Individual Conduct Rules (Tier 1): The Complete Guide

The Five Rules That Apply to Every Employee in an FCA-Regulated Firm

The Individual Conduct Rules — Tier 1 of the FCA’s Conduct Rules framework — apply to virtually every employee of an FCA-regulated firm. These five rules, set out in COCON 2.1, establish the minimum standard of personal conduct expected of anyone working in UK financial services, from a graduate trainee to a senior trader to a back-office administrator. Breach of any of these rules can result in personal disciplinary action, regulatory referral, and adverse information that follows the individual to any future regulated firm employment under the Regulatory References regime.

This guide explains the five Tier 1 Conduct Rules in detail, with practical examples of how they apply, what breach reporting actually involves, and how firms integrate the rules into their HR and disciplinary frameworks. It also covers the recruitment dimension — how Conduct Rules history affects the candidate’s reference position, what hiring firms need to evaluate, and the cultural angle that distinguishes firms with strong conduct cultures from firms where the rules are administrative.

What’s missing from most online explanations of the Tier 1 Conduct Rules is the operational reality — how breach reporting actually happens, what good conduct culture looks like, and the HR/legal integration challenges firms encounter. That’s the gap this guide fills.

Who Is Subject to Tier 1 Conduct Rules

The Tier 1 rules apply broadly. Specifically, COCON applies to:

  • All Senior Management Function holders (who are also subject to additional Tier 2 rules)
  • All certified persons performing Significant Harm Functions
  • All other employees of FCA-regulated firms, with limited exceptions for purely ancillary staff

The “all other employees” scope was a substantial expansion when SM&CR rolled out for solo-regulated firms in December 2019. In practice, every individual who carries out activities for the firm — whether on a permanent contract, fixed term, or many forms of contracted services — is within scope. Limited exceptions apply for purely ancillary staff (cleaners, security, receptionists who don’t engage with regulated activity) but the default is that the rules apply.

This means that for an Enhanced firm of 1,000 employees, the Conduct Rules typically apply to 950+ individuals. The training, breach reporting and disciplinary integration burden is substantial.

The Five Individual Conduct Rules

The Tier 1 rules are set out in COCON 2.1. Each is short, but the practical implications are extensive.

Rule 1: You must act with integrity

The most fundamental of the rules. “Integrity” is not exhaustively defined by the FCA but encompasses honesty, ethical conduct, and acting consistently with the firm’s stated values and policies. Breaches typically involve dishonesty, deliberate concealment of information, falsification of records, conflicts of interest not properly managed, or other conduct that a reasonable person would identify as not acting with integrity.

Practical examples of breach include: falsifying expense claims, misrepresenting work performed, concealing personal trading activity, entering inaccurate data into firm systems with knowledge of the inaccuracy, and material breaches of personal account dealing rules.

Rule 2: You must act with due skill, care and diligence

Captures the standard of competence and care expected of a reasonable employee performing the relevant role. The standard is contextual — what is “due” skill depends on the role, seniority and circumstances. A junior employee is not held to the standard of a senior specialist; a senior specialist is held to a higher standard.

Practical examples of breach include: failing to perform required checks on a transaction, missing material errors in work that should have been identified through reasonable care, inadequate research or analysis underpinning material decisions, and similar competence-related failures.

Rule 3: You must be open and cooperative with the FCA, the PRA and other regulators

Imposes a positive obligation to cooperate with regulator inquiries, investigations and information requests. The rule applies to interactions at all levels — from formal regulator interviews to routine information requests via the firm’s compliance function.

Practical examples of breach include: providing incomplete or misleading responses to regulator inquiries, withholding information that the regulator has not specifically asked for but that is clearly relevant, attempting to influence colleagues’ responses to regulator questions, and similar conduct.

Rule 4: You must pay due regard to the interests of customers and treat them fairly

The customer-focused conduct rule. Captures Treating Customers Fairly principles and, since 2023, intersects with the Consumer Duty obligations. The rule applies to all employees who could affect customer outcomes — including front-office staff, but also operations, technology, and others whose work affects customer service quality.

Practical examples of breach include: deliberately misleading customers about products or services, knowingly recommending unsuitable products, hiding fees or terms, prioritising firm interests over customer interests in advice contexts, and conduct that demonstrably treats customers unfairly. The Consumer Duty has elevated the practical implications of this rule substantially. See our Consumer Duty Guide for detail.

Rule 5: You must observe proper standards of market conduct

Applies to employees engaged in market-facing activity — trading, market-making, dealing, and similar. Captures market abuse, manipulation, insider dealing, improper market practices, and other conduct affecting market integrity.

