Conduct rules breach reporting: what the FCA expects from your firm
The Notification Obligation in Plain Terms
Under the Senior Managers and Certification Regime, firms that have taken disciplinary action against an employee for a breach of the Conduct Rules must notify the FCA. This notification obligation sits within the FCA’s Supervision manual (SUP 15) and has specific requirements around timing, content and scope that many firms — particularly those without dedicated regulatory reporting expertise — do not fully understand.
The notification obligation is one of the most operationally challenging aspects of SMCR for compliance functions. The threshold for what must be reported, the definition of disciplinary action, and the timeline for notification all require careful judgement. Firms that over-notify create regulatory noise and may signal governance weakness. Firms that under-notify face enforcement risk. Getting the threshold right consistently requires a clear internal process, senior accountability, and documented decision-making.
This post explains the notification obligation in detail, sets out the FCA’s expectations based on supervisory guidance and published enforcement outcomes, and identifies the most common failures firms make in breach reporting.
Who Is Subject to the Notification Obligation
The conduct rules notification obligation applies to all FCA solo-regulated firms within scope of SMCR — which covers the vast majority of FCA-authorised firms. Banks and dual-regulated firms have equivalent obligations under the PRA’s framework.
The obligation applies where a firm takes disciplinary action against any employee in scope of the Conduct Rules — which under SMCR means almost all employees of the firm, not just Senior Managers or Certified Persons. The breadth of this scope is wider than many firms appreciate: the Conduct Rules apply to substantially the entire workforce (with limited exceptions for certain ancillary staff), so the potential population for conduct breach notifications is correspondingly large.
What Triggers the Notification Obligation
The trigger is specific: a firm must notify the FCA when it takes disciplinary action against a staff member for a conduct rules breach. Both elements of this trigger require careful analysis.
What counts as a conduct rules breach
A conduct rules breach is a failure to meet one or more of the standards in COCON (the Conduct Rules sourcebook). The key standards are:
- Rule 1: Acting with integrity
- Rule 2: Acting with due skill, care and diligence
- Rule 3: Being open and cooperative with regulators
- Rule 4: Paying due regard to customer interests
- Rule 5: Observing proper standards of market conduct
For Senior Managers, the additional Senior Manager Conduct Rules (SC1-SC4) also apply. See our Senior Manager Conduct Rules guide for full detail on these.
Not every workplace misconduct issue is a conduct rules breach. A member of staff who is disciplined for poor timekeeping has not necessarily breached Rule 2 (due skill, care and diligence) — though depending on the severity and context it could be relevant. A member of staff who is disciplined for dishonesty in their expense claims has almost certainly breached Rule 1 (integrity). The question the firm must ask is whether the disciplinary matter engages one of the COCON standards, which requires a substantive assessment rather than an automatic classification.
What counts as disciplinary action
The FCA defines disciplinary action broadly. It includes formal warnings (written or final), suspension, demotion, reduction of remuneration, and dismissal. It does not require dismissal — a formal written warning for a conduct matter is sufficient to trigger the notification obligation if it relates to a conduct rules breach.
Critically, an outcome that does not meet the technical definition of disciplinary action — for example, a performance improvement plan that does not constitute a formal disciplinary measure under the firm’s HR framework — would not trigger notification even if it relates to conduct concerns. However, firms should be careful about structuring outcomes to avoid the notification trigger where the underlying conduct genuinely warrants regulatory reporting.
The FCA has made clear in enforcement outcomes that structuring HR processes to avoid notification obligations is itself a conduct and governance concern.
The Notification Timeline
The firm must notify the FCA as soon as reasonably practicable after it becomes aware that disciplinary action has been taken for a conduct rules breach. The FCA’s guidance indicates this should typically happen within 10 business days of the disciplinary outcome — though this is not a hard statutory deadline, and the “as soon as reasonably practicable” standard means notification must, in substance, be prompt.
Where a disciplinary process is ongoing, the notification obligation is triggered by the conclusion of that process — not by the initiation of an investigation or the point at which the firm first suspects a breach. Firms do not need to notify the FCA about ongoing investigations before a disciplinary outcome has been reached, but they should not delay notification once a disciplinary decision has been made pending internal review processes.
For Senior Managers, there is an additional notification consideration: where the firm becomes aware that a Senior Manager may have breached the Duty of Responsibility or the Senior Manager Conduct Rules in connection with a regulatory breach by the firm, the firm should consider whether a SUP 15 notification is required independently of any internal disciplinary process.
The Content of the Notification
The FCA’s prescribed form for conduct rules notifications is SUP 15 Annex 4R. The notification must include:
- The identity of the individual
- Their role and Senior Management Function or Certified Function (if applicable)
- The conduct rules provision breached
- The nature of the breach
- The disciplinary action taken
- The date of the disciplinary action
- Any relevant context the firm considers material
The quality of the notification content matters as much as the fact of notification. Notifications that describe the breach in vague terms — “employee failed to meet expected standards” — are less informative than notifications that clearly identify the specific conduct rule breached, describe the underlying conduct, and explain the disciplinary outcome. The FCA uses notification data both for individual supervision and for thematic analysis of conduct patterns across the industry.
