Skip to content
ConductLog

FCA Whistleblowing vs Non-Financial Misconduct: Key Differences

Whistleblowing and non-financial misconduct (NFM) are often confused at small FCA-regulated firms. They can overlap — a whistleblowing report can be about NFM, and an NFM investigation can produce a whistleblowing concern — but they sit in different parts of the FCA Handbook, follow different processes, and protect different people.

This guide explains the difference, where each regime lives in the rules, and what your firm must have in place under each. It is written for IFAs, mortgage brokers, insurance brokers, and wealth managers with 1–50 staff.

The short answer

Whistleblowing is a person raising a concern about wrongdoing at the firm. The whistleblower is the person reporting, and they have legal protection from retaliation. The regime is in SYSC 18 and the Public Interest Disclosure Act 1998 (PIDA).

Non-financial misconduct is the wrongdoing itself — bullying, harassment, sexual misconduct, discrimination, violence — when it has sufficient connection to work. The regime sits in COCON conduct rules and the new PS25/23 framework from 1 September 2026.

Question Whistleblowing Non-financial misconduct
Who is the focus? The person making the disclosure (the whistleblower) The person whose behaviour is being assessed (the alleged respondent)
Source of the rules SYSC 18 + PIDA 1998 COCON + PS25/23
Trigger Someone reports a concern An incident, allegation, or complaint about behaviour
Output Investigation of the concern raised Investigation of the alleged conduct
Protection The whistleblower is protected from detriment None for the respondent — they're being assessed
FCA reporting Annual whistleblowing report (firms with 200+ staff) + ad hoc Conduct rule breaches via REP008 / 7-day notification
Effective date Existing 1 September 2026 (PS25/23)

A single incident can engage both. Example: an employee reports that a colleague has been harassing them. The report itself is a whistleblowing disclosure (the employee is raising a concern about wrongdoing). The harassment is NFM. The two processes run in parallel — one protects the reporter, the other investigates the conduct.

What counts as whistleblowing?

Under SYSC 18.3, a whistleblowing disclosure is a "reportable concern" — broadly, information the worker reasonably believes shows one or more of:

  • A criminal offence
  • A failure to comply with a legal obligation
  • A miscarriage of justice
  • Health and safety being endangered
  • Damage to the environment
  • Deliberate concealment of any of the above

For FCA-regulated firms, the FCA expands this to include:

  • A breach of any FCA rule, including conduct rules
  • A breach of any PRA rule (for dual-regulated firms)
  • Behaviour that has, or is likely to have, an adverse effect on the firm's reputation or financial well-being

That last point is wide. An employee reporting that a colleague is bullying junior staff can be a whistleblowing disclosure if they reasonably believe the behaviour breaches a conduct rule, harms colleagues' welfare, or damages the firm's reputation.

What counts as non-financial misconduct?

Under PS25/23 and the new COCON 1.1.7FR rule effective 1 September 2026, NFM is behaviour by an individual at the firm that is not of a clearly financial nature but affects individuals, the firm, or confidence in the market. The FCA's published examples include:

  • Bullying
  • Harassment (including on grounds of a protected characteristic)
  • Sexual misconduct
  • Violence
  • Discrimination
  • Conduct affecting workplace safety or psychological well-being

The conduct must have sufficient connection to the workplace: at the office, at work events, in work communications (including WhatsApp groups), during business travel, and between colleagues regardless of physical location.

Where whistleblowing focuses on the act of reporting wrongdoing, NFM focuses on the behaviour itself. They cover the same incident from different angles.

Who is a whistleblower at an FCA firm?

Under SYSC 18 and PIDA, a "worker" includes:

  • Employees (current and former)
  • Contractors
  • Agency staff
  • Consultants
  • Workers performing services for the firm under a contract

This is broader than employees alone. An external compliance consultant who reports concerns is a whistleblower. A self-employed adviser working under your firm's regulatory permissions is a whistleblower.

The person being complained about is not protected — they are the respondent in the conduct process and have a separate set of rights and procedures (typically a workplace investigation under your disciplinary process).

What protections does a whistleblower get?

PIDA gives whistleblowers protection from being subjected to a "detriment" because they made a protected disclosure. Detriment includes:

  • Dismissal
  • Disciplinary action
  • Demotion or removal of duties
  • Withholding pay or training
  • Bullying, ostracism, or any other adverse treatment

If a worker is dismissed because they made a protected disclosure, the dismissal is automatically unfair regardless of length of service. The compensation cap that normally applies to unfair dismissal does not apply to whistleblowing dismissals.

Anonymity is not a legal right but a practical one. Firms must allow concerns to be raised confidentially via a designated whistleblowing channel, and the identity of the reporter must not be disclosed beyond those who genuinely need to know to investigate.

