FCA Non-Financial Misconduct: What Small Firms Must Do Before September 2026
From 1 September 2026, small FCA-regulated firms must be able to handle non-financial misconduct allegations under the expanded COCON conduct rules. If a staff member is accused of bullying, harassment, discrimination, or sexual misconduct, you need a documented process for investigating, assessing, and recording the outcome.
This guide explains exactly what your firm needs to do — step by step — to comply with PS25/23 before the deadline. For key dates and a preparation timeline, see our PS25/23 deadline guide.
What is non-financial misconduct under PS25/23?
Non-financial misconduct (NFM) is behaviour that is not of a clearly financial nature but that affects individuals, the firm, or confidence in the market. The FCA defines NFM as including:
- Bullying — repeated intimidating, degrading, or offensive behaviour
- Harassment — unwanted conduct related to a protected characteristic (age, sex, race, disability, religion, sexual orientation, gender reassignment, marriage/civil partnership, pregnancy/maternity)
- Sexual misconduct — sexual harassment, coercion, indecent exposure, or assault
- Violence — physical intimidation, threats, or assault
- Discrimination — treating someone less favourably because of a protected characteristic
The misconduct must have a sufficient connection to the workplace. This includes conduct at the office, at work events, in work communications (including WhatsApp groups), during business travel, and between colleagues regardless of location.
What PS25/23 actually requires
PS25/23 does not create an entirely new regulatory obligation. It clarifies how existing COCON conduct rules apply to non-financial misconduct. The key changes:
1. A new handbook rule (COCON 1.1.7FR) — From 1 September 2026, this rule makes explicit that the individual conduct rules apply to serious non-financial misconduct at non-bank firms. Previously, this was implied but not codified.
2. Guidance on how NFM can breach conduct rules — The FCA has explained which conduct rules are most likely to be engaged:
| Conduct rule | How NFM can breach it |
|---|---|
| Rule 1 — Act with integrity | Bullying, harassment, or discrimination demonstrates a lack of integrity |
| Rule 2 — Act with due skill, care, and diligence | A manager who ignores or mishandles an NFM allegation may breach Rule 2 |
| SC1 — Ensure effective control of the business | A senior manager who fails to establish NFM processes breaches SC1 |
| SC2 — Ensure compliance with regulatory requirements | A senior manager who fails to ensure the firm can handle NFM allegations breaches SC2 |
3. F&P assessment guidance — Under FIT 2.2, serious NFM is now explicitly a relevant consideration when assessing whether someone is fit and proper to hold a regulated role.
4. Existing reporting requirements apply — NFM-related conduct rule breaches must be reported using the same mechanisms as any other conduct rule breach: in the annual REP008 for non-SMF staff, and within 7 business days for SMF breaches.
What PS25/23 does NOT require
The FCA has been specific about what firms do not need to do. This matters because some compliance consultancies are overstating the requirements:
- No retrospective review of past conduct or past F&P assessments
- No social media monitoring or surveillance of employees' private lives
- No investigation of trivial disagreements — the threshold is serious misconduct, not workplace friction
- No conflict with employment law — firms should not take actions that breach data protection or employment rights
- No mandatory software purchase — you can comply using paper records and the FCA's published flow diagrams in PS25/23 Appendix 1
Step-by-step: what your firm needs before September 2026
Step 1: Establish an NFM policy
Write a short policy (2–3 pages is sufficient for a small firm) covering:
- What behaviour constitutes non-financial misconduct
- How staff should report NFM concerns (including anonymously)
- Who is responsible for handling allegations (typically the compliance officer or principal)
- How investigations will be conducted
- How outcomes are recorded and reported to the FCA
This does not need to be a separate document. Many small firms will add an NFM section to their existing compliance procedures manual.
Step 2: Build an investigation process
This is the critical gap for most small firms. When an allegation arrives, you need a clear process:
- Receive and log the allegation — Record who reported it, what is alleged, who is involved, and when it allegedly occurred. Accept anonymous reports.
- Assess severity — Is this serious enough to engage the conduct rules? Trivial disagreements are excluded. Bullying, harassment, discrimination, sexual misconduct, and violence are in scope.
- Investigate — Gather evidence: interview the complainant, the accused, and witnesses. Collect relevant documents and communications. Maintain a timeline.
- Assess against COCON rules — Map the findings to specific conduct rules. Which rules were breached? Was the breach deliberate? Was there harm?
- Determine F&P impact — Does this finding affect the individual's fitness and propriety? Use the FIT 2.2 criteria.
- Record the outcome — Document the investigation findings, COCON assessment, F&P determination, and any disciplinary or remedial action.
- Report — If a conduct rule breach is confirmed, report it in the annual REP008 (non-SMF staff) or within 7 business days (SMF breaches).
Use our free NFM Investigation Checklist to walk through this process step by step.
Step 3: Update your F&P assessment process
Your annual certification process for certification function holders should now include:
- A question about whether any NFM allegations have been made against the individual
- A step to check whether any NFM findings affect their F&P status
- Documentation of the assessment and outcome
For initial applications (new hires into certification roles), include NFM in your due diligence checks.
Step 4: Train your staff
Staff need to understand three things:
- Non-financial misconduct can now have regulatory consequences — not just HR consequences
- How to report NFM concerns at your firm
- What happens when an allegation is received (so they cooperate with investigations)
Training does not need to be elaborate. A 30-minute briefing covering the policy, the reporting process, and practical examples is sufficient for most small firms.
Step 5: Brief your senior managers
Senior managers holding SMFs face personal accountability under SC1 (effective control) and SC2 (regulatory compliance). They need to understand:
- They are personally responsible for ensuring the firm can handle NFM allegations
- They must oversee the investigation process, not delegate it without oversight
- Failure to act on a credible allegation is itself a potential conduct rule breach
Step 6: Test your process
Before September 2026, run a tabletop exercise. Create a realistic (but hypothetical) NFM scenario and walk through your investigation process end to end:
- Can you log the allegation properly?
- Can you conduct a structured investigation?
- Can you map findings to specific COCON rules?
- Can you assess F&P impact?
- Can you produce an audit-ready record?
If any step fails, you know where to strengthen your process. Our free COCON Conduct Rules Self-Assessment can help you test individual scenarios.
Common questions
Does this apply to my firm? If your firm has Part 4A permission from the FCA and is not a bank, building society, or credit union, then yes — PS25/23 applies from 1 September 2026. This covers IFAs, mortgage brokers, insurance brokers, wealth managers, and other small regulated firms.
What if we only have 3 staff? Firm size does not affect the obligation. A 3-person IFA needs the same process as a 50-person wealth manager. The process can be simpler and shorter for a smaller firm, but it must exist and be documented.
What if we already have an HR process for handling complaints? Your HR process is a starting point, but it is not sufficient on its own. The regulatory assessment — mapping to COCON rules, assessing F&P impact, and reporting to the FCA — sits on top of whatever HR process you use.
Can we outsource investigations? You can use an external investigator or compliance consultant. However, the senior manager with oversight responsibility must still review and approve the investigation outcome. You cannot outsource accountability.
Sources
- PS25/23 — Tackling non-financial misconduct in financial services
- PS25/23 full policy statement (PDF)
- FCA guidance — Non-financial misconduct in financial services
- COCON 2.1 — Individual conduct rules (FCA Handbook)
- FIT 2.2 — Fitness and propriety assessment (FCA Handbook)
This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 24 March 2026.