How to Handle a Harassment Allegation in an FCA-Regulated Firm

A harassment allegation at a regulated firm is two problems at once: an employment-law problem and a regulatory problem. The employment side is governed by the Equality Act 2010 and the ACAS Code of Practice. The regulatory side, from 1 September 2026, is governed by the PS25/23 framework — harassment is one of the named categories of non-financial misconduct that engages COCON conduct rules and F&P assessments.

This guide walks through the process step by step, from receiving the allegation to closing the regulatory record. It is written for compliance officers and principals at small FCA-regulated firms (IFAs, mortgage brokers, insurance brokers, wealth managers) with 1–50 staff.

What is harassment under UK law?

Under Section 26 of the Equality Act 2010, harassment is unwanted conduct related to a "protected characteristic" that has the purpose or effect of:

  • Violating the person's dignity, OR
  • Creating an intimidating, hostile, degrading, humiliating, or offensive environment

Protected characteristics are: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation.

A separate offence — sexual harassment — covers unwanted conduct of a sexual nature with the same effects test. Since 26 October 2024, employers have a positive duty under Section 40A of the Equality Act to take reasonable steps to prevent sexual harassment at work — not just respond to it after the fact.

For FCA purposes, harassment with sufficient connection to work is now explicitly identified as a category of non-financial misconduct under PS25/23. From 1 September 2026, a finding of serious harassment may engage individual conduct rules and feed into fitness and propriety assessments.

The two parallel tracks

A harassment allegation at a regulated firm runs on two tracks simultaneously:

| Track | Source | Aims at | Outcome |
|---|---|---|---|
| Employment / HR | Equality Act 2010, ACAS Code | Investigating the conduct, protecting the complainant, managing the respondent | Disciplinary action, no action, or settlement |
| Regulatory | COCON, FIT, PS25/23 (from Sept 2026) | Assessing conduct rule breach, F&P impact, FCA reporting | Conduct rule breach record, F&P determination, REP008 / SUP 15 reporting |

The two tracks run side by side. The same evidence often feeds both, but the conclusions are independent. A finding of harassment on the employment side does not automatically mean a conduct rule breach on the regulatory side, and vice versa — though in practice serious harassment usually engages both.

Step 1: Receive the allegation

Allegations come in many forms — a formal grievance, an informal report to a manager, a whistleblowing disclosure, an HR complaint, a third-party report. Whatever the channel, the first 48 hours matter.

On receipt:

  • Acknowledge promptly. Tell the complainant the report has been received and what will happen next. Include indicative timescales.
  • Identify the regimes engaged. Is this also a whistleblowing disclosure under SYSC 18? See our whistleblowing vs misconduct guide for the parallel-process logic.
  • Consider immediate safety. If the complainant is at ongoing risk, what interim steps are needed? Reasonable interim measures include reassigning duties, changing reporting lines, working from home, or in serious cases suspending the respondent on pay pending investigation.
  • Decide who handles it. The investigator must be free of conflict — not the line manager of either party, not the respondent's friend, not someone implicated in the conduct. At a very small firm, this may mean an external investigator (typically an HR consultant or employment lawyer) for serious allegations.
  • Open a case file. Date, parties, allegations, witnesses, immediate actions taken. Keep this file separate from the personnel files of either party.

What you must not do:

  • Tell the respondent the identity of the complainant before the complainant has been told the disclosure is being shared
  • Discuss the allegation with anyone who does not need to know
  • Treat the complaint as resolved if the complainant withdraws — withdrawals can themselves be a sign of fear of retaliation

Step 2: Plan the investigation

A documented plan protects everyone — it makes the process defensible if challenged later and ensures the right scope.

Define the scope:

  • What specific allegations are being investigated? Quote the words used.
  • What time period is covered?
  • Who are the relevant witnesses?
  • What documents are likely to be relevant (emails, WhatsApp messages, calendar entries, performance records)?

