What the FCA's new non-financial misconduct rules mean in practice for financial services employers, employment lawyers and regulated firms from September 2026. The regulatory landscape has shifted and financial services employers need to be ready.

For years, non-financial misconduct (NFM) occupied an uneasy space in financial services regulation. Workplace bullying, sexual harassment and other forms of serious interpersonal wrongdoing were plainly matters of employment law concern, but their status within the Financial Conduct Authority's (FCA) conduct framework remained ambiguous, particularly for firms outside the banking sector. That ambiguity is now, to a considerable degree, resolved.

In December 2025, the FCA published its final Policy Statement (PS25/23) setting out how serious NFM will be treated under both the Code of Conduct sourcebook (COCON) and the Fit and Proper (FIT) regime. The changes will take effect on 1 September 2026. For employment lawyers advising clients in the financial sector, the implications are significant. The guidance does not merely clarify regulatory expectations; it materially reshapes how firms must approach investigations, documentation, manager accountability and the intersection between employment law and regulatory compliance.

From banks to the broader sector: What has actually changed

Prior to these developments, the scope of COCON in relation to NFM for non-bank firms was limited to conduct connected to regulated activities. The FCA's new rule in COCON 1.1.7FR, made in July 2025 but taking effect on 1 September 2026, changes this, bringing non-banks into alignment with the position long applied to the banking sector. It will extend the scope of the conduct rules in non-banking firms to cover bullying, harassment (including but not limited to Equality Act 2010 harassment) or violence against colleagues, where it relates to an individual’s role. From 1 September 2026, serious 'work-related' NFM will be explicitly capable of amounting to a breach of the Conduct Rules for employees and senior managers across a much wider range of regulated firms.

Critically, NFM does not create a new standalone conduct rule. Rather, it expands the range of behaviour that may breach existing rules - in particular Individual Conduct Rule 1 (acting with integrity) and Individual Conduct Rule 2 (acting with due skill, care and diligence), as well as the Senior Manager Conduct Rules. In addition, depending on the circumstances, other Conduct Rules may also be engaged - including the Senior Manager Conduct Rules SC1 (taking reasonable steps to ensure the business is controlled effectively) and SC2, which may be particularly relevant where serious NFM occurs within a senior manager’s area of responsibility. The FCA has also confirmed that the new rules will not operate retrospectively, applying only to conduct occurring from 1 September 2026 onwards.

Defining the scope: What is ‘work-related’?

One of the most practically important aspects of the guidance is its treatment of what makes conduct 'work-related' for the purposes of COCON. The guidance sets out a non-exhaustive list of relevant factors, including behaviour occurring on firm premises, during working hours, at work-related social events, training courses or industry events, or situations in which an individual's role or seniority enabled the misconduct to occur. Social media activity may also fall within scope where there is a sufficient connection to work - for example, where posts target colleagues or form part of a broader pattern of workplace misconduct.

The FCA has included scenario tables and flow diagrams in the guidance to assist firms in drawing the line between work-related and private conduct. In practice, however, this boundary will continue to generate difficult judgment calls. Importantly, only 'serious' NFM will cross the threshold for a Conduct Rules breach - but firms must exercise and carefully document their judgement in reaching that assessment. Firms that make and document a reasoned, evidence-based assessment will be better placed in the event of subsequent FCA scrutiny.

The threshold of seriousness: A framework, not a bright line

The Final Guidance sets out a non-exhaustive framework for assessing whether conduct reaches the required regulatory threshold. Firms are expected to consider three principal dimensions:

1. seriousness (including frequency, duration, the seniority of the perpetrator and the impact on the subject),
2. effect (focusing on the overall impact and whether it was reasonable for the behaviour to have produced that effect), and 
3. purpose (including whether the conduct was intended to violate dignity or create an adverse environment, with attempted conduct also potentially within scope).

Single incidents, physical violence and conduct not directed at a specific individual may each be relevant depending on the circumstances. Misconduct may constitute a breach even where no formal complaint has been made or where the intended effect did not ultimately occur - a point that will surprise employers who have historically - and often incorrectly - treated the absence of a formal grievance as insulating them from regulatory exposure.

Manager accountability: A personal regulatory risk

Employment lawyers will be well-versed in the concept of vicarious liability and the importance of management action in harassment cases. The FCA's guidance introduces a parallel - and in some respects more personal - accountability framework.

Senior managers and people managers carry particular responsibilities under the guidance. Failing to take reasonable steps to prevent, address or escalate serious NFM, or to operate effective policies and controls, may itself constitute a breach of Senior Manager Conduct Rule SC2. The FCA has, however, offered some comfort: managers will not be held responsible where they could not reasonably have known about NFM or where they lacked the authority to act.

This regulatory obligation sits alongside - and does not replace - the duty on employers to proactively take reasonable steps to prevent sexual harassment, which came into force in October 2024 under the Worker Protection (Amendment of Equality Act 2010) Act 2023, and which is expected to be strengthened to a duty to take 'all reasonable steps' from October 2026. The practical consequence is that firms must now navigate multiple overlapping accountability frameworks when addressing serious workplace incidents.

Firms should also be alert to the Government's ongoing reform agenda in this space. The Employment Rights Act 2025 has extended whistleblowing protections to cover disclosures about sexual harassment, meaning that employees who report such conduct may now qualify for protection as whistleblowers. This adds a further layer of complexity - and risk - to how firms handle complaints and any subsequent treatment of the individuals involved.

