FCA finalises UK non-financial misconduct rules with clearer scope and expectations for 2026

The Financial Conduct Authority (FCA) has published its final policy statement on non‑financial misconduct (NFM) that confirm FCA Handbook amendments and new guidance in the Code of Conduct for Staff sourcebook (COCON) and the Fit and Proper test for Employees and Senior Personnel (FIT). These take effect on 1 September this year, alongside the rule at COCON 1.1.7FR for non‑bank firms which was made previously but is yet to come into force.

The package is intended to give firms practical clarity and confidence in applying standards to serious workplace misconduct and is supported by worked examples and flow diagrams. 

Aligning banks and non-banks without rewriting scope

In July 2025, the FCA confirmed in its consultation paper on tackling non-financial misconduct in financial services (CP25/18) the introduction of a new "scope" rule for non‑bank Senior Managers and Certification Regime (SM&CR) firms so that serious work‑related misconduct between colleagues, such as bullying, harassment or violence can fall within COCON. (Bullying and harassment are the FCA's "shorthand" terms for any unwanted conduct with the purpose or effect of violating a colleague's dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for them.)

The rule applies to relevant individuals both in respect of their regulated activities and their non-regulated activities. The final policy statement (PS25/23) on tackling non‑financial misconduct in financial service publishes the accompanying finalised guidance to support application of the rule.

Crucially, the FCA clarifies how the framework works across firm types. While the new scope rule at COCON 1.1.7FR specifically applies to non‑banks, the FCA applies the same definitional limb describing the type of conduct to banks as guidance, so that banks can use it to determine breaches of individual conduct rules 1 and 2 in cases of bullying, harassment or violence. This is designed to drive consistency for all SM&CR firms without rewriting the existing broader scope of COCON for banks.

The FCA has introduced extensive flow diagrams in new COCON 1 annex 2 on “who, what, where” questions to determine whether COCON applies at all, not just in the context of NFM, and in COCON 4 annex 1 to determine specifically whether the new NFM COCON rule applies and to guide users step by step through scope and breach analysis.

The handbook also adds a table of private‑life versus work‑related scenarios, making it clear that the focus of COCON is in relation to role performance and new shared‑function examples (for instance, internal audit across financial and non‑financial businesses) to illustrate the exclusion for conduct that clearly only relates to non‑financial services parts of a business. For example, if neither the offending individual or the subject of the misconduct works in the part of the internal audit function that does not deal with the financial services business. 

Only 'serious' misconduct

The guidance emphasises that only "serious" misconduct meets the rule’s threshold, aligning seriousness with concepts used in the Equality Act, and sets out factors the FCA will consider, including pattern, duration, impact on the subject, relative seniority and whether conduct could justify dismissal or is criminal. Purpose matters as well as effect, and a hostile communication can breach the rule even if intercepted before receipt.

There is targeted alignment with employment law while preserving regulatory distinctions: for example, the FCA confirms that harassment of colleagues can breach individual conduct rule 1 (integrity) if it is deliberate or reckless or individual conduct rule 2 (skill, care and diligence) if it is not, and that managers’ responsibilities to try to prevent harassment are calibrated to their individual knowledge and authority, not strict liability.

The FIT guidance explains how NFM and other behaviour (at work or in private life) may be relevant to fitness and propriety. Firms are not expected to investigate trivial or implausible allegations or breach privacy law nor to proactively monitor social media. They  should not assume that private conduct will be repeated at work; however, conduct that indicates a material risk of regulatory breaches at work, or that is sufficiently serious to risk damaging public confidence or is otherwise inconsistent with the FCA's statutory objectives, can be relevant.   

The FCA has also removed or refined problematic examples, including prior references to frequently repeated minor motoring offences as a fitness example, and has clarified that firms are not expected to apply the FCA’s statutory objectives as a stand‑alone fitness criterion.

The FCA states that this publication “brings our policy work on NFM to a close,” with implementation the next focus. 

Consistency, culture and confidence in decision-making

The guidance aims to reduce uncertainty and increase consistency in how firms assess NFM under COCON and FIT, while avoiding disproportionate burdens. The FCA expects improved governance, culture and risk management, more consistent decision‑making, and better outcomes for markets and consumers.

On manager accountability, the guidance clarifies expectations and limits: managers should take reasonable steps to prevent and respond to NFM, with the FCA assessing reasonableness against factors such as their individual knowledge and authority and firm policy allocations. This is designed to avoid disproportionate personal exposure while underpinning cultural standards.

On private life and social media, the FCA sets a materiality threshold keyed to risk of breach or impact on public confidence, confirms no proactive monitoring requirement, and cautions against automatic assumptions of workplace repetition. Lawful expression of controversial views in private life does not automatically call fitness into question, though it may be relevant on the same basis as any other private conduct. 

What next?

The rule and guidance apply to all the Financial Services and Markets Act 2000 part 4A permission holders and their employees and individuals that are subject to COCON and FIT. They do not extend to firms without a part 4A permission such as certain payment services or e‑money providers and financial market infrastructures.

Firms will want to now map applicability by entity and staff category. The Prudential Regulation Authority is not taking forward any of the proposals in its 2023 consultation (CP18/23), including those on staff fitness and propriety, but will expect dual-regulated firms to consider the FCA guidance when assessing those.

By 1 September, firms will need to complete policy updates, staff training, governance calibrations and implementation planning, using the flow diagrams and scenario tables to embed consistent triage and decision‑making. Historic incidents remain governed by the rules in force at the time; no retrospective reassessment is expected.

With the FCA’s NFM policy work now complete, supervisory focus will shift to how firms implement and apply these standards in practice. 

Osborne Clarke comment

The FCA's guidance, including its scenario tables and revised examples should materially improve internal triage when incidents happen, especially on shared functions, manager responsibilities, social media and where there are questions around the boundary between work‑related and private conduct.

The FCA's flow diagrams are also useful (indeed COCON 1 annex 2 is useful for all potential COCON breaches) when it is not immediately obvious that COCON and the new COCON NFM rule might be engaged; for example, if the conduct is performed by an individual employed by a UK firm but the conduct occurs outside of the UK or if the conduct involves an individual who does not conduct regulated activities at all.

If the question under consideration is whether there has been NFM, firms should go straight to the flow diagrams in COCON 4 annex 1 and do not need first to consider the flow diagrams in COCON 1 annex 2. What the flow diagrams do not do, of course, is to determine whether the conduct is such as to amount to a breach of the new COCON NFM rule, nor whether as a result there has been a breach of rule 1 (integrity) or rule 2 (due skill, care and diligence).  Such determinations remain an exercise of judgement on the part of the firm.

We recommend that, as part of preparing for the new COCON NFM rule going live, including preparing their policies and investigation protocols and training for conduct rules staff and managers, firms test a small number of recent cases against the new guidance to validate their approach .

If you would like help navigating the new COCON and FIT guidance on non‑financial misconduct and its impact on your policies, training and case handling, please contact our team.