Since our July update, momentum on the FCA and PRA’s Senior Managers & Certification Regime (SMCR) reforms has continued to build. The regulators have signalled that final rules on the extension of non-financial misconduct provisions are expected by the end of Q4 2025, with implementation likely from mid-2026. Firms are already beginning to review culture, governance and conduct policies in anticipation.
TL;DR: The FCA has published a combined Policy Statement and Consultation Paper on non-financial misconduct ("NFM"). Broadly, it has two parts: (1) a new final rule applicable to non-bank SMCR firms which brings NFM within scope of COCON and comes into force from 1 September 2026, and (2) a consultation on proposed NFM-related Handbook Guidance, which closes on 10 September 2025. We're doing a 30 minute webinar at 1:30pm UK time on Monday 7 July covering this Paper and the key points for firms to consider. Click here to register.
1. Policy Statement and Final Rules - COCON 1.1.7F (page 51 of CP 25/18)
The FCA’s most recent speeches – including remarks from the Director of Enforcement in September – underline that addressing bullying, harassment and other non-financial misconduct remains a top supervisory priority. Consultation feedback has highlighted industry support for clearer expectations on investigation standards and governance reporting, which are expected to be reflected in the final rules.
Who does the new rule apply to? The new rule extends the scope of COCON for non-bank SMCR firms. This seems strange on the face of it; the FCA's Paper suggests that the existing rules for banks are currently broad enough to include NFM and so this is seeking to align the position between bank and non-bank SMCR firms. In all honesty, we find this distinction slightly strange given the broader contents of the rule and the wording of proposed Handbook Guidance, but we would appreciate your views on this too. Despite its application, we still think banking SMCR firms will be interested in the contents of the rule.
What is the new rule trying to achieve? The FCA has said the new rule makes it clear that "serious misconduct such as bullying, harassment and violence is a matter of regulatory concern". The new rule is expected to align the scope of COCON in relation to NFM matters across the industry to ensure consistent and robust action is taken by all relevant SMCR firms. The FCA has sought to align the rule more closely with employment law to reduce unfair outcomes, but it is keen to remind firms that the Conduct Rules are distinct from employment law and employers' internal disciplinary codes. The FCA expect an increase in reportable NFM related Conduct Rule breaches as a result of this change, albeit in the longer term they hope that the number of incidents reported falls as firms continue to take proactive steps to prevent NFM from occurring in the first place.
What does the new rule say? There are some key elements to it:
The rule extends the scope of COCON beyond the existing rules for non-banks (approximately 37,000 firms).
NFM itself is not a defined term in the final rules. However, the FCA states that "the kind of conduct" within scope of COCON is "unwanted conduct" which has "the purpose or effect of violating an individual's dignity, or creating an intimidating, hostile, degrading, humiliating or offensive environment for the individual" or is conduct that is "violent". The first limb aligns with the test for harassment in the Equality Act 2010, but is not limited to harassment in respect of protected characteristics and therefore covers any kind of harassment even where it is not related to a protected characteristic. We think the use of "the kind of conduct" suggests that these are non-exhaustive examples of misconduct that are within scope and, as per the FCA's narrative in relation to the Policy Statement, bullying could fall within scope too, but this is unclear based on the text of the rule. In any event, we refer to this misconduct as "NFM" within this SMCR+ Flash View for ease. The FCA (in Flowchart 2 on page 14 of CP 25/18) suggest that such NFM may be a breach of Individual Conduct Rule 1 (integrity) and Individual Conduct Rule 2 (due care, skill, and diligence), but this is not express in the final rules, and explicit reference to this is in the proposed Handbook Guidance being consulted on (see more below).
In summary, it expressly states that COCON will apply to misconduct (described above) by Conduct Rules staff in relation to: other employees of, or those who perform a function for, the firm or group, service providers to the firm or group, and individuals when performing an activity that forms part of the firm's activities. This scope is the same as consulted on previously.
Where firms carry on business involving both non-SMCR financial activities and SMCR financial activities (which, at a very high level, generally means a firm's regulated activities, and activities carried on in connection with them or for the purpose of them (among a few other limited scenarios)), the rule only relates to the business of the firm involving SMCR financial activities. Put more simply, this means that unregulated parts of the business which are separate from the regulated part of the business are out of scope.
