
Tackling Non-Financial Misconduct: PS25/23 Considerations

Summary

Introduction 

The principles are not new, but the FCA has now delivered a more consistent approach to non-financial misconduct with PS 25-23, Tackling Non-Financial Misconduct in Financial Services (the “Policy”).

While the industry has operated under SMCR for years, most firms have relied on reactive processes rather than building governance and controls that proactively surface behavioural risk. That has principally been down to a lack of guidance and therefore a lack of consistency of approach. With the new COCON rule and accompanying guidance, the FCA has finally clarified what “appropriateness” means in practice, including an array of flow diagrams and examples. The guidance especially will give SM&CR firms a workable definition of serious misconduct and the ability to create clearer frameworks to act decisively.

The progress around non-financial misconduct (“NFM”) sits squarely within the FCA’s broader priorities: strengthening psychological safety, improving speak-up cultures, and ensuring workplace conduct supports sound decision-making. Notably, the alignment of expectations between banks and non-banks removes historic inconsistency and gives individuals moving across the sector a single, coherent conduct standard. Despite further guidance, this is an area which will still require high levels of judgement in application.

For firms in scope of the policy, we’d encourage you to think about implementation as more than a compliance exercise. Strong conduct cultures correlate with higher retention, more resilient teams and measurably better commercial outcomes. Elira Solutions’ approach treats regulatory change like this as a strategic advantage: an opportunity to reduce behavioural risk, sharpen operational discipline, and build environments where early challenge prevents costly failures later.

 

Scope

The Policy Statement will be relevant to all firms with a Part 4A permission under the Financial Services and Markets Act 2000 (“FSMA”) and employees and individuals subject to COCON and FIT. The Policy amends COCON and publishes guidance for COCON and FIT through:

  • Amendment to the Code of Conduct (“COCON”) sourcebook to explain how non-financial misconduct can be a breach of the conduct rules and make it easier for SM&CR firms to interpret and consistently apply the rules.
  • Guidance explaining how NFM forms part of the Fit and Proper test for Employees and Senior Personnel (“FIT”) sourcebook.

 

Challenges from July’s Consultation Paper (CP 25-18) that had to be addressed

  1. Employment Law:
    Further alignment has been established in COCON with employment law. The FCA has explicitly aligned COCON tests with Equality Act s.26(4), requiring both subjective perception and reasonableness, which prevents over-enforcement risk and sets a defensible assessment framework.
  2. ‘Seriousness’ as a concept:
    PS 25/23 tightens the definition and provides examples to assist triaging and clarifies what might need reporting.
  3. Manager accountability:
    Scope is narrower than initially indicated, which prevents firms from having to create overly punitive managerial liability frameworks.
  4. Private life relevance:
    Potentially broader than the initial consultation; firms must maintain more structured FIT triage tests incorporating “material risk of breach” and “public confidence impact”.
 

Actions at a glance

  • Policy and procedure updates
  • Staff and manager training
  • System changes and compliance monitoring
  • HR technology and analytics
  • Investigations, consultancy and tribunal defence
  • Record-keeping, reporting and ongoing compliance

 

PS 25-23 Implications on COCON

Scope of misconduct

The updated COCON rules bring non-bank firms into the same framework as banks by making serious work-related NFM (bullying, harassment and violence) explicitly in scope wherever either the perpetrator or the affected colleague works in the financial-services part of the business. Crucially, the FCA has removed the previous limitation that conduct must form part of financial-services activities (regulated or unregulated): if the behaviour occurs in connection with the individual’s role, it can breach Conduct Rules 1 or 2.

The change materially widens firms’ responsibilities. Misconduct between colleagues that affects dignity, creates a hostile environment, or undermines integrity and professionalism now falls firmly within regulatory expectations, regardless of whether it happens during a “regulated activity” in the narrow sense.

Action: The new COCON rule and accompanying FCA guidance take effect on 1 September 2026. Under section 64B FSMA, firms must update and notify conduct-rules staff, and ensure training clearly explains how the revised scope applies in practice.

