Redrawing the lines: the FCA's plan to tackle non-financial misconduct

What matters

The FCA has unveiled updated Code of Conduct rules which mark a significant shift in how non-financial misconduct is regulated across the financial services sector. Whilst subject to consultation, the accompanying draft guidances provides some clarity on the intended scope of the rules and how firms should interpret and apply them in practice.

What matters next

With the new rules taking effect from 1 September 2026, firms must act now to ensure they are ready. This will mean reviewing internal policies, updating training programmes, and equipping managers with the tools to identify and address non-financial misconduct.

The Financial Conduct Authority (FCA) has finally revealed its highly anticipated update to its Code of Conduct rules to better address non-financial misconduct across the financial sector. What changes have been made and what impact will they have?

Key changes to COCON

The revised Code of Conduct (COCON) rules will have effect from 1 September 2026 and have been launched alongside a consultation on draft guidance to complement the rules, which is open until 10 September 2025.

We have known for some time that the FCA consider that non-financial misconduct (NFM) is misconduct but, until now, it has been unclear what specific types of behaviour might amount to a breach of the conduct rules. Under the updated COCON rules, serious bullying, harassment and violence will now be reportable, and the rules will be extended to capture non-banks where the Senior Managers and Certificate Regime applies. This includes hedge funds, insurers and pension companies and means that more companies then ever will be required to report NFM.

With language reminiscent of harassment provisions under the Equality Act 2010 (EqA 2010), where the conduct of an individual subject to COCON against another person working for the firm:

  • has the purpose or effect of violating the other person’s dignity, or 
  • has the purpose or effect of creating an intimidating, degrading, humiliating or offensive environment for the other person, or
  • is violent towards another individual,

it will be a NFM issue. However, unlike the EqA 2010, this will not be limited to conduct relating to a relevant protected characteristic, meaning bullying on any grounds will be captured, albeit if an individual subject to such behaviour has a protected characteristic, this will likely have a bearing on how seriously the conduct is viewed.

Two factors will be relevant in determining whether an individual’s conduct has violated another person’s dignity: the perception of the subject of the misconduct and whether it was reasonable for the conduct to have had that effect. No breach will therefore occur if the individual did not feel their dignity was violated, or if it was unreasonable to conclude that it was.

New guidance on COCON

As part of CP25/18: Tackling non-financial misconduct in financial services, the FCA has proposed draft guidance on NFM which, if adopted, would take effect alongside the COCON changes and assist firms in interpreting the updated framework. In particular:

Scope of COCON

The draft guidance confirms that COCON only captures “serious” NFM and sets out various factors which will be relevant to deciding what behaviour is in scope. This includes (but is not limited to) whether the conduct occurred on the firm’s premises, whether the conduct was committed using work equipment, whether the conduct arose in a business context (e.g., an official or informal event organised or supported by the firm, whether held at the firm’s premises or another location) and the individual’s position.

Work versus personal life

It has been made clear that conduct in an individual’s private or personal life is generally out of scope. However, the guidance provides illustrative examples to assist firms with interpretation. While not exhaustive, the table highlights that the following acts would generally be out of scope:

  1. misconduct by an individual in relation to a family member while they are remotely working for the firm;
  2. misconduct by an individual in relation to a member of the public while the individual is commuting to their place of work;
  3. misconduct by an individual in relation to a fellow member of the workforce at a social occasion organised by the individual or another member of the workforce in their personal capacity. However, firms should approach such scenarios with caution as the conduct may still be captured where the social event is a “continuation” of a firm event, meaning the two are “connected”, an area likely to present interpretive challenges for firms.

Notwithstanding the above, individuals should understand that such conduct may still be relevant to an assessment of their fitness and propriety.

Integrity and due skill

The draft guidance clarifies how bullying, harassment or violence will constitute a breach of Rule 1 (you must act with integrity). However, such behaviour will be outside of scope if the individual thought there was a good and proper reason for the conduct, that the conduct and its effect were proportionate to the intended aim of the conduct, and if they did not intend to have a negative impact, did not know they were doing so and were not reckless about the effect of their conduct.

There is also an increased expectation on managers under the draft guidance, who will be in breach of Rule 2 (acting with due care, skill and diligence) where they fail to take reasonable steps to protect staff against bullying, harassment and violence. This includes where they fail to properly operate the firm’s policies, systems and controls, or fail to take seriously, intervene or deal appropriately with complaints of bullying and harassment, reflecting a greater emphasis on individual managerial accountability.

Fit and Proper Assessment

Where firms are required to carry out fit and proper assessments (FIT) in respect of senior managers and certified staff, the guidance indicates that the scope of conduct considered as part of this assessment would be wider than for COCON breaches, meaning matters concerning an individual’s personal life may be captured. However, the guidance suggests this will be considered on a case-by-case basis and that factors like the seriousness of the breach, the vulnerability  of those affected by the breach, whether the breach involved dishonesty, the individual’s seniority, evidence of rehabilitation, patterns and the relevance of the breach to the individual’s role would all be considered in determining if a person is fit and proper.

The following examples of NFL will also be relevant to FIT:

  • whether the individual is dishonest or shows a lack of integrity;
  • violence or sexual misconduct;
  • criminal offences result in a custodial sentence;
  • where an individual demonstrates a willingness to disregard ethical or legal obligations, abuse a position of trust, or exploit the vulnerability of others;
  • where an individual’s conduct is sufficiently serious such that, were that person permitted to work at a firm, it could undermine public confidence in the regulatory system;
  • social media activity – while an individual can, in principle, express controversial personal views without calling into question their fitness, if such activities indicate a real risk that the individual would be in breach of regulatory requirements, this will be relevant. Examples include  threats of violence or having clear involvement in criminal activities

Despite this, the guidance makes clear that firms are not expected to monitor the private lives of its staff subject to FIT and that in most cases where concerns arise, it will likely be more appropriate for the relevant law enforcement to investigate. However, where a firm does become aware of an allegation, it should consider what steps it can reasonably take to investigate and assess the possible impact on the individual’s fitness and propriety.

What can firms be doing?

Sarah Pritchard, the FCA’s Deputy Chief Executive, warned how a “failure to tackle toxic behaviour drives away good people, prevents staff from speaking up and undermines performance. It damages growth and enables financial misconduct”. It is hoped that tackling NFM will, amongst other things, help prevent the development of workplace cultures that facilitate wrongdoing and regulatory breaches, attract and retain a wider and more diverse range of talent in financial services, foster psychologically safe workplaces, and uphold regulatory standards and public confidence in the financial sector.

With the new COCON rule taking effect on 1 September 2026, firms should ensure they are prepared. The rule is not intended to apply retrospectively but it remains to be seen how historic misconduct uncovered after implementation will be treated.

Key preparatory steps include:

  • reviewing and updating existing policies and procedures, including any DEI and anti-bullying and harassment policies;
  • notifying conduct rules staff about the updated rules;
  • providing updated training on anti-bullying, harassment and COCON obligations;
  • delivering bespoke training to managers on preventing and addressing NFM.

As the boundaries of misconduct in financial services are redrawn, firms should ensure they are actively cultivating cultures of integrity and accountability, ensuring they are prepared, not exposed, when regulatory scrutiny intensifies.

Disclaimer

This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.

 

Insights

Read the latest articles and commentary from Shoosmiths or you can explore our full insights library.