Practical examples of breach include: market manipulation, insider dealing, improper communication of inside information, manipulative trading practices (spoofing, layering, etc.), and breach of market conduct rules in trading activity.

Conduct Rules Training — The Annual Cycle

Firms are required to train all in-scope employees on the Conduct Rules. The training must be appropriate to the employee’s role, refreshed periodically, and documented. Most firms run Conduct Rules training annually, often integrated with broader regulatory training (AML, financial crime, market abuse, etc.).

Effective training typically covers:

  • The five Tier 1 rules with role-relevant examples
  • The breach reporting framework and how to escalate concerns
  • The interaction with disciplinary processes
  • Recent FCA enforcement examples relevant to the firm’s sector
  • The cultural expectation — that the rules describe minimum behaviour, not aspirational standards

For SMFs, training also covers the four additional Tier 2 rules. See our Tier 2 Conduct Rules Guide for detail.

Conduct Rules Breach Reporting

One of the most operationally significant aspects of the Conduct Rules regime is the breach reporting framework. Where a firm concludes that a Conduct Rules breach has occurred, it must report the breach to the FCA via Form D.

The reporting framework operates on different timelines depending on who breached:

Individual category | Reporting timeline | Reporting mechanism
SMFs | Within seven business days of conclusion | Form D via Connect, individual notification
Certified persons | Within seven business days of conclusion | Form D via Connect, individual notification
Other employees | Annually, in batch | Annual notification covering the prior year’s breaches

The “conclusion” trigger is important — the deadline runs from when the firm has concluded a breach occurred, not from when the underlying conduct occurred. For SMFs and certified persons, this means the firm needs efficient processes for completing breach investigations and reaching firm conclusions.

What constitutes a “conclusion of breach”

The FCA expects firms to apply judgment on a balance-of-probabilities basis. Firms should not delay conclusion indefinitely while investigating, but equally should not rush to conclusion without sufficient investigation. Most firms have a formal Conduct Rules breach process involving:

  • Initial flagging — through HR processes, compliance monitoring, or other channels
  • Investigation — by HR, compliance, or both
  • Determination — by a panel or designated decision-maker that the breach has or has not occurred
  • Action — disciplinary, regulatory reporting, and any appropriate remediation

The whole process needs to operate at a pace that supports the seven-business-day reporting timeline for SMFs and certified persons.

HR and Legal Integration

The Conduct Rules sit at the intersection of regulatory compliance and employment law — which creates practical integration challenges:

Disciplinary process alignment

Firm disciplinary processes need to capture Conduct Rules breaches consistently. Typically this means:

  • Disciplinary investigations consider whether a Conduct Rules breach has occurred alongside any breach of firm policy
  • Disciplinary outcomes record the Conduct Rules conclusion (breach occurred / did not occur)
  • HR systems capture the Conduct Rules conclusion for ongoing reference
  • The Regulatory Reference for the individual reflects any breach finding

Settlement agreements

Settlement agreements with departing employees cannot prevent disclosure of Conduct Rules breaches in subsequent Regulatory References. Standard settlement language needs careful drafting to comply with the regime — and the firm must disclose breach findings even where the departing employee disagrees with the firm’s conclusion.

Tribunal and litigation considerations

Where employees challenge Conduct Rules findings via employment tribunal or other litigation, the firm must continue to apply the regulatory framework. A successful tribunal claim does not automatically reverse a Conduct Rules breach finding for regulatory purposes. The interaction between the two frameworks is nuanced and typically requires careful legal advice.

Mental health and wellbeing

The FCA has been increasingly explicit that Conduct Rules processes must be operated with appropriate sensitivity to employee wellbeing. The 2024 FCA Diversity & Inclusion proposals reinforced this — Conduct Rules investigations should not be conducted in ways that exacerbate mental health issues, and firms need to provide appropriate support during investigations.

Why Tier 1 Conduct Culture Matters Beyond Compliance

The Conduct Rules describe minimum behaviour expected of every employee. Firms that treat the rules as compliance training to be ticked off annually frequently find that conduct issues cluster in specific business areas, supervisory chains, or under specific commercial pressures. Firms with strong conduct cultures use Conduct Rules data — breach rates by team, themes in disclosures, near-miss reporting — as a leading indicator of cultural health. The FCA increasingly examines this dimension during supervisory dialogue. “Good conduct culture” is now genuinely material to how firms are perceived by their regulator.

The Recruitment Dimension

For recruiters and hiring firms, Conduct Rules history matters in three specific ways:

Regulatory References disclose breach findings

Where a candidate has a Conduct Rules breach finding from a previous role, this is disclosed in the mandatory Regulatory Reference. The receiving firm must consider the disclosure as part of the Fit & Proper assessment. A breach finding does not automatically disqualify the candidate but requires substantive consideration.

