1. What’s new in a nutshell?
On 2 July 2025, the FCA issued its latest paper on non-financial misconduct (NFM) – CP25/18 – which includes both:
- a Policy Statement regarding a change to its Code of Conduct (COCON); and
- a Consultation on additional guidance in the COCON and the Fit and Proper Test for Employees and Senior Personnel (FIT) sourcebooks.
The paper reinforces the FCA’s expectation that all firms must embrace and evidence strong cultural values to avoid disciplinary sanction. Headlines are as follows:
- The FCA is expanding the scope of COCON in non-banks with effect from 1 September 2026.
- The FCA is consulting on new guidance for banks and non-banks to assist in applying COCON and FIT in relation to NFM with responses due by 10 September 2025.
We summarise the key points from the paper below.
2. What is the new rule?
The FCA previously consulted on making a change to COCON to more closely align the rules on NFM in banks and non-banks on the basis that, as matters stand, the range of circumstances in which NFM in non-banks amounts to a breach of COCON is narrower than for banks. The reason for this is that the scope of COCON is relatively wide in banks, applying to the performance of any functions relating to any activities carried on by the firm. However, in non-banks, COCON applies primarily to conduct which is part of or for the purpose of the firm’s regulated activities. The Policy Statement confirms that the proposed expanded scope of COCON for non-banks in the case of “harassment and similar conduct” will apply from 1 September 2026 in a new rule at COCON 1.1.7FR. This will make clear that serious misconduct such as bullying, harassment and violence towards a colleague which violates their dignity or creates an offensive environment is a matter of regulatory concern in both banks and non-banks.
The FCA expects the rule change to increase notifications of conduct rule breaches for NFM because more NFM incidents in non-banks will come within scope of the rules. However, the FCA recognises some limitations on the application of COCON:
- conduct is excluded if it “clearly only” relates to “a part of the firm’s business” that does not carry on regulated activities or other SMCR financial activities (which includes activities connected with or for the purpose of a regulated activity). This appears to seek to create a distinction between how NFM will be treated in firms which are structured to separate their regulated and unregulated activities into different parts of the business and those where regulated and unregulated activities are more mingled. The guidance provides an example scenario involving the HR team. If the HR team covers the entire workforce “without separating the parts that deal with the firm’s financial services business and its other business” then a member of that team will be in scope. However, if the firm separates its HR function with one team dealing only with those working in its financial services business and another team dealing with those in the other parts of the business, then those in the team that only cover the non-financial services business “may” be outside scope;
- conduct in private or personal life is outside scope of COCON (unlike FIT). The guidance on which the FCA is consulting seeks to provide some assistance for firms in drawing the boundary between the work and personal / private realms.
3. Is there any new guidance on the application of the Code of Conduct?
The paper sets out proposals for some new Handbook guidance on NFM in relation to (i) the application of COCON; and (ii) assessing fitness and propriety (in the FIT sourcebook). The new guidance, which is amended from the version on which the FCA previously consulted in CP23/20, would be relevant to both banks and non-banks. The deadline for responses is 10 September 2025.
