Skip to content
ConductLog

FCA COCON Rules: Individual Conduct Requirements for Certified Staff

If you run a small FCA-regulated firm, the FCA's individual conduct rules in COCON 2 set the day-to-day behavioural standards every certified person at your firm must meet. The senior conduct rules in COCON 3 sit on top of those for SMF holders. From 1 September 2026, the same individual rules expand to cover serious non-financial misconduct — and that changes how certified-staff supervisors at small firms need to assess conduct each year.

This guide unpacks the individual conduct rules from a certification-regime angle: who in your firm is "certified staff", what each rule requires of them, how they are trained and supervised, and how the PS25/23 changes feed into the annual certification cycle. It is written for compliance officers and principals at IFAs, mortgage brokers, insurance brokers, and small wealth management firms with 1–50 staff.

If you want the foundational view of all six individual rules and the senior rules in one place, our COCON conduct rules guide is the pillar — this post drills into how the individual rules land specifically on certified staff.

Who counts as "certified staff" at a small firm?

The Senior Managers and Certification Regime divides individuals at regulated firms into three groups: senior managers (SMFs), certification staff, and conduct rules staff. The middle group — certification staff — is where the individual conduct rules matter most.

Certification staff are people performing a "certification function" — broadly, roles that involve dealing with clients, advising on or arranging investments, or making decisions that could cause significant harm to the firm or its customers. The full list is defined in the FCA Handbook under SUP 10C and the related certification sections.

For most small firms, certification staff include:

  • Customer-facing advisers (CF30-equivalent in the old approved persons regime)
  • Investment managers and discretionary portfolio managers
  • Anyone designated as a "material risk taker" under the firm's remuneration code, where applicable
  • Staff with proprietary trading authority

The firm — not the FCA — issues the certificate. Certification has to be renewed at least once every 12 months following an assessment of the person's fitness and propriety, recorded by the firm and made available on the FCA Directory.

Conduct rules staff is a broader category that covers almost everyone else at the firm except a narrow list of ancillary roles (see COCON 1.1 for the exclusions). The individual conduct rules apply to all conduct rules staff and to certified staff — so for most small firms, "individual conduct rules" effectively means "everyone".

The six individual conduct rules — what they require of certified staff

The individual conduct rules in COCON 2.1 are six rules of behaviour that apply equally to a senior manager, a certified adviser, and a back-office conduct-rules staff member. The wording is identical for all of them; what differs is how they are tested in practice and what evidence supervisors look for.

Rule 1: Act with integrity

For certified staff this means: do not mislead clients about charges, performance, or risk; do not sign off suitability reports without reviewing them; do not backdate records; do not misrepresent qualifications or capability. Integrity breaches are the most-cited rule in FCA enforcement actions against individuals.

Rule 2: Act with due skill, care, and diligence

For certified staff, "due skill" is benchmarked against the qualifications and experience the firm certified them as having. An adviser certified to recommend pensions is expected to know current pension tax rules. A discretionary manager is expected to know how their model portfolios actually behave in stressed markets. Continuous Professional Development (CPD) is a major evidence source — the firm uses it to demonstrate skill is current.

Rule 3: Be open and cooperative with the FCA, PRA, and other regulators

Certified staff must answer the FCA's questions truthfully and provide information the regulator reasonably requires. The firm has its own reporting duty under SUP 15.3, but the individual rule sits alongside that — an adviser interviewed in an FCA investigation cannot duck the question.

Rule 4: Pay due regard to the interests of customers and treat them fairly

This is the conduct-rules echo of the FCA's Consumer Duty. For certified staff, the practical tests are around suitability, charge transparency, and the appropriateness of products sold to the customer base the adviser deals with.

Rule 5: Observe proper standards of market conduct

For certified staff who deal in or arrange investments, this is the conduct-rules version of the Market Abuse Regulation obligations — no insider dealing, no market manipulation, no improper disclosure.

Rule 6: Act to deliver good outcomes for retail customers

Added by the Consumer Duty in 2023, Rule 6 puts the outcomes language directly into the conduct rules. Certified staff dealing with retail customers must consider not just whether the recommendation is suitable on a point-in-time test, but whether the actual customer journey and product outcome will be good for that customer.

How PS25/23 reshapes individual conduct rules from September 2026

The headline change in PS25/23 for individual rules is that serious instances of non-financial misconduct (NFM) — bullying, harassment, discrimination, sexual misconduct — are now explicitly within scope of the conduct rules where they occur in a work setting. The FCA has been clear that this is a clarification of existing scope, not a wholly new obligation, but the guidance makes the scope explicit and removes the ambiguity firms previously relied on.

The mechanism is a new explanatory rule, COCON 1.1.7FR, plus extensive guidance in the FCA's non-financial misconduct guidance page (published 23 March 2026). The substance is that for certified staff, conduct rules now bite on NFM in the workplace as well as conduct toward customers.

For small firms, the practical consequence is that the annual certification assessment now needs to look at NFM evidence — internal grievances, HR investigations, witness statements — alongside the traditional skill/qualifications/customer-feedback evidence. If a certified adviser has a substantiated harassment finding against them, that has to feed the F&P assessment under FIT 2.2, not be filtered out as "an HR matter".

Our F&P guide covers the assessment mechanics in detail; our whistleblowing vs NFM guide covers the channel question (which kinds of conduct-rule breach trigger the SYSC 18 whistleblowing protections).

