CONC: What It Requires and Who It Applies To

What is CONC?

The FCA Consumer Credit Sourcebook (CONC) is the part of the FCA Handbook governing conduct standards for firms carrying on consumer credit activities in the United Kingdom. The Financial Conduct Authority brought CONC into force on 1 April 2014, the date consumer credit regulation transferred from the Office of Fair Trading under the Financial Services Act 2012. The full rulebook is published at handbook.fca.org.uk/handbook/CONC.

Before that transfer, consumer credit was supervised under the Consumer Credit Act 1974 through a firm licensing system managed by the OFT. That regime reviewed licences periodically, which meant problem lenders could operate for years between reviews. The FCA replaced it with continuous authorisation and ongoing supervision. CONC is the rulebook that defines what responsible conduct means day to day.

CONC is structured across 13 chapters. The ones drawing the most supervisory attention are CONC 3 (financial promotions), CONC 4 (pre-contractual requirements), CONC 5 (responsible lending and creditworthiness assessment), CONC 6 (post-contractual requirements), and CONC 7 (arrears, default, and recovery). CONC 5 alone accounts for the majority of enforcement actions since 2016.

The FCA introduced CONC because its own research had found serious, widespread consumer harm. The FCA's 2014 review of the payday lending market identified 1.6 million UK borrowers who couldn't repay and rolled their loans over repeatedly, generating an estimated £450 million in additional interest charges. That was the market the FCA stepped into. CONC is its direct response: binding obligations that couldn't be gamed through the old licensing loopholes.

The Consumer Credit Act 1974 remains the primary statute. CONC layers FCA conduct requirements on top of it. Firms need both.

Who does CONC apply to?

CONC applies to every FCA-authorised firm carrying on "regulated credit activities" in the UK, as defined in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001. That covers more firm types than most compliance functions expect.

Covered entities include:

• Consumer lenders: banks, building societies, credit unions, and specialist lenders offering personal loans, overdrafts, credit cards, home credit, and buy-now-pay-later products currently within FCA scope
• Second charge mortgage lenders: specific CONC provisions apply where credit is secured on residential property
• Credit brokers: firms that introduce consumers to lenders for fees, including price comparison websites and introducer services
• Debt collectors and debt purchasers: firms collecting on regulated credit agreements or buying those agreements on the secondary market
• Debt management firms: firms providing debt counselling, debt adjusting, or credit information services under CONC 8
• Credit reference agencies: limited provisions under CONC 12 apply where agencies operate within the retail lending chain

There's no minimum firm size. A sole trader running a small brokerage faces the same CONC obligations as a major bank's consumer lending division.

The FCA Consumer Duty (PRIN 2A), fully effective from July 2023, layers outcomes-based obligations on top of CONC's specific rules for most of these firm types. The two regimes run in parallel. A firm can follow every CONC procedure and still breach Consumer Duty if actual customer outcomes are poor.

Jurisdictionally, CONC applies to regulated credit activity targeting UK consumers. Post-Brexit, EEA firms can't rely on passporting rights to avoid FCA authorisation. The test is whether the firm is carrying on regulated activities in the UK, not where it's incorporated.

What does CONC require?

CONC's obligations span the full credit lifecycle, from advertising to debt recovery. The core requirements are:

1. Creditworthiness assessment (CONC 5.2A): Before entering a regulated credit agreement, firms must assess whether the customer can afford repayments without undue hardship. The assessment must consider income, essential expenditure, and existing credit commitments. Relying solely on a credit bureau score isn't sufficient. The FCA expects documented records of each assessment, including the specific data inputs used.

2. Financial promotions (CONC 3): All credit advertisements must be fair, clear, and not misleading. Representative APR must appear in at least as prominent a position as any other interest rate figure. Where fewer than 51% of accepted customers receive the headline rate, the representative example must reflect the rate actually available to the majority.

