In December 2025, the UK Financial Conduct Authority (‘FCA’), the country’s independent regulator of financial services businesses, published a Policy Statement (PS25/23) on non-financial misconduct (NFM). The guidance will come into force on 1 September 2026, which leaves affected firms with just under seven months to familiarise themselves with the new guidance and the FCA’s new Code of Conduct (COCON) requirements and definitions.
In this article, Ana Pereu, an Associate Director at S-RM focusing on internal investigations, shares her thoughts on how the statement marks an explicit regulatory recognition that culture is no longer just an HR concern, leaving firms to make difficult judgments at the boundary between the private, professional and regulatory spheres.
What the guidance really asks of firms
The Policy Statement confirms that COCON will be amended so that addressing serious work-related bullying, harassment and violence between colleagues clearly falls within scope for all Senior Managers and Certification Regime (SMCR) firms, not just banks. For non-banks, the FCA emphasises that this conduct is in scope where it relates to “the performance of the individual’s role”, including shared service environments where only one of the individuals needs to be in the financial services part of the business for COCON to apply.
However, the apparently narrow extension has wide operational consequences. Firms are told explicitly that the “primary responsibility for preventing NFM, and dealing with it when it occurs, rests with firms themselves,” and that the FCA will not provide an exhaustive catalogue of examples. Instead, firms must build replicable decision-making frameworks, supported by credible evidence gathering, to demonstrate that their judgments on whether conduct is “serious” are reasonable in context, for example by weighing factors such as pattern, duration, impact and any criminal element. This inevitably pushes regulated entities toward more systematic culture assessments and investigative capabilities, whether developed in house or by partnering with counsel or specialist investigative firms that can bring independent, defensible methodologies to these judgments.
When private life becomes regulatory risk
The FCA is careful to restate that private or personal life is “entirely out of scope” for conduct rules under section 64A of the Financial Services and Markets Act 2000 (FSMA), and COCON 1.3 starts from that premise. Yet the same section introduces a table of examples where conduct outside the office – at client events, training, social functions, award ceremonies or on social media – may be “closely enough connected to work” to fall within COCON if linked to the performance of qualifying functions. The message is clear: that an incident “happened off site and out of hours” no longer provides any real shield if the context is work related.
The Fit and Proper (FIT) guidance goes further, recognising that conduct in private life may be relevant even where COCON does not apply at all. The FCA explains that violence or sexual misconduct in private life will be relevant where there is a “material risk” that similar behaviour could occur at work, and that exceptionally serious conduct may matter purely because of the risk to public confidence in the UK’s financial system and financial services industry. At the same time, PS25/23 accepts that firms are “not expected to investigate trivial or implausible allegations” and must not breach privacy or other applicable laws when they do investigate. This balancing act – between a regulatory expectation to consider private behaviour, and legal limits on intrusiveness – is precisely where objective, proportionate investigative frameworks become critical, calibrating “material risk” and necessity on a case-by-case basis.
Equality Act overlap – alignment without duplication
The guidance sits deliberately alongside, rather than on top of, the Equality Act 2010 and the Worker Protection (Amendment of Equality Act 2010) Act 2023. The FCA stresses its duty as a public sector body to have due regard to eliminating discrimination and harassment and to advancing equality of opportunity, and it explicitly frames NFM guidance as a way of supporting those objectives. Crucially, however, the new COCON rule does not extend regulatory scope to all conduct prohibited by the Equality Act; the Policy Statement states that while the rule captures bullying and harassment (including sexual harassment), it “does not expand the scope of COCON… to cover other forms of conduct prohibited by the Equality Act, such as discrimination and victimisation.”
This creates a layered compliance picture. An act of discrimination may trigger employer liability under the Equality Act, but only be a COCON issue if it falls within scope and reveals a failure to act with integrity, or breaches other conduct rules. At the same time, the FCA deliberately aligns its “seriousness” threshold for harassment with the Equality Act test, using the familiar language of conduct that has the purpose or effect of ‘violating dignity,’ ‘degrading’ and ‘humiliating’ or creating an “intimidating, hostile, degrading, humiliating or offensive environment”. For firms, this overlap means that equality, HR and regulatory considerations can no longer be viewed through separate lenses: investigations have to be designed so that the same underlying evidence can support employment decisions, Equality Act risk management and COCON/FIT assessments. This is an area where multi-disciplinary investigative teams – combining regulatory, employment and equality expertise – are particularly well placed to help firms avoid inconsistent outcomes.
Dealing with harassment as the core, and what is not in scope
One striking feature of the Policy Statement is its narrow focus: in the COCON context, the FCA explicitly defines NFM as bullying, harassment and violence between colleagues, with sexual harassment clearly included. The regulator expressly declines to treat all Equality Act breaches as automatically within scope, and has withdrawn earlier proposals to anchor on protected characteristics or “specific characteristics or vulnerabilities” because respondents found these formulations vague and operationally difficult. This cautious approach respects the limits of regulatory remit and avoids turning firms into quasi-tribunals on discrimination law, but it inevitably leaves gaps where corrosive behaviour does not meet the legal threshold for harassment or is not clearly linked to a protected characteristic.
The Policy Statement also underlines that not all poor behaviour is a conduct rule breach, and that minor misconduct dealt with informally will not be reportable. That boundary is both a strength and a limitation. It protects against regulatory overreach and disproportionate reporting, but it may also encourage firms to view culture purely through the lens of binary “breach/no breach” analysis. A more sophisticated approach would view harassment cases as the visible tip of a cultural iceberg: patterns of incivility, microaggressions and exclusion that never quite meet the COCON threshold but cumulatively signal cultural fragility. Proactive culture assessment work – through staff surveys, behavioural analytics, benchmarking, thematic reviews and deep-dive interviews – can help firms understand those emerging risks before they crystallise into reportable misconduct.
From guidance to practice – why investigations matter more
The Policy Statement explicitly recognises that no guidance can be exhaustive and that firms “will always need to exercise judgement”, even as it provides decision trees, examples and clearer statements on issues such as manager accountability and seriousness. The FCA has also clarified that accountability of managers is “relative to their knowledge and authority” and that it would not expect managers to be held responsible for failing to stop NFM they could not reasonably know about or influence. This places a premium on the quality of internal information flows, speak-up mechanisms and the credibility of investigation processes: without robust fact-finding, it is difficult to demonstrate who knew what, when, and what steps were reasonable in response.
The FIT guidance mirrors this by acknowledging the costs, legal risk and difficulty of investigating unproven allegations about private life, and by stating that firms are not expected to pursue trivial, implausible or clearly irrelevant claims. At the same time, firms must still decide when an allegation does pose a “material risk” to fitness and propriety, and if it concerns senior managers they must honour their reporting obligations within seven business days. In practice, this drives demand for investigations that are procedurally fair, proportionate and well documented, and for independent investigators who can deal with sensitive allegations – particularly those involving senior individuals or cross-border elements – while respecting data protection, employment and equality law constraints.
For regulated entities, the real message of the Policy Statement is that culture and conduct investigations have become part of the regulatory control framework, not an optional HR add-on. Firms that combine rigorous, independent culture diagnostics with credible, specialist investigations into harassment and related NFM are likely to be better placed to demonstrate reasonable judgments to the FCA, reassure boards and stakeholders, and maintain the trust on which their regulatory permissions ultimately depend.