Decide on confidentiality:

  • Investigation interviews are confidential to the investigation team and the parties' representatives
  • Witnesses should be told what they can and cannot discuss outside the interview
  • The respondent has the right to know the substance of the allegations against them — though in some cases identifying details (e.g. the complainant's name) may be withheld initially

Set timescales. A typical small-firm investigation takes 4–8 weeks. Longer is usually a sign the process has stalled. Communicate timescales to the parties and update them if they slip.

Document the plan in writing. The investigation plan is part of the audit trail.

Step 3: Conduct the investigation

The ACAS guidance on disciplinary and grievance procedures sets out best practice. Apply it.

Interview the complainant. Open questions, neutral tone. Allow them to bring a companion (statutory right for a formal disciplinary or grievance hearing; best practice for investigation interviews too). Take detailed notes — typed up the same day, signed off by the complainant.

Interview witnesses. Same approach. Ask only about what the witness directly saw or heard. Avoid leading questions.

Review documents. Emails, messages, calendar entries, performance records, prior complaints. Maintain a document log.

Interview the respondent. Tell them in advance: what the allegations are, what witnesses have been interviewed, what documents have been gathered. Give them a reasonable opportunity to respond. Allow a companion. Take notes.

Assess credibility. Where accounts conflict, what does the contemporaneous documentation show? Are there independent witnesses? Is one account internally consistent and the other not?

Apply the test. For Equality Act harassment, the test is: did the conduct happen, and on the balance of probabilities did it have the purpose or effect required by Section 26? For sexual harassment, the same test on Section 40 (or Section 26 if sex-based). The threshold is balance of probabilities — not "beyond reasonable doubt."

Reach a documented finding. "Substantiated", "partly substantiated", "not substantiated", "no finding (insufficient evidence)". Each finding should be supported by the evidence cited.

Step 4: Conduct rule assessment (regulatory track)

If the conduct is substantiated, assess whether it engages the conduct rules. Use a structured assessment:

| Question | Answer |
|---|---|
| Does the substantiated conduct meet the seriousness threshold for COCON? (Trivial workplace friction is excluded.) | Yes / No |
| Which individual conduct rule(s) does it engage? (Rule 1 integrity; Rule 2 skill, care, diligence; others as relevant) | List |
| For senior managers: does it engage SC1 / SC2 / SC3 / SC4? | List |
| Was the breach deliberate, reckless, or negligent? | Determine |
| Is it a single incident or part of a pattern? | Determine |
| Does it have sufficient connection to work? (Office, work events, work communications, business travel, between colleagues — yes by default for harassment in scope.) | Yes / No |

For a substantiated serious harassment finding, the answer to "engages the conduct rules" will almost always be yes — typically Rule 1 (integrity) and often Rule 2 (skill, care, diligence) for managers. Use our COCON Conduct Rules Self-Assessment to walk through the mapping.

Step 5: F&P impact assessment

If a conduct rule breach is identified, assess whether it affects the respondent's fitness and propriety to hold their regulated role. The framework is FIT 2.2 — the relevant factors include any breach of conduct rules (which by definition has now been recorded above).

For each respondent who is an SMF holder or certified person:

  1. Document the conduct rule breach
  2. Apply the FIT 2.2 considerations (honesty, integrity, reputation)
  3. Reach a conclusion: F&P unaffected, F&P affected with conditions, F&P withdrawn
  4. Get senior manager sign-off on the conclusion
  5. Update the F&P record

Our F&P assessment guide walks through the FIT 2 considerations in detail. For the practical decision-tree, use the F&P Decision Tree tool.

For conduct rules staff who are not SMF or certified, F&P does not apply directly — but the conduct rule breach is recorded and reportable.

Step 6: Outcomes and disciplinary action

The investigation finding does not dictate the disciplinary outcome — that is a separate decision. Possible outcomes:

| Outcome | When appropriate |
|---|---|
| No further action | Allegation not substantiated, or substantiated but at very low severity with no recurrence risk |
| Informal action | Documented warning, training, mediation |
| Formal disciplinary action | Formal warning, final warning, demotion, dismissal — follow ACAS Code procedures |
| F&P withdrawal | For SMF / certified staff where F&P is no longer met |
| Settlement / agreed exit | Where the respondent leaves under agreed terms |

The disciplinary process must follow the ACAS Code. Failure to do so can lead an Employment Tribunal to adjust any compensation award upwards if the case reaches that stage — the precise uplift is at the tribunal's discretion, with a statutory cap.