The paper notes that there was strong support for the FCA’s proposals to provide Handbook guidance on how NFM can be a breach of the conduct rules and that most respondents said that this would lead to a more consistent approach across industry. In terms of changes from the previous draft, the proposed COCON guidance has been: (a) more clearly aligned with employment law; and (b) updated with new material and additional examples, incorporating many suggestions from respondents. The guidance covers, amongst other things:
- the scope of COCON, with examples of scenarios illustrating the boundary between work and private or personal life, for example:
  - misconduct towards a colleague at a social occasion organised by the firm would be in scope but if the occasion was organised by a staff member in a personal capacity it would not unless the organiser was a manager or it was a continuation of a firm event;
  - the extent to which a social media post may be relevant will depend on a number of factors such as whether it is directed at a colleague; whether there is another connection with work; whether a work device or the firm’s systems are used (although uploading at work is not a strong indicator of being in scope);
- the application of COCON in non-banking firms with both regulated and unregulated activities confirming that conduct is not in scope of COCON just because it is carried on in relation to an activity which is connected with a regulated activity (one of the examples given of a scenario involving conduct outside the scope of COCON (but not FIT) involves a firm whose main business is selling cars but which also has permission for insurance distribution activities where an employee commits a serious driving offence while moving a car);
- guidance on the distinction between breaches of Individual Conduct Rules 1 (integrity) (ICR1) and 2 (due skill, care and diligence):
  - a new example has been added to the list of types of conduct that would be a breach of ICR1 involving subjecting a fellow member of the workforce to detriment for making a regulatory notification or using the firm’s whistleblowing procedures; conduct will only be a breach of ICR1 if it involves a lack of integrity; some guidance has been provided on certain circumstances such as where the person did not intend to have a negative impact on their colleague; and
  - a manager could be in breach of ICR2 if they don’t take reasonable steps to try to prevent harassment and certain other kinds of misconduct and examples of conduct that would be a breach of ICR2 include failing to intervene to stop such behaviour; detection failures; failing to deal appropriately with complaints; failing to provide a safe environment for raising concerns (taking into account factors such as what is reasonable and the firm’s policies and procedures);
- material about the factors for determining whether NFM is serious enough to amount to a breach which includes taking account of the impact on the subject of the conduct and whether it was “serious and marked” and the characteristics and perceptions of the relevant individuals including the extent to which the perpetrator has control or influence over the subject’s career and vulnerabilities of the subject.
4. What about assessing fitness and propriety of employees?
The draft guidance also explains in more detail how NFM forms part of FIT, including that conduct that takes place in private or personal life and other activities outside the regulatory system can be potentially relevant to an assessment of fitness and propriety where it shows there is a risk that the person will not comply with regulatory requirements or where it would breach regulatory requirements if repeated in the workforce, such as conduct that is dishonest or lacks integrity, violence or sexual misconduct. Repeated minor breaches of law/standards may also be relevant. For example, a minor driving offence will not normally be relevant to fitness and propriety but repeated offences may be.
Firms would need to consider whether conduct outside work demonstrates a willingness to disregard ethical or legal obligations, abuse a position of trust or exploit the vulnerabilities of others or whether it could undermine public confidence in the regulatory system if the person was permitted to work at the firm.
The FCA confirms that it does not expect firms to generally monitor employees’ private lives. A firm need only look into the private life of staff being assessed if there is good reason (such as if there have been allegations). The FCA also accepts that, where a firm is aware of an allegation relating to private life, it may be more appropriate for authorities to investigate and that it is likely that firms will often rely on formal findings such as any criminal convictions or other judicial outcomes. However, the FCA reminds firms that they should consider what steps they can reasonably take to investigate potential impacts on fitness and propriety, such as asking staff members for an explanation, and that notifications to the FCA may be required even if the firm has not been able to determine whether misconduct has occurred.
Guidance is also provided in relation to the use of social media in private life and suggests that this will be relevant where it indicates a real risk that the person will not comply with regulatory requirements, such as threats of violence or clear involvement in regulatory activities. However, a person can lawfully express controversial or offensive views without impacting their fitness and propriety, even if this upsets colleagues, and monitoring of employees’ social media by firms is not necessary.
5. What should firms do?
Considerations for firms are likely to include:
- How best to integrate the new rule into existing policies and procedures and how it will apply to the firm taking into account its internal organisation and any separation of regulated and unregulated activities;
- Whether to respond to the consultation and what points to make. Given the high stakes involved in making mistakes in this area, firms have a clear interest in ensuring that any guidance is as clear as possible and provides sufficient assistance without unduly fettering the firm’s ability to deal with incidents on a case-by-case basis. One useful exercise may be to consider how the guidance would have applied to real-life scenarios of which the firm has experience, particularly in more complex areas such as bullying, conduct outside work and conduct which may not have a clear connection with regulated activities. Also consider how this guidance would impact on existing policies and procedures and whether there are any inconsistencies or gaps;
- The extent to which any enhancements to the firm’s existing guidance and support framework or training could be implemented at this stage given the draft guidance may be viewed as reflecting the FCA’s current expectations. As part of this exercise firms may want to reflect not only on mitigating the risk of NFM occurring but also on how they could evidence that they have in place adequate arrangements around the escalation and detection of concerns; appropriate investigation of any incidents and determining outcomes in accordance with regulatory expectations including from a governance and record-keeping perspective.
Please do reach out to any of the authors if you would like to discuss the paper or NFM more broadly.