In December 2025, the Financial Conduct Authority released one of the most consequential policy statements on workplace conduct in years. Policy Statement PS25/23 finalises the FCA’s guidance on non-financial misconduct, closing a consultation that drew intense interest from across financial services.
At 83 pages, this is not light reading. Yet behind the detail sits a clear shift in regulatory thinking. Non-financial misconduct cannot be treated as a peripheral cultural issue or a matter for HR alone. It is now firmly positioned as a regulatory risk that goes to trust, integrity, and the credibility of the UK financial system.
For compliance teams, the real question is how firms operationalise the FCA’s clarified expectations without drifting into over-reach, privacy intrusion, or inconsistent decision-making. The policy comes into effect 1 September 2026.
From culture to conduct: why the FCA has acted now
The FCA is explicit about its motivation. Unchecked misconduct damages individuals, corrodes culture, and ultimately undermines confidence in markets. The regulator sees non-financial misconduct as a leading indicator of wider governance failure, not a distraction from financial risk.
The final guidance is designed to give firms confidence to act decisively where standards are breached, while also pulling back from areas where firms feared regulatory over-reach. That balance matters.
During consultation, respondents raised real concerns about moral policing, speculative investigations into private lives, and disproportionate compliance burdens. The FCA listened and adjusted. The result is guidance that narrows some risks while sharpening others.
The single most important clarification: “material risk”
The most consequential change in the final guidance is the FCA’s clarification of when conduct outside work becomes relevant to fitness and propriety.
Private conduct only matters where it creates a material risk that an individual will breach regulatory standards. The FCA is clear that material risk means not remote or speculative. This is a critical threshold.
In practice, this does several things at once:
- It limits when firms must investigate private life conduct
- It reduces the risk of reacting to rumours, gossip, or trivial allegations
- It shifts the focus back to regulatory outcomes rather than moral judgement
A weekend behaviour that never manifests at work is unlikely to raise regulatory concerns. The FCA even spells this out. Someone who behaves irresponsibly in their private life, yet remains professional, compliant, and trustworthy at work, does not automatically fail the fitness and propriety test.
This clarification should materially change how firms train managers and investigators. The question is noT longer “Is this behaviour objectionable?” The question is “Does this create a real risk to regulatory standards?”
Firms are not private investigators
Another concern addressed head-on is the fear that firms would be expected to investigate every allegation about an employee’s private life.
The FCA now states explicitly that firms are not expected to investigate:
- Trivial allegations
- Implausible claims
- Matters better handled by law enforcement or other authorities
- Conduct that would not be relevant to fitness and propriety even if proven
This matters for training. Managers need confidence to decide when not to escalate. Compliance teams need frameworks that support proportionate judgement rather than reflexive investigation.
At the same time, the FCA reinforces that when conduct does raise a material regulatory risk, firms cannot simply look away.
Repetition is not automatically material risk
Earlier drafts of the guidance worried many firms by implying that private misconduct might simply be assumed to repeat at work. That assumption has now been explicitly rejected.
Private conduct only becomes relevant where:
- The behaviour would breach regulatory standards if repeated at work
- There is a material risk that such repetition will occur
This two-step test matters. It protects against lazy equivalence between private and professional behaviour. It also reinforces that firms must assess context, patterns, and evidence rather than acting on instinct or optics.
Ethics, integrity, and the limits of moral judgement
One of the most controversial elements of the consultation was the reference to “ethical obligations”. Respondents warned that firms could be pushed into subjective assessments of personal morality.
The FCA’s final position walks a careful line. Firms are not required to decide whether someone is an ethical person. Instead, repeated misconduct can indicate a failure to act with integrity, which remains a core regulatory concept.
This shifts training away from abstract ethics and towards observable behaviour. Decisions must be grounded in objective evidence, patterns, and impact. Beliefs, opinions, and lawful personal views remain protected unless they create a material regulatory risk. That distinction will be critical for investigators, HR teams, and senior managers alike.
Social media: lawful expression still protected
Social media remains one of the most sensitive areas for firms. The FCA’s final guidance offers reassurance, with caveats.
Firms are not required to monitor employees’ social media accounts. Lawful expression of controversial views does not, by itself, undermine fitness and propriety.
However, social media activity can become relevant where it indicates a material risk of regulatory breach. Examples include threats of violence, clear criminal involvement, or behaviour suggesting a real risk of bullying or harassment at work.
This is an area where training must be especially careful. Managers need to understand both regulatory thresholds and employment law protections, including human rights and discrimination law.
The Higgs decision: how to measure proportionality
The FCA’s clarified approach also lands against an important backdrop in employment law. In Higgs v Farmor’s School, the Court of Appeal held that dismissing an employee for expressing a protected belief outside work will be unlawful unless the employer can show a legitimate aim and a proportionate response. Reputational concern alone was not enough. There had to be clear evidence that the manner of expression caused, or was likely to cause, real harm. This maps closely onto the FCA’s insistence on material risk rather than speculative concern.
For firms navigating non-financial misconduct, the combined effect is significant. A lawful expression of belief, including on social media, will rarely justify dismissal or regulatory escalation unless it crosses into harassment, exploitation of power, or creates a demonstrable risk to regulatory standards. Training therefore needs to focus less on suppressing controversial views and more on helping managers assess impact, repetition, evidence, and proportionality before acting. Knee-jerk responses now carry legal and regulatory risk in equal measure.
Minor breaches, repeated patterns, and common sense
The FCA has removed its earlier example of repeated minor driving offences, acknowledging that it caused confusion and risked disproportionate monitoring.
The underlying principle remains. Repeated minor breaches of the law can be relevant where they demonstrate disregard for compliance. Yet firms are expected to apply common sense, context, and proportionality.
This reinforces a broader theme running through the guidance: judgement cannot be automated. It must be trained.
Reporting and self-disclosure: uncomfortable clarity
One area where the FCA did not soften its stance is reporting. While an explicit reference to reporting unproven allegations has been removed from the guidance, the underlying obligation remains. Where information may be material to a senior manager’s fitness and propriety, firms are still expected to notify the FCA promptly.
Senior managers also face a clearer self-reporting obligation. Matters relating to their own conduct, including outside work, may need to be disclosed where material to fitness and propriety. This significantly raises the stakes for training at senior levels. Silence or delay is no longer a safe default.
Banks, non-banks, and a levelled playing field
The final guidance confirms that the clarified approach to non-financial misconduct applies across banks and non-banks. While the mechanism is technically complex, the practical message is simple: expectations are aligned. Harassment, bullying, and violence are regulatory issues wherever they occur within the scope of regulated activity.
What this means for training and compliance programmes
With the guidance taking effect on 1 September 2026, firms have time. They also have work to do.
At a minimum, firms should be reviewing:
- Fitness and propriety assessment frameworks
- Investigation thresholds and decision trees
- Manager training on material risk and proportionality
- Senior manager self-reporting obligations
- Social media and conduct policies
- Alignment between HR processes and regulatory expectations
Most importantly, training needs to move beyond awareness. Staff must understand how judgement is applied, when issues escalate, and when restraint is appropriate.