If dismissal results from a serious harassment finding, ensure all the procedural steps are documented: investigation, hearing, written reasons, right to appeal, appeal hearing, appeal outcome.

Step 7: FCA reporting

For FCA-regulated firms, the regulatory reporting obligations are:

Conduct rule breaches by SMF holders — notify the FCA within 7 business days under SUP 15.3. The notification covers the breach itself, the firm's response, and any F&P consequences.

Conduct rule breaches by certified or conduct rules staff — report annually via REP008. The return covers all conduct rule breaches in the firm's reporting year, regardless of severity.

SMF departures — file Form C within 7 business days of the SMF holder ceasing the function. If the cessation relates to conduct, the form must explain.

Certified staff departures — update the FCA Directory.

Material concerns — if the harassment is so serious that it raises wider concerns about the firm's culture or controls, additional SUP 15.3 notification may be appropriate. The principal should consider this with input from compliance.

Step 8: Close the case and feed forward

A closed case still has work to do.

Records: keep the investigation file, conduct assessment, and F&P assessment for at least six years after the respondent's departure. The FCA can ask for these on supervision.

Lessons learned: what process gaps did the case reveal? Should the policy be updated? Was the investigation timely? Were any procedural rights compromised? Document the lessons and any remedial actions.

Pattern monitoring: is this an isolated incident or part of a pattern (multiple complaints against the same respondent, multiple complaints from the same team, recurring complaint themes)? Senior managers need this picture to discharge their SC1 / SC2 obligations.

Anti-retaliation watch: the complainant must not suffer detriment for raising the complaint. Monitor their experience for at least 12 months — performance reviews, allocation of work, social inclusion, promotion decisions. Subtle retaliation is still retaliation.

Update training: if the investigation revealed staff did not understand the boundary between robust feedback and harassment, or the difference between a personality clash and bullying, update conduct rules training accordingly.

Common mistakes at small firms

1. Letting the line manager investigate. Conflicts of interest are almost guaranteed. Use someone else internally, or an external investigator for serious cases.

2. Sloppy contemporaneous notes. Tribunal cases turn on the contemporaneous record. Hand-written notes scribbled on a Post-it are not contemporaneous notes — they need to be typed up the same day, dated, and signed off.

3. Telling the respondent before the complainant has been protected. The complainant's safety and confidentiality come first. The respondent gets due process — but not before the complainant has been told what's happening and any interim measures are in place.

4. Confusing the employment outcome with the regulatory outcome. A no-fault settlement on the employment side does not erase the regulatory record. If a conduct rule breach has been identified, it must be reported regardless of the employment terms.

5. Forgetting Section 40A. Since October 2024, employers have a duty to take reasonable steps to prevent sexual harassment. A reactive process is no longer enough — risk assessments, training, clear policies, and visible accountability are all part of the duty. The FCA expects firms to demonstrate this where harassment matters arise.

Practical pre-deadline checklist

Before 1 September 2026:

  1. Update your harassment / NFM policy to reflect PS25/23 and the duty to prevent sexual harassment under Section 40A
  2. Train all staff on what harassment is, how to report, and what protection they have
  3. Train managers on how to receive a complaint, the dual-track structure, and what they must (and must not) do
  4. Set up an independent reporting channel (a named non-line-manager contact, or external whistleblowing service)
  5. Document your investigation process — who investigates, with what timescales, with what evidence-gathering steps
  6. Practise with a tabletop exercise — walk through a hypothetical case end to end
  7. Build the regulatory steps into your existing process: COCON mapping, F&P impact, REP008 / SUP 15
  8. Signpost staff to ACAS discrimination, bullying and harassment guidance and the early conciliation service as part of your policy

Use the NFM Investigation Checklist to walk through the steps for an active case.

This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 28 April 2026.
