From 1 September 2026, serious bullying, harassment, and violence in FCA-regulated firms will constitute a breach of the Code of Conduct (COCON) — making non-financial misconduct a direct regulatory accountability event for senior managers. For UK boards, this is not an HR matter. It is a governance, fitness and propriety, and regulatory risk matter that requires board-level attention before the deadline.

What Exactly Changes on 1 September 2026?

The FCA’s updated COCON rules, confirmed in PS25/23, extend the Code of Conduct to cover non-financial misconduct (NFM) across a significantly wider population of regulated firms — including hedge funds, insurers, pension companies, and all other entities where the Senior Managers and Certification Regime (SMCR) applies. Previously, NFM rules applied primarily to banks and building societies. From September, they apply to the entire SMCR-regulated universe.

Under the new rules, conduct that violates an individual’s dignity, creates an intimidating, hostile, degrading, humiliating or offensive environment, or involves violence, can constitute a COCON breach — provided it is sufficiently serious and connected to the regulated role or workplace. That connection extends further than most executives assume: private social media posts directed at colleagues, and behaviour at firm or client events outside working hours, can qualify as work-related conduct under the FCA’s guidance.

According to FCA data, non-financial misconduct reports from regulated firms increased by over 70% between 2021 and 2024 — yet regulatory action remained limited because the rulebook had not kept pace. PS25/23 closes that gap, and the FCA has been explicit that it will use its supervisory powers to examine how firms implement these obligations from the September effective date.

Executive Action

  • Confirm whether your firm falls within the extended SMCR population now subject to the new COCON rules — if you operate under any FCA authorisation, you almost certainly do.
  • Brief your Board and ExCo on the September 1 effective date and the specific expansion of COCON to include NFM as a regulatory conduct breach.
  • Review your current workplace misconduct policy against the FCA’s new Handbook guidance to identify gaps before the deadline.

Why Does This Land on the Board’s Desk — Not Just HR’s?

The FCA’s framing of NFM as a conduct rule issue — rather than purely an employment law matter — means the accountability chains of SMCR apply directly. Where a senior manager is involved in or aware of serious misconduct and fails to act appropriately, this may constitute a breach of their own COCON obligations, specifically the requirement to act with integrity and to take reasonable steps to ensure the business for which they are responsible complies with relevant regulatory requirements.

Even where the misconduct does not technically trigger a COCON breach — because, for example, it occurs entirely outside any work-related context — the FCA has made clear it remains relevant to a firm’s fitness and propriety assessment of that individual under FIT. Senior managers who engage in serious personal misconduct, or who tolerate it in those they supervise, face scrutiny not just from HR but from regulators who can remove their approval to perform senior management functions.

For NEDs and board members specifically, the obligation is one of oversight. Boards that lack visibility into how NFM allegations are being handled — or that have not assured themselves that the firm’s reporting, investigation, and escalation processes are fit for purpose — are exposed. The FCA’s 2025–2030 strategy committed to lighter-touch supervision for firms “demonstrably seeking to do the right thing.” Culture and conduct governance is a primary signal the regulator uses to make that assessment. INFORMD has tracked the FCA’s culture agenda throughout 2026, and the consistent message is that board ownership of conduct risk is non-negotiable.

Executive Action

  • Ensure your board receives a specific briefing on NFM governance before September — not a general HR update, but a structured view of your reporting pipeline, open cases, and escalation thresholds.
  • Review whether your Statements of Responsibilities for relevant SMF holders are updated to reflect accountability for NFM processes and culture obligations.
  • Ask your Chief People Officer and General Counsel to confirm jointly, in writing, that your investigation and escalation processes for misconduct allegations meet the FCA’s PS25/23 guidance.

How Should Regulated Firms Prepare Their Processes Before the Deadline?

The practical compliance challenge is that most regulated firms already have HR-owned grievance and disciplinary processes — but those processes were not designed with COCON in mind. They may not capture the regulatory significance of an allegation, route it to compliance as well as HR, or apply the “serious misconduct” threshold the FCA uses to determine whether a COCON breach has occurred.

