Increasingly regulators are asking firms to improve their ‘conduct’. Conduct regulation has become a hot topic but does anyone really understand what activities it will encompass?

What is meant by ‘conduct’ in the context of regulation?

There is no definition in any legislation, policy or commentary as to what is meant by ‘conduct regulation’. In most markets conduct regulation means at least consumer protection, market conduct rules and some minimal ethical codes of conduct. However, in more developed regulatory markets, such as that in the UK, conduct regulation also extends to corporate governance and incentives, organisational systems, competition and anti-trust, ‘fit and proper’ requirements and professionalism and, more recently, to what is known as ‘product governance’.

Conduct regulation looks at three main areas in each firm:

  • the firm and its organisation
  • the individuals in the firm
  • the impact of either of the first two elements outside the firm.

Conduct regulation considers both behaviours and outcomes. It considers the behaviour of both individuals and organisations as well as the expected behaviour of organisations in a wider social context. It also looks at the impact of individual, organisational and social behaviour on outcomes for customers. Depending on the context, customers can be consumers and, increasingly, also commercial clients.

The potential scope of conduct regulation

[Table: the potential scope of conduct regulation]

The above is a heat map of the scope of ‘conduct regulation’ with red being those areas which are most developed in regulatory terms.

Conduct regulation means different things depending on the context and the type of business being regulated. The following note focuses only on the regulation of conduct in the insurance sector but draws on resources which consider conduct in the wider financial services context.

The growing emphasis upon conduct in insurance regulation

The fall-out from the global financial crisis can be seen to have had two main outcomes in terms of regulation:

  • greater scrutiny of whether firms have sufficient capital and can be wound-down in an orderly manner
  • greater scrutiny of how and why transactions are undertaken and their impact on customers and wider financial markets.

During 2008-2009 the regulatory emphasis for financial services was upon ensuring the first outcome could be met. However, since 2010 there has been a shift towards looking at how transactions are undertaken, by whom and to what effect. This is essentially what conduct regulation involves. With this scrutiny has come greater appetite for regulation.

‘A lot of work since the crisis has focussed on strengthening the resilience of our institutions and infrastructure. As this work nears completion, the spotlight is shifting. It is shifting towards market policies, industry culture, and individual behaviour’ (Speech by Martin Wheatley, Chief Executive, FCA, Modelling integrity through culture, November 19, 2013).

Much of the reasoning for the change in emphasis has come about in the light of the failures to prevent the mis-selling of consumer financial products which has taken place over the past twenty years. In the US it is understood that failures in conduct of business resulted in the widespread mis-selling of retail mortgages. In the UK, the payment of redress to customers of mis-sold payment protection insurance since April 2011 has now reached £13.3 billion. This mis-selling scandal took place at the same time that UK financial services’ rules were considered to be amongst the most sophisticated consumer protection regimes in the world.

In response to what is perceived to be a failure on the part of the Financial Conduct Authority’s (FCA) predecessor, the Financial Services Authority (FSA), the FCA has taken a more intrusive approach to supervising firms than was undertaken by the FSA.

Much of the current dialogue around conduct regulation has moved beyond the application of codes of conduct towards being able to demonstrate that firms (as organisations) and their executive (as individuals) can make ‘ethical decisions’. Essentially therefore, conduct regulation, at least in the UK, has moved from objective decisions on whether rules have been breached to subjective decisions about how firms and their staff operate.

‘firms need to ask themselves the question: “should we” carry out a certain activity as well as “could we” do it.’ (Speech by Clive Adamson, Trust and confidence – ensuring firms’ ethics are built around their customers, November 12, 2013).

From the above statement from the FCA it is clear that much of the conversation around financial regulation has shifted from what might be described as the prudential protections against failure (capital requirements and market structures) towards the conduct of both firms and individuals. Conduct regulation has moved in many respects ‘beyond law’ (meaning both statutory and regulatory codes) towards monitoring and challenging corporate culture.

This briefing considers the approach in the UK. However, the drivers towards greater conduct regulation are also global. Accordingly, some of the issues we cover will have wider application beyond the UK.

The origins of the conduct discussion

In 2008 the European Commission requested that a report be made into the origins of the financial crisis. The de Larosière report was published in 2009. It found that:

‘Failures in risk assessment and risk management were aggravated by the fact that the checks and balances of corporate governance also failed’ and ‘Remuneration and incentive schemes within financial institutions contributed to excessive risk-taking’1.