The proposals for the Handbook Guidance suggest that the FCA intends this to be relevant to firms which have a "mixed" business model (e.g., the firm sells products and has consumer credit permissions so that the products can be sold on credit, or the firm sells cars and has permission for insurance distribution so it can sell connected insurance policies). In these scenarios, NFM in relation to the unregulated part of the business (e.g., stealing inventory or committing a serious driving offence when moving the firm's cars) would not be within scope of COCON (albeit it could be within scope of FIT). This, together with the proposed example in relation to HR at COCON 1.3.15G, suggests that HR and other functions supporting a firm's "financial services business" will be within scope regardless of whether they are directly involved in regulated activities or not, and even if they support other business areas. It is only if these functions do not cover or support the "financial services business" that they could be de-scoped. While the additional guidance given by the FCA is still in draft, we think it's helpful for understanding the FCA's thinking in relation to this element of the rule and we generally do not think that the FCA is expecting firms to rely on this in relation to support functions, such as HR, Finance, Legal, Compliance, Tax etc., which support the financial services provided by firms.
What about territoriality of COCON? The territorial scope of COCON is not changing (both under the final rules, and the proposed Handbook Guidance).
When does it apply from? It applies from 1 September 2026 and will not have retrospective effect.
What do firms need to do? Firms should continue to review the robustness of their culture frameworks and disciplinary processes ahead of the anticipated finalisation of the rules. We are seeing increased regulatory scrutiny of how firms document decision-making and escalate non-financial misconduct concerns, so ensuring clear oversight lines and board visibility now will make implementation smoother in 2026.
The FCA has explicitly said that it does not expect firms to carry out retrospective analysis of any NFM-related Conduct Rule breach findings, but it has said that if a firm becomes aware that it has previously interpreted the current rules incorrectly and it has found Conduct Rule breaches in respect of NFM when the underlying conduct is not within scope of COCON, then it should seek to rectify this. While the FCA's statement regarding retrospective analysis is helpful, we expect that some firms who have made Conduct Rule breach findings in relation to NFM may see some challenge from previous employees.
2. Consultation Paper - NFM Handbook Guidance for Conduct Rules and F&P
The FCA is seeking views on whether additional guidance to COCON and FIT is needed, and if so, what form this guidance should take. The FCA has made it clear that it will only take the proposed Handbook Guidance forward if there is clear support from firms for it to do so. So, the key questions for firms are (1) whether firms want Handbook Guidance, and (2) if so, what this Handbook Guidance looks like. You've got until the 10 September 2025 to respond, and you can do so via the FCA's dedicated online survey, in email or in writing. We'll likely respond to the FCA's Consultation Paper, so if you would like us to feed in your thoughts, please let us know.
The draft Handbook Guidance has been meaningfully amended by the FCA, and includes a number of positive changes and simplifications which demonstrate that the FCA has clearly taken on board some of the comments made by us, industry, and other stakeholders. This second consultation may be indicative of the FCA's scars following the fallout of its "naming and shaming" proposals (see here).
We've highlighted some of the key changes below:
Private vs personal life: The FCA has clarified that COCON does not cover an individual's "private or personal" life (although private life may well be relevant to fitness and propriety ("F&P")), and included new guidance illustrating the boundary between work and private or personal life. There is also new guidance which states that SMFs and non-SMF non-executive directors ("Non-SMF NEDs") who are subject to Senior Manager Conduct Rule 4 would still be required to disclose information about their private or personal lives under this Conduct Rule if the matter is material to an assessment of their F&P.
There has always been a blurred line between an individual's private and professional life from a COCON (and employment law) perspective. The FCA sought to provide (non-definitive) guidance to firms in its initial consultation as to where this line is and what conduct is out of scope of COCON. The FCA has expanded on these previous examples (e.g., it now includes attendance of individuals at training, round tables, and awards ceremonies organised by third parties, such as regulators, or industry bodies where they represent their firm), and new examples of when NFM may be within scope of COCON (e.g., the party after the work party, and whether publication of material on a personal social media account could be in scope).
