PS25/23 Compliance Checklist: Your 4-Month Countdown to 1 September 2026
If you run a small FCA-regulated firm, PS25/23 takes effect on 1 September 2026 and there is no transitional period. With around four months to go, the work needed to be ready is bounded but real — and the firms that leave it to August will discover that policy drafting, training, and supervisor sign-off do not compress well.
This is a structured checklist for what to have in place by deadline day. It is organised as a four-month countdown — what to ship in May, June, July, and August — for the typical small firm: 1–50 staff, FCA-regulated, no in-house regulatory lawyer. Tick the items off, use it as the basis for a board-level update, and pair it with the PS25/23 Readiness Pack for the underlying templates.
For the policy-statement context — what PS25/23 actually is and why September matters — read our FCA PS25/23 deadline guide first. For the conduct-rules detail underneath the checklist, see our COCON conduct rules guide.
What is in an FCA compliance plan for PS25/23?
An FCA compliance plan for PS25/23 covers five working areas at a small firm. Every checklist item below sits in one of these:
- Policy — written documentation of how the firm handles serious non-financial misconduct (NFM): allegation handling, investigation, escalation, decision-making, sanctions, recording, reporting
- Training — how staff (conduct rules staff and certified staff) are taught what conduct rules now cover and what to do if they see something
- Investigation capability — having a workable, documented investigation process that can run when an allegation lands
- F&P integration — making sure NFM evidence feeds the annual fitness-and-propriety assessment for certified staff and SMFs
- Reporting — REP008 conduct rule breach reporting, SUP 15.3 notifications, and the FCA Directory updates that follow
You don't need a 100-page policy. You do need clear answers to "how does this work at our firm" in each of the five areas, evidenced in writing.
How often must firms review FCA compliance?
For most small firms, the practical cadence is:
- Annually — full review of policies, training records, F&P assessments, and breach reporting (typically tied to year-end or the firm's accounting reference date)
- On trigger — when rules change materially (PS25/23 is itself a trigger), when an enforcement action lands in a peer firm, when an allegation surfaces internally
- Monthly — for the conduct-rule breach register and any open NFM investigations, reviewed by the SMF16 compliance oversight role
PS25/23 doesn't change the cadence requirement, but the September 2026 effective date means the next annual review post-1 September has to include the new scope.
The 4-month countdown
The dates below assume the firm has not started PS25/23 work yet. If you are further along, skip ahead — but use the per-area checklist to verify nothing has been missed.
May 2026: Foundation (4 months to go)
| # | Action | Owner | Done? |
|---|---|---|---|
| 1 | Read PS25/23 in full | Compliance officer (SMF16) | ☐ |
| 2 | Read the FCA NFM guidance page in full | Compliance officer (SMF16) | ☐ |
| 3 | Confirm firm's SMCR category (Limited Scope / Core / Enhanced) | Compliance officer | ☐ |
| 4 | List every individual at the firm and classify them: SMF / certified / conduct rules staff / excluded | Compliance officer | ☐ |
| 5 | Identify the SMF holder who will own NFM oversight (typically SMF16) | Principal / Board | ☐ |
| 6 | Brief the principal and any board members on PS25/23 scope and timeline | Compliance officer | ☐ |
| 7 | Inventory existing HR investigation, grievance, and disciplinary policies | HR lead / Compliance | ☐ |
| 8 | Identify gaps where existing HR policies don't meet PS25/23 evidence requirements | Compliance | ☐ |
Pair items 4–8 with our COCON Conduct Rules Self-Assessment — it walks through the staff-mapping step systematically.
June 2026: Policy and process (3 months to go)
| # | Action | Owner | Done? |
|---|---|---|---|
| 9 | Draft NFM allegation-handling policy: how an allegation is received, recorded, triaged | Compliance | ☐ |
| 10 | Draft NFM investigation policy: scope, timelines, evidence handling, witness statements, confidentiality | Compliance + HR | ☐ |
| 11 | Define escalation thresholds: which allegations trigger external investigator, which trigger immediate suspension, which are SUP 15.3 reportable | Compliance | ☐ |
| 12 | Define sanctions framework: dismissal, retraining, formal warning, certification withdrawal | Compliance + HR + Principal | ☐ |
| 13 | Update the firm's whistleblowing policy to align with the SYSC 18 framework and reference the new NFM scope | Compliance | ☐ |
| 14 | Update the firm's certification handbook (or equivalent) to confirm F&P assessments will include NFM evidence | Compliance | ☐ |
| 15 | Update the conduct rule breach register template to capture NFM-specific fields (allegation date, category, outcome, F&P implication) | Compliance | ☐ |
| 16 | Brief the SMF16 (and the SMF holders generally) on the new policies | Compliance | ☐ |
Our whistleblowing vs NFM guide covers the SYSC 18 framework in detail.