Since the publication of the report, European Union initiatives have sought to focus attention on risk assessment and management in companies and to tackle the conflicts of interest posed by certain incentives schemes.

The development of conduct regulation in the UK

In 2013, the FSA ceased to operate and was replaced by two regulators: a prudential regulator (the Prudential Regulation Authority) and a separate conduct regulator (the FCA). The UK is not the first jurisdiction to separate regulation into these two strands, known as Twin-Peaks regulation. Australia moved to a Twin-Peaks model in 1996, the Netherlands in 2002. One of the main reasons given for the UK adopting a Twin Peaks regulatory model was to create two ‘centres of expertise’, one of which would focus on conduct regulation.

The main areas which could be included within the scope of conduct regulation in the UK are set out below.

Conduct of business requirements

The UK’s FCA has been given four conduct objectives: a strategic objective to ensure that ‘the relevant markets function well’, and three operational objectives of consumer protection, market integrity and competition.

The conduct of business requirements fall into the Principles for Businesses (PRIN), Statements of Principle and Code of Practice for Approved Persons (APER), Senior Management Arrangements Systems and Controls (SYSC), the Conduct of Business Sourcebook (COBS) and the Insurance Conduct of Business Sourcebook (ICOBS).

The conduct rules and guidance which form the basis upon which the FCA regulates insurance firms are largely made up from conduct standards introduced through European Single Market Directives (for example the Insurance Mediation Directive, the Distance Marketing Directive and the Markets in Financial Instruments Directive). In addition, the current conduct standards incorporate a number of rules which have been inherited from the Codes of Conduct of the former Self-Regulatory Organisations and trade bodies. For example, the Insurance Conduct of Business Sourcebook (ICOBS) is made up of rules derived from the Insurance Mediation Directive, the Distance Marketing Directive, the E-Commerce Directive and the inherited ABI Statement of General Insurance Practice and the ABI Statement of Long-term Insurance Practice, developed to redress the balance of the legal requirements upon the insured to disclose information to the insurer.

In the UK financial services market, conduct regulation has been structured on the basis of:

  • Primary legislation (e.g. the Financial Services and Markets Act 2000, the Unfair Terms in Consumer Contracts Regulation, 1999, etc.).
  • Regulatory rules and guidance (e.g. the various conduct of business sourcebooks contained in the FCA Handbook).
  • Regulatory interpretation of the rules and guidance – including the interpretation and enforcement of the Principles for Businesses (e.g. the FSA/FCA’s Treating Customers Fairly initiative).
  • The outcomes of decisions made by the Financial Ombudsman Service (FOS).

However, as the scope of conduct regulation has developed in the past few years there is a need to refine the above structure and to re-assess the basis upon which regulatory decisions on conduct are made.

The FCA uses what it describes as ‘judgement-based’ supervision, which means the regulator will not simply look at whether firms have complied with rules and guidance but will consider the issue at hand in a wider context. Since the decision of the court in British Bankers Association v Financial Services Authority and Financial Ombudsman Service [2011] EWHC 999, the regulator is able to enforce a breach of a Principle, even where there was no relevant rule governing how something should be done (or not done). Accordingly, conduct regulation enables the regulator to apply its judgement on the application of one of the Principles. Essentially, this has the outcome that firms (and their advisers) cannot navigate their conduct obligations on the basis of their adherence to the rules alone. They must now pre-empt the judgement of the regulator on what is the ‘right thing to do’. The Principles, the argument from the regulator goes, will guide you towards the right outcome.

The role of the Financial Ombudsman Service (FOS) has also changed. When resolving complaints for mis-sold payment protection insurance (PPI) the FOS has been able to make redress payments in relation to policies mis-sold prior to it being given statutory authority to resolve consumer complaints. Accordingly, it has decided that where an insurance intermediary who mis-sold PPI has gone out of business it can require the underwriter of the policy to make the redress payment. There is no statutory authority for it to do so. The strict legal jurisdiction of the FOS is therefore superseded by judgements about the ‘right outcome’ for consumers. The result is that the conduct of business rules in the UK should be followed in addition to behaviour that meets the outcome in the Principles. Effectively, rules are now supplemented by largely unwritten standards of ethical behaviour:

‘The more one places a reliance on the law as a substitute for taking responsible decisions, the more one devalues ethics as it then becomes a question about what is required, rather than what is the right thing to do’.2

‘Fit and proper’ requirements

As soon as the financial crisis took place the FSA undertook a programme of ‘credible deterrence’ which had the effect of taking robust enforcement action against individuals and firms which have breached FSA rules and caused customer detriment.

