
Developing Secure Applications

The way companies build software and technology systems is evolving very rapidly. It is becoming increasingly automated and integrated. Our Developing Secure Applications course explains the principles behind ensuring secure software development and deployment are in place.

  • 45 Minutes
  • For all staff

Learning objectives

  • Recognise the importance of developing and deploying software securely
  • Understand the major principles of secure development
  • Identify areas of your development process that could be vulnerable or made more secure
  • Take steps to improve the security of your development process
  • Know what our regulators consider to be key risk areas when developing secure applications
  • Understand the importance of compliance with the Senior Managers and Certification Regime (SM&CR) when developing secure applications

Start your compliance e-learning journey with a free trial

Our no-obligation free trial gives you access to our libraries and compliance platform. 

Ready to start your free trial? Complete the form, and a member of the Skillcast team will be in touch with further details.

Your questions, answered

Which principle is most important in an insurance contract?

Utmost good faith is the most critical, requiring both parties to disclose all material facts. Without it, contracts risk being invalidated under UK insurance law.

What is proximate cause in insurance?

It is the dominant, effective cause of loss, not merely the last or nearest event. Courts use proximate cause to determine whether a peril covered by the policy actually triggered the claim.

How does the principle of indemnity work in real-life claims?

The principle of indemnity ensures you’re restored to your pre-loss financial state, not profiting from claims. For example, if your insured car repair costs £9,000, the insurer pays that amount, not the full policy limit.

What types of firms are regulated under CONC?

Under the Consumer Credit sourcebook (CONC), firms engaged in consumer credit activities, including lenders, credit brokers, debt management firms, and credit information services, are regulated by the Financial Conduct Authority (FCA). This encompasses a broad spectrum of consumer finance services, such as personal loans, hire purchase agreements, and credit broking.

How often should firms review their CONC compliance policies?

Firms are required to review their CONC compliance policies regularly to ensure they remain effective and up to date. While the FCA does not prescribe a specific review frequency, it is generally expected that firms assess their compliance arrangements periodically, taking into account changes in business operations, regulatory updates, and market conditions. 

What triggers an FCA investigation into CONC breaches?

The FCA may initiate an investigation into potential breaches of CONC if there is evidence of widespread or repeated failures that could harm consumers. Triggers include patterns of non-compliance, consumer complaints, or findings from supervisory activities that suggest systemic issues.

What kind of staff training is required to meet CONC standards?

To meet CONC standards, firms must ensure that their staff receive appropriate training and supervision. This includes providing relevant training before employees work with reduced supervision and ensuring supervisors have the necessary technical knowledge and coaching skills.

How does insider trading affect businesses and investors?

Insider trading damages market fairness, giving some investors an unfair advantage and undermining trust. For businesses, it risks reputational harm and FCA penalties, even without personal gain. Investors face distorted prices and reduced confidence, with the FCA finding signs of insider dealing in nearly a third of UK takeovers.

What tools are used to detect insider trading?

The FCA relies on surveillance systems, transaction data, and Suspicious Transaction and Order Reports (STORs). Firms must keep insider lists and use internal trade monitoring, pre-clearance systems, and staff training.

How does the FCA regulate insider trading?

The FCA regulates insider trading under the Financial Services and Markets Act 2000, the Criminal Justice Act 1993, and UK MAR, reinforced by the Financial Services Act 2021. Sanctions include unlimited fines, injunctions, public censures, and up to 10 years’ imprisonment.

What is a Recognised Investment Exchange (RIE) and how is it regulated?

A Recognised Investment Exchange (RIE) is a UK exchange authorised by the FCA to trade securities or derivatives. RIEs must maintain orderly markets, monitor for abuse, and ensure member compliance, with the FCA supervising their operations and enforcing rules as needed.

What steps can firms take to avoid FCA penalties?

Firms can mitigate the risk of FCA penalties by establishing comprehensive compliance frameworks. This includes implementing clear policies on market abuse, conducting regular staff training, maintaining accurate insider lists, and ensuring timely submission of Suspicious Transaction and Order Reports (STORs). Additionally, firms should regularly audit their surveillance systems to detect and address any potential issues promptly.

How does the FCA monitor and detect market abuse?

The FCA employs advanced surveillance tools to monitor trading activities, including the analysis of transaction reports and order books. Firms are required to submit STORs when they suspect market abuse, and issuers must maintain insider lists. The FCA also collaborates with other regulators and uses data analytics to identify and investigate potential instances of market abuse, ensuring the integrity of UK financial markets.

What does FCA COBS stand for?

FCA COBS stands for the Financial Conduct Authority’s Conduct of Business Sourcebook, which sets out rules and guidance for how regulated firms must interact with clients, market products, and provide advice.

What is the main purpose of COBS?

Its goal is to ensure firms act honestly, fairly, and professionally in the best interests of clients, with clear, fair, and not misleading communications.

Where can I find the full COBS rules?

The complete COBS section is available in the FCA Handbook, which is updated frequently.

Who needs to comply with COBS rules?

Any FCA‑regulated firm carrying out designated investment business, ancillary services, or insurance‑related activities in the UK, including advisers, brokers, wealth managers, and investment platforms, must comply.

Who do the FCA Principles apply to?

They apply to all FCA‑regulated firms and individuals performing controlled functions, regardless of size or sector.

How are the FCA Principles enforced?

The FCA enforces the Principles through regulatory, civil, and criminal powers, including fines, public censures, and prohibitions. Their approach is detailed in the FCA Enforcement Guide.

What happens if a firm fails to notify the FCA of an issue?