July 2026: Training and dry-run (2 months to go)
| # | Action | Owner | Done? |
|---|---|---|---|
| 17 | Deliver PS25/23 trigger training to all conduct rules staff (covers new scope, examples, where to report) | Compliance / external trainer | ☐ |
| 18 | Capture attestation from each conduct rules staff member confirming they have completed the training | Compliance | ☐ |
| 19 | Deliver supervisor-specific training: how to receive an allegation, what to do in the first 24 hours, when to escalate | Compliance / HR | ☐ |
| 20 | Run a tabletop exercise: a hypothetical NFM allegation, walked through end-to-end against the new policy | Compliance + named supervisors | ☐ |
| 21 | Identify any external investigator(s) the firm would engage for serious allegations; record their contact details and rates | Compliance | ☐ |
| 22 | Identify external legal support for employment-law angles; record contact details | Compliance | ☐ |
| 23 | Update intranet / staff handbook with the new procedures and the reporting channels | Compliance + HR | ☐ |
| 24 | Test the whistleblowing channel: confirm the SYSC 18 channel is reachable, monitored, and treats reports confidentially | Compliance | ☐ |
For the investigation workflow specifically, our NFM investigation checklist is the step-by-step companion.
August 2026: Pre-deadline verification (1 month to go)
| # | Action | Owner | Done? |
|---|---|---|---|
| 25 | Complete the PS25/23 Readiness Scorecard — confirm score in each area | Compliance | ☐ |
| 26 | Verify every certified individual has had F&P assessment in the past 12 months with NFM evidence consideration documented | Compliance | ☐ |
| 27 | Verify the breach register is live and the SMF16 reviews it at least monthly | Compliance | ☐ |
| 28 | Confirm the REP008 process is set up so the firm can compile the return from the register for the 1 Sep–31 Aug period and file via RegData by 31 October where there is anything to report | Compliance | ☐ |
| 29 | Final board (or principal) briefing: state of readiness, residual risks, any escalation routes | Compliance / Principal | ☐ |
| 30 | Document the firm's "1 September 2026 readiness statement" — short, dated, signed, kept on file | Compliance / Principal | ☐ |
| 31 | Diary-mark the first post-deadline cadence reviews: monthly register, quarterly F&P, annual REP008 | Compliance | ☐ |
After 1 September 2026 the obligations are continuous. Item 31 is what stops the firm slipping back into pre-deadline thinking once the date has passed.
Risks to plan around
A short-list of the things that catch small firms out:
- Treating PS25/23 as an HR matter. It is a conduct-rule matter that uses HR-style mechanics. The compliance oversight SMF, not the HR lead alone, owns it.
- Assuming small size means low scrutiny. Enforcement actions against principals at small firms have happened repeatedly. Size is not protection.
- Leaving training to the last fortnight. Training has to be specific to roles and attested individually — that takes weeks, not days, at any meaningful staff size.
- Skipping the tabletop exercise. The first time you handle a real allegation should not be when one lands. Run a dry-run in July.
- Conflating whistleblowing and NFM channels. They overlap but they are not the same. The whistleblowing vs NFM guide covers the distinction.
Tools and downloads that pair with this checklist
- PS25/23 Readiness Pack — the underlying policy templates, allegation-handling flow, and certification framework
- F&P Assessment Worksheet — the annual F&P assessment template, with NFM tracking fields
- COCON Self-Assessment — interactive conduct-rule mapping for individuals
- NFM Investigation Checklist — interactive investigation step-by-step
- F&P Decision Tree — quick determination of whether misconduct affects F&P
- PS25/23 Readiness Scorecard — quick assessment of overall readiness with per-area gap scoring
What to do next
Three actions, this week:
- Walk through this checklist with your principal or board — agree owners and dates against each item
- Download the PS25/23 Readiness Pack for the underlying templates
- Diary-mark a monthly readiness review between now and 1 September 2026
Treat this checklist as a board-reviewable document. Print it, sign off completed items, and keep the marked-up version on file. The audit-trail value at year-one review is significant.
Sources
- PS25/23 — Tackling non-financial misconduct in financial services
- FCA non-financial misconduct guidance page
- CP25/18 — Consultation paper preceding PS25/23
- COCON — Code of Conduct sourcebook (FCA Handbook PDF)
- SUP 15.3 — Notification requirements (FCA Handbook)
- SUP 10C — Senior management arrangements (FCA Handbook)
- FIT 2.2 — Fitness and propriety assessment (FCA Handbook)
- FCA Directory of certified persons
This guide is for general information only and does not constitute legal or regulatory advice. Last reviewed: 4 June 2026.