 

Managers

The FCA confirms that managers remain individually accountable where they fail to take reasonable steps to prevent or address material non-financial misconduct. However, the final guidance narrows the scope: accountability applies only where a manager knew or could reasonably have been expected to know about the behaviour, and where it sat within their actual remit and authority. The FCA deliberately avoids defining “manager,” leaving firms to determine this based on their own governance structures.

Action: Firms should explicitly define managerial accountability in their internal frameworks, ensure managers understand where their regulatory responsibilities begin and end, and strengthen escalation channels that allow concerns to surface early. This may require updates to whistleblowing procedures, reporting lines and training for all people-leaders.

Definition

The FCA clarifies that references to “bullying” and “harassment” are shorthand for any unwanted behaviour that has the purpose or effect of violating a colleague’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment. This definition underpins the seriousness threshold for NFM under COCON and frames how firms should assess the impact of behaviour, not just intent.

Action: Align HR, conduct and investigation policies to this definition and ensure employment contracts, including for contractors within SMCR scope, reflect the behavioural standards expected under the updated rules.

The FCA has aligned the test for seriousness with the Equality Act definition of harassment, but removed the earlier list of specific characteristics and vulnerabilities after respondents argued it was too prescriptive. Instead, firms are expected to apply context and judgement in assessing whether behaviour meets the threshold, focusing on impact, reasonableness and circumstances rather than fixed categories.

Action: Build a structured contextual assessment into all investigation processes, ensuring investigators consider relevant factors case by case rather than applying blanket assumptions tied to particular characteristics.

Private or Personal Life

The FCA has expressly stated that “private or personal life is entirely out of scope of our power to make and enforce conduct rules for individuals. Our guidance does not seek to change this position.” However, behaviour that occurs outside the office may still fall within COCON if it is sufficiently connected to work, for example, at client events, training sessions, award ceremonies or any setting where the individual is acting on behalf of the firm, whether in a regulated or unregulated capacity. Work-related misconduct towards clients also remains in scope under the existing rules.

Separately, the updated guidance confirms that Senior Managers may be required to disclose private-life matters under SC4 if those matters are material to assessing their fitness and propriety. This does not expand the conduct rules into personal life but reinforces SMF disclosure obligations where integrity or judgement may be in question.

Action: Review and update policies, procedures and training to reflect the clarified scope, including when outside-work behaviour becomes work-related and when private-life issues may trigger SC4 disclosure.

Territorial Scope

A few respondents asked for further clarification on territorial scope. The new rule at COCON 1.1.7FR does not change the geographical scope of COCON.

Action: Global firms should ensure their policies clearly articulate the existing COCON nexus and apply it consistently across locations, particularly where overseas offices interact with UK-regulated entities or UK SMCR staff.

Reporting obligations

The reporting obligations for conduct rule breaches have not changed per se. Under section 64C FSMA, an authorised firm must notify the FCA if it takes disciplinary action against a member of conduct rules staff for a breach of the FCA’s rules. ‘Disciplinary action’ means: the issuing of a formal written warning, suspension or dismissal of the person, or reduction or recovery of any of the person’s remuneration. Given the changes to COCON, however, the frequency of reports may change, or the determination or assessment of reporting under REP008 might change.

Action: Align compliance, HR and training processes so that REP008 reporting thresholds match the FCA’s definition of disciplinary action and the updated seriousness guidance, ensuring consistent triage and escalation across the firm.

Retrospective Application

The FCA confirms there is no retrospective application of the new NFM rule. Any misconduct that occurred before 1 September 2026 must be assessed under the version of COCON that applied at the time, even if the behaviour is discovered or investigated after the new rules take effect.

Action: Ensure investigation teams and governance forums apply the correct rulebook when determining outcomes. Outcomes reports and decision rationales should explicitly state which rule version was applied and why, to maintain auditability and regulatory defensibility.

