
Conduct Rules for Non-Executive Directors (NEDs)

NEDs are an important part of a firm's governance and provide independence and oversight. In addition to complying with the statutory and fiduciary duties, NEDs in financial services have regulatory obligations.

The Conduct Rules set the standard of personal conduct for everyone in financial services. NEDs are subject to higher standards and a higher level of accountability than others in the firm. 

Our Conduct Rules for Non-Executive Directors (NEDs) course outlines which conduct rules apply to NEDs.

  • 30 Minutes
  • Managers
  • Based on UK legislation, but suitable for global audiences upon the removal of UK-specific references and translation as necessary.

Learning objectives

  • Understand how the Senior Managers and Certification Regime (SM&CR) applies to NEDs
  • Understand when a NED may become the holder of a Senior Manager Function
  • Recall the Conduct Rules that apply to you as a NED
  • Explain how the Conduct Rules apply in practice
  • Describe how you will comply with the Conduct Rules in your role
  • Describe when the Prudential Regulation Authority (PRA) or Financial Conduct Authority (FCA) might take action for non-compliance with the Conduct Rules

    What can you expect your employees to learn?

Welcome

What are the Conduct Rules for NEDs?

  • NEDs are treated differently under SMCR

The Senior Managers & Certification Regime

  • What are the Conduct Rules?

Individual Conduct Rule 1: Integrity

  • Examples of breaches
  • You decide: Is it a breach?
  • Individual Conduct Rule 1: Key takeaways 

Individual Conduct Rule 2: Due skill, care & diligence

  • Examples of breaches
  • You decide: Is it a breach?
  • Individual Conduct Rule 2: Key takeaways

Individual Conduct Rule 3: Cooperation with regulators

  • Examples of breaches
  • You decide: Is it a breach?
  • Individual Conduct Rule 3: Key takeaways

Individual Conduct Rule 4: Customers' interests

  • Examples of breaches
  • You decide: Is it a breach?
  • Individual Conduct Rule 4: Key takeaways

Individual Conduct Rule 5: Market conduct

  • Examples of breaches
  • You decide: Is it a breach?
  • Individual Conduct Rule 5: Key takeaways

Individual Conduct Rule 6: Consumer Duty

  • Examples of breaches
  • You decide: Is it a breach?
  • Individual Conduct Rule 6: Key takeaways

Senior Manager Conduct Rule 4: Disclosures to regulators

  • You decide: Is it a breach?
  • Senior Manager Conduct Rule 4: Key takeaways
  • Handling breaches

Serious consequences

  • In the news: Regulatory repercussions
 

Summary

Affirmation

Assessment

Start your compliance e-learning journey with a free trial

Our no-obligation free trial gives you access to our libraries and compliance platform. 

Ready to start your free trial? Complete the form, and a member of the Skillcast team will be in touch with further details.

Your questions, answered

What is SMCR?

There are three key parts to the SMCR: Senior Managers Regime, Certified Persons Regime and Conduct Rules.

Senior Managers Regime
This enforces a detailed and clear allocation of responsibilities between senior managers at each firm, with particular emphasis placed on key documents - 'Statements of Responsibilities' and 'Responsibilities Maps'. These help to record the distribution of responsibility to individual Senior Managers and to demonstrate to the regulators that there are no gaps or excessive overlaps.

Always bear in mind that Senior Managers have a statutory duty of responsibility "to take reasonable steps to prevent regulatory breaches in the areas of the firm for which they are responsible".

Certification Regime
This requires firms to check and confirm that employees performing roles relating to the firm's regulated activities are fit and proper, based on their qualifications, competence and personal characteristics.

Once this has been confirmed, the firm needs to issue them with a certificate that must be renewed every year.

Conduct Rules
This consists of a set of rules provided in the FCA's Code of Conduct Handbook (COCON) that covers all individuals: Senior Managers, Certified Persons and other employees.

What is the scope of the SMCR?

SMCR rollout waves
The SMCR has been rolled out in three waves:

Wave 1: Banks, building societies, credit unions and large investment firms in March 2016 (updated July 2018)
Wave 2: Extended to insurance firms (those regulated by the FCA and PRA) in December 2018
Wave 3: The remaining financial services firms (otherwise known as 'solo-regulated firms' since they are regulated only by the FCA, not the FCA and PRA) came under the scope of this regime in December 2019.

