How to deliver Conduct Rules training, capture attestations and meet FCA notification duties under COCON, from who is covered to REP008 reporting.

The FCA Conduct Rules sit at the heart of the Senior Managers and Certification Regime. They are a short set of enforceable standards that apply directly to individuals, not just to firms, and they reach almost everyone on the payroll. Under COCON, the FCA's Code of Conduct sourcebook, a firm must take all reasonable steps to make sure the people covered by the rules know that the rules apply to them and understand how they apply in their day to day work.
That obligation is not satisfied by a one off email or a generic slide deck. COCON 2.3 expects training that is tailored to the role, and the regime is backed by real consequences: firms must report Conduct Rule breaches that lead to disciplinary action, annually for most staff and within a tight window for senior managers. Training and attestation records are the evidence that the firm has met its duty and the starting point for any breach assessment.
This guide sets out the two tiers of individual rules, the four senior manager rules, who is covered and who is excluded, and a practical way to deliver Conduct Rules training and capture attestations that stand up to scrutiny. Every figure and deadline below is drawn from the FCA Handbook and FCA guidance.
The Conduct Rules apply far more widely than many firms assume. COCON 1.1.2R applies them to senior managers holding a Senior Management Function, to certification employees, to the non executive directors on the board of a UK SM&CR firm, and to the general population of employees of the firm. In practice this means almost all staff are conduct rules staff.
There is a narrow carve out. COCON 1.1.2R excludes employees who only perform functions the FCA regards as ancillary, that is roles with no bearing on regulated activity. The excluded roles listed include receptionists, switchboard operators, post room staff, reprographics and print room staff, property and facilities management, events management, security guards, invoice processing, audio visual technicians, vending machine staff, medical staff, archive records management, drivers, corporate social responsibility staff, cleaners, catering staff, personal assistants and secretaries, information technology helpdesk support, and human resources administrators and processors.
The timing matters for firms reviewing their population. The individual Conduct Rules applied to senior managers and certification staff first, and were then extended to almost all other staff. The FCA extended the date on which the Conduct Rules came into force for staff who are not senior managers or certification staff to 31 March 2021, having moved it from 9 December 2020 to give firms affected by the coronavirus pandemic more time. Any firm that has not revisited its conduct rules staff population since then should confirm the mapping is complete.
Illustrative composition of a firm's conduct rules staff. The first tier individual rules apply to all conduct rules staff, while the senior manager rules apply only to those holding a Senior Management Function.
The individual Conduct Rules in COCON 2.1 form the first tier and apply to all conduct rules staff. There are six of them. The first five are long standing standards of behaviour, and the sixth links directly to the Consumer Duty for firms whose activities fall within its scope. They are deliberately high level, because they are meant to describe the standard expected rather than prescribe every situation.
The FCA states the six individual rules as: act with integrity; act with due skill, care and diligence; be open and cooperative with the FCA, the PRA and other regulators; pay due regard to the interests of customers and treat them fairly; observe proper standards of market conduct; and act to deliver good outcomes for retail customers. Every conduct rules staff member should be able to recognise these six and understand how they bite on their own role.
The table below sets out the first tier individual rules alongside the four senior manager conduct rules, with a plain English reading of each. Training should give staff an awareness and broad understanding of all of the rules, and a deeper understanding of the practical application of the specific rules that are most relevant to their work, as COCON 2.3 sets out.
| Rule | Handbook wording | What it means in practice |
|---|---|---|
| Individual Rule 1 | You must act with integrity | Be honest and straight dealing; do not mislead colleagues, customers or the regulator |
| Individual Rule 2 | You must act with due skill, care and diligence | Do your job competently and carefully; do not cut corners on things that matter |
| Individual Rule 3 | You must be open and cooperative with the FCA, the PRA and other regulators | Deal with regulators honestly and share information they would reasonably expect |
| Individual Rule 4 | You must pay due regard to the interests of customers and treat them fairly | Put fair customer treatment ahead of short term gain |
| Individual Rule 5 | You must observe proper standards of market conduct | Follow market rules and avoid market abuse |
| Individual Rule 6 | You must act to deliver good outcomes for retail customers | Apply the Consumer Duty outcomes where the firm's activities are in scope |
| Senior Manager SC1 | You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively | Own the controls over your area of responsibility |
| Senior Manager SC2 | You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system | Keep your area compliant with the rules that apply to it |
| Senior Manager SC3 | You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively | Delegate to the right people and keep oversight |
| Senior Manager SC4 | You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice | Tell the regulator what it would expect to know |
The four senior manager conduct rules in COCON 2.2, known as SC1 to SC4, form a second layer that applies only to those holding a Senior Management Function. They are additional to the six individual rules, so a senior manager is subject to all ten. They focus on the reasonable steps a senior manager must take in relation to the part of the business for which they are responsible.
SC1 requires reasonable steps to ensure that the business for which the senior manager is responsible is controlled effectively. SC2 requires reasonable steps to ensure that business complies with the relevant requirements and standards of the regulatory system. SC3 requires that any delegation is to an appropriate person and that the senior manager oversees the discharge of the delegated responsibility effectively. SC4 requires the senior manager to disclose appropriately any information of which the FCA or PRA would reasonably expect notice.
Because the senior manager rules turn on reasonable steps, the evidence trail matters. Senior manager training should go beyond the wording of SC1 to SC4 and address how the individual documents decisions, oversight and delegation within their statement of responsibilities. This is also where the firm's wider governance framework and control environment come into focus, and where a joined up approach to record keeping pays off.