Firms are required to notify the FCA promptly of any matters that could have a significant adverse impact on their ability to meet regulatory requirements. Failure to do so can result in enforcement action, including fines or other sanctions.

How can firms ensure compliance with the FCA Principles?

Firms can ensure compliance with the FCA Principles by implementing robust governance frameworks, conducting regular risk assessments, and maintaining effective internal controls. This includes establishing clear policies and procedures, providing ongoing staff training, and fostering a culture of compliance throughout the organisation.

How often should FCA Code of Conduct training be refreshed to remain effective?

Firms should refresh Code of Conduct training at least annually, or more frequently if there are significant regulatory updates, changes in business processes, or lessons learned from compliance breaches. Regular refreshers help maintain awareness and reinforce the expected behaviours across the organisation.

How can firms tailor Code of Conduct training for high‑risk business areas?

Training should be customised to reflect the specific risks and responsibilities of high-risk areas, such as trading desks or advisory teams. This can include scenario-based exercises, role-specific guidance, and practical examples relevant to the department’s day-to-day activities, ensuring staff understand the real-world implications of the Conduct Rules.

What tools or technology can support ongoing compliance monitoring?

Firms can leverage compliance monitoring software to track employee behaviour, trade activity, and adherence to policies. This includes workflow tracking, automated alerts, data analytics, and communication surveillance systems to identify potential breaches quickly and efficiently.

What steps can be taken to rebuild trust after a breach of the Conduct Rules?

Rebuilding trust requires transparency, accountability, and proactive remediation. Firms should promptly investigate the breach, implement corrective measures, communicate clearly with stakeholders, and enhance training and oversight to prevent recurrence. Demonstrating a strong culture of compliance and ethical behaviour is key to restoring confidence among clients, staff, and regulators.

Who needs to comply with CASS rules?

Any firm regulated by the FCA that holds or controls client money or assets must comply with CASS rules. This includes investment firms, asset managers, and certain insurance intermediaries.

How often should firms review their CASS compliance procedures?

Firms should review their procedures at least annually, or whenever there are changes in regulation, business structure, or risk exposure. Regular internal audits and gap analyses are recommended.

What role does staff training play in CASS compliance?

Training is critical. Staff must understand their responsibilities under CASS, know how to handle client money and assets correctly, and be able to identify and escalate potential breaches.

Are Skillcast courses SCORM-compliant?

Yes. This means they can be delivered via the Skillcast Portal or any other SCORM-compliant Learning Management System.

What other tools are needed beyond training?

A comprehensive compliance solution often needs more than just training. Alongside e-learning, tools such as declarations, surveys and registers that track compliance tasks are usually essential. Skillcast provides full support to help you set up these additional tools.

Is our training content still compliant with the latest legislation?

  • You can check the latest course content updates in our library updates page: https://www.skillcast.com/compliance-course-library-updates
  • For major legislative changes, we:
    • Send you email alerts to ensure you are notified
    • Offer you a free trial of newly created or updated content
    • Host webinars with compliance experts to explain the changes and how our training supports your ongoing compliance

Can you translate our content into other languages?

Yes, we offer translations in a wide range of languages. Let us know your needs, and we’ll confirm availability or work with you to plan translations for your selected modules.

What file types are supported by the Skillcast system?

Each feature, with its supported file types and size limits:

  • File Exchange: PDF, Excel spreadsheets, Word documents, SCORM and xAPI files, and compressed zip files. Max file size: 1GB by default; can be increased to a max of 2GB.
  • SCORM files: SCORM 1.2, SCORM 1.2 for Moodle, SCORM 2004 2nd, 3rd and 4th Edition. Max file size: 1024MB.
  • xAPI file: Max file size: 2GB.
  • Videos: MP4 or MOV. Videos must be optimised, with a max file size of 100MB. If the file is bigger, our Design Team can help.
  • Images: jpg, png and gif. The file size should ideally be 100KB, but it can be up to 250KB.
  • CPD evidence: Word, PDF, Excel and CSV. File size: the limit is whatever the portal config option is set to. Servers are set to a max of 2GB.
  • Policy documents: PDF or Word. File size: the limit is whatever the portal config option is set to. Servers are set to a max of 2GB.
  • Offline activities evidence: PDF, DOC, DOCX, XLS, XLSX, CSV, PNG, GIF, JPEG, JPG, PPTX and MSG. File size: the limit is whatever the portal config option is set to. Servers are set to a max of 2GB.
  • Client logo files (provided by client): EPS, PDF, AI and SVG.
  • Registers: PDF, DOC, DOCX, XLS, XLSX, CSV, PPT, PPTX, POT, PPA, PPS, JPG, JPEG, PJPEG, PNG, BMP, GIF, MP4, MOV, WMV, CPTX, CP, TXT, ZIP and MSG files.
  • Declarations: JPG, JPEG, PNG, GIF, XLS and XLSX files.

What is Aida and how does it ensure reliable answers?

Aida is an AI tutor embedded in courses that allows learners to ask questions at any point during learning. It draws exclusively on content that has been vetted and curated by your organisation, including course materials, internal policies, approved web resources, and regulator sites. This curated approach ensures answers reflect accurate, organisation‑specific guidance.

Can administrators see what questions are asked and how Aida responds?

Yes. Reporting includes both the questions asked and Aida’s responses. For meaningful insight, questions are also categorised by topic (e.g., records management, gifts and hospitality) to reveal trends. All reporting is anonymised by default to encourage open, non‑threatening inquiry. To protect assessment integrity, Aida is disabled during assessments and is only available during the learning components of a course.