PS 25-23 Implications on the FIT test

Scope

FIT operates to a broader territorial and behavioural scope than COCON. While the new NFM rule limits COCON to work-related misconduct within its existing geographical reach, FIT assessments must consider conduct inside and outside the workplace, inside and outside the UK, and any behaviour relevant to honesty, integrity, reputation or judgement. The standard applied is therefore higher and wider than the conduct-rules threshold.

Action: Clearly distinguish FIT considerations from COCON breaches within HR, conduct and employment processes. Ensure assessment frameworks, investigation templates and decision-making protocols reflect the broader scope of FIT so that individuals subject to both regimes are evaluated consistently and defensibly.

Private Life Conduct

The most complex judgement calls can arise when considering private-life conduct under FIT. The FIT guidance sets out a structured set of principles: private behaviour is relevant only where it creates a material, not remote or speculative, risk that an individual may breach regulatory standards. Conduct that would clearly be unacceptable if repeated at work (e.g., violence or sexual misconduct) may be relevant if there is a credible risk of recurrence. Separately, some conduct may be so serious that it risks damaging public confidence in the financial system, making it relevant even without a likelihood of repetition. Criminal convictions, particularly those resulting in custodial sentences, also require careful assessment alongside factors such as age of the offence and evidence of rehabilitation.

Importantly, firms must not assume that private-life conduct will automatically translate into workplace behaviour; judgement and proportionality remain essential.

Action: Update FIT questionnaires and assessment tools to reflect these principles, including clear prompts on material risk, public confidence impact and contextual factors. Consider adding a short cover sheet to guide assessors. Reinforce that firms should not monitor private life proactively; FIT considerations apply only when relevant information arises through an investigation or credible disclosure.

Social media

The FCA confirms that firms are not required to proactively monitor social media for COCON or FIT purposes. However, if relevant information comes to light through a report, complaint or public visibility, then, as with any private-life conduct, firms must assess whether it creates a material risk of breaching regulatory standards.

Action: Build clear thresholds into conduct and FIT procedures to guide when social-media activity, once identified, triggers a regulatory investigation. Ensure teams understand the distinction between no proactive monitoring and the obligation to act where credible information becomes available.

 

Practical Integration

A phased integration could look like:

Quick wins (0–3 months)

  • Rewrite conduct & HR policies to reflect PS25/23 final language.
  • Incorporate FCA examples + flow diagrams into training packs.
  • Create COCON vs FIT triage tools with aligned tests.

Pre-implementation (3–6 months)

  • Redraft investigation procedures with:
    • seriousness dual-limb test
    • proportionality & contextual assessment
    • manager knowledge/authority boundaries
  • Update whistleblowing & escalation frameworks.

Final stretch (6–8 months)

  • Conduct rules staff training.
  • Stress-test REP008 alignment with new breach thresholds.
  • Review onboarding + regulatory reference templates.

Operational considerations for ongoing conduct risk management (ongoing)

  • Introduce behavioural-risk MI.
  • Run thematic review of psychological safety and proactive reporting/speak-up culture.
  • Develop board dashboard for NFM risks and trend analysis.

For proactive firms that already started the workstream, remember:

  • Review any workstreams that have already begun from the CP to ensure alignment with the PS, e.g. where overly burdensome requirements were removed (“Good working environment” definition, non-exhaustive list of serious misconduct, over-prescriptive factors for seriousness).

 

How ELIRA Can Support

🛡️ BAU: Embed the new NFM rules into daily conduct, HR and reporting processes so firms stay compliant without adding friction.

🔍 Framework Review: Test existing policies, escalation routes and accountability frameworks against the final rules and close the gaps fast.

📈 Future Planning & Tech: Build a forward-looking conduct roadmap and integrate tools that strengthen behavioural monitoring, speak-up visibility and cultural resilience.


Anastasia Lewis

CEO & Founder of Elira Solutions | Regulatory strategist | AI integration in compliance