COCON 2.3 places two linked duties on the firm. First, it must ensure that all persons subject to the rules in COCON are notified of the rules that apply to them. Second, it must take all reasonable steps to ensure that those persons understand how the rules in COCON apply to them. Notification alone is not enough; the firm must build genuine understanding.
COCON 2.3 also indicates what suitable training looks like. Staff should have an awareness and broad understanding of all of the rules in COCON, together with a deeper understanding of the practical application of the specific rules that are relevant to their work. That points firmly towards role based content rather than a single generic module. A trader, a claims handler and a compliance officer face different rules in their daily decisions, and their training should reflect that.
The FCA has been clear that senior managers themselves are expected to make sure Conduct Rules training is effective, so that staff are aware of the rules and understand how they apply to them in their jobs. Effective, in the regulator's language, is not about attendance figures. It is about whether people can recognise a conduct issue and act on it. Scenario based learning, refresher cycles and links to real cases from the firm's own experience all help demonstrate effectiveness. A structured control and governance platform can help schedule, deliver and evidence this at scale; see the control framework tools on Nasara Connect for how firms operationalise it.
An attestation is the individual's confirmation that they have received the training, understood the rules that apply to them, and understand their obligation to comply. It is not a substitute for training, but it is important evidence. If a breach later occurs, the firm will want to show that the person was told the rules applied to them and was given the means to understand them, which is exactly what COCON 2.3 requires.
The steps below set out a repeatable cycle for delivering Conduct Rules training and capturing attestations. The aim is a clean audit trail that maps each conduct rules staff member to the version of training they received, the date, and their signed confirmation. Firms bringing new senior managers or certification staff through approval will want to fold this into onboarding from day one, alongside the wider fitness and propriety work covered by their authorisation and approvals tooling.
Training and attestations are the front end of the regime; breach notification is the back end. Under SUP 15.11, a firm must notify the FCA when it takes disciplinary action against conduct rules staff for a Conduct Rule breach. SUP 15.11 describes disciplinary action as the issuing of a formal written warning, the suspension or dismissal of a person, or the reduction or recovery of any of that person's remuneration.
For staff who are not senior managers, notification is annual. SUP 15.11.13R requires the notification to be made annually. The FCA's REP008 return is the mechanism, submitted through RegData. For most solo regulated firms the reporting period runs from 1 September to 31 August, with the return due within two months of the end of the reporting period. The FCA has confirmed that, for reporting periods ending on or after 31 August 2025, a firm no longer needs to submit a nil return if it has nothing to report.
Senior managers are treated differently. Where the individual holds a Senior Management Function, the firm reports the breach and disciplinary action on Connect using Form D, or Form C where the senior manager is leaving the firm, within seven business days of the firm becoming aware of the relevant matter, rather than waiting for the annual cycle. Breaches by senior managers are not included in REP008. If disciplinary action is subject to an appeal, the firm should still report it and update the FCA on the outcome in the next REP008 submission or, for a senior manager, using Form D.
| Population | Where to report | When to report |
|---|---|---|
| Non senior manager conduct rules staff | REP008 via RegData | Annually, within two months of the end of the reporting period |
| Senior managers (SMF holders) | Form D on Connect (Form C if leaving) | Within seven business days of the firm becoming aware |
Conduct Rules training is one of the few SM&CR obligations that touches almost every person in a regulated firm, from the board to the front line, and the FCA has set a clear expectation that it be genuinely effective rather than a compliance formality. Getting the population right, tailoring the content to the role, and capturing clean attestations gives the firm the evidence it needs to show it has met its COCON 2.3 duty to notify staff of the rules and help them understand how the rules apply.
The same discipline pays off when something goes wrong. A firm that can trace each individual to the training they received and the attestation they signed is far better placed to assess a potential breach and meet its notification duties, whether that is the annual REP008 return for most staff or the seven business day Form D notification for senior managers. Treating training, attestation and breach reporting as a single connected workflow, rather than three separate tasks, is what turns the Conduct Rules from a box tick into a working control.
Almost all staff. Under COCON 1.1.2R the rules apply to senior managers, certification employees, non executive directors of a UK SM&CR firm and general employees. Only staff performing purely ancillary roles, such as receptionists, security guards, cleaners, catering staff and IT helpdesk support, are excluded.
There is one set of six individual conduct rules in COCON 2.1 that applies to all conduct rules staff, covering integrity, due skill care and diligence, openness with regulators, treating customers fairly, proper market conduct and delivering good outcomes for retail customers. Senior managers are additionally subject to four senior manager conduct rules, SC1 to SC4, in COCON 2.2.
COCON 2.3 requires a firm to ensure that all persons subject to the rules are notified of them, and to take all reasonable steps to ensure those persons understand how the rules apply to them. Suitable training gives staff a broad understanding of all the rules and a deeper understanding of the rules most relevant to their work.
There is no standalone attestation form prescribed by the FCA, but attestations are strong evidence that the firm met its COCON 2.3 duty to notify staff and build understanding. Recording the training version, date and a signed confirmation against each individual creates the audit trail you will need if a breach is later assessed.
For staff who are not senior managers, disciplinary action for a breach is reported annually on the REP008 return in RegData, due within two months of the end of the reporting period. For senior managers holding a Senior Management Function, the breach is reported on Connect using Form D, or Form C if they are leaving, within seven business days of the firm becoming aware.
No. The FCA has confirmed that, for reporting periods ending on or after 31 August 2025, a firm no longer needs to submit a nil return if it has nothing to report.
Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.