Fitness and propriety: When private life becomes a regulatory matter

COCON is by nature confined to work-related conduct. FIT already allows firms to consider any relevant misconduct, wherever it occurs, when assessing fitness and propriety. Assessments under the FIT sourcebook are broader, concerned with whether an individual is a person of integrity and suitable to hold a regulated role. The FCA published its Policy Statement PS25/23 to help firms apply COCON and FIT with greater clarity and confidence, though specialist advice will remain important in applying the guidance to specific factual scenarios, particularly in investigation and enforcement contexts. Serious misconduct in an individual's private or personal life may therefore be relevant for senior managers and certified staff where it demonstrates a material risk of future regulatory breaches.

Private life conduct - including social media use - is relevant where it demonstrates a material (meaning more than remote or speculative) risk that the individual will breach regulatory standards in a professional context, or where it is so serious that it carries a material risk of damaging public confidence in the UK financial system. Criminal convictions, particularly where a custodial sentence is imposed, may be especially significant in this regard.

The FCA has confirmed that firms are not required to proactively monitor employees' personal social media activity, and should not automatically assume that private conduct will be repeated at work. The challenge for employers lies in building proportionate processes to capture credible information when it does come to light, without overreaching into employees' personal lives in a way that creates its own legal and reputational risks.

The intersection with employment law: A dual-track challenge

The questions that arise under the NFM framework are not purely regulatory. They intersect with whistleblowing protections, unfair dismissal risk, discrimination law and regulatory reference obligations. The FCA has reiterated that COCON operates separately from employment and equality law, even though the Final Guidance has been refined to better align with those regimes. Regulatory assessments are not intended to replace employment processes but rather to assess conduct through a financial services lens, particularly where behaviour raises concerns about integrity.

The guidance also makes clear that disadvantaging a colleague for engaging with regulators or using whistleblowing channels will generally amount to a breach of the duty to act with integrity - regardless of whether the retaliation comes from a manager or a peer. Employment lawyers will recognise the overlap with protected disclosure law, but the regulatory consequence adds a further dimension of personal liability.

Notification, references and lasting consequences

Where NFM results in disciplinary action constituting a Conduct Rules breach - including formal warnings, suspension, dismissal or remuneration adjustments - firms must notify the FCA via the annual REP008 return, or via FCA Connect for Senior Manager breaches. In more serious or systemic cases, immediate notification obligations under SUP 15 may arise. The distinction between these two regimes is important: the annual REP008 return captures Conduct Rules breaches in the ordinary course, whereas the immediate notification obligation under SUP15.3 is triggered where a matter is significant and unexpected - a trigger that firms frequently misapply. Firms should be aware that a failure to make timely notifications where required may itself constitute a separate breach of regulatory obligations and attract supervisory or enforcement consequences.

Findings of serious NFM may also have lasting consequences for individuals through regulatory references and ongoing fitness assessments. The FCA's longstanding concern about 'rolling bad apples' - individuals moving between firms without their misconduct being disclosed - sits directly behind this aspect of the framework, and firms must ensure their reference processes are both legally sound and consistent.

What firms should be doing now

With September 2026 approaching, the focus must be on operational readiness. Firms and their employment lawyers should be prioritising the following:

• Policy alignment: Updating codes of conduct, dignity at work policies, whistleblowing frameworks, social media policies and disciplinary procedures to ensure NFM is expressly within scope and that seriousness thresholds are clearly articulated.
• Manager training: Providing targeted training for senior managers, HR and compliance teams on their individual obligations and what reasonable steps look like in practice.
• Investigation protocols: Developing robust frameworks capable of navigating the overlapping employment, regulatory and potentially criminal dimensions of serious NFM cases, with clear and consistent decision-making.
• Documentation: Building strong decision logs and audit trails, particularly where disciplinary outcomes may trigger regulatory notification obligations.
• Regulatory references: Reviewing reference processes to ensure NFM is considered consistently, lawfully and with clear justification for what is and is not disclosed.

Firms must also factor in the significant changes to unfair dismissal law introduced by the Employment Rights Act 2025. Two changes are particularly relevant in the context of NFM:

1. First, the qualifying period for unfair dismissal protection will be reduced from two years to six months -- meaning that employees dismissed following NFM-related disciplinary processes will far more readily be able to bring tribunal claims, even where they are relatively new to the business.
2. Second, the removal of the statutory cap on compensatory awards for unfair dismissal awards has fundamentally altered the financial risk profile of poorly handled dismissals. It is worth noting that the same evidence base gathered during an NFM investigation is likely to face scrutiny in both any employment tribunal proceedings and any FCA enforcement context - reinforcing the importance of rigorous and contemporaneous documentation from the outset.

Together, these reforms significantly raise the stakes of getting NFM investigations and disciplinary decisions wrong, and reinforce the importance of consistent, well-documented process.

Conclusion

The FCA's Final Guidance marks a genuine shift in how financial services regulation treats workplace culture and behaviour. What was once handled quietly - through informal departures, absent references and undisclosed warnings - is now subject to a framework that attaches personal regulatory consequences to serious NFM and to the managers who fail to address it.

The framework is also deliberately joined up. The extension of COCON to non-bank firms, the alignment of fitness and propriety assessments with conduct at and beyond the workplace, and the reinforcement of notification and reference obligations together close gaps that have historically allowed serious misconduct to go unaddressed and undisclosed.

For employment lawyers, the practical challenge is navigating a landscape where regulatory obligations and employment law do not always point in the same direction. Getting that navigation wrong - whether through inconsistent decision-making, inadequate documentation or poorly handled investigations - carries consequences on both tracks simultaneously.

The firms that will fare best under this framework are not necessarily those with the most detailed policies, but those that have genuinely embedded the right standards into how their managers think and act when things go wrong. That is a harder thing to build than a policy document, and September 2026 is closer than it looks.