COCON Conduct Rules Explained: The Complete Guide for Small FCA Firms
If you run a small FCA-regulated firm, the COCON conduct rules set the minimum behavioural standards every person at your firm must meet. From 1 September 2026, those rules expand to cover non-financial misconduct — and that changes what compliance officers at small firms need to track.
This guide breaks down every individual conduct rule, explains who they apply to, and covers the PS25/23 changes arriving in September 2026. It is written for compliance officers and principals at IFAs, mortgage brokers, insurance brokers, and small wealth management firms with 1–50 staff.
What is COCON?
COCON is the Code of Conduct sourcebook in the FCA Handbook. It sits within the Senior Managers and Certification Regime (SMCR) and defines the rules of behaviour for individuals working at FCA-regulated firms.
COCON applies to almost everyone at your firm — not just senior managers. If a person holds a senior management function (SMF) or a certification function, or is classified as conduct rules staff, COCON applies to them.
For most small firms, that means every employee.
The six individual conduct rules (COCON 2.1)
The individual conduct rules in COCON 2.1 apply to all conduct rules staff. There are six:
Rule 1: You must act with integrity
This is the broadest rule and the one most frequently cited in FCA enforcement actions. Acting with integrity means being honest, paying regard to the spirit as well as the letter of regulations, and not misleading clients, colleagues, or the regulator.
What it means in practice: Do not sign off client suitability reports you have not reviewed. Do not backdate compliance records. Do not misrepresent your firm's capabilities to clients.
Rule 2: You must act with due skill, care, and diligence
You are expected to perform your role competently. For a compliance officer, that means keeping your regulatory knowledge current and applying it properly. For an adviser, it means giving suitable advice based on adequate research.
What it means in practice: A mortgage broker who recommends a product without checking the client's affordability is breaching Rule 2. A compliance officer who fails to update policies after a regulatory change is breaching Rule 2.
Rule 3: You must be open and cooperative with the FCA, the PRA, and other regulators
When the FCA asks questions, you answer them fully and honestly. This applies during routine supervision, thematic reviews, and enforcement investigations.
What it means in practice: Do not withhold documents from an FCA information request. Do not coach staff on what to say during a supervisory visit. If you discover a breach, disclose it promptly.
Rule 4: You must pay due regard to the interests of customers and treat them fairly
This rule reinforces the Treating Customers Fairly (TCF) outcomes and now intersects with the Consumer Duty. You must consider the customer's perspective at every stage of the advice process.
What it means in practice: Do not recommend higher-charging products when a cheaper alternative meets the client's needs. Do not use jargon to obscure fees or risks in client communications.
Rule 5: You must observe proper standards of market conduct
This covers market abuse, insider dealing, and market manipulation. It is most relevant to firms involved in securities trading, but applies broadly to anyone with access to inside information.
What it means in practice: Do not trade on information obtained through your compliance role. Do not share client portfolio information with third parties who might use it to trade.
Rule 6: You must act to deliver good outcomes for retail customers
Added to reflect the Consumer Duty, Rule 6 requires all conduct rules staff to actively consider whether their actions deliver good outcomes. This goes beyond not causing harm — it requires positive action.
What it means in practice: If you identify that a group of clients holds unsuitable products, Rule 6 requires you to act on that finding, not merely note it.
Senior manager conduct rules (COCON 3.1)
Senior managers holding SMFs face four additional rules under COCON 3.1:
- SC1: You must take reasonable steps to ensure the business of the firm for which you are responsible is controlled effectively.
- SC2: You must take reasonable steps to ensure the business of the firm for which you are responsible complies with relevant requirements and standards of the regulatory system.
- SC3: You must take reasonable steps to ensure any delegation of your responsibilities is to an appropriate person and you oversee the discharge of the delegated responsibility effectively.
- SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.
For a small firm where the principal holds the SMF responsibilities, these rules mean you are personally accountable for the compliance framework. "I delegated it to my compliance consultant" is not a defence if you failed to oversee their work.
Who do the conduct rules apply to?
| Category | Rules that apply | Examples at a small firm |
|---|---|---|
| Senior management function holders (SMFs) | All 6 individual rules + 4 senior manager rules | Principal, compliance oversight SMF16/17 |
| Certification function holders | All 6 individual rules | Advisers, appointed representatives |
| Other conduct rules staff | All 6 individual rules | Paraplanners, administrators with client contact |
The SMCR applies to solo-regulated firms (FCA-only) and dual-regulated firms (FCA and PRA). Most small IFAs, mortgage brokers, and insurance brokers are solo-regulated.
Key point for small firms: At a 5-person IFA, typically everyone is conduct rules staff. The principal holds the SMFs. Advisers hold certification functions. Even admin staff with client-facing roles fall under the conduct rules.
