Skip to content
ConductLog

FCA Conduct Rule Breach Reporting: REP008, SUP 15 and When Each Applies

Conduct rule breach reporting is one of the SMCR obligations small firms most often misunderstand — partly because there are two different routes depending on who breached the rule, and partly because the rules around it changed in 2025. The FCA removed the nil-return requirement for reporting periods ending on or after 31 August 2025, so a firm with nothing to report no longer files anything — but the firm still has to know whether it has anything to report, and route any actual breach correctly. Get the routing or the timing wrong and a routine obligation becomes a notification failure.

This guide covers how conduct rule breach reporting works: what REP008 is, what counts as a notifiable breach, the separate route for Senior Manager breaches, the annual deadline, and the recent nil-return change. It is written for compliance officers and principals at IFAs, mortgage brokers, insurance brokers, and small wealth managers with 1–50 staff.

For the foundational view of the conduct rules themselves, our COCON conduct rules guide is the pillar. For what conduct rules training has to cover, see our conduct rules training guide.

What has to be reported, and when?

The reporting obligation is triggered by disciplinary action taken for a conduct rule breach — not by the breach alone. The rules sit in SUP 15.11 of the FCA Handbook (Notification of COCON breaches and disciplinary action).

A "disciplinary action" for these purposes includes a formal written warning, suspension or dismissal, or a reduction or recovery of remuneration (clawback), where the reason for the action is a breach of the conduct rules. An informal word, coaching, or retraining that does not amount to formal disciplinary action does not, on its own, trigger the report.

The two things to get right are who breached the rule (which sets the route and timing) and whether disciplinary action was taken (which sets whether it is reportable at all).

REP008: conduct rules staff and certified staff

For breaches by conduct rules staff and certified staff (i.e. everyone in scope except Senior Managers), the firm reports using REP008 — Notification of Disciplinary Action, which is the FCA's version of Form H (based on the form in SUP 15 Annex 7R), submitted through the FCA's electronic systems.

The key features of REP008 for most solo-regulated (non-LPCC) firms:

  • The reporting period runs 1 September to 31 August each year.
  • Where there is something to report, the return is due by 31 October (or the next business day), submitted via RegData.
  • The nil return is no longer required. The FCA confirmed (effective for reporting periods ending on or after 31 August 2025) that a firm with nothing to report does not need to submit a nil return, and no late fee applies. If the firm has not taken disciplinary action for a conduct rule breach in the period, no action is required for that period.

This is a genuine simplification — but it does not remove the underlying obligation to assess whether anything is reportable. A firm still has to track conduct rule breaches and the disciplinary actions taken, decide whether any are reportable, and file REP008 by 31 October if so. "No nil return required" is not the same as "no breach-reporting process required."

Senior Manager breaches: a different route entirely

Conduct rule breaches by Senior Managers are not included in REP008. They follow a different route and a different timing:

  • Disciplinary action against a current Senior Manager for a conduct rule breach is reported on Connect using Form C or Form D (Form D for changes to an existing SMF's details; Form C where the individual is ceasing to perform the SMF).
  • This is not an annual cycle — it is reported as it happens, in line with the relevant notification timing, not held for the October REP008 window.

Mixing these up is a common error: a Senior Manager breach put into the annual REP008 (where it does not belong) or held back for the annual cycle (when it should have been notified promptly) are both wrong.

The wider SUP 15 notification picture

REP008 sits within the broader notification framework in SUP 15.3, which requires firms to notify the FCA of significant events affecting the firm. A serious conduct issue can engage SUP 15.3 in its own right — for example, a matter that could have a significant adverse impact on the firm's reputation or that involves significant non-compliance — separately from the conduct-rule-breach reporting in SUP 15.11.

The practical point: conduct-rule-breach reporting (SUP 15.11 / REP008) and general significant-event notification (SUP 15.3) are different obligations. A single incident can engage both. Do not assume that filing REP008 discharges a SUP 15.3 notification, or vice versa.

