Skip to content
ConductLog

FCA Conduct Rules Training: Requirements for Small Regulated Firms

If you run a small FCA-regulated firm, conduct rules training is one of the SMCR obligations that catches more firms out than it should. The rule itself is short — conduct rules staff need to be trained on how the rules apply to their role — but the surrounding requirements (attestation, role-specificity, trigger-based refreshers, recordkeeping) get missed at small firms more often than they get hit cleanly.

This guide covers what the FCA actually expects: who needs conduct rules training, how often, what content has to be in it, what evidence the firm has to keep, and how the PS25/23 changes from 1 September 2026 reshape the picture. It is written for compliance officers and principals at IFAs, mortgage brokers, insurance brokers, and small wealth managers with 1–50 staff.

For the foundational view of the rules themselves, our COCON conduct rules guide is the pillar. For the certified-staff specifics, see our individual conduct rules guide.

Who needs FCA conduct rules training?

Almost everyone at a small FCA-regulated firm needs conduct rules training. Specifically:

  • Senior managers (SMF holders) — trained on both the individual conduct rules (COCON 2) and the senior manager rules (COCON 3)
  • Certified staff — trained on the individual conduct rules
  • Conduct rules staff — trained on the individual conduct rules
  • Ancillary staff excluded under COCON 1.1 — not subject to the rules and therefore not required to undergo conduct rules training

For most small firms (1–50 staff), the third category includes almost everyone who isn't strictly back-office (cleaning, catering, building maintenance). Customer-facing administrators, paraplanners, IT staff working on client systems — all of them are conduct rules staff.

This is where small firms most often get the scope wrong. A common (and incorrect) assumption is that conduct rules training is only for advisers and senior managers. Under the regime, it is broader than that. If in doubt, train them.

How often does FCA conduct rules training need to be done?

There is no single mandated frequency in the rules. The expectation is that training is sufficient to ensure each conduct rules staff member understands how the rules apply to their role — which in practice means a cycle that combines:

Initial training on joining or moving into a conduct rules role. Should happen within the first few weeks. Should be role-specific (different content for an adviser vs an administrator vs an IT operations staff member).

Annual refreshers. Aligned to the F&P assessment cycle where possible (typically March–April for many small firms). The refresher confirms understanding and incorporates any rule changes that landed in the previous year.

Trigger-based training when rules change materially. PS25/23 is the current major trigger — every firm needs a PS25/23-specific training round before 1 September 2026 covering the new scope on non-financial misconduct. The Consumer Duty in 2023 was a similar trigger.

Event-based training when something goes wrong. A conduct issue or near-miss at the firm — or in a peer firm where the same exposure exists — is a reason to revisit the relevant rules with specifically affected staff.

The combination of initial + annual + trigger + event is the realistic cadence at a small firm. It is also what the FCA's supervisory teams expect to see when they ask for training records.

What FCA conduct rules training has to cover

Training must enable each conduct rules staff member to understand how the rules apply to their role. The minimum content for any conduct rules training:

  1. The six individual conduct rules in COCON 2.1 — what each rule requires, with examples relevant to the staff member's role
  2. The four senior manager rules in COCON 3.1 — for SMF holders only
  3. How to recognise a potential breach in day-to-day work
  4. How to report a concern — the firm's internal channels and the protections available
  5. The connection to F&P — how a substantiated breach can feed the fitness-and-propriety assessment for certified staff
  6. The PS25/23 scope from 1 September 2026 — explicit treatment of how serious non-financial misconduct now sits within the conduct rules

For a checklist-driven way to test understanding against worked scenarios, use our COCON Self-Assessment — it can sit alongside the training as a knowledge-check tool.

Role-specific training: what good looks like

Generic "watch-the-video-and-tick-the-box" training is weak evidence. The FCA's expectation is that training is tailored enough that an individual could explain how each rule applies to their actual job. For a small firm, "role-specific" doesn't have to mean writing different training from scratch for every employee — it means walking through scenarios that match the kinds of decisions each staff group actually makes.

A practical small-firm pattern:

  • Adviser training — focus on suitability, charge transparency, treating customers fairly, market conduct around investment decisions, the Consumer Duty Rule 6
  • Administrator / paraplanner training — focus on integrity in record-keeping, data accuracy, escalation when client-facing concerns arise
  • Compliance / risk training — focus on openness with the regulator (Rule 3), conduct rule breach handling, and REP008 breach-reporting mechanics
  • Operations / IT training — focus on data confidentiality, security incident reporting, the proper escalation chain

The Training and Competence sourcebook (TC 2.1) provides the broader framework that conduct rules training sits alongside for certified roles.