What changed with PS25/23: non-financial misconduct
PS25/23, published in December 2025, introduces a new rule — COCON 1.1.7FR — that takes effect on 1 September 2026. This rule extends the conduct rules framework to cover serious non-financial misconduct (NFM) at non-bank firms. For a detailed look at the deadline and preparation timeline, see our guide to the FCA PS25/23 deadline.
What counts as NFM under PS25/23:
- Bullying — repeated intimidating or offensive behaviour
- Harassment — unwanted conduct related to protected characteristics
- Sexual misconduct — sexual harassment, coercion, or assault
- Violence — physical intimidation or assault
- Discrimination — less favourable treatment linked to protected characteristics
The FCA has stated that the misconduct must have a sufficient connection to the workplace to fall within scope. Purely private conduct with no work nexus is generally excluded — but the boundary is fact-specific, and the FCA's guidance on NFM makes clear that conduct at work social events, in work communications, or involving colleagues can qualify regardless of location.
What PS25/23 requires from your firm
- Recognise that NFM can breach conduct rules. Bullying, harassment, or discrimination by a staff member may constitute a breach of Rule 1 (integrity), Rule 2 (skill, care, diligence), or both.
- Assess NFM in fitness and propriety decisions. Under FIT 2.2, serious NFM is a relevant factor when assessing whether someone is fit and proper to hold a regulated role.
- Report conduct rule breaches involving NFM. The existing breach reporting requirements (annual REP008 for non-SMF staff, 7 business days for SMF breaches) apply to NFM-related breaches.
- Update your policies and training. Staff need to understand that non-financial misconduct can have regulatory consequences, not just HR consequences.
For a step-by-step guide to preparing your firm, see what small firms must do before September 2026.
What PS25/23 does NOT require
The FCA has been explicit that firms do not need to:
- Retrospectively review past conduct or past F&P assessments
- Monitor employees' private lives or social media
- Investigate trivial workplace disagreements
- Take actions that conflict with data protection or employment law
How to assess a COCON breach
When a potential breach arises — whether financial or non-financial — you need a structured assessment process. The guidance in COCON 4.1 sets out factors the FCA considers relevant.
A practical assessment framework:
- Identify the allegation. What behaviour is alleged? Who is involved? When and where did it occur?
- Map to specific conduct rules. Which of the six individual rules (or four senior manager rules) could this breach? Be specific — "Rule 1 (integrity)" not just "conduct rules breach."
- Gather evidence. Interview witnesses, collect documents, review communications. Maintain a clear timeline.
- Assess severity. Was it deliberate? Was there harm? Is this a pattern or an isolated incident?
- Determine F&P impact. Does the finding affect the individual's fitness and propriety to hold a regulated role? This is mandatory under FIT 2.2 for serious matters.
- Record and report. Document the investigation, assessment, and outcome. Report via REP008 (non-SMF) or within 7 business days (SMF).
Common mistakes small firms make with conduct rules
Mistake 1: Treating conduct rules as a tick-box exercise. Annual training with a sign-off sheet is not enough. Staff need to understand what the rules mean for their specific role, with practical examples.
Mistake 2: No investigation process for breaches. When an allegation arises, most small firms improvise. Without a structured process, you risk inconsistent outcomes and poor documentation — both of which attract FCA scrutiny.
Mistake 3: Ignoring the F&P connection. A conduct rule breach does not automatically make someone unfit, but you must assess the question. Failing to assess F&P impact is itself a gap in your compliance framework.
Mistake 4: Assuming NFM is an HR matter only. From September 2026, serious non-financial misconduct is a regulatory matter. Your HR process and your conduct rules process need to connect.
What you should do now
If you are a compliance officer at a small FCA-regulated firm, here is what to do before 1 September 2026:
- Review your conduct rules training. Does it cover NFM? Does it explain the connection between workplace behaviour and regulatory status?
- Check your investigation process. Do you have a documented process for handling conduct rule breach allegations? If not, build one.
- Update your F&P assessment framework. Your annual certification process should include a step for assessing whether any misconduct (financial or non-financial) affects fitness and propriety.
- Brief your senior managers. Under SC1 and SC2, they are personally accountable for the firm's compliance with the extended conduct rules.
- Test your readiness. Use our free COCON Conduct Rules Self-Assessment to identify which rules apply to a specific scenario at your firm.
Sources
- FCA Conduct Rules overview
- COCON 2.1 — Individual conduct rules (FCA Handbook)
- COCON 3.1 — Senior manager conduct rules (FCA Handbook)
- COCON 4.1 — Specific guidance on individual conduct rules (FCA Handbook)
- PS25/23 — Tackling non-financial misconduct in financial services
- FCA guidance — Non-financial misconduct in financial services
- FIT 2.2 — Fitness and propriety assessment (FCA Handbook)
This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 24 March 2026.