COCON – Code of Conduct

The Code of Conduct is an FCA Regulatory cornerstone which clearly details the expectations regarding the professional conduct of all staff working within the insurance sector, unless employed in one of a very limited set of roles:

  • receptionists;
  • switchboard operators;
  • post room staff;
  • reprographics/print room staff;
  • property/facilities management;
  • events management;
  • security guards;
  • invoice processing;
  • audio visual technicians;
  • vending machine staff;
  • medical staff;
  • archive records management;
  • drivers;
  • corporate social responsibility staff;
  • staff taking part in the following activities of the firm: the firm’s activities as a data controller, or the firm’s activities of data processing, as defined in the data protection legislation;
  • cleaners;
  • catering staff;
  • personal assistant or secretary;
  • information technology support (i.e., helpdesk); and
  • human resources administrators/processors.

The Rules

There are five basic Conduct rules that apply to all employees and management:

There are four additional Conduct rules that only apply to Senior Management and Directors:

Adherence Guidance

The rules may seem relatively obvious and even unnecessary to most people, as they are quite simply common sense and professional standards which most would already aim for. Below we look in more depth at the caveats and nuances of each rule to better understand how to avoid breaches.

Examples of breaches of this rule include:

  • Misleading (or attempting to mislead) by act or omission, either a client, Connect Insurance, the FCA or the PRA.
  • Falsifying documents.
  • Providing false or inaccurate documentation or information, including details of training, qualifications, past employment record or experience.
  • Providing false or inaccurate information to: (a) the firm (or to the firm’s auditors); or (b) the FCA or the PRA.
  • Destroying, or causing the destruction of, documents (including falsified documentation), or tapes or their contents, relevant to misleading (or attempting to mislead) a client, Connect Insurance, or the FCA or the PRA.

  • Failing to disclose dealings where disclosure is required by the firm’s personal account dealing rules.

  • Misleading others in the firm about the nature of risks being accepted.

  • Designing transactions to disguise breaches of requirements and standards of the regulatory system.

  • Not paying due regard to the interests of a customer.

  • Acts, omissions or business practices that could be reasonably expected to cause customer detriment.

Examples of breaches of this rule include:

  • Failing to inform a customer, or their firm (or its auditors), of material information in circumstances where the member of conduct rules staff was aware, or ought to have been aware, of such information, and of the fact that they should provide it.

It is important for a manager to understand the business for which they are responsible. A manager is unlikely to be an expert in all aspects of a complex financial services business. However, they should understand and inform themselves about the business sufficiently to understand the risks of its trading, credit or other business activities. It is important for a manager to understand the risks of expanding the business into new areas and, before approving the expansion, they should investigate and satisfy themselves, on reasonable grounds, about the risks, if any, to the business. Where unusually profitable business is undertaken, or where the profits are particularly volatile or the business involves funding requirements on the firm beyond those reasonably anticipated, a manager should require explanations from those who report to them. Where those explanations are implausible or unsatisfactory, they should take steps to test the veracity of those explanations. Where a manager is not an expert in a business area, they should consider whether they (or those with whom they work) have the necessary expertise to provide an adequate explanation of issues within that business area. If not, they should seek an independent opinion from elsewhere, within or outside the firm.

Examples of Manager’s breaches of this rule include:

  • Failing to take reasonable steps to ensure that the business of the firm for which the manager has responsibility: is controlled effectively; complies with the relevant requirements and standards of the regulatory system applicable to that area of the business; and is conducted in such a way to ensure that any delegation of responsibilities is to an appropriate person and is overseen effectively.

  • Failing to take reasonable steps to adequately inform themselves about the affairs of the business for which they are responsible, including: permitting expansion of the business without reasonably assessing the potential risks of that expansion; inadequately monitoring highly profitable transactions or business practices, or unusual transactions or business practices; accepting implausible or unsatisfactory explanations from subordinates without testing the veracity of those explanations; and failing to obtain independent, expert opinion where appropriate.

  • Failing to take reasonable steps to maintain an appropriate level of understanding about an issue or part of the business that the manager has delegated to an individual or individuals (whether in-house or outside contractors).

Best practice is to cooperate and assist with a regulator’s enquiry, such as those from the FCA, PRA, FOS, ICO and H&SE. Do not fail to answer questions, be evasive or hide important facts from the FCA or FOS. Do not cover up serious breaches of regulation. Do not mislead the ICO about a data protection breach.

Examples of breaches of this rule include:

  • Failing to report promptly in accordance with their firm’s internal procedures (or, if none exist, direct to the regulator concerned), information in response to questions from the FCA, the PRA, or both the PRA and the FCA.

  • Failing without good reason to: inform a regulator of information of which the approved person was aware in response to questions from that regulator; attend an interview or answer questions put by a regulator, despite a request or demand having been made; and supply a regulator with appropriate documents or information when requested or required to do so and within the time limits attaching to that request or requirement.

This applies to all conduct rules staff, regardless of whether that person has direct contact or dealings with customers of the firm. Persons subject to the rules in COCON should consider how their actions (or their failure to act) can affect the interests of customers or result in customers being treated unfairly.

