The 12-month clock never stops.
COBS 9.5 sets the 12-month clock for every ongoing advisory client. Across hundreds of clients and multiple advisers, tracking the windows manually is where breaches accumulate. One missed reminder is one regulator-visible failure.
What must be completed and documented.
A conducted review with no documentation trail is a breach. The FCA expects a complete paper record, not just a note that a meeting happened.
Annual Suitability Report
An updated suitability report reflecting any changes in the client's circumstances, risk profile, and financial position since the last review (COBS 9.4). Must be on file and retrievable. Where firms fail: the meeting happened; the suitability letter never got updated to reflect what was discussed.
Refreshed Fact Find
Client circumstances, objectives, and financial position must be updated at each review, not carried forward from prior years (SYSC 9 record-keeping). Where firms fail: the fact find gets copy-pasted from last year because there was no time to re-run the client conversation.
Portfolio & Performance Review
A documented review of the client's portfolio valuation and performance against their agreed objectives. Must be prepared and discussed, not just generated by the platform. Where firms fail: the platform-generated report exists; there's no record the adviser walked the client through it.
Client Acknowledgement
A signed or confirmed client acknowledgement that the review took place and the advice was understood. Without this, the review cannot be evidenced as complete. Where firms fail: the email was sent; the client never replied, so the audit trail has no proof the review was acknowledged.
Why reviews slip through
The most-repeated causes of missed annual reviews across the 27 compliance officers we interviewed in 2025.
- ✕ No firm-wide view of upcoming review dates; each adviser manages their own list in a spreadsheet or CRM
- ✕ Review conducted but suitability letter not updated; partial completion still counts as a breach
- ✕ High-value clients are prioritised over lower-value clients; without escalation, the most overdue clients stay invisible
- ✕ No alert sent when a client crosses 10 or 11 months; the breach only becomes visible after 12 months have elapsed
Amaea runs the COBS 9.5 sweep nightly. The first time you see an overdue review is months before it becomes one.
The annual review sweep, in detail.
A nightly cron, a sufficiency test against COBS 9.5's actual wording, and a SHA-hashed audit trail on every AI decision. Built to survive interruption.
A nightly cron evaluates every overdue review. If no reason is recorded → flag raised. If a reason is recorded → an FCA-trained AI assesses it against the rule's actual sufficiency test (bereavement, illness, documented unavailability) and either resolves the flag or escalates it. The decision goes to the audit trail with the reasoning attached.
The sweep paginates through every overdue client with a cursor. If a run is interrupted halfway through (cold start, deploy, anything), the next run picks up where it left off: never re-processes flags, never silently skips clients.
Each AI sufficiency assessment writes prompt_sha256, response_sha256, model version, and timestamp to the flag's audit trail. If the FCA asks "what did the AI actually decide on this client", you can show them. Bit-for-bit reproducible.
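The resumable cursor and the hashed audit entry described above, as an added Python sketch that is not Amaea's code. The in-memory `state` dict, the `client_id` field, the prompt wording, `fake_assess` and the `example-model-1` version string are assumptions made for illustration; only the `prompt_sha256`, `response_sha256`, model version and timestamp fields come from the page.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def sweep(clients, state, assess, page_size=2, fail_after=None):
    """Assess clients (sorted by id) page by page, resuming after state['cursor']."""
    done = 0
    while True:
        page = [c for c in clients if c["id"] > state["cursor"]][:page_size]
        if not page:
            return state
        for c in page:
            if fail_after is not None and done == fail_after:
                raise RuntimeError("simulated interruption")
            prompt = f"Client {c['id']} overdue. Recorded reason: {c['reason']}"
            response = assess(prompt)
            # A real store must commit the entry and the cursor in one transaction.
            state["audit"].append({
                "client_id": c["id"],
                "prompt_sha256": sha256_hex(prompt),
                "response_sha256": sha256_hex(response),
                "model_version": "example-model-1",  # placeholder value
                "timestamp": datetime.now(timezone.utc).isoformat(),
            })
            state["cursor"] = c["id"]
            done += 1

def verify(entry, prompt, response):
    """Return which retained texts no longer match the hashes in the entry."""
    return [n for n, t in (("prompt", prompt), ("response", response))
            if sha256_hex(t) != entry[f"{n}_sha256"]]

# Constructed sample data and a stand-in assessor (not a real sufficiency test).
CLIENTS = [{"id": i, "reason": r} for i, r in enumerate(
    ["bereavement", "illness", "illness", "documented unavailability", "on holiday"], 1)]

def fake_assess(prompt):
    return "escalate" if prompt.endswith("on holiday") else "resolve"

def demo():
    state = {"cursor": 0, "audit": []}  # in-memory stand-in for persisted state
    try:
        sweep(CLIENTS, state, fake_assess, fail_after=3)  # interrupted mid-page
    except RuntimeError:
        pass
    sweep(CLIENTS, state, fake_assess)  # next run resumes after the cursor
    return state
```

The hashes only prove something if the exact prompt and response text are retained alongside the entry; `verify` then shows whether the retained text is what was recorded at decision time.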
Overdue reviews broken down by adviser, filtered by weeks overdue, vulnerability status, or whether a reason has been recorded. Sortable. The compliance team knows exactly who to chase and which client to mention first.