FCA CP25/18: Tackling Non-Financial Misconduct in Financial Services 

Executive summary

The FCA published CP25/18 Tackling non-financial misconduct in financial services (“CP 25/18”)  on 2 July 2025, introducing long awaited rules on the thorny matter of non-financial misconduct (NFM). In short, the rules extend the scope of Code of Conduct (COCON) to cover serious NFM in non-bank firms and clarifies the FCA’s expectations in treating workplace misconduct such as bullying, harassment, and violence as regulatory breaches rather than purely matters of employment. The FCA is also consulting on additional guidance to support its rules here, in both CONCON and the Fit and Proper (FIT) chapters of the FCA handbook. 

Background 

Regulatory Inconsistency Between Banks and Non-Banks

The FCA has been wrestling with the question of how to address NFM in the round – including following criticism and indeed pressure from certain quarters. In CP25/18 it, amongst other things, identified a misalignment in how NFM is treated across different types of financial firms and, further, was concerned about preventing “rolling bad apples” – individuals with a history of serious NFM who move between firms without their past misconduct being disclosed.

As Sarah Pritchard, the FCA’s deputy chief executive, stated: “Too often when we see problems in the market, there are cultural failings in firms. Behaviour like bullying or harassment going unchallenged is one of the reddest flags – a culture where this occurs can raise questions about a firm’s decision making and risk management”.

Industry Feedback and Regulatory Clarity

Following the FCA’s 2023 consultation (CP23/20), there was reportedly support for addressing NFM as a regulatory issue though greater clarity was required on when it would constitute a breach of FCA rules. The small issue of how the rules sat with employment and equality laws also required clarification. 

Proposed changes

1. New Rule: COCON 1.1.7FR (Effective 1 September 2026)

The FCA has confirmed a final rule extending the scope of COCON to non-banks and defines NFM as unwanted conduct that has the purpose or effect of:

• Violating a person’s dignity
• Creating an intimidating, hostile, degrading, humiliating or offensive environment
• Conduct that is violent towards a colleague

2. Enhanced regulatory references

Serious, substantiated cases of poor personal behaviour will now need to be shared through regulatory references; similar to how financial misconduct is currently reported. This aims to mitigate the rolling bad apple risk.

3. Consultation on additional guidance

COCON

The FCA is consulting on draft guidance to help firms interpret and apply consistently the new rules, covering:

Boundary between work and private life

CONCON proposals to include guidance in clarifying relevant NFM, including:

• Whether misconduct occurred on firm premises or during work-related activities
• The involvement of colleagues, clients, or professional contacts
• The use of work equipment or systems
• Whether incidents occurred at business events (formal or informal)

Severity Assessment

The proposed guidance emphasizes that not all misconduct will breach COCON – it must be “serious”. Firms need objective criteria to assess:

• The impact on workplace culture and psychological safety
• Whether the conduct was reasonable in the circumstances
• The individual’s position and responsibilities within the firm
• Any mitigating or aggravating factors

Reasonable steps – Manager Obligations

Under Individual Conduct Rule 2, managers may breach their obligations by failing to prevent harassment or misconduct. This creates specific responsibilities for:

• Managers of perpetrators to take appropriate preventive action
• Managers of victims to provide adequate support and protection
• Senior managers to ensure effective systems and controls are in place

FIT  

Whilst the rules do not require firms to monitor the private lives of staff, firms may need to do so where there is a good reason; for example, in investigating an allegation related to matters of fitness and propriety. 

Similarly, conduct in personal or private life may be relevant if it demonstrates a willingness to disregard ethical or legal obligations, abuse a position of trust, or exploit vulnerability of others and is sufficiently serious that it could undermine public confidence in the regulatory system. 

Proposed FIT guidance also includes specific consideration of social media activity by employees where exhibited behaviour is likely to be relevant (to FIT) if it indicates a “real risk the person will breach the requirements of standards of the regulatory system”. 

Proposals discarded 

The FCA has decided not to proceed with several originally proposed measures:

• Broader Diversity & Inclusion reforms (dropped in March 2025)
• Amendments to Threshold Conditions (COND) – which had proposed to include considerations of NFM in the FCA’s assessment of a firm’s suitability to conduct regulated activities
• Changes to Senior Management Arrangements, Systems and Controls (SYSC) which updated guidance on regulatory references. IN the final analysis the FCA considered the current rule-making addressed sufficiently firm obligations here, including the very broad requirement to share any other information of relevance (Question G) which will mean, in effect, that the disclosure of serious NFM will be required. 
• Mandatory D&I data reporting

Scope and timeline

The changes will:

• Apply to all FSMA firms with Part 4A permission 
• Come into force on 1 September 2026
• Not apply retrospectively

The consultation on additional guidance remains open until 10 September 2025, with the FCA planning to set out its final regulatory approach by the end of 2025. 

Actions for firms

1. Near term 

• Consider the review existing policies and procedures ahead of the formal implementation date, so that they align with new NFM expectations. The material change sought here a cultural one, not merely one of process or procedure
• Review internal conduct policies, to ensure they explicitly address bullying, harassment, and violence
• Train staff, particularly managers, on new accountability requirements

2. Ongoing obligations

• Prepare process and policies to allow the reporting of disciplinary actions arising from NFM breaches to the FCA
• Include NFM in regulatory references when recruiting or promoting staff
• Assess fitness and propriety considering NFM, including conduct outside the workplace

3. Manager accountability

The proposed guidance emphasises that managers can breach Individual Conduct Rule 2 (acting with due skill, care, and diligence) for failures including:

• Failing to intervene when aware of misconduct
• Not taking complaints seriously or failing to deal with them appropriately
• Failing to operate firm policies designed to prevent misconduct

As such, apprising the governing body of the new rules in addition to a formal programme of training is recommended. Setting the right tone from the top, including creating a environment where staff feel safe to raise concerns remains a key cultural objective for the FCA. 

Closing remarks

The FCA’s efforts here are laudable but not without complication, and not only because of the sensitivity of the topic. The ambition is to affect genuine cultural change rather than just meeting minimum compliance requirements, as the FCA has made clear that failures in this area will be treated as seriously as any other regulatory breach. However, the lengthy, overlapping gules and guidance laid out between CONCON and FIT give compliance teams much to consider. The FCA is encouraging the industry to engage on the topic and firms should take advantage of the consultation period to influence the final guidance by responding to it directly or via industry body forums.