations and general office, and incident response procedures tested annually.

Penetration testing should be conducted annually by an independent assessor. Consider CREST-accredited testers for maximum credibility with institutional LPs and regulatory hosts. Document findings and track remediation actions to demonstrate continuous improvement.

Recommended tools
  • Cyber Essentials certification: NCSC Cyber Essentials Plus certification as a baseline, verifiable cybersecurity credential.
  • Endpoint protection: Full-disk encryption, EDR (endpoint detection and response), and mobile device management across all fund devices.
  • Penetration testing: Annual independent penetration test by CREST-accredited assessor.
Regulatory references
  • FCA PS21/3 (Operational Resilience): Cyber attacks are a key scenario for operational resilience testing. Firms must demonstrate resilience within defined impact tolerances.
  • NCSC Cyber Essentials: UK government-backed cybersecurity certification scheme. Cyber Essentials Plus includes independent verification.
Verification checklist
  • MFA enabled on all systems
  • Full-disk encryption on all devices
  • Critical patches applied within 14 days of release
  • Cyber Essentials (Plus) certification obtained or in progress
  • Annual penetration test completed by independent assessor
  • Incident response plan documented and tested
  • Network segmentation between fund operations and general office
Key question

Do you have Cyber Essentials certification, and when was your last independent penetration test?

9. Third-Party & Outsourcing Management

The FCA's new rules on third-party and incident reporting take effect on 18 March 2027. Firms will be required to report material third-party arrangements and technology incidents. Start building your third-party oversight framework now โ€” the reporting deadline is less than a year away.

Under the existing regime (SYSC 8.1.12 and SYSC 13.9.2), firms must already notify the FCA of critical, important, or material outsourcing arrangements. The March 2027 rules formalise and expand this into a structured reporting framework. Your third-party register should already be in place.

For each material third-party arrangement, document: what service they provide, what data they access, their geographic location, your contractual protections (SLAs, data processing agreements, liability provisions, exit clauses), your fallback if the provider fails, and when the arrangement was last reviewed. The FCA webinar on 29 April 2026 provided detailed guidance on these requirements.

Incident reporting rules will require timely notification of significant technology incidents to the FCA. Define what constitutes a reportable incident for your firm, establish notification templates, and designate responsible individuals before the rules take effect.

Recommended tools
  • Third-party register: Structured register of all material third-party arrangements with contract details, risk assessments, and review schedules.
  • Incident management: Incident detection, assessment, and notification workflow with pre-drafted FCA notification templates.
  • Contract management: Tracking of SLA performance, DPA compliance, and contract renewal dates for all technology vendors.
Regulatory references
  • FCA Third-Party Reporting Rules (March 2027): New structured reporting requirements for material third-party arrangements and technology incidents.
  • FCA SYSC 8.1.12: Existing requirement to notify FCA of critical, important, or material outsourcing arrangements.
  • FCA SYSC 13.9.2: Existing requirement to notify FCA of operational events that could have a significant impact.
Verification checklist
  • Third-party register created with all material arrangements
  • DPAs in place with all vendors processing personal data
  • SLA monitoring established for critical providers
  • Incident classification framework defined (what is reportable to FCA)
  • Incident notification templates pre-drafted
  • Exit plans documented for each critical provider
  • Annual third-party review schedule established
Key question

Are you ready for the March 2027 third-party reporting requirements?

10. Business Continuity & Change Management

The FCA expects firms to maintain robust governance and resourcing for regulatory change programmes, alongside traditional business continuity planning. With the sustained volume of UK financial services reforms in 2026, the regulator has expressed concern that some firms lack adequate governance to implement change effectively.

Business continuity planning for an AR covers the same scenarios as any fund manager: loss of office, loss of personnel, technology failure, and service provider failure. Document response procedures, responsible individuals, and recovery timelines for each. Test the plan annually with a tabletop exercise.

Change management is receiving increased FCA attention. With reforms covering the AR regime itself, Consumer Duty evolution, third-party reporting, CTP regime, fund regulatory overhaul, and operational resilience โ€” all active in 2026 โ€” the FCA expects boards to oversee structured change management with clear ownership, appropriate budgeting, and regular progress reporting.

For an AR, demonstrating mature change management signals to your host that you can absorb regulatory change without creating compliance gaps. Document how you identify upcoming regulatory changes, assess their impact on your operations, plan implementation, allocate resources, and verify completion.

Recommended tools
  • BCP documentation: Structured BCP template covering all scenario categories with contact trees, escalation procedures, and recovery steps.
  • Regulatory change tracker: Calendar of upcoming regulatory changes with impact assessments, implementation plans, and assigned owners.
  • Change governance framework: Structured approach to managing regulatory and technology changes with board reporting and progress tracking.
Regulatory references
  • FCA SYSC 4: General organisational requirements including adequate governance arrangements and internal control mechanisms.
  • FCA 2026 Supervisory Expectations: Concern over firms' capacity to manage sustained regulatory change. Boards expected to oversee structured change management.
Verification checklist
  • BCP document covers all four scenario categories
  • BCP tabletop exercise completed within the last 12 months
  • Regulatory change tracker maintained with upcoming deadlines
  • Impact assessments completed for all active 2026 regulatory changes
  • Change management responsibilities assigned with board reporting
  • Resource adequacy assessed for concurrent change programmes
Key question

Does your board oversee a structured change management programme, or are regulatory changes handled reactively?

Frequently Asked Questions

What technology does a UK AR need?

Deal analysis platform with audit trail, document management, secure communications, compliance infrastructure (AML/KYC, Consumer Duty), and cybersecurity aligned with NCSC Cyber Essentials. Self-hosted options avoid Critical Third Party regime risk and demonstrate operational substance to your regulatory host.

How does the CTP regime affect fund technology choices?

The Critical Third Parties regime (effective January 2025, PS24/16) gives the FCA, PRA, and Bank of England oversight over designated cloud providers. Self-hosted infrastructure like DiligenceWorks is not subject to CTP designation because no third-party cloud provider is involved. New third-party reporting rules take effect March 2027.

What is changing with the AR regime in 2026?

HM Treasury's February 2026 consultation proposes requiring FCA permission for firms to appoint ARs, extending SMCR conduct rules to AR personnel, and bringing ARs within Financial Ombudsman Service jurisdiction. These reforms, if implemented, materially strengthen regulatory accountability for ARs and their principals.

When do the new third-party reporting rules take effect?

The FCA's new third-party arrangement and incident reporting rules take effect on 18 March 2027. Firms should start documenting their material third-party arrangements now. The FCA held a guidance webinar on 29 April 2026 with detailed information on reporting requirements.

Ready to See DiligenceWorks in Action?

DiligenceWorks provides self-hosted infrastructure that eliminates CTP risk, demonstrates operational substance to your regulatory host, and gives LPs confidence in your operational maturity. Book a discovery call.

Book a Discovery Call

Content ID: G03.I01.T06.L01 ยท Last updated: