Fair Conduct Office

Disclosure: Where serious regulatory risk is identified, the Fair Conduct Office may refer findings to the appropriate regulatory authority in accordance with its responsible disclosure policy.

Terms of engagement

These terms govern all engagements between the Fair Conduct Office and its clients, and the use of this website. By instructing the Fair Conduct Office or by using this website, you agree to the terms set out below.

1. Definitions

“The Fair Conduct Office”, “FCO”, “we”, “us”, and “our” refer to the Fair Conduct Office, a trading name operated by Aren Webb as a sole trader registered with HMRC for self-assessment.

“Client”, “you”, and “your” refer to the individual or organisation engaging the Fair Conduct Office for services.

“Engagement” refers to any agreed instruction to provide services, confirmed by a signed engagement contract or documented written agreement.

“Report” or “deliverable” refers to any written output produced by the Fair Conduct Office in the course of an engagement, including risk snapshots, full risk assessments, and remediation plans.

2. Scope of services

The Fair Conduct Office provides regulatory compliance risk assessments and digital security audits for UK businesses. Our services include risk snapshots, full risk assessments, remediation plans, and retained advisory arrangements.

The specific scope, deliverables, and timelines for each engagement are defined in the signed engagement contract. Work outside the agreed scope requires a separate written agreement.

Our compliance assessments are conducted against the regulatory frameworks applicable to the client’s sector, including but not limited to UK GDPR and the Data Protection Act 2018, the Money Laundering Regulations 2017, FCA rules and guidance (including COBS, SYSC, SM&CR, and the Consumer Duty), the Consumer Rights Act 2015, the Consumer Protection from Unfair Trading Regulations 2008 and their successor provisions in the Digital Markets, Competition and Consumers Act 2024, the Privacy and Electronic Communications Regulations (PECR), and sector-specific legislation as identified during the engagement.

3. Professional disclaimers

Not legal advice. The Fair Conduct Office is not a law firm, and our reports do not constitute legal advice. Our findings are based on our assessment of publicly observable information against applicable regulatory frameworks. We recommend that clients consult a qualified solicitor for formal legal interpretation, regulatory applications, and compliance sign-off.

Not penetration testing. Our digital security assessments are based exclusively on passive analysis of publicly observable information. We do not perform active scanning or authenticated testing, attempt to exploit vulnerabilities, access systems without authorisation, or conduct any other activity that would require the system owner’s authorisation under the Computer Misuse Act 1990. Our security findings are limited to what is observable from publicly accessible sources, and a passive assessment is not a substitute for an authorised penetration test.

No guarantee of completeness. While we take reasonable care to ensure the accuracy and thoroughness of our assessments, we do not guarantee that every regulatory gap or security vulnerability has been identified. Regulatory landscapes change, and our reports reflect the position at the date of assessment.

4. Engagement process

All paid engagements are governed by a signed engagement contract specifying the scope, deliverables, fees, and timeline. The engagement contract, together with these terms, constitutes the entire agreement between the parties.

Risk snapshots provided on a complimentary basis are not subject to a signed contract but remain subject to these terms of engagement.

5. Payment terms

Payment is due as follows: 50% of the agreed fee upon signing the engagement contract, and 50% upon delivery of the final report. Work will not commence until the initial payment has been received and confirmed.

For retained advisory arrangements, fees are invoiced monthly in advance. The retained arrangement may be terminated by either party with 30 days’ written notice.

All invoices are payable within 14 days of issue. We reserve the right to charge interest on overdue invoices at the rate of 8% above the Bank of England base rate, in accordance with the Late Payment of Commercial Debts (Interest) Act 1998.

All fees are quoted exclusive of VAT. The Fair Conduct Office is not currently registered for VAT. Should VAT registration become applicable, VAT will be added to all fees at the prevailing rate.

6. Deliverables

Reports are delivered in PDF format via email to the address specified in the engagement contract. Delivery timelines are agreed in the engagement contract and are typically within 5 working days of the initial payment being received.

Each report includes an executive summary, detailed findings with severity scoring (Critical, High, Medium, Low), specific regulatory citations, and evidence descriptions. Remediation plans additionally include prioritised action items, policy templates where applicable, and implementation timelines.

7. Client obligations

The client agrees to provide accurate and complete information as reasonably requested to support the engagement. Delays caused by the client’s failure to provide requested information may result in extended delivery timelines.

The client is responsible for acting on the findings of any report. The Fair Conduct Office is not responsible for the client’s decision to implement, partially implement, or disregard any recommendation.

8. Intellectual property

Upon receipt of full payment, the client receives a non-exclusive, non-transferable licence to use the deliverables for their own internal business purposes. Reports may not be reproduced, distributed, or disclosed to third parties without our prior written consent, except as required by law or regulatory obligation.

The Fair Conduct Office retains all intellectual property rights in its methodologies, process frameworks, templates, and assessment tools. Nothing in these terms transfers ownership of our proprietary processes to the client.

9. Confidentiality

All client data, findings, and engagement details are treated as confidential and will not be disclosed to third parties except as required by law, regulatory obligation, or as set out in the responsible disclosure clause below.

We may use anonymised, non-attributable information from engagements for the purpose of general commentary, case studies, or marketing materials. No client will be identifiable from such use without their express written permission.

10. Limitation of liability

The Fair Conduct Office’s total liability to the client for any claim arising out of or in connection with an engagement shall not exceed the total fees paid by the client for that engagement.

We shall not be liable for any indirect, consequential, or incidental loss or damage, including but not limited to loss of profit, loss of business, regulatory fines, or reputational damage, howsoever arising.

Nothing in these terms excludes or limits liability for fraud, death or personal injury caused by negligence, or any other liability that cannot be excluded or limited by law.

11. Responsible disclosure

The Fair Conduct Office operates a responsible disclosure policy. Where we identify compliance gaps or security vulnerabilities that pose a serious and ongoing risk of material consumer harm, we may report relevant findings to the appropriate regulatory body. This applies only to matters of critical severity involving demonstrable risk to consumers or the public.

Before any such disclosure, the affected organisation will be notified of the findings and given a reasonable period to remediate. Disclosure will only proceed where the organisation fails to take corrective action within that period and the risk to consumers or the public remains material and ongoing.

This policy does not apply to findings identified during paid engagements unless explicitly agreed in the engagement contract. Client confidentiality is maintained at all times within the bounds of the law and regulatory obligation.

12. Data handling

In the course of providing our services, we may collect and process business contact details (names, email addresses, telephone numbers, and company information) and publicly available information about businesses. Our assessments are based on publicly observable information and do not require access to personal data beyond business contact details necessary for the engagement.

Where we process personal data, we do so on the basis of legitimate interest for business-to-business communications (Article 6(1)(f) UK GDPR) or for the performance of a contract (Article 6(1)(b) UK GDPR). We do not use cookies for tracking or analytics on this website.

Engagement data is retained for 6 years from the date of the final deliverable, which satisfies HMRC’s record-keeping requirement for the self-employed (at least 5 years after the 31 January submission deadline for the relevant tax year). Enquiry data from parties who do not proceed to engagement is deleted within 12 months of last contact.

Reports submitted through the “Report a company” function on this website are anonymous. We do not collect or store the identity of the person submitting the report. Submitted information (company name, sector, and concerns) is used solely for the purpose of regulatory assessment and is handled in accordance with the confidentiality provisions of these terms.

You may exercise your rights under UK GDPR — including the right to access, rectification, erasure, restriction, objection, and data portability — by contacting us at remediation@fairconductoffice.co.uk. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

13. Cancellation and refunds

Either party may cancel an engagement by giving written notice. Where cancellation occurs before work has commenced, the initial payment will be refunded in full within 14 days.

Where work has commenced, fees for work already completed will be retained and any remaining balance refunded on a pro-rata basis. If the completed work exceeds the initial payment received, the outstanding balance remains payable.

14. Complaints

If you are dissatisfied with any aspect of our service, please contact us in writing at remediation@fairconductoffice.co.uk. We will acknowledge your complaint within 5 working days and provide a full response within 20 working days.

15. Governing law

These terms and any engagement entered into under them are governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over any dispute arising from or in connection with these terms.

16. Amendments

We reserve the right to update these terms at any time. The date of the most recent revision is shown below. Existing engagements are governed by the terms in force at the date the engagement contract was signed.

Last updated: March 2026