SMCR categories
The range of firms in the third wave is very diverse. Consequently, the FCA has grouped them into three categories to ensure that the regulation is proportionate to their sizes and activities:

Core: Firms that have to comply with the baseline requirements for solo-regulated firms
Limited scope: Firms that already had exemptions under the Approved Persons Regime, and are exempt from some requirements and require fewer senior management functions
Enhanced: Firms that have extra requirements - these are large, complex firms with potential impact on consumers or markets which warrant more attention from the FCA

What's needed to comply with SMCR?

  1. Statement of Responsibilities - Set out the areas for which each Senior Manager is personally accountable
  2. Responsibilities Map - This knits together the Statement of Responsibilities
  3. Pre-approval for all Senior Managers - obtain this from the regulators before they carry out their roles
  4. Duty of Responsibility - Ensure that Senior Managers understand their responsibilities and take reasonable steps to prevent regulatory breaches in their areas of responsibility
  5. Identify all Certified Persons - These are all material risk takers
  6. Fit and Proper Assessment - Of all Certified Persons, then re-assess on an annual basis
  7. Training - Of all those who are subject to the Conduct Rules

SMCR Training

To stay on the right side of the FCA's guidance, all firms must ensure that all employees subject to the conduct rules are notified and provided with 'suitable' training.

Such training must result in employees gaining awareness and a broad understanding of all of the conduct rules, as well as a deeper understanding of the practical application of the specific rules which are relevant to their work.

To help with SMCR implementation, we have created a 3-step training model.

We provide a comprehensive set of SMCR training courses for all financial firms, including banking, insurance and solo-regulated firms.

Duty of Responsibility

Senior Managers have a statutory duty of responsibility "to take reasonable steps to prevent regulatory breaches in the areas of the firm for which they are responsible".

The FCA can take action against a Senior Manager (SM) where it can show that:

  • There was misconduct by the SM's firm,
  • At the time of the misconduct or during any part of it, the SM was responsible for the management of any of the firm's activities in relation to which the misconduct occurred, and
  • The SM did not take such steps as a person in their position could reasonably have been expected to take to avoid the misconduct occurring or continuing.

The burden of proof for all these elements lies on the FCA. The SM does not need to show that they took reasonable steps - rather, it is for the FCA to prove that they did not. The defence against such action is if the senior manager can show that they took "the steps that are reasonable for a person in that position to take to prevent a regulatory breach from occurring".

Fitness and Propriety

The FCA must approve all senior managers, assessing whether they are fit and proper to perform the given function or responsibility.

Three key factors determine whether you are Fit and Proper:

  • Honesty, integrity and reputation
  • Competence and capability
  • Financial soundness

When determining a person's financial soundness, the FCA will not normally require a statement of assets or liabilities of the person. Limited financial means does not in itself affect the suitability of a person to perform an SMF.

When appointing a Senior Manager or Certified Person, firms must obtain a regulatory reference from all their past employers going back six years. This requirement also applies when appointing NEDs who are not Senior Managers.

For this purpose, firms need to retain records of disciplinary and fit and proper findings going back six years and not enter into arrangements that conflict with their disclosure obligations.

What are the SMCR Conduct Rules?

SMCR incorporates new high-level standards of behaviour that apply to almost all employees who carry out financial services activities in a firm. Some Conduct Rules apply to all employees, while others apply only to Senior Managers.

The Conduct Rules are intended to drive up standards of individual behaviour in financial services. By applying them to a broad range of staff, the FCA aims to improve individual accountability and awareness of conduct issues across firms.

Individual Conduct Rules (ICRs)
These apply to all employees, with the exception of ancillary staff, such as facility managers, personal assistants, receptionists, medical staff, IT and HR, who perform a purely non-financial-services role. These ICRs also apply to Non-Executive Directors.
ICR 1: You must act with integrity
ICR 2: You must act with due skill, care and diligence
ICR 3: You must be open and cooperative with the FCA, the PRA and other regulators
ICR 4: You must pay due regard to the interests of customers and treat them fairly
ICR 5: You must observe proper standards of market conduct

Senior Manager Conduct Rules (SMCRs)
These apply only to Senior Managers, including NEDs (SC 4 even applies to out-of-scope NEDs).
SC 1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively
SC 2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system
SC 3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively
SC 4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice

What does SMCR Best Practice look like?

Stay up to date with SMCR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech by subscribing to the Skillcast Compliance Bulletin.

3-Step SMCR Training Model
Whether you're new to the SMCR or benchmarking existing processes, our training model will help get your compliance training on track.

FCA Conduct Rules Training Aid
Our desk aid has ten tips on how to ensure your staff fully understand and adhere to conduct rules.