Individual Conduct Rule 1 (integrity): The FCA has removed the non-exhaustive list of examples of conduct which would result in an Individual Conduct Rule 1 breach initially included in its proposals, as well as the guidance around what is considered to be a "good working environment", following feedback that these were unhelpful and / or confusing. The FCA has now framed NFM under the heading of misconduct in relation to "fellow members of the workforce" (which is undefined) in relation to "behaviour which can be described as bullying or harassment". However, conduct will only breach Individual Conduct Rule 1 if it involves a lack of integrity, which means that bullying and harassment will generally not amount to an Individual Conduct Rule 1 breach if the person reasonably thought there was a good reason for the conduct or did not intend to have a negative impact on the subject of the misconduct. The language adopted is borrowed from employment law tests and we think is likely to lead to employees running specific defences to NFM-related disciplinary processes to minimise the risk of an Individual Conduct Rule 1 breach finding.
The FCA has proposed a new example of an Individual Conduct Rule 1 breach where a person subjects a fellow member of the workforce to detriment for complying with Individual Conduct Rule 3 (e.g., cooperating with the FCA or other regulators), or Senior Manager Conduct Rule 4, where applicable (e.g., blowing the whistle). The FCA has also confirmed that not all misconduct for which a firm might reasonably take disciplinary action under its own disciplinary policy will amount to a breach of COCON.
Individual Conduct Rule 2 (due care, skill, and diligence): NFM which does not fall within Individual Conduct Rule 1 may be a breach of Individual Conduct Rule 2 (although it's worth noting that under the new proposals, firms would also need to take into account whether the NFM is "serious" to be a breach of Individual Conduct Rule 2). In addition, there is specific detailed guidance as to when "managers" may be in breach of Individual Conduct Rule 2 for failing to take reasonable steps, for example, failing to protect staff against NFM by not intervening where appropriate, not operating the firm's policies and controls where appropriate, and not setting up or maintaining such policies and controls (where they have sufficient authority). In addition, managers may also be in breach of Individual Conduct Rule 2 if they fail to take reasonable steps to provide a "safe environment for people to raise concerns" about NFM. This is potentially very broad, and it's also worth noting that the term "manager" is not defined by the FCA.
F&P: The guidance in relation to F&P included in this Consultation Paper has changed quite significantly since the initial consultation. The headlines are similar in that conduct outside of work may be relevant to an individual's F&P, but the FCA has sought to clarify that conduct outside of work which involves dishonesty or a lack of integrity will always be relevant to F&P. Violence or sexual misconduct outside of work may also be relevant because there may be a risk of this misconduct being repeated in the workplace. The FCA has also confirmed that it does not expect firms to monitor an individual's private life, but that if there is a good reason to (e.g., the firm becomes aware of an allegation relevant to someone's F&P), then they should consider what steps they can reasonably take to assess the possible impact (whilst noting that firms will often rely on the examples given in the FCA Handbook, criminal convictions and other court, regulatory, etc., findings in deciding whether someone's conduct in their personal life amounts to a lack of F&P).
The FCA has also suggested an interesting new addition which would clarify that although breaches of laws or standards (e.g., minor driving offences / fines) will not generally be relevant to an individual's F&P, if there are repeated offences of this nature then this may raise doubts as to whether the individual will follow the requirements of the regulatory system.
There's also a whole new section on factors to consider when establishing whether social media activity is relevant to F&P, which confirms that lawfully expressed views on social media will not necessarily amount to an F&P issue, even if colleagues are upset by those views. Firms also do not need to monitor the personal social media activity of their staff. You will no doubt be aware that the question of free speech and social media has been the subject of multiple high profile Employment Tribunal cases and that taking action against members of staff in connection with social media posts gives rise to significant risk from an employment law perspective which should be front of mind in any situation where this arises.
3. Abandoned Proposals
The FCA is dropping its proposals for further Handbook Guidance in relation to regulatory references and the FCA's "Suitability" Threshold Condition. Instead, it has provided commentary in CP 25/18 on its existing expectations.
We will publish a further update once the final rules are confirmed, but now is the time for firms to benchmark their governance and conduct arrangements against likely expectations
_11zon_(1).jpg?crop=300,495&format=webply&auto=webp)
.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