Training, attestation, and supervision for individual conduct rules

Conduct rules training is not optional. Under COCON 2.1, the firm must ensure each conduct rules staff member understands how the rules apply to their role. For certified staff, the firm is also relying on conduct-rule familiarity as part of demonstrating fitness and propriety.

A small-firm conduct rules training cycle typically covers:

  • Initial training within the first few weeks of joining or moving into a conduct rules role
  • Annual refreshers, timed to coincide with the F&P review window where possible
  • Trigger-based training when rules or guidance change materially — PS25/23 is exactly that kind of trigger
  • Attestation capturing the individual's confirmation that they have completed training and understand how the rules apply

The training must be specific enough that an individual could explain how each rule applies to their job. Generic "watch this video and tick the box" training is not what the FCA expects, and supervisors should be able to evidence that the training was tailored. The Training and Competence sourcebook (TC 2.1) provides the broader framework that conduct rules training plugs into for certified staff.

For a structured way to test conduct-rule understanding against specific scenarios, use our COCON Conduct Rules Self-Assessment — it walks through individual rules and senior rules with worked examples drawn from FCA enforcement notices. For more on cadence, content, and attestation, see our FCA conduct rules training guide.

Recording, reporting, and supervising conduct rule breaches

When a conduct rules staff member breaches an individual rule and the firm has taken or is taking disciplinary action, the firm must report it to the FCA. The mechanics are:

  • REP008 under SUP 15.11: the conduct rules breach return for conduct rules and certified staff (not Senior Managers). For most solo-regulated firms the reporting period is 1 September to 31 August, with a 31 October deadline via RegData where there is something to report. See our conduct rule breach reporting guide for the full routing
  • Form C under SUP 10C: required where a senior manager leaves, including where conduct issues contributed; Senior Manager conduct breaches are reported via Connect (Form C/D), not REP008
  • SUP 15.3 notifications: required where the breach is material and ongoing — don't wait for REP008

For small firms, the supervisory pattern that works is:

  1. A named SMF holder (typically the SMF16 compliance oversight role) owns the conduct-rule breach register
  2. Each manager records concerns or breaches as they arise, with a brief factual note and a date
  3. The compliance oversight SMF reviews entries monthly and flags any that meet the SUP 15.3 threshold
  4. The register feeds into the annual F&P assessment for each certified individual
  5. REP008 is compiled from the register, not reconstructed from memory at year-end

Our NFM investigation checklist walks through the investigation steps for NFM specifically; the underlying recording and reporting mechanics apply to any individual conduct rule breach.

Common mistakes small firms make on individual conduct rules

1. Treating conduct rules as a senior-manager concern. The individual rules in COCON 2 apply to certified staff and conduct rules staff — not just SMFs. The senior rules in COCON 3 are additional, not a substitute.

2. Assuming NFM is an HR matter, not a conduct-rule matter. Post-PS25/23 this is no longer defensible. Serious NFM evidence has to feed the conduct-rule and F&P workflow, not sit in a parallel HR file with no regulatory consequence.

3. Not evidencing how rules apply to a specific role. Generic training documents that talk in the abstract are weak evidence. The supervisor should be able to point to role-specific scenarios for each conduct rules staff member.

4. Forgetting the senior-manager rules. SMF holders are subject to both individual rules (COCON 2) and senior rules (COCON 3). The senior rules are typically where Duty of Responsibility cases arise. Our SMCR plain-English guide covers the senior rules in context.

5. Mishandling REP008. The conduct rules breach return sits under SUP 15.11 (not the general SUP 15.3 notification rule). For reporting periods ending on or after 31 August 2025 the firm no longer files a nil return when there is nothing to report — but it must still run the annual assessment and file REP008 where a reportable breach occurred.

What to do next

If you are setting up or refreshing how your firm handles the individual conduct rules:

  1. Map every staff member to a category (SMF, certified, conduct rules staff, excluded) and record the mapping. The COCON self-assessment walks through this.
  2. Confirm your conduct rules training cycle covers initial + annual + trigger-based, with attestation evidence captured for each round.
  3. Update your conduct-rule breach register to include NFM evidence post-1 September 2026.
  4. Review your F&P assessment template to confirm NFM evidence is treated as conduct-rule evidence — see our F&P guide for the assessment mechanics.
  5. Use the PS25/23 deadline guide to plot the implementation milestones between now and 1 September 2026.

The individual conduct rules are deliberately broad — they're framed as principles, not detailed prescriptions. That means the work of applying them sits with the firm and the supervisor for each conduct rules staff member. Done well, the rules support a consistent firm-wide standard. Done poorly, they become a checklist that nobody can actually use when a real conduct issue arises.

Sources

This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 4 June 2026.

Ready to manage conduct rule compliance properly?

ConductLog gives small FCA firms a structured investigation workflow with built-in COCON rule mapping. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy.

Related guides

COCON Conduct Rules Explained: The Complete Guide for Small FCA Firms

A practical guide to the FCA's COCON conduct rules for small regulated firms. Covers all six individual conduct rules, senior manager rules, and PS25/23 changes.

FCA Certification Regime: Annual Renewal Step-by-Step for Small Firms

How the FCA Certification Regime annual renewal works at a small firm — who needs certifying, the 12-month fitness-and-propriety cycle, what evidence to gather, and a step-by-step renewal process.

FCA Conduct Rule Breach Reporting: REP008, SUP 15 and When Each Applies

How FCA conduct rule breach reporting works at a small firm — REP008 for conduct rules and certified staff, the separate route for Senior Managers, the annual deadline, and what counts as a notifiable breach.