Author: Matt Storey
10 July 2025
A few months ago, we explored how non-financial misconduct (NFM) had moved firmly from an HR issue to a core regulatory priority. We noted that the Financial Conduct Authority (FCA) was signalling a shift in focus, viewing behaviours such as bullying and harassment as critical indicators of firm culture and potential precursors to wider harm. At the time, the industry was awaiting the final rules stemming from the FCA's consultation paper, CP23/20.
That wait is now over!
With the release of its combined Policy Statement and Consultation Paper (CP25/18) on the 26th of June, the FCA has moved from discussion to decision. The package is considerably more focused than the 2023 consultation, but it locks the concept of NFM firmly into the Conduct Rules (COCON) and Fitness & Propriety (FIT) tests. In short, the FCA has moved from “direction of travel” to “rules with an implementation date”. This is no longer a matter of interpretation or future planning; it is a concrete compliance obligation with direct accountability for firms and individuals.
This follow-up blog unpacks the crucial updates from this 80+ page document, helping your preparation for this new area of regulatory scrutiny.
For readers who prefer a deeper dive, we have published an accompanying piece that goes through the entire publication, chapter by chapter, verse by verse.
The FCA is making a final rule to align the scope of its Code of Conduct (COCON) for non-banking firms with that of banks when it comes to NFM. However, it is launching a new consultation on the detailed Handbook guidance for both COCON and the Fit and Proper Test (FIT), seeking further views on whether it is needed and what form it should take. This shows the FCA is committed to the principle but cautious about being overly prescriptive.
The FCA is not proceeding with its original proposals to amend the Threshold Conditions (COND) or to add new guidance to the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook regarding regulatory references. This, combined with the earlier decision to drop the wider Diversity & Inclusion data reporting proposals, results in a more targeted and less burdensome framework than initially conceived.
The new rule will come into force on 1 September 2026, and the rules will not apply retrospectively.
As Sarah Pritchard, Deputy Chief Executive, states in the paper's foreword: “Failure to tackle toxic behaviours drives away good people, prevents staff from speaking up and undermines performance. It damages growth and enables financial misconduct.”
A consistent theme throughout the paper is the regulatory focus on preventing individuals who commit serious misconduct from moving between firms without proper disclosure. While the specific SYSC changes were dropped, the FCA makes it clear that the existing rules on regulatory references are sufficient and expects firms to use them to share relevant NFM information.
| Area | 2023 Consultation (what we reported) | 2025 Final / Updated Position |
| --- | --- | --- |
| Scope of COCON | Serious NFM already in scope for banks; extension proposed for non‑banks | Confirmed. From 1 Sep 2026 bullying, harassment & violence between colleagues are Conduct‑Rule breaches in all SMCR firms. |
| Additional Handbook text | Extensive new material across COCON, FIT, COND & SYSC | Scaled‑back. Only COCON & FIT guidance is still on the table (consultation closes 10 Sep 2025). Proposals to amend COND & SYSC have been dropped. |
| Private‑life conduct | FCA proposed that serious misconduct outside work could affect FIT | Clarified & toughened. Draft FIT guidance says private‑life conduct that risks “damaging public confidence” – including certain social‑media abuse, sexual or violent offences – is likely to make an individual unfit, even if not repeatable at work. Custodial sentences (even suspended) are flagged as presumptively disqualifying. |
| Manager liability | High‑level statements only | New examples spell out what reasonable steps look like (e.g., intervening, operating whistle‑blowing channels, ensuring investigations are impartial). Failure can breach Individual Conduct Rule 2. |
| COCON Rule 1 vs Rule 2 | Grey area | Guidance now separates lack of integrity (Rule 1) from lack of due skill, care & diligence (Rule 2) and explains when each applies to NFM. |
| Cost / Implementation | Industry cost modelled at £303 m (implementation) | Reset to £25 m for the new rule alone; £75 m if guidance is adopted – a 75 % reduction. FCA cites a narrower scope and firms’ existing maturity. |
The core of the policy statement is the confirmation of a new rule that expands the scope of COCON for non-banking firms. The immediate impact of this final rule is the creation of a level playing field. Non-banks no longer have a different, narrower scope for NFM and can now act with the same regulatory certainty as banks.
Currently, COCON rules in non-banks primarily apply to conduct related to a firm's SMCR financial activities. The new rule will expand this to explicitly cover serious non-financial misconduct, such as bullying, harassment, and violence, directed at colleagues and other workforce members, matching the wider scope that already exists for banks.
This change is designed to give firms greater confidence in what is in scope and strengthen their ability to take decisive action when NFM is identified.
While the rule is set, the detailed "how-to" is not. The FCA heard industry concerns that the original draft guidance could diverge from employment law and be difficult to apply consistently. In response, the FCA is now consulting on a revised, more streamlined set of guidance for both COCON and FIT. It is explicitly asking firms whether this guidance is needed at all. The consultation period is open until 10 September 2025.