3. Pre-contractual information (CONC 4): Firms must provide a Standard European Consumer Credit Information (SECCI) form before any credit agreement is executed. It must include total cost of credit, APR, repayment schedule, and the right to withdraw. Firms must also give customers an adequate explanation of the product's key features, adjusted for any characteristics that indicate vulnerability.

4. Arrears and default treatment (CONC 7): When a customer falls into arrears, firms must contact them promptly, provide a statutory arrears information sheet, and refer them to free debt advice services. Default fees must be a genuine pre-estimate of the loss caused by the default; they can't function as a revenue stream.

5. Debt collection conduct (CONC 7.9 to 7.15): Firms cannot use misleading or aggressive tactics. Misrepresenting the legal status of a debt, threatening action the firm isn't prepared to take, and ignoring written requests to stop contact are all prohibited.

6. Vulnerable customer treatment: Firms must identify and appropriately treat customers who may be vulnerable due to mental health conditions, recent life events, or low financial resilience. A note in the file isn't enough. The firm must demonstrate it adjusted its approach.

7. Record retention (CONC 5.3): Creditworthiness assessment records must be retained for a minimum of 3 years. For firms using automated or algorithmic models, the FCA expects documentation of model logic, validation testing, and any material changes over time.

What evidence do regulators expect?

FCA examiners arrive with a document request list. The firms that struggle most are those whose policies look good on paper but aren't reflected in operational records. Examiners consistently request:

• Creditworthiness assessment files: A statistically representative sample showing the input data used (income, expenditure, existing debts), the decision output, and any overrides or exceptions. For automated models, documentation of the model logic and evidence of outcome-based validation.

• Training and competence records: Logs showing which staff were trained on CONC 5, 6, and 7, on what dates, and with what assessment outcomes. Refresher training records following regulatory changes. This applies to frontline staff, credit analysts, and collections teams.

• Complaints analysis: CONC-related complaint volumes broken down by product and category, root cause analysis reports, and remediation outcomes with timelines. Handling individual complaints well isn't enough; examiners want evidence the firm identifies and addresses systemic issues.

• Financial promotions approvals: A documented process showing who approved each credit advertisement before publication, their sign-off authority, and monitoring records for digital campaigns after they go live.

• Vulnerable customer logs: Records showing how vulnerability flags were raised, what action was taken, and whether the outcome was appropriate. Flagged customers without evidence of follow-through are a clear warning sign for examiners.

• Collections monitoring records: Call recordings or transcripts sampled for CONC 7 compliance. Scripts used by collections agents and evidence those scripts have been reviewed against current requirements.

• Third-party oversight records: Where debt collection is outsourced, contracts binding the third party to CONC standards, plus monitoring records showing how their performance is being assessed.

Common failure modes

The FCA's enforcement record on CONC shows the same problems repeatedly.

• Inadequate affordability assessments: Approving loans based on stated income without verification, or ignoring essential outgoings in the calculation. This was central to the FCA's action against Instant Cash Loans Ltd (The Money Shop and Payday Express). The June 2019 final notice found the firm approved more than 4.3 million loans without adequate creditworthiness assessments, resulting in a £15.4 million financial penalty.

• Poor arrears treatment: BrightHouse, the rent-to-own retailer, was required to pay £14.8 million in customer redress in 2017 after the FCA found widespread failures: excessive fees for customers in financial difficulty and no referral to free debt advice services.

• Algorithmic models without governance: Using machine learning for credit decisions without model validation, bias testing, or decision audit trails. The FCA has flagged this pattern across multiple firms. A model that can't explain its decisions creates both a CONC 5.2A problem and a Consumer Duty vulnerability. Firms using AI in credit decisioning should read why black box models are a compliance risk before their next supervisory visit.

• Misleading promotions: Advertising headline rates unavailable to most applicants, or displaying representative APR less prominently than other interest rate figures used in the same ad.