Credible deterrence is ‘about making people realise that they can suffer meaningful consequences if they break the law and if they don’t improve their standards of behaviour.’3

Credible deterrence was developed by the FSA in order to ensure that firms that had breached rules or caused consumer detriment would suffer sufficient financial and reputational damage to deter others from doing similar. It worked on the basis of ‘name and shame’.

Following the financial crisis both the FCA and PRA have reformed the approved person requirements. Those individuals wishing to take up significant-influence functions (i.e. senior board and executive positions) in firms must meet rigorous requirements and may be expected to be interviewed by FCA staff in order to determine whether the individual is truly competent for the role. Since 2009, there has been greater disciplinary action taken against the employees of authorised firms. This is clearly being done with the aim of attaching personal responsibility to senior roles.

In many of the reports following the financial crisis the competence and conduct of the individuals leading organisations was criticised.

‘There are clear signs that, alongside public pressure for reform, these next few years will see a much greater focus by regulators on the conduct and behaviour of individuals and firms’4.

Indeed, reports such as that of the Parliamentary Committee of Banking Standards are highly critical of the individual competence of those who were in charge of the UK banks that failed:

‘The non-executives on the Board lacked the experience or expertise to identify many of the core risks that the bank was running’5.

In revising its overarching principles into Fundamental Rules, the PRA has proposed changing the inherited FSA Principle ‘A firm must conduct its business with integrity’ to ‘A firm must act with integrity.’ The wording change from ‘conduct its business’ to ‘act’ attempts to capture all behaviour within the firm. According to the PRA, firms must show adherence to this standard in the everyday course of their business and when making business-related decisions. The greater scope of responsibility will be applicable to individuals working within the firm as well.

Subsequent to the financial crisis, the Chartered Insurance Institute has produced guidance on ethical culture which is ‘intended to help CII members promote a culture of integrity within their organisation’6.

Although there have not been any fundamental changes to the fit and proper requirements for individuals in firms, there has certainly been a change in terms of the FCA’s willingness to enforce those requirements. Individuals will be expected to meet the standards in APER and this will extend to their competence to do the role they are assigned.

In the HomeServe fine (FCA Final Notice 2014: HomeServe Membership Limited, 13 February 201) the FCA found that HomeServe had:

‘… failed to ensure that its senior management undertook adequate regulatory training, which led to a lack of regulatory knowledge and a failure adequately to identify and address issues that created a risk that customers may not be treated fairly and contributed to a culture that placed more importance on generating profits’7.

Incentives and remuneration

The de Larosière report identified that: ‘Remuneration and incentive schemes within financial institutions contributed to excessive risk-taking’8. Further, the Liikanen report on banking concluded that: ‘One essential step to rebuild trust between the public and bankers is to reform banks’ remuneration schemes, so that they are proportionate to long-term sustainable performance.’9

Both CRD IV and Solvency II address the impact of remuneration on inappropriate risk taking.

Solvency II imposes requirements in relation to remuneration which, unlike the FSA’s remuneration code, will apply to insurers. It requires the fixed element of remuneration to be sufficiently high in relation to any discretionary elements (e.g. bonus payments) and that the majority of bonus payments be deferred over a period which reflects the nature and time horizon of the underlying business. Any bonus should also be made up of both individual and collective performance elements.

The proposals to revise the Insurance Mediation Directive also address the use of inappropriate staff sales incentives. The recitals state that:

‘Member States should require that remuneration policies of insurance intermediaries and insurance undertakings in relation to their employees or representatives do not impair the ability to act in the best interests of customers’10.

Further, in September 2012 the FSA consulted on guidance on the risks to consumers from financial incentives. In January 2013 the FSA published its findings.11 The report states that the FSA found that ‘most firms have incentive schemes that can drive mis-selling, but do not have effective systems and controls to adequately manage the risks.’

Furthermore, firms ‘had not properly identified the risks posed by their incentive schemes to ensure effective controls were in place. Some schemes were so complex that management did not understand them.’

It is clear that the FCA has turned its attention to how remuneration and incentives will have an impact on customer experiences and may increase the risks of mis-selling. Accordingly, firms are expected to structure their businesses with appropriate incentive schemes that do not increase the risks of mis-selling.