Connect Insurance must:

  • Ensure the recruitment, training and employment of competent staff to provide acceptable service.
  • Consider the interests and rights of customers when making/changing business plans.
  • Not unfairly overcharge customers or take advantage/exploit them through pricing practices/fees.
  • Not provide a product or service which is unsuitable or not required by the customer.
  • Not take advantage of vulnerable customers.
  • Ensure customers understand what they are buying, and avoid using unsuitable documents.
  • Not use pressure sales techniques.
  • Not mislead a customer with regards to the risks they are running by financial promotions or adverts.

Examples of breaches of this rule include:

  • Failing to inform a customer of material information in circumstances where they were aware, or ought to have been aware, of such information and of the fact that they should provide it.

  • Undertaking, recommending or providing advice on transactions without a reasonable understanding of the risk exposure of the transaction to a customer.

  • Providing a customer with a product which is different to the one applied for by that customer, unless the customer understands the differences and understands the product they have purchased.

  • Failing to acknowledge, or seek to resolve, mistakes in dealing with customers.

  • Failing to provide terms and conditions to which a product or service is subject in a way which is clear and easy for the customer to understand.

A general consideration about whether or not a person’s conduct complies with the relevant requirements and standards of the market is whether they, or the firm, comply with relevant market codes and exchange rules. Compliance with relevant market codes and exchange rules will tend to show compliance.

Examples of breaches of this rule include:

  • Not acting professionally and displaying poor behaviour when dealing with other companies.

  • Not following accepted market practice.

  • Giving a level of service significantly lower than the customer expects or is entitled to receive.

  • Not obeying the letter or the spirit of the law.

  • Employing aggressive sales techniques that bring the insurance market into disrepute.

  • Providing insufficient or poor product design.

  • Providing inadequate standards of claims handling.

  • Holding a low opinion of customers or claimants.

  • Have clear reporting lines.
  • Where staff have dual reporting lines, responsibility & accountability must be clear.
  • Have clear levels of authorisation throughout the business, and job descriptions where required.
  • Have appropriate policies and procedures for reviewing competence, skill and knowledge of all staff.
  • Have performance reviews to deal with unsatisfactory behaviour or work.
  • Ensure Senior Managers who leave enable their replacement to take over smoothly.
  • Pay attention to any temporary vacancies or absences that occur; assess the risk to compliance of an absence, and either fill temporary vacancies or suspend the activity if necessary.
  • Do not give undue weight to financial performance when conducting staff reviews for compliance issues.
  • Investigate issues when concerns are raised including issues such as bullying or social misconduct.
  • Have adequate compliance and monitoring procedures.
  • Investigate and correct compliance failures.
  • Ensure compliance function has necessary resources, authority, expertise and information.
  • Inform yourself of serious compliance breaches.
  • Assure yourself that procedures are being followed.
  • Have evidence that the delegate has the competence, skill, knowledge and time necessary.
  • Never disregard an issue or part of the business after it has been delegated.
  • Acquire adequate reports on issues delegated.
  • Monitor or supervise individuals where you have delegated responsibility.
  • Take personal action when progress is unreasonably slow.
  • Do not accept implausible or unsatisfactory explanations without testing their accuracy.
  • Allocate adequate resources to those carrying out delegation.
  • Always monitor outsourced activities.
  • Ensure each Senior Manager is responsible for their own area of the business.
  • Tell the FCA anything it would expect to know and for which you are responsible.
  • Whistle blow on other Senior Managers only when it is obvious that they are acting irresponsibly.
  • Make enquiries rather than disregard the matter if you have any doubts about compliance breaches.

A firm must monitor its staff to identify breaches of COCON. This can include approaches such as call checks or monitoring customer engagement. If you breach the rules, the firm must take action, and must tell the FCA within 7 days if disciplinary action has been taken against you, such as issuing a formal written warning, suspension/dismissal, or reduction/recovery of remuneration.

If you are appointed as a Senior Manager/Certified Staff member at another firm, your new employer must obtain a Regulatory Reference covering your last 6 years of employment, which must include any breaches of the Code of Conduct and any disciplinary action taken against you. NDAs are now banned. If you are the Senior Manager responsible for the Code of Conduct, you must obtain a Regulatory Reference for each Senior Manager/Certified Staff Member that you appoint.

Applying for a Regulatory Reference is mandatory, as is supplying one when requested. The FCA Regulatory Reference template must be used.

A company is also responsible for informing the FCA, on an annual basis, of any breaches by any of its staff members that resulted in disciplinary action.

Employees must be aware that they can be subject to external monitoring by third parties if, for example, a customer files a complaint against them regarding their behaviour, attitude or general conduct.

COCON will require collaboration across all areas of your business. HR and Training & Compliance teams must understand the new regulations. It will impact on all areas including job roles, competency frameworks, contracts, recruitment policies, inductions, disciplinary procedure, breach definitions and more.

Regulatory training is necessary and reporting is expected.