Recordkeeping and attestation

Every conduct rules training event must be evidenced. The standard records:

  • Training content — what was delivered (slides, video link, or written material), kept for at least six years
  • Date and duration — when training happened, how long it took
  • Attendees — who attended (named, not just headcount)
  • Attestation — each attendee signs (paper or electronic) confirming they completed the training, understand the rules as they apply to their role, and know how to escalate concerns. Attestation is the single most important record — without it, the firm cannot easily evidence that any individual was trained.
  • Trainer / source — who delivered the training; if external, the trainer's credentials

For a small firm, this can be kept in spreadsheets and a shared drive. The records have to be reachable on FCA request — the supervisory team will want to see them within a working day or two if they ask.

How PS25/23 changes conduct rules training from September 2026

The September 2026 PS25/23 changes add a specific training requirement: every conduct rules staff member needs to understand that serious non-financial misconduct — bullying, harassment, discrimination, sexual misconduct — is within the scope of the conduct rules where it occurs in a work setting.

In practice, this means:

  • A trigger-training event before 1 September 2026 specifically covering the PS25/23 scope. Most small firms should plan to deliver this in July or early August 2026.
  • Updated training material for the ongoing annual cycle, integrating PS25/23 into the standard content rather than treating it as a one-off.
  • Investigation-handling training for line managers and supervisors — separately from the conduct rules training itself — covering what to do if an NFM allegation lands. Our harassment allegation how-to sets out the process.
  • Documented attestation from every conduct rules staff member confirming they have been trained on the new scope.

Our PS25/23 compliance checklist covers the broader implementation timeline; the training-specific items typically land in July 2026 of that timeline.

Common mistakes small firms make with conduct rules training

1. Training only the SMF holders. Conduct rules training applies to all conduct rules staff. Limiting training to senior managers is one of the most common scope failures at small firms.

2. Generic content that could apply to any firm. The FCA expects role-specific evidence. A 30-minute "introduction to SMCR" video, while useful as an introduction, is not enough on its own — the firm needs to evidence that staff understand how the rules apply to their role.

3. No attestation. Without each attendee's confirmation that they completed and understood the training, the firm cannot easily prove individual completion. Group sign-in sheets are weak evidence; individual attestation forms (paper or electronic) are the standard.

4. Treating PS25/23 as part of the standard 2026 refresher. It is also a trigger event in its own right — most firms should deliver dedicated PS25/23 training before 1 September 2026, separate from the annual refresher.

5. Letting external trainers' material drift out of date. If using an external trainer, verify their content covers the current FCA Handbook position — particularly PS25/23, the Consumer Duty, and any recent enforcement-action themes the FCA has signalled. External training providers vary in how quickly they update.

6. No record of training-trigger events. The firm needs a documented reason for each training round (initial, annual, PS25/23 trigger, event-based) so the cadence is auditable.

What to do next

If you are reviewing or rebuilding your firm's conduct rules training:

  1. List every staff member and confirm classification (SMF / certified / conduct rules staff / excluded). The COCON Self-Assessment walks through this.
  2. Inventory current training records — initial, annual refreshers, any trigger events. Identify any conduct rules staff member without a recent (within the last 12 months) attested training record.
  3. Plan the PS25/23 trigger-training round for July or early August 2026.
  4. Confirm role-specific content is tailored to each staff group (or document why a single piece of training is sufficient for staff who effectively share a role).
  5. Refresh the attestation template if it doesn't capture the elements above (date, content, individual confirmation).

Conduct rules training, done well, takes a small firm 1–2 days a year of compliance officer time plus 1–2 hours per staff member. Done badly, it doesn't matter how much time you spend — the absence of role-specific content and attested records is what the FCA scrutinises.

Sources

This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 18 May 2026.

Ready to manage conduct rule compliance properly?

ConductLog gives small FCA firms a structured investigation workflow with built-in COCON rule mapping. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy.

Related guides

FCA Certification Regime: Annual Renewal Step-by-Step for Small Firms

How the FCA Certification Regime annual renewal works at a small firm — who needs certifying, the 12-month fitness-and-propriety cycle, what evidence to gather, and a step-by-step renewal process.

FCA Conduct Rule Breach Reporting: REP008, SUP 15 and When Each Applies

How FCA conduct rule breach reporting works at a small firm — REP008 for conduct rules and certified staff, the separate route for Senior Managers, the annual deadline, and what counts as a notifiable breach.

FCA Prescribed Responsibilities: The Core-Firm List and How to Allocate Them

The FCA prescribed responsibilities that apply to Core solo-regulated firms, what each one means, who to allocate them to, and how the small-firm carve-outs work under SYSC 24.