Breach findings vs breach allegations

The reference position distinguishes between findings (the firm concluded a breach occurred) and allegations or investigations that did not result in findings. Allegations that were investigated and not concluded as breaches are typically not reported, but the underlying conduct may still factor into the firm’s fitness assessment if discovered during reference work.

Candidate disclosure obligations

Candidates have an interest in disclosing adverse history proactively to the recruiting firm — discovery during reference checking after offer typically derails placements that might have been workable with earlier disclosure. Experienced recruiters guide candidates through this disclosure carefully.

Conduct Rules in Different Sectors

The Tier 1 rules apply uniformly across all FCA-regulated firms, but the practical application varies by sector:

  • Wealth management and advice firms: Customer fairness (Rule 4) is dominant. Suitability findings, fee disclosure failures and similar are common breach categories
  • Asset management firms: Market conduct (Rule 5) is dominant. Trading conduct, conflicts of interest and similar are common areas
  • Payments and e-money firms: Integrity (Rule 1) and skill/care (Rule 2) issues commonly arise around AML compliance, transaction processing accuracy, and customer service
  • Consumer credit firms: Customer fairness (Rule 4) is dominant. Affordability assessment failures, fee transparency and similar arise frequently
  • Banks and insurers: All five rules are commonly invoked across different functions

Common Pitfalls in Conduct Rules Implementation

Treating training as enough. Annual training is necessary but not sufficient. Conduct culture requires ongoing reinforcement through performance management, supervision, and visible enforcement of standards.

Slow breach investigation processes. Where breach investigations take 8-12 weeks routinely, the seven-business-day reporting deadline for SMFs and certified persons becomes hard to meet.

Inconsistent application across business units. Where different divisions apply different standards (e.g., front-office staff held to a lower standard than operations), the framework loses credibility.

Settlement agreements that breach disclosure rules. Standard non-disparagement clauses can conflict with the Regulatory Reference disclosure requirements. Legal review of settlement language is necessary.

Inadequate near-miss reporting. Strong cultures encourage reporting of conduct concerns before they escalate to breach. Firms that focus only on confirmed breaches miss leading indicators.

Annual reporting failures. The annual breach reporting for non-SMF/non-certified employees is sometimes overlooked or treated as a single batch with weak supporting documentation.

A Note from Our Founder — Adrian Lawrence FCA

The Tier 1 Conduct Rules are the foundation of personal accountability in regulated firms. They apply to virtually every employee — finance, operations, compliance, technology, sales, advice — and they describe the minimum standard of conduct expected of anyone working in financial services. The firms that get the framework right treat it as cultural, not administrative — they integrate it into performance management, use breach data as a leading indicator of cultural health, and demonstrate visibly through senior management behaviour that the rules describe the floor of expected conduct, not aspirational standards.

The recruitment dimension that comes up regularly in our placements is the candidate disclosure question. Candidates with adverse Conduct Rules history sometimes try to manage it by avoiding disclosure during interview, hoping the matter won’t surface during reference checks. This rarely works — Regulatory References are mandatory and substantive, and discovery of undisclosed history during the reference stage typically derails placements that might have been workable with earlier honest disclosure. The advice I give candidates with adverse history is to disclose proactively at first interview, with context — most hiring firms can accommodate disclosed history if the candidate has demonstrably learned from the experience and the underlying issues are not repeated patterns.

For hiring firms, the question is what weight to place on disclosed Conduct Rules findings during fitness assessment. The honest answer is that context matters substantially — the nature of the conduct, the firm’s response, what the candidate has done since, and whether the issue would be a concern for the new role. Mechanical disqualification on the basis of any disclosed finding is rarely appropriate, but equally, ignoring substantive findings creates regulatory exposure for the new firm.

At FD Capital we work with candidates and firms across the FCA-regulated population. If you are recruiting for a regulated firm role and want to discuss how to approach reference checking, candidate disclosure, or the broader fitness assessment process, I’m happy to have a direct conversation.

Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383

Hire for FCA-Regulated Firms with Conduct Rules Awareness

FD Capital’s recruiters understand the Conduct Rules framework, the Regulatory References regime, and the substantive disclosure obligations that affect candidate-firm matching in regulated firms. We place senior finance, compliance, risk and operations leaders with appropriate fitness assessment.


Further Reading and Authoritative Sources

For the FCA’s authoritative guidance on Conduct Rules, see COCON, with the Tier 1 rules at COCON 2.1. For breach reporting, see SUP 15. For Regulatory References, see SYSC 22. For the broader SMCR framework, see the FCA’s SMCR pages.