For sales of investment business in the UK the measures introduced by the Retail Distribution Review also address the ways by which remuneration and incentives impact outcomes for customers.

The 2013 FCA Risk Outlook identifies incentives as one of the significant drivers of conduct risk: ‘Firm culture and incentive structures often enable conflicts of interest to become profitable and entrenched in firms’ businesses and processes’12.

Beyond corporate governance and towards culture

Corporate governance encompasses a broad range of issues. In its narrow sense, it is concerned with the way in which companies are directed and controlled, including the systems and processes for ensuring proper accountability, openness and probity. However, it is also concerned with the wider issue of protecting and advancing shareholders’ interests through setting the strategic direction of a company and appointing competent management to achieve this.

For companies operating in the financial services sector in the UK, the Companies Act 2006 provides the basic statutory corporate governance framework. This is complemented by the UK Corporate Governance Code (Code), which is overseen and maintained by the Financial Reporting Council (FRC), and by financial regulation under the Financial Services and Markets Act 2000 (FSMA). Companies may also be affected by the UK Stewardship Code, which sets out good practice for institutional investors when engaging with UK listed companies.

Since the crisis the FCA has looked beyond how firms adhere to the Code and will investigate firms’ culture. This is clearly an area which has developed as part of ‘judgement-based’ supervision. The following is from a speech given by Clive Adamson, Director of Supervision at the FCA in April 2013:

‘Our approach today is to draw conclusions about culture from what we observe about a firm – in other words, joining the dots rather than assessing culture directly. This can be through a range of different measures such as how a firm responds to, and deals with, regulatory issues; what customers are actually experiencing when they buy a product or service from front-line staff; how a firm runs its product approval process and the considerations around these; the manner in which decisions are made or escalated; the behaviour of that firm on certain markets; and even the remuneration structures.

We also look at how a board engages in those issues, including whether it probes high return products or business lines, and whether it understands strategies for cross-selling products, how fast growth is obtained and whether products are being sold to markets they are designed for.’

Clearly, the FCA is looking for something more subtle than adherence to the corporate governance code in looking at culture. They are essentially looking at the attitude of senior managers towards customers and their regulatory responsibilities.

The Parliamentary Committee of Banking Standards report on the failure of HBOS concluded that ‘Banks whose board-level governance arrangements could be described on paper as approximating to best practice have run into serious governance problems’13. Clearly, therefore, adherence to the governance code or best practice standards will do little to avoid scrutiny where a firm fails to get its ‘culture’ right.

Organisational structures

As is evident from the extract from the speech given by Clive Adamson in April 2013, conduct regulation will extend to consideration of the organisational structure of the firm and how it may impact upon customers. The regulator has in many enforcement notices since the financial crisis determined that, in addition to certain specific rule breaches, the business did not have adequate systems and controls appropriate to the business (Principle 3 of the Principles for Businesses).

Product governance

Product governance has been a key focus of the new conduct regulator since it took over from the FSA in April 2013 and firms can expect scrutiny of product development, distribution agreements and post-sale issues such as claims handling and complaints practices.

Consumer protection is at the heart of the FCA’s approach and looks likely to remain so for the foreseeable future. The insurance sector has been subject to a number of thematic reviews since the FCA took charge. Figures suggest that the market is firmly on the regulator’s agenda with increased focus on consumer outcomes, value for money and conflicts of interest. FCA intervention can be expected if any stage of the product lifespan threatens to lead to consumer detriment.

A particularly costly lesson that has been learned following the FSA’s approach to conduct supervision has been the need to tackle issues when they emerge, thus preventing widespread detriment to consumers. The FCA will pay greater heed to whistle-blowers and the warnings of consumer organisations in order to understand better what risks exist.

The FCA aims to intervene much earlier in products that it considers to pose risks to customers. Firms can expect greater scrutiny of product governance - how a product is designed to go to market, how it will operate and the means of distribution. The FCA will consider whether the product has been designed around a target customer’s needs; whether there is monitoring of customer outcomes; whether information reaches the board or those who can address issues promptly. Distribution strategies will be subject to review to ensure that they are appropriate for the product.

In particular, firms will be expected to have procedures in place to assess their target market. Products should be stress-tested and potential risks for consumers identified before the product reaches the market.

What is evident following the scandal of payment protection insurance mis-selling is that products are often sold to customers outside their target market. What might be a perfectly sound product for one market may be utterly inappropriate for another. Firms will be expected to identify accurately who will benefit from different products and, perhaps more importantly, who should not be sold a particular product.