FCA COCON Breaches Desk Aid
Our desk aid reminds all of your staff of the ten easiest ways to breach the FCA Code of Conduct.

Operational Resilience Implementation Checklist
Ensure your firm follows the FCA guidelines for a compliant operational resilience programme.

Fit and Proper Training Presentation
Firms need to assess the Fitness and Propriety (F&P) of Senior Managers and Certified Persons when they are appointed and on an ongoing basis. Our F&P training presentation uses scenarios to help explain this further.

SMCR & Non-financial Misconduct
A lack of public confidence and some damaging press stories have renewed the FCA's focus on conduct, including non-financial misconduct. Find out more, including a free training module and a desk aid.

SMCR Solo-Regulated Firms Key Questions Answered
We answer the questions every solo-regulated firm has been asking.

SMCR Insurance Firms Key Questions Answered
We also answer the questions every insurance firm has been asking.

How to Evidence your SMCR Competence
If you cannot articulate what is adequate and competent within your firm, you simply won't be able to evidence SMCR compliance when the FCA comes knocking!

How to Prevent SMCR Training Damaging Staff Motivation
SMCR created a step-change in personal accountability, causing a headache, especially when dealing with those who've never been accountable before. That's why it's important to take steps to address any issues before they spiral out of control.

 

 

What are the SMCR Functions?

The Senior Managers Regime (SMR) applies to those who perform a Senior Management Function (SMF). The FCA has classified specific functions as SMFs, so that it knows who a firm's senior decision-makers are, and to make sure that firms clearly allocate specific responsibilities to those key individuals.

In certain circumstances, firms can have more than one individual performing a single SMF. However, the FCA expects that SMFs are only shared where it is justified and appropriate.

 

The list of SMFs that apply depends on the type of firm.

5.1 Governing Function SMFs

SMF1 - Chief Executive - Core and Enhanced firms
SMF3 - Executive - Core and Enhanced firms
SMF7 - Group Entity Senior Manager - Enhanced firms only
SMF9 - Chair (non-executive) - Core and Enhanced firms
SMF10 - Chair of the Risk Committee - Enhanced firms only
SMF11 - Chair of the Audit Committee - Enhanced firms only
SMF12 - Chair of the Remuneration Committee - Enhanced firms only
SMF13 - Chair of the Nominations Committee - Enhanced firms only
SMF14 - Senior Independent Director - Enhanced firms only
SMF27 - Partner - Core and Enhanced firms

5.2 Required Function SMFs

SMF16 - Compliance Oversight - Core and Enhanced firms (and sole traders, authorised professional firms and oil market participants)
SMF17 - Money Laundering Reporting Officer - Core and Enhanced firms (and sole traders and oil market participants)
SMF18 - Other Overall Responsibility - Enhanced firms only
SMF29 - Limited Scope Function - Limited Scope firms (e.g. limited permission consumer credit firms, authorised professional firms, firms that intermediate insurance without this being principal business)

 

The Overall Responsibility requirement means that an Enhanced firm will need to make sure that every activity, business area and management function has a Senior Manager with overall responsibility for it. This is to prevent an unclear allocation of responsibilities.

Overall Responsibility means that a Senior Manager:

  • Has ultimate responsibility for managing or supervising a function
  • Briefs and reports to the governing body about their area of responsibility
  • Puts matters requiring decisions about their area of responsibility to the governing body

5.3 Systems and Control SMFs

SMF2 - Chief Finance Function - Enhanced firms only
SMF4 - Chief Risk Function - Enhanced firms only
SMF5 - Head of Internal Audit - Enhanced firms only
SMF24 - Chief Operations Function - Enhanced firms only

What are the required responsibilities under the SMCR?

You need to be aware that there are more responsibilities for Senior Managers than just the ones found within each SMF's definition. The regulators have listed certain 'Prescribed Responsibilities' (PRs) that each firm is required to allocate between Senior Managers.

Each PR would generally be allocated to the Senior Manager who performs the SMF most closely linked to the given responsibility. PRs can be shared but not split between Senior Managers. Where responsibility is shared, it is recorded identically in each of the Senior Managers' Statements of Responsibilities.

If there is a breach, all Senior Managers sharing that responsibility may be required to demonstrate that they took reasonable steps to prevent or stop the breach.

The list of PRs that applies depends on the type of firm. Responsibilities (a), (b), (b-1), (d) below cannot be allocated to SMF 18 (Other Overall Responsibility) and responsibilities (j), (k), (l) below should be performed by a non-executive director if possible.

