Non-financial misconduct regulations: What your FCA-regulated firm must do before 1 September 2026

From 1 September 2026, the Financial Conduct Authority (FCA) will fundamentally shift expectations around workplace culture in financial services. For the first time, 37,000 non-banking regulated firms — from asset managers to insurers and pension funds — will face a clear, enforceable requirement to treat serious non-financial misconduct (NFM) such as bullying, sexual harassment, and violence as regulatory breaches under the FCA’s Code of Conduct (COCON).

 

The changes align the rules for non-banks with those long in place for banks, sending a strong message that misconduct outside the financial ledger is just as relevant to regulatory standards as fraud or market abuse. This reflects a hardening stance that toxic cultures breed poor decision-making, undermine whistleblowing, and ultimately damage consumer trust and market integrity.

 

 

Why the FCA is acting on non-financial misconduct

The FCA’s own language is clear and uncompromising: “Too often when we see problems in the market, there are cultural failings in firms,” said Sarah Pritchard, the FCA’s deputy chief executive. Unchallenged harassment or bullying signals a toxic culture, weakens whistleblowing, erodes trust, and risks even wider regulatory breaches.

 

After gathering extensive feedback from its 2023–24 consultations (summarised in CP25/18), the FCA concluded that a consistent standard across all regulated firms was necessary to reinforce its mission of deepening trust in financial services. Firms that allow poor workplace behaviour to fester often make poor business judgments, creating further consumer harm.

 

The FCA’s revised COCON rules will:

 

  • Expand the conduct rules to explicitly define serious bullying, harassment, and violence as regulatory misconduct in non-banking firms.

  • Require serious, substantiated cases of NFM to be documented and shared in regulatory references, ending the cycle of “rolling bad apples” moving between firms without consequences.

  • Clarify that behavioural issues, potentially including misconduct outside of work, must be assessed when judging if someone is “fit and proper” to work in financial services.

 

What exactly is the FCA changing?

From 1 September 2026:

 

  • Bullying, harassment, and violence will explicitly qualify as breaches of the conduct rules under COCON, not just for banks but across all relevant regulated firms.

  • Serious, substantiated cases of NFM must be included in regulatory references, helping to stop so-called “rolling bad apples” moving undetected between employers.

  • Firms will be expected to consider behavioural issues, including social media activity and misconduct outside the workplace, when assessing whether individuals remain fit and proper to work in financial services.

  • Additional FCA guidance is under consultation to help firms interpret and consistently apply these new obligations, particularly around the subjective versus objective assessment of “serious” misconduct.

 

In effect, firms will be required to embed controls, training, reporting processes, and management expectations around NFM to the same degree they monitor financial crime or market abuse.

 

That means serious bullying, harassment, and violence must be treated with the same level of systems, governance and senior management oversight as anti-money laundering or insider trading.

 

Policies and controls will need to be proactive, not reactive. They must be designed to detect patterns of poor behaviour early, escalate concerns transparently, and apply consistent sanctions. Training will need to go beyond superficial harassment awareness and instead focus on helping staff and managers recognise subtle misconduct, challenge inappropriate behaviour, and build a speak-up culture.

 

Reporting processes will have to be robust and well-documented, ensuring incidents are logged, investigated thoroughly, and disclosed in regulatory references where required. Crucially, management expectations must shift: senior leaders will be personally accountable under the Senior Managers & Certification Regime (SM&CR) for ensuring that NFM controls are not paper exercises but are actively monitored, tested and improved.

 

In other words, culture and behaviour must now sit side by side with financial controls as a core part of firms’ compliance frameworks. The FCA has made clear that failings in culture can be just as damaging, and just as unacceptable, as failures in financial crime prevention.

 

What does “serious” misconduct mean?

Firms raised understandable concerns about subjectivity: what is “serious” bullying versus low-level rudeness? The FCA has responded by consulting on new guidance, which will be finalised later this year. That guidance is expected to:

 

  • Align definitions of harassment more closely to the Equality Act, but still cover broader forms of workplace misconduct not limited to protected characteristics.

  • Provide examples of when misconduct is sufficiently grave to breach COCON.

  • Clarify how perceptions of the victim and the reasonableness of their perceptions will be weighed (drawing on Equality Act section 26(4)).

  • Reiterate that minor workplace misbehaviour does not automatically meet the threshold of “serious” under the FCA rules.

 

Firms will still need to use judgment, supported by robust, consistent internal procedures.

 

 

The broader compliance landscape

These changes align with broader policy shifts in UK employment law, notably the Worker Protection Act 2023, applicable from October 2024, which placed a positive legal duty on employers to take reasonable steps to prevent sexual harassment. The forthcoming Employment Rights Act will go even further, requiring all employers to take “all reasonable steps” to prevent harassment more broadly.

 

The FCA rules do not replace employment tribunal routes or criminal law, but they do complement them. The regulator’s view is simple: if an employer fails to act on serious harassment, it demonstrates a failing culture and weak controls, putting the firm in breach of FCA requirements.

 

Taken together, the direction of travel is clear: regulators and legislators want businesses to prevent, not just punish, harassment and bullying. The FCA’s approach complements this — requiring not only proactive culture-building but also robust reporting, transparency, and accountability when things go wrong.

 

 

Why it matters for businesses

The cultural challenge is as great as the compliance one. Firms must accept that culture is a regulatory priority, and that means addressing non-financial misconduct on the same footing as money laundering or bribery. The FCA’s rationale is that toxic workplace behaviours corrode trust, deter whistleblowing, and allow deeper compliance failures to flourish.

 

For senior managers, the personal accountability risk is real. Under the Senior Managers & Certification Regime (SM&CR), they must demonstrate they took “reasonable steps” to prevent misconduct. That standard is about to be judged more rigorously than ever.

Moreover, reputational risk cannot be ignored. Defending an employment tribunal claim based on discrimination can cost upwards of £45,000. The FCA’s new rules may add regulatory censure, publication of breaches, and long-lasting reputational scars.

 

 

What businesses should do now

Firms have until 1 September 2026, but culture change does not happen overnight. Compliance experts recommend the following immediate steps:

 

Review and update conduct policies: Existing codes of conduct, HR procedures, whistleblowing frameworks and staff training should be revised to explicitly include non-financial misconduct, with a clear link to regulatory expectations.

 

Senior manager accountability: Make sure leaders understand they will be judged on their personal role in tackling harassment and bullying. Document the steps they are taking, as this is vital for future FCA or tribunal scrutiny.

 

Regulatory references: Strengthen record-keeping and ensure you have fair, consistent procedures for documenting NFM, so that you can meet the requirement to share this information when staff change employers.

 

Training and awareness: Roll out tailored training to managers and employees so they can confidently identify serious NFM and understand its regulatory implications.

 

Cultural integration: Build expectations about positive behaviour and anti-harassment values into performance reviews, leadership appraisals, and decision-making processes. The FCA has highlighted that psychological safety and diversity of thought are competitive advantages, not nice-to-haves.

 

 

What happens next?

The FCA is still consulting on additional guidance to support these rules, with final details due later in 2025. This will help firms navigate grey areas, for example, how to assess social media behaviour or misconduct that takes place outside work.

 

Nonetheless, the direction is crystal clear: serious bullying, harassment and violence will be treated as regulatory misconduct, no matter where in the sector it occurs.

 

Firms cannot afford to treat this as a “tick box” exercise. As the FCA and UK Parliament raise the bar with consistent demands for all reasonable steps to protect workers, businesses must move decisively to reshape their workplace culture, train their managers, and embed proactive controls.
