Non-Financial Misconduct – latest update from the FCA

In December 2025, the FCA published its final plans for regulation of NFM, including the final form of the new rules and accompanying guidance. The result is that from 1 September 2026, there will be no further ambiguity: non-banking SMCR firms will need to appropriately manage incidents of Non-Financial Misconduct; the “…primary responsibility for preventing NFM, and dealing with it when it occurs, rests with firms themselves.”  

We previously explained how in July 2025, the FCA had published its consultation paper setting out its plans Non-Financial Misconduct (NFM) focussed on raising standards, increasing accountability and building trust in the industry.  The FCA asked for views on whether additional guidance would be helpful and 95% of respondents asked for additional guidance to be provided. 

To put this into effect, the FCA has updated its Code of Conduct (COCON) COCON 1.1.7FR and Fitness and Propriety (FIT) provisions and provided guidance to make it easier for SMCR firms to interpret and consistently apply the new rules.

Here are 5 key points employers should be aware of:

1. Outline: 

• The new rules and guidance apply to all SMCR firms – so that’s 37,000 financial services firms, plus banks
• The updates mean that incidents of work related NFM in non banks will be within scope of COCON if either the individual responsible or the subject of the misconduct works in the financial services part of the business
• The updated rules and guidance come into force from 1 September 2026 and will not apply retrospectively

2. Scope:

Serious unwanted bullying, harassment or violence towards a colleague are capable of being a COCON breach. Remember that:  

• a person will only be in breach where they are ‘personally culpable’ (COCON 3.1.3) i.e. their conduct was deliberate, or the standard of conduct was below that which would be reasonable in the circumstances
• disciplinary action for NFM where an accompanying breach of COCON is determined is reportable to the FCA for all SMCR firms

3. Work versus private life and seriousness: 

• Work versus private life: conduct outside the office can trigger regulatory consequences if there is a sufficiently close connection to work that COCON would apply to. So, for example, misconduct at client events, training days, work-related social functions, client or industry events and even whilst on work-related travel is likely to be caught. Misconduct towards family whilst working from home or misconduct at a private party is unlikely to be a COCON breach. Firms will need to consider the conduct on a case-by-case basis and use the FCA guidance to support decision-making.
  
  Note that conduct in an employee’s private life might not be relevant to a COCON breach but could still be relevant to a Certified employee’s or Senior Manager’s fitness and propriety / regulatory reference.
   
• Seriousness: only ‘serious’ incidents of NFM will breach COCON.  When assessing this, firms should weigh factors such as whether the conduct is part of a pattern, its duration, impact on the subject, any seniority/power imbalance, and any other aggravating features.  
  
  Whether or not the misconduct has been the subject of a formal complaint will not be generally relevant to seriousness, but it may be indicative of the effect of the misconduct. 

4. Manager duties: Senior managers are expected to:

• protect staff from NFM and will hold personal accountability for the incident, although this is limited to the level of knowledge that they actually or ought reasonably to have held
• notify staff of the updated standards and take all reasonable steps to ensure that staff both understand and comply with these rules (including warning individuals about their behaviour)
• disclose any information of which the FCA or PRA would reasonably expect notice

5. Regulatory References, FIT and Reporting

Serious, substantiated NFM must be considered in FIT assessments and included in regulatory references.

Remember that not every NFM incident will be a COCON breach so firms must triage and document decisions carefully, with the issue being that NFM which does not breach COCON (e.g. incidents in an employee’s private life or sexual harassment which breaches employment law alone) may still be relevant to an employee’s FIT and regulatory reference.

Related to this, the FCA has confirmed that firms will not be required to proactively monitor employees’ social media accounts.  However, social media interactions and posts will be relevant to any FIT assessment, including where this indicates a material risk that the person will breach regulatory requirements and standards - for example in the form of threats of violence or harassment.

What next?

• Update your policies: clarify the lack of tolerance for bullying, harassment or violence.  For details on how we can help you with this click here
• Make sure staff understand that COCON breaches for NFM resulting in disciplinary action will be reported to the FCA
• Prioritise activities that support a positive and inclusive workplace culture and use employee engagement surveys and HR tracking to monitor progress
• Ensure that grievance and whistleblowing policies are well advertised and a ‘speak-up’ culture is promoted so that conduct issues can be dealt with promptly
• Review annual re-certification processes and the provision of regulatory references, to ensure that these are appropriately adapted to respond to the revised rules