The Annual Report Requirement
In addition to individual breach notifications, firms must submit an annual report to the FCA summarising conduct rules breaches and disciplinary actions in the preceding year. This report is submitted via the FCA’s RegData system (formerly Gabriel) and covers:
- The number of conduct rules breaches reported
- The conduct rules provisions involved
- The disciplinary outcomes
- Whether any individuals were Senior Managers or Certified Persons
The annual report serves a different supervisory function from individual breach notifications: it enables the FCA to assess the overall conduct profile of a firm and to identify patterns that individual notifications might not reveal. A firm with a significant number of conduct breach notifications that are all classified as Rule 2 (skill, care and diligence) raises different supervisory questions than a firm with a similar number classified across all five rules.
What the FCA Actually Scrutinises
Based on FCA supervisory dialogue and published enforcement outcomes, the aspects of conduct breach reporting that draw the most supervisory attention are:
Under-reporting
The most common failure is taking disciplinary action for conduct that clearly engages the Conduct Rules without making the required notification. This sometimes reflects a genuine misunderstanding of the threshold. More often it reflects an internal process where the HR function manages the disciplinary outcome and the compliance function is not consistently involved in the classification decision.
The FCA has found in thematic reviews that many firms have weaker processes for identifying and reporting lower-level conduct breaches (written warnings, performance-related outcomes) than for reporting serious matters such as dismissals. The notification obligation applies equally to both.
Notification quality
Vague or incomplete notifications — those that identify the individual and outcome but do not clearly describe the conduct or the rule breached — are less useful to the FCA and may attract follow-up queries. Firms that invest in clear, substantive notification drafting avoid this friction.
Process consistency
The FCA expects the notification decision to be consistent — applying the same threshold across similar cases. Inconsistency in whether similar conduct is classified as a notifiable breach suggests that the classification process lacks rigour. Documenting the rationale for notification decisions (and for decisions not to notify) provides a defensible record in the event of supervisory challenge.
Senior Manager involvement
Where a conduct breach involves a Senior Manager — whether as the subject of the disciplinary action or as a manager who failed to identify or prevent a breach within their area — the FCA expects the notification to clearly identify the Senior Manager Conduct Rules dimension. A notification that characterises a Senior Manager’s failure to oversee a conduct issue as a Rule 2 breach when it could more accurately be characterised as an SC1 or SC2 breach may attract scrutiny.
Building a Robust Notification Process
Firms that manage this well typically have the following in place:
- A clear ownership model — the compliance function (typically the SMF16 holder’s team) owns the classification decision and the notification, not HR
- A trigger mechanism — HR-initiated disciplinary processes automatically route through compliance for conduct rules classification before conclusion
- A documented decision framework — a written framework setting out the threshold for notification, worked examples, and an escalation path for borderline cases
- A record of non-notification decisions — documenting cases where a disciplinary matter was assessed and found not to meet the notification threshold, with the rationale
- Regular review against the annual report — using the annual report cycle to audit whether the year’s notifications and non-notification decisions are consistent and complete
The SMF16 holder carries personal accountability for the firm’s compliance function, including the adequacy of its breach notification process. Where the process is weak, the accountability sits with whoever holds that function. See our SMF16 guide for the full scope of the Compliance Oversight function.
Interaction with Regulatory References
Conduct rules breach notifications interact with the regulatory reference framework. Where a firm has notified the FCA of a conduct breach by an individual, that information must be disclosed in the regulatory reference provided to future regulated employers when that individual applies for an SMF or Certified Function role. Firms must retain records of conduct breach notifications for at least six years specifically to enable accurate regulatory reference disclosure.
This creates a practical governance requirement: the compliance function must maintain conduct breach records in a format accessible for regulatory reference purposes, not just for internal disciplinary records. See our post on SMCR vs the Approved Persons Regime for context on why the regulatory reference requirement was introduced and how it operates.
A Note from Our Founder — Adrian Lawrence FCA
Conduct breach reporting is the area where I most often see a structural gap in how firms organise their compliance function. The HR-compliance interface is frequently underdeveloped — HR manages the disciplinary outcome and compliance only finds out about it if someone thinks to tell them. That is the wrong structure. The classification decision — whether a disciplinary matter engages the Conduct Rules — must sit with compliance, and HR-initiated processes must route through that classification before conclusion.
Firms that have this structure right tend to have an SMF16 holder who has made it a personal priority. Firms that don’t typically have either a weak compliance function, an understaffed one, or one where the SMF16 holder has not engaged substantively with the HR interface. If you are evaluating your compliance function’s capacity to manage this well — or looking for an SMF16 appointment who will — I am happy to discuss what you should be looking for.
Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383
Adrian Lawrence FCA is the founder of FD Capital and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW). He holds a BSc from Queen Mary College, University of London, and has over 25 years of experience as a Chartered Accountant and finance leader working with private, PE-backed and owner-managed businesses across the UK. He founded FD Capital to connect growing businesses with the Finance Directors and CFOs they need to scale — and personally interviews candidates for senior finance appointments.