Culture is at the heart of how the FCA authorises and supervises firms and equally at the heart of how firms behave, make decisions and treat their customers.
Although culture comes in many guises, poor workplace culture consistently leads to similar outcomes – consumer harm, regulatory breaches, damage to market integrity and lasting reputational harm for firms.
Tackling poor culture and misconduct has been high on the FCA’s radar for many years and has now been reinforced through PS25/23: Tackling non-financial misconduct in financial services. In it, the FCA provides final guidance on how serious non-financial misconduct such as violence, harassment and bullying may constitute a regulatory breach (COCON 1.1.7FR). The policy applies to non-bank SMCR firms from 1 September 2026 and does not have to be applied retrospectively.
The FCA’s approach reflects a broader shift towards holding individuals accountable for behaviour that undermines trust, integrity and market confidence. This policy should be viewed as both a compliance obligation and a cultural risk management tool, ensuring that governance, escalation and oversight arrangements are robust ahead of the 2026 implementation date.
This policy provides welcome clarity for firms on how the new rules will operate in practice, including whether an employee’s conduct outside of the workplace, such as in their personal life and on social media, might impact their fitness and propriety. It also explains how non-financial misconduct forms part of the Fit and Proper test for employees and senior management (FIT).
Under the new requirements, an employee’s conduct outside of the office could fall within scope if there is a close connection to their work, such as their behaviour at a firm or industry event, client meeting, or social function related to work. The FCA has also said that conduct in private life may be relevant if it creates a material risk that the individual will breach regulatory standards and requirements, or damage public confidence in the UK’s financial system and financial services industry.
Breaches of COCON will only relate to serious incidents. Firms should assess issues appropriately, taking into consideration whether the incident is isolated or repeated, the impact on those involved in the matter and the seniority of the individual committing the alleged misconduct.
Firms will be obliged to consider non-financial misconduct as part of FIT assessments and disclose instances of serious and confirmed misconduct in regulatory references for individuals. While a senior manager or certified individual’s conduct in their private or personal life may not be a COCON breach, it could be relevant to their fitness and propriety assessment and be reportable in a regulatory reference, for example if they were dishonest, displayed a lack of integrity or disregard for legal requirements, or exploited others who are vulnerable or trusted them.
Where disciplinary action is taken for a non-financial misconduct breach, the FCA must be advised.
Firms should also update their policies, fit and proper assessment templates and disciplinary procedures to incorporate the new requirements. They should also ensure that conduct staff are informed of the new requirements and that they understand how to apply them. Boards should maintain clear oversight over breaches and the culture of their firms.
If you would like support or guidance on the new requirements, please don’t hesitate to get in touch.