(a) Performance by the firm of its obligations under the SMR, including implementation and oversight - All firms
(b) Performance by the firm of its obligations under the Certification Regime - All firms
(b-1) Performance by the firm of its obligations in respect of notifications and training of the Conduct Rules - All firms
(d) Responsibility for the firm's policies and procedures for countering the risk that the firm might be used to further financial crime - All firms
(z) Responsibility for the firm's compliance with CASS (if applicable) - All firms
(c) Compliance with the rules relating to the firm's Responsibilities Map - Enhanced firms only
(j) Safeguarding and overseeing the independence and performance of the internal audit function (in accordance with SYSC 6.2) - Enhanced firms only
(k) Safeguarding and overseeing the independence and performance of the compliance function (in accordance with SYSC 6.1) - Enhanced firms only
(l) Safeguarding and overseeing the independence and performance of the risk function (in accordance with SYSC 7.1.21R and SYSC 7.1.22R) - Enhanced firms only
(j-3) If the firm outsources its internal audit function, taking reasonable steps to ensure that every person involved in the performance of the service is independent from the persons who perform external audit, including supervision and management of the work of outsourced internal auditors, and management of potential conflicts of interest between the provision of external audit and internal audit services - Enhanced firms only
(t) Developing and maintaining the firm's business model - Enhanced firms only
(s) Managing the firm's internal stress tests and ensuring the accuracy and timeliness of information provided to the FCA for the purposes of stress-testing - Enhanced firms only
(za) Responsibility for an AFM's assessments of value, independent director representation and acting in investors' best interests - Authorised Fund Managers

Which courses are included in CoreCompliance?

All users get access to courses on popular compliance topics, such as: bribery, cybersecurity, equality, health and safety. In addition, you can get courses specific to your business sector.

There are over 150 courses included within the CoreCompliance package. The actual courses provided depend on the sector chosen for the subscription.

Are CoreCompliance courses only intended for use by those based in the UK?

Most of our courses are non-jurisdiction-specific and informed by global standards. However, some of them are specifically about UK law. We currently only recommend CoreCompliance outside the UK for courses on common standards. This includes Modern Slavery, Money Laundering, and Bribery.

Do the courses bookmark my progress?

Yes, all the courses have automatic bookmarking. If you close a course without completing it, you can return to where you left off or restart the course. However, if the course features a video, your progress through the video will not be bookmarked, and you'll need to start the video afresh upon your return.

What are in-depth courses?

Your subscription includes in-depth e-learning courses on bribery, money laundering, data protection, and equality. These are ideal for annual compliance training. Each course takes 30-45 minutes and provides comprehensive foundational knowledge. Learners can evidence completion with a certificate and CPD points.

What are microlearning courses?

CoreCompliance includes microlearning courses on most topics that you need for employee compliance training. These are typically 2-3 minutes long and illustrate the compliance topic using engaging visuals and storylines. For each course, employees can download a certificate evidencing their completion.

Can we use a Skillcast certificate to evidence training to regulators, courts, etc?

Yes, you can present a Skillcast certificate to evidence training. Skillcast can verify its validity, i.e., when and on which account the training was done, the time spent, etc. But of course, we can't prevent one person from sitting in place of another to do the training. That's up to the client company to ensure. Also, Skillcast is not an accredited certification body. Therefore, the certificates are only proof of training completion, not a legal document.

What is "mandatory training"?

All users in your account can see all the courses available for your business sector. You can set any of these courses as "mandatory training" for one or more users. Doing this assigns the courses to them with a deadline and sends them notification emails. If they don't complete the course within the deadline, they get reminder emails to complete the assignment.

How do I check my mandatory training?

The "Mandatory Training" box on the homepage shows the percentage of completed, incomplete, and overdue mandatory training. Select the box to access your incomplete mandatory training. The date (shown in the DD/MM/YYYY format) is your deadline for completing the course.

What is in my training record?

Your training record shows a list of the courses that you've started and completed. You can select each entry to see more details, such as your passing score and your certificate. You can access your training record by selecting "Certificates" at the top of the screen.

Can I get certificates for courses I've completed?

Yes, you can download a course completion certificate after you've completed a course. To do this, select "Certificates" at the top of your screen, and then choose the relevant course from the list of those that you've completed.

How do I update my details?

Select "My Profile" at the top of the screen to change your details.

Do I get a dashboard to manage my employees?