• Collections pressure on vulnerable customers: Using standard scripted calls on customers who disclosed mental health difficulties or bereavement, with no adjustment to approach. This fails both CONC 7 and Consumer Duty simultaneously.

• Outsourced debt collection without oversight: Delegating collections work to a third party and taking no steps to verify CONC compliance. The FCA treats this as the firm's failure, not the third party's.

Penalties for non-compliance

The FCA has broad sanctioning powers under FSMA 2000.

Financial penalties: The FCA's methodology (DEPP 6) bases fines on a percentage of relevant revenue from the affected business line. For deliberate or reckless conduct, the starting point is 20% of relevant revenue before mitigating factors are applied. A consumer lender with £100 million in annual credit income faces a potential starting point of £20 million. The Instant Cash Loans penalty of £15.4 million in 2019, and the redress programmes at Provident Financial (£172 million, 2021) and Amigo Loans (£97 million, 2022), show what enforcement at scale looks like.

Consumer redress: Separate from fines, the FCA can require firms to compensate all affected customers. The Provident Financial scheme covered claims going back years and cost far more than any fine in isolation would have reached.

Permission restrictions: Under FSMA 2000 s.55J, the FCA can restrict, vary, or cancel a firm's authorisation. For serious or ongoing CONC breaches, it can bar a firm from entering new credit agreements while an investigation is live.

Skilled persons reviews (s.166 FSMA): The FCA can appoint an independent reviewer at the firm's own expense. These engagements typically cost between £500,000 and £3 million in professional fees, and the FCA then acts on what the reviewer finds.

Senior Manager liability: Under SM&CR, the individual responsible for the failed function can face personal fines, prohibition from working in regulated financial services, or criminal prosecution under FSMA 2000 s.398.

Related regulations and frameworks

CONC doesn't sit alone.

The Consumer Credit Act 1974 is the primary statute. CONC layers FCA conduct requirements on top of it, but CCA 1974 rights around withdrawal, early repayment, and unfair relationship challenges apply directly. In many circumstances they're more consumer-favourable than CONC's specific provisions.

The FCA Consumer Duty (PRIN 2A), effective July 2023, adds an outcomes lens to CONC's process-based rules. The two regimes run simultaneously. Following every CONC procedure isn't a defence against a Consumer Duty finding if actual customer outcomes are poor.

SYSC 6.3 governs the systems and controls that underpin CONC obligations. Creditworthiness model governance, financial promotions approval, and complaints management are fundamentally SYSC responsibilities. CONC failures in examination almost always have a SYSC weakness underneath.

The UK Money Laundering Regulations 2017 apply to consumer credit firms for AML and counter-terrorist financing purposes. Identity verification for a credit application and Customer Due Diligence for AML draw on much of the same data, but they serve different purposes and carry different retention requirements. Compliance teams that treat them as the same exercise create gaps in both regimes.

Open banking data from PSD2 (and its proposed UK successor) has changed how firms conduct affordability assessments in practice. With customer consent, firms can now verify income and expenditure claims directly from transaction account data rather than relying on self-reported figures. That's a more defensible evidence base under CONC 5.2A.

The FCA AI Discussion Paper (2024) addresses AI in regulated activities, including credit decisioning. Firms using machine learning for creditworthiness assessments need to read it alongside CONC 5. Explainability and bias testing aren't optional extras; the FCA is treating them as part of what responsible lending requires.

How FluxForce supports CONC compliance

FluxForce's AI agents automate the evidence capture CONC examiners demand. Nova Sentinel monitors credit decisions in real time and flags cases where the creditworthiness assessment logic deviates from documented policy. Aiden Flux tracks vulnerable customer flags across the customer lifecycle, so they're acted on rather than recorded and forgotten. Every decision produces a full, readable audit trail. For arrears management, automated workflows enforce the statutory information sheet and free debt advice referral at the point they're required. See how FluxForce maps to your CONC obligations in a live demo at FluxForce Regulatory Compliance Automation.