This presents a critical, final opportunity for the industry to shape the practical application of these rules. The FCA is explicitly asking whether detailed guidance would be helpful or a hindrance, and firms should consider responding to the consultation to make their views known.
If adopted, the new guidance would aim to clarify:
The boundary between work and private life, with examples of in-scope and out-of-scope scenarios.
Factors for determining if NFM is 'serious' enough to breach the rules.
The distinction between a breach of Rule 1 (integrity) and Rule 2 (due skill, care, and diligence), noting that only deliberate or reckless misconduct would typically breach Rule 1.
How NFM in an individual's private life can be relevant to their fitness and propriety, even if it falls outside the scope of COCON rules. The guidance clarifies that firms are not expected to monitor employees' private lives but should act on information that comes to their attention.
The following are not being taken forward:
The proposal to explicitly link NFM and discriminatory practices to a firm's suitability to be authorised has been dropped.
The plan to update guidance on regulatory references has also been shelved, with the FCA stating that the existing rules in SYSC 22 are sufficient to ensure firms disclose relevant NFM.
The FCA has very clearly listened to industry feedback. Dropping the D&I data reporting, COND, and SYSC proposals and reconsulting on guidance demonstrates a pragmatic and proportionate approach. It also shows that the regulator is willing to engage and refine its approach, which is an important message for the market: this isn't regulatory overreach, but a targeted intervention.
One of the most significant operational impacts of this framework is how it moves non-financial misconduct from a centralised HR or Compliance issue into direct line-management accountability. The draft guidance places a huge emphasis on the role of managers, who are now effectively on the regulatory frontline for preventing and responding to NFM. The paper makes it clear that a manager could breach Individual Conduct Rule 2 ("acting with due skill, care, and diligence") for failures in this area. The draft guidance provides a non-exhaustive list of what this means in practice, outlining that managers can be held accountable for:
Failing to take reasonable steps to protect staff from misconduct, including not intervening when they know or should know about it.
Incorrectly operating the firm's own policies and controls designed to prevent such behaviour.
Not taking complaints of NFM seriously or failing to deal with them appropriately.
Failing to take reasonable steps to foster a safe environment for staff to raise concerns.
This creates a clear and personal regulatory risk for managers themselves.
In our original blog, we advocated a framework of Culture, Proactive Strategies, and Reactive Controls. This update reinforces the need for all three, but with a sharper focus.
Culture: The FCA's foreword states, "One of the clearest warning signs of a failing culture is non-financial misconduct...going unchallenged". The final rule provides senior leadership with a stronger mandate than ever to embed a zero-tolerance culture.
Proactive Strategies: While the rules are clearer, the expectation for proactive detection remains. Your communications surveillance and HR analytics should be geared toward identifying the specific behaviours the FCA has now codified as being in scope: bullying, harassment, and discrimination.
Reactive Controls: This is where the update provides the most clarity. The FCA has included two helpful flowcharts to guide firms in determining whether a conduct rule breach has occurred and whether it is reportable. Your investigation framework should be benchmarked against this process. The final rule gives firms, especially non-banks, a more solid and defensible basis for taking consistent disciplinary action.
Instead of a full scorecard, here are five critical questions your firm should be asking in light of CP25/18:
Are we ready for September 2026? Do our policies, training, and internal controls for non-banking entities reflect the newly aligned COCON scope for serious NFM?
Will we respond to the new consultation? Do we believe the proposed COCON and FIT guidance is helpful and proportionate, or would it add unnecessary complexity? The deadline to provide feedback is 10 September 2025.
Is our investigation process aligned? Does our framework for identifying, investigating, and determining a conduct rule breach align with the logic and factors outlined in the FCA's new rule and flowcharts?
Are our regulatory references fit for purpose? Even though the SYSC changes were dropped, the FCA expects firms to use existing rules to stop 'rolling bad apples'. Are we confident that our process for sharing NFM information is robust and defensible?
Have we revised our budget? The FCA's new cost estimate is over 75% lower than the original projection. Have we adjusted our compliance project budgets to reflect this new, more proportionate reality?
| Date | Milestone |
| --- | --- |
| 10 Sep 2025 | Consultation on COCON / FIT guidance closes |
| Q4 2025 | FCA publishes final guidance (if proceeding) |
| 1 Sep 2026 | New COCON rule for non‑banks comes into force; first reportable NFM disciplinary actions under SUP 15.11 |
The FCA has moved from abstract principles to concrete rules. By finalising the COCON rule change, the regulator has provided the certainty the industry needed to act. At the same time, by narrowing the overall package and consulting again on the guidance, it has shown that it is listening to concerns about proportionality.
The focus for firms now shifts from "if" to "how." With a clear deadline of 1 September 2026, the task is to operationalise these requirements, ensuring that culture, controls, and consequences are all aligned to meet the FCA's heightened expectations for conduct and integrity.
Stay tuned as we expect further clarity to follow in the months ahead!