FCA non-financial misconduct (NFM): what changes on 1 September 2026 and what financial services firms must do now

From 1 September 2026, the UK Financial Conduct Authority (FCA) is expanding how it treats non-financial misconduct (NFM). The FCA’s final policy statement confirms when NFM will breach the FCA’s Conduct Rules (COCON) and affect the Fit and Proper test (FIT) for individuals in FCA-authorised firms.

The key message for financial services firms is that serious workplace misconduct, including bullying, harassment and violence, is firmly within scope of FCA regulation. This has direct implications for conduct rule breaches, fitness and propriety assessments and regulatory references.

Key takeaways

• From 1 September 2026, serious non-financial misconduct can trigger a COCON Conduct Rules breach for a wider range of non-bank firms and individuals
• Misconduct does not need to relate to a protected characteristic (unlike Equality Act harassment), so the potential scope is wider than discrimination law
• Firms should update policies, reporting and training, and prepare for impacts on fitness and propriety decisions and regulatory references

What is non-financial misconduct (NFM)?

NFM is any misconduct that is not financial in nature. The FCA’s guidance covers bullying, harassment and violence but isn’t limited to those behaviours. The issue is whether the conduct undermines the FCA’s Conduct Rules or the fit and proper test.

Who is affected (firms and individuals under COCON and FIT)?

The changes apply to all FCA-authorised firms and individuals subject to the Code of Conduct (COCON) and the Fit and Proper test (FIT). In practice, this brings non-bank Senior Managers and Certification Regime firms, including investment firms, asset and fund managers, and insurers into much closer alignment with banks, where comparable NFM standards already apply.

New COCON rule: when serious workplace misconduct becomes a Conduct Rules breach

The FCA has added to the new COCON rule extending the circumstances in which serious NFM will constitute a conduct rules breach for non-banks. The rule captures unwanted conduct towards a member of the workforce that:

• Violates dignity
• Creates an intimidating, hostile, degrading, humiliating or offensive environment
• Is violent in nature.

Importantly, unlike harassment under the Equality Act 2010, the conduct does not need to be related to a protected characteristic (i.e. race, age, etc.) so the scope of conduct that may constitute NFM is potentially wider than discrimination law.

Only serious NFM can be a breach of COCON. In deciding whether misconduct relating to a colleague is serious enough to amount to a breach of COCON, the FCA will consider factors including: 

• Repetition of the conduct or pattern of behaviour
• Duration of the conduct (although a one off can be a breach if the matter is sufficiently serious)
• Impact on the subject of the conduct (the rule applies to effects that are serious and marked and not to those which are, though real, of lesser consequence)
• Seniority of the person accused of NFM
• Any power imbalance between the person accused and the subject of the conduct and whether the accused person has control or influence over the other’s career
• Prrior warnings or disciplinary history for similar conduct by the firm, a previous employer, the police or a regulator
• Whether the person accused has previously undertaken not to do the act or engage in the behaviour raised; and
• Criminality or conduct justifying dismissal.

The impact of the conduct in question is both subjective (the perception of the individual impacted) and objective (how a reasonable person would view it).

Which Conduct Rules are engaged? 

Serious NFM may amount to:

• Conduct Rule 1 – lack of integrity - where the person accused has acted intentionally, recklessly or deliberately avoided the issues; and /or
• Conduct Rule 2 – failure to act with due skill, care and diligence

There will not be a lack of integrity if the manager reasonably believed the conduct was appropriate and its effect was proportionate to the intended legitimate aim.

Conduct Rule 2 can also be breached where:

• A manager has not intervened to stop the behaviour (if they know of it)
• The firm’s policies have not been followed to detect and prevent bullying and harassment, or the allegation has not been taken seriously or investigated, or
• Reasonable steps have not been taken to provide a safe place of work. 

A significant new point is that witnesses to the NFM can also be impacted in a way that breaches the Conduct Rules, even if the NFM was not directed at them.

Private life and social media: what is (and isn’t) covered by the FCA Conduct Rules?

There had been a lot of speculation that firms might be required to consider the private life of individuals. The FCA has been clear that is not the case, and has confirmed:

• The Conduct Rules apply to work-related behaviour
• Someone’s purely private and personal life is outside the scope of COCON, and firms are not expected to monitor private lives or social media;
• However, conduct may still be work-related where, for example:
  • Private social-media posts are aimed at and offensive to colleagues;
  • Behaviour occurs at firm or client organised events outside of working hours. 

There is also a general warning that, while private or personal life is usually outside the scope of COCON, actions can still be reviewed where there is a material risk the individual will breach regulatory standards and requirements (e.g. dishonesty). For instance, fare evasion or theft could undermine the public’s confidence in the regulatory system, so those actions could be relevant to the individual’s work.

Not all poor behaviour in an individual’s private life will meet the seriousness threshold to merit internal disciplinary or regulatory action. We also have clarity that managers will only breach conduct rule 2 if their behaviour is unreasonable.

The FCA has confirmed that the rules are not a substitute for criminal law or employment law. It can make its own decisions, separate from employment outcomes – this will leave individuals in the uncomfortable situation where the settlement of a dispute with their employer may not resolve the issue – the FCA can still determine there is a regulatory breach.

Fit and Proper (FIT): how NFM affects fitness and propriety assessments

The FIT guidance confirms that firms are not expected to monitor employees’ private lives or social media and they should not investigate trivial or implausible allegations. It is helpful that conduct outside work is relevant only where there is a material risk of a regulatory breach or where it is sufficiently serious to undermine public confidence in the financial system or the financial services industry.

Serious breaches must be reported to the FCA and may result in enforcement action being taken against firms and / or FIT implications for individuals.

Regulatory references: the impact of expanded NFM expectations

The expansion of the NFM will be significant for firms giving references and the individuals whose careers depend on them. However, we will not see private lives being policed in the same way as behaviour at work, which offers some reassurance to all.  

For those leaving employment now, the expanded rules do not apply so there should be no change to the reference that a firm will provide. In the future, firms will need to exercise good judgement and act proportionally to the behaviour concerned, so not all issues will impact a regulatory reference. It will be increasingly important for an individual (or their advisers) to dispute any concerns in future, so that they contextualise any reference and minimise the impact on their career.

When will the changes take effect?

 The rule comes into force on 1 September 2026. This means that firms have time to implement changes to their policies and train their staff in advance. The rules do not apply retrospectively.