SYSC 18 requirements for small firms

Most small firms (under 200 staff) are not required to submit annual whistleblowing reports to the FCA. But all FCA-regulated firms must have:

1. A whistleblowing policy that explains:

  • What can be reported
  • How to report (named channels, confidential or anonymous)
  • What happens after a report is made
  • The protections available to the reporter

2. A whistleblowing champion — a non-executive director or senior manager who is responsible for the firm's whistleblowing arrangements. SYSC 18.4 sets out the role. For very small firms with no NEDs, this role typically sits with the principal SMF.

3. Effective channels — multiple ways for workers to raise concerns, at least one of which bypasses the immediate management chain (so a worker can report a senior manager).

4. Records of disclosures received, action taken, and outcomes. The FCA can ask to see these on supervision.

5. Training so staff and managers know what whistleblowing is, how to report, and how to handle disclosures.

You can also signpost the FCA's own whistleblowing line at fca.org.uk/firms/whistleblowing — the FCA accepts reports directly.

How the two regimes interact in practice

Most NFM cases at small firms involve some element of whistleblowing because someone has to report the conduct. That means most NFM investigations have a parallel whistleblowing dimension. Run both processes in parallel, but separately:

Step Whistleblowing track NFM track
Concern received Log in whistleblowing register; identify the disclosure; protect the reporter Log as an NFM allegation; identify the respondent
Initial assessment Is it a protected disclosure? Is the reporter at risk of detriment? Is the allegation serious? Is investigation warranted?
Investigation Investigate the concerns raised Investigate the alleged conduct
Findings Were the concerns well-founded? Is action needed against the firm? Did the conduct happen? Was it a conduct rule breach?
Outcome Update the reporter; protect from detriment Update the F&P assessment; consider disciplinary action; report breach if applicable
Records Whistleblowing register Conduct rule breach register; F&P file

The two outcomes are independent. A whistleblowing concern can be well-founded even if the NFM allegation is not substantiated (e.g., the firm's process was broken, even if the specific conduct didn't meet the threshold). Similarly, an NFM finding can be made even if the original disclosure was found to be vexatious or partly unfounded.

Common mistakes at small firms

1. Treating a whistleblowing report as an HR complaint. A complaint about a colleague's behaviour might also be a protected disclosure. If the worker reasonably believes the conduct shows a breach of regulatory rules or a risk to the firm's reputation, they have whistleblower protection. Failing to recognise this strips the protection and creates legal exposure.

2. Conflating the reporter and the respondent in records. The whistleblower's identity must be protected. The respondent's identity can be more widely known (within the investigation team and decision-makers). Mixing them up in records risks a SYSC 18 breach.

3. Letting line managers handle disclosures alone. SYSC 18 requires effective channels — at least one bypassing the immediate management chain. If your only reporting channel is "tell your manager", you don't comply.

4. Forgetting that the conduct rules apply to handling disclosures. A senior manager who fails to investigate a properly-raised concern, or who creates detriment for the whistleblower, may breach SC1 (effective control of business) or SC2 (compliance with regulatory requirements).

5. Assuming "serious" is needed before whistleblowing protection applies. It isn't. The worker needs only to reasonably believe the conduct meets the criteria. A report made in good faith is protected even if investigation finds no wrongdoing.

What to have in place by 1 September 2026

PS25/23 doesn't add new whistleblowing requirements directly, but the NFM framework increases the volume of conduct cases — which means more disclosures will engage SYSC 18. Before 1 September 2026:

  1. Update your whistleblowing policy to reference NFM explicitly as an example of reportable conduct
  2. Make sure the whistleblowing channel is independent of the NFM investigation channel — a worker shouldn't have to report through someone implicated in the conduct
  3. Train managers on the difference between the two regimes and how they run in parallel
  4. Use the NFM Investigation Checklist for the conduct track and your existing whistleblowing process for the disclosure track
  5. Make sure your conduct rule breach reporting (REP008 + 7-day SMF notification) feeds findings back into F&P assessments

A small firm doesn't need a separate whistleblowing platform. A clear policy, named channels, the SYSC 18 champion, and disciplined record-keeping are what the FCA expects to see.

Sources

This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 14 April 2026.

Ready to manage conduct rule compliance properly?

ConductLog gives small FCA firms a structured investigation workflow with built-in COCON rule mapping. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy.

Related guides

FCA Non-Financial Misconduct: What Small Firms Must Do Before September 2026

Step-by-step guide for small FCA-regulated firms preparing for PS25/23 non-financial misconduct requirements. Covers investigation processes, COCON assessment, and F&P impact.

How to Handle a Harassment Allegation in an FCA-Regulated Firm

Step-by-step process for handling a harassment allegation at a small FCA firm — from receiving the report to FCA conduct rule reporting. Covers Equality Act, ACAS code, and PS25/23 from September 2026.

Senior Managers and Certification Regime: A Plain-English Guide

What the Senior Managers and Certification Regime actually requires of small FCA firms — the three tiers, what each one involves, and how PS25/23 changes the picture from September 2026.