The FCA will also examine whether products are good value for money – a huge change to the approach taken by the FSA. Charging structures must therefore deliver good consumer outcomes.

Early intervention in the product ‘life-cycle’ will enable the FCA to prevent harm to customers. One of the powers granted under the Financial Services Act 2012 allows the FCA to ban temporarily products that pose an unacceptable risk to consumers. Examples of when such bans can be imposed are:

  • the widespread selling of products outside their target market
  • products that are made unacceptable by the inclusion of terms or conditions that make them inappropriate for a significant number of customers
  • products where incentives encourage inappropriate sales
  • cases where a product is considered inherently flawed due to its poor value or disadvantageous features.

Conduct regulation’s development in an international context

European Insurance and Occupational Pension Authority (EIOPA)

At a European level, there has been a shift towards the European Supervisory Authorities (ESA) taking responsibility for matters which have historically (and indeed, legally) been perceived as something to be determined by national markets.

The creation of the ESA in the wake of the crisis and following a recommendation from the de Larosière report effectively set up Euro-regulators which were given the objective of consumer protection. The website of the insurance ESA, EIOPA, states that one of its goals is ‘Better protecting consumers, rebuilding trust in the financial system.’

Since its establishment EIOPA has made consumer protection and ‘conduct regulation’ part of its remit. Historically, the European Union has broadly allowed Member States to determine their own conduct requirements within the boundaries of several high-level directives (see above).

EIOPA’s mandate in the area of consumer protection and financial innovation is broad, and some of EIOPA’s tasks include:

  • Collecting, analysing and reporting on consumer trends.
  • Reviewing and coordinating financial literacy and education initiatives by competent authorities.
  • Developing training standards for the industry.
  • Contributing to the development of common disclosure rules.
  • Adopting guidelines and recommendations to promote safety and soundness of markets and convergence of regulatory practice.
  • Issuing warnings in case a financial activity poses a serious threat to EIOPA’s core objectives.
  • Within specific parameters, temporarily prohibiting or restricting certain types of financial activities that threaten the orderly functioning of financial markets or the stability of the whole or part of the EU’s financial system.

Since 2012, EIOPA has produced two sets of Guidelines on complaints handling and numerous publications on such issues as good practices for comparison websites, the knowledge and ability of insurance intermediaries and financial literacy.


The International Association of Insurance Supervisors (IAIS) has developed Insurance Core Principles that should be applied by national supervisors. There are five main conduct requirements: suitability of persons, corporate governance, risk management and internal controls and conduct of business.

The Insurance Core Principles (ICPs) provide a globally accepted framework for the supervision of the insurance sector. The ICPs prescribe the essential elements that must be present in the national supervisory regime in order to promote a financially sound insurance sector and provide an adequate level of policyholder protection. There are 26 ICPs. ICPs 5, 7, 8 and 19 feature elements of conduct.

ICP 5 Suitability of Persons

The supervisor requires board members, senior management, key persons in control functions and significant owners of an insurer to be and remain suitable to fulfil their respective roles.

ICP 7 Corporate Governance

The supervisor requires insurers to establish and implement a corporate governance framework which provides for sound and prudent management and oversight of the insurer’s business and adequately recognises and protects the interests of policyholders.

ICP 8 Risk Management and Internal Controls

The supervisor requires an insurer to have, as part of its overall corporate governance framework, effective systems of risk management and internal controls, including effective functions for risk management, compliance, actuarial matters and internal audit.

ICP 19 Conduct of Business

The supervisor sets requirements for the conduct of the business of insurance to ensure customers are treated fairly, both before a contract is entered into and through to the point at which all obligations under a contract have been satisfied.


There is no definition of conduct regulation. The term has a fluid meaning which has enabled regulators, and in particular the FCA, to approach a number of issues under the banner of conduct regulation. Conduct regulation can be how firms comply with the various rules and guidance that address how the firm undertakes business with its customers. Increasingly, however, conduct regulation has a wider meaning and will encompass not just compliance with the traditional conduct rules, but also systems and controls, board competence and oversight, whether products provide good value to customers and the extent to which firms meet whatever ethical standards are expected in the economic and political climate. In this briefing we have considered how discussion about conduct regulation has evolved since the financial crisis and have identified certain issues which are likely to be caught in the current UK regulatory regime.