Yes, CoreCompliance provides you with an admin dashboard where you can manage and monitor your learners. It enables you to check whether your employees have completed the mandatory training you have assigned to them. You can also download a report showing the completed, pending or overdue assignments for all your users.

How do I start a subscription?

Subscribing to CoreCompliance is easy. You are already registered for a trial. Select "Purchase" at the top of the screen and select the number of seats you need (you will need a seat for yourself). You can pay using a credit or debit card, which will be processed by Stripe.

Can I change the number of seats in my subscription?

Yes, you can upgrade your subscription to a higher number of seats at any point during your subscription by selecting "Billing" at the top of the page. This will be charged pro rata. You can also reduce the number of seats at any point, but this change will take effect from the next renewal date.

Can I get monthly or annual subscriptions?

All subscriptions are on an annual basis. We don't offer monthly subscriptions.

Can I get an invoice for the subscription?

Yes, you will receive your invoice and payment receipt by email. After the purchase, you can also log in to Stripe to download your invoice and receipt.

How long do I have to wait to assign training after making the payment?

After your payment has been processed successfully, you and your employees will have immediate access to all the e-learning. You will need to add their names and email addresses to give them access.

How do I purchase more seats?

Your admin dashboard shows the number of seats you currently have available. You can purchase more seats at any point during your subscription. To do this, select "Billing" at the top of the page, allowing you to add more users to your Portal. You can have a maximum of 50 seats in total.

Can I reuse the seats of employees who have left my company?

Yes, you can free up seats by archiving users who have left your company and assigning those seats to others in your company.

Can I add more than 50 users to my subscription?

CoreCompliance is only available for up to 50 users. If you require more than 50 seats, you will need to upgrade to our Standard Plan. You can contact our Sales team via our website.

Can I get a refund if I terminate my subscription partway through the year?

Unfortunately not. CoreCompliance subscriptions are for a whole year. If you terminate your subscription partway through the year, we will not renew it, but we can't give you any refunds.

Are Skillcast courses SCORM-compliant?

Yes. This means they can be delivered via the Skillcast Portal or any other SCORM-compliant Learning Management System.

What other tools are needed beyond training?

A comprehensive compliance solution often needs more than just training. Alongside e-learning, tools like declarations, surveys, and registers that track compliance tasks are usually essential. Skillcast provides full support to help you set up these additional tools.

Is our training content still compliant with the latest legislation?

  • You can check the latest course content updates in our library updates page: https://www.skillcast.com/compliance-course-library-updates
  • For major legislative changes, we:
    • Will send you email alerts to ensure you are notified
    • Offer you a free trial of newly created or updated content
    • Host webinars with compliance experts to explain the changes and how our training supports your ongoing compliance

Can you translate our content into other languages?

Yes, we offer translations in a wide range of languages. Let us know your needs, and we’ll confirm availability or work with you to plan translations for your selected modules.

How can I give employees a secure way to record suspicious activity so we can act quickly?

Our Suspicious Activity Register allows staff to log concerns or irregularities they observe, helping you detect potential issues early. The secure register can be reviewed by compliance teams, enabling prompt investigation and action.

What file types are supported by the Skillcast system?

Features

Supported file types and details

File Exchange

File types: PDF, Excel spreadsheets, Word documents, SCORM and xAPI files, and compressed zip files. Max file size: Default is 1GB, can be increased to a max of 2GB

SCORM files

Versions: SCORM 1.2, SCORM 1.2 for Moodle, SCORM 2004 2nd, 3rd and 4th Edition. Max file size: 1024MB

xAPI file

Max file size: 2GB

Videos

File types: MP4 or MOV. Videos must be optimised, with a max file size of 100MB. If the file is bigger, our Design Team can help

Images

File types: jpg, png and gif. The file size should ideally be 100KB, but it can be up to 250KB

CPD evidence

File types: Word, PDF, Excel and CSV. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB

Policy documents

File types: PDF or Word. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB

Offline activities evidence

File types: PDF, DOC, DOCX, XLS, XLSX, CSV, PNG, GIF, JPEG, JPG, PPTX and MSG. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB

Client logo files

File types provided by client: EPS, PDF, AI and SVG

Registers

PDF, DOC, DOCX, XLS, XLSX, CSV, PPT, PPTX, POT, PPA, PPS, JPG, JPEG, PJEPG, PNG, BMP, GIF, MP4, MOV, WMV, CPTX, CP, TXT, ZIP and MSG files

Declarations

JPG, JPEG, PNG, GIF, XLS and XLSX files