What counts as a conduct rule breach?

A conduct rule breach is conduct by a person in scope that falls short of the relevant COCON rule — the individual conduct rules (acting with integrity, due skill, openness with the FCA, treating customers fairly, observing market conduct) and, for Senior Managers, the additional senior manager conduct rules.

From 1 September 2026, PS25/23 expands the conduct picture to bring serious non-financial misconduct (bullying, harassment, and violence) more clearly within scope. That means a disciplinary action taken for serious NFM may become a reportable conduct-rule matter where it previously sat only in the firm's HR process. Firms should make sure their breach-assessment process accounts for the expanded scope. Our whistleblowing vs NFM guide covers how NFM and the conduct rules interact, and the PS25/23 compliance checklist covers the readiness programme.

How a small firm should run breach reporting through the year

  1. Maintain a conduct rule breach register. Log any conduct rule breach and any disciplinary action taken, as it happens. The register is the source for both REP008 and any prompt notifications.
  2. Route Senior Manager breaches promptly. A conduct breach by an SMF holder that leads to disciplinary action goes via Connect (Form C/D) at the time — not into the annual cycle.
  3. Assess SUP 15.3 in parallel. For any serious incident, ask separately whether it engages the general significant-event notification, regardless of the REP008 position.
  4. Run the annual REP008 check. After the 31 August period-end, compile the year's reportable conduct-rules-staff and certified-staff breaches. If there are any, file REP008 via RegData by 31 October. If there are none, no nil return is required (for periods ending on or after 31 August 2025) — but record that the assessment was done.

Common breach-reporting mistakes at small firms

1. Still filing a nil return out of habit. For reporting periods ending on or after 31 August 2025, the nil return is no longer required — but the firm still has to run the assessment to confirm there is genuinely nothing to report.

2. Putting Senior Manager breaches in REP008. SM breaches go via Connect (Form C/D), not the annual REP008.

3. Reporting the breach instead of the disciplinary action. The trigger is formal disciplinary action for a conduct breach — not every breach, and not informal management responses.

4. Assuming one notification covers everything. REP008 (SUP 15.11) and significant-event notification (SUP 15.3) are separate obligations; a serious incident can require both.

Where to start

  1. Stand up (or tidy) a conduct rule breach register that records breaches and disciplinary actions as they happen.
  2. Set an annual end-of-October checkpoint: assess the period's conduct rule breaches and file REP008 via RegData if there is anything to report (no nil return needed if there isn't).
  3. Use the COCON Self-Assessment to confirm who is a Senior Manager vs conduct rules / certified staff — that classification drives which reporting route applies.
  4. Build the PS25/23 NFM scope into your breach-assessment process ahead of 1 September 2026.

ConductLog is building tooling to keep a conduct rule breach register, the right reporting route per person, and the annual REP008 assessment connected at a small firm — so reportable breaches are filed correctly and Senior Manager breaches are routed to the right channel. Join the waitlist to hear when it launches.

References

This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 4 June 2026.

Ready to manage conduct rule compliance properly?

ConductLog gives small FCA firms a structured investigation workflow with built-in COCON rule mapping. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy.

Related guides

FCA Certification Regime: Annual Renewal Step-by-Step for Small Firms

How the FCA Certification Regime annual renewal works at a small firm — who needs certifying, the 12-month fitness-and-propriety cycle, what evidence to gather, and a step-by-step renewal process.

FCA Prescribed Responsibilities: The Core-Firm List and How to Allocate Them

The FCA prescribed responsibilities that apply to Core solo-regulated firms, what each one means, who to allocate them to, and how the small-firm carve-outs work under SYSC 24.

FCA Statement of Responsibilities: Worked Examples for Small Regulated Firms

What an FCA Statement of Responsibilities has to contain, how to draft one at a small solo-regulated firm, when to resubmit it, and a worked example for a sole principal holding multiple SMFs.