Research by law firm Freeths published in 2026 found that fewer than 40% of SMCR-regulated firms outside the banking sector had updated their misconduct policies and procedures to reflect the incoming NFM rules — leaving a substantial majority exposed as the September deadline approaches. The remediation required is not trivial: it involves updating policies, retraining managers and HR business partners, revising investigation protocols, and building regulatory reporting triggers into misconduct workflows.

Firms should pay particular attention to three operational areas. First, the classification of incoming allegations: not every grievance is a potential COCON breach, but the process for making that determination must be documented and consistent. Second, the regulatory reporting obligation: where a COCON breach is found or suspected involving a certified person or senior manager, the FCA expects timely notification. Third, the fitness and propriety review cycle: if an individual’s conduct becomes relevant under the new rules, their FIT assessment must be revisited without waiting for the annual review cycle.

Executive Action

  • Map your current misconduct reporting and investigation process against the FCA’s PS25/23 guidance — specifically the “serious misconduct” threshold and work-related conduct scope — and document any gaps by end of July 2026.
  • Establish a compliance sign-off requirement for any misconduct allegation that could potentially involve a COCON-regulated individual, so that regulatory significance is assessed alongside the employment law position.
  • Run a targeted awareness session for your people managers and HR teams on what constitutes work-related conduct under the new rules — the social media and out-of-hours scope surprises most firms.

What Are the Regulatory Consequences of Getting This Wrong?

The FCA has multiple levers available once the September rules are in force. At the individual level, a confirmed COCON breach can lead to a public censure, financial penalty, or — in serious cases — withdrawal of approval to perform a senior management function. At the firm level, systemic failures in culture and conduct governance are a supervisory red flag that can trigger a Section 166 skilled person review, place the firm in a higher-risk supervision category, or feature in FCA enforcement action framed around the firm’s overall fitness to be authorised.

The reputational dimension is equally material. The FCA publishes details of regulatory action, and misconduct-related enforcement against senior managers tends to generate significant media coverage in the financial and business press. For listed firms, investor relations and ESG ratings are increasingly sensitive to governance failures of this type. Boards that can demonstrate proactive, documented preparation for the September changes are materially better positioned — both with the regulator and with stakeholders — than those responding reactively after an allegation surfaces.

INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.

Frequently Asked Questions

Which firms are affected by the FCA’s new non-financial misconduct rules from September 2026?

The extended COCON obligations apply to all firms subject to the Senior Managers and Certification Regime — including banks, insurers, asset managers, hedge funds, pension providers, and most other FCA-authorised firms. The September 2026 expansion brings non-bank SMCR firms fully into scope for the first time, meaning the vast majority of regulated UK financial services businesses are now covered.

Does conduct outside of work count as non-financial misconduct under COCON?

It can. The FCA’s guidance under PS25/23 sets out that conduct is work-related — and therefore potentially within COCON scope — where it occurs at firm or client organised events outside working hours, or where private social media posts are directed at and offensive to colleagues. Even where conduct is genuinely outside any work connection and does not trigger a COCON breach, it may still be relevant to the firm’s assessment of fitness and propriety under FIT for senior or certified individuals.

What must senior managers do personally to comply with the new rules?

Senior managers must ensure that the parts of the business for which they hold responsibility have adequate processes to identify, escalate, investigate, and report serious misconduct. They must also ensure that their own conduct — including how they respond when they become aware of allegations against those they supervise — meets the COCON standards of integrity and compliance. Passivity in the face of known misconduct is itself a potential conduct breach under the regime.

How is non-financial misconduct different from financial misconduct under FCA rules?

Financial misconduct typically involves market abuse, dishonesty, or breaches of specific prudential or conduct-of-business rules in the course of regulated activities. Non-financial misconduct covers behaviour such as bullying, harassment, discrimination, and violence that is not directly connected to financial activities but is serious enough — and sufficiently work-related — to undermine the integrity of the individual or the firm’s culture. From September 2026, both categories sit within the same COCON framework and can result in the same range of regulatory consequences.
