Non-Financial Misconduct in Financial Services: Nothing is ‘Plain and Simple’

• The UK FCA is extending the application of the non-financial misconduct rules to a broader scope of conduct, aligning the scope for employees of banks and non-banks from 1 September 2026. In addition, the FCA has issued another consultation on further rules and guidance, which it expects to finalise by the end of the year.
• Proposed guidance includes scenario-based examples on the scope of COCON. The guidance seeks to clarify the boundary between work and private or personal life, conduct outside the SMCR financial activities, factors to assist in the determination of whether an instance of non-financial misconduct should be considered serious, and examples of reasonable steps for managers.
• In practice, when a firm becomes aware of an instance of potential or alleged non-financial misconduct, it will need to assess whether there has been a breach of the Conduct Rules, if any notifications to the FCA are needed, determine whether the misconduct would need to feature in a regulatory reference, and consider the potential involvement of the firm’s management, including any need to address broader conduct or cultural issues at the firm.
• It will also be necessary to determine whether non-financial misconduct, whether or not it falls within the scope of COCON, may cause an individual to no longer meet the appropriate standard of fitness and properness required under the FCA’s rules and guidance.

Introduction

Back in 2018, a senior member of the Financial Conduct Authority (FCA) stated that “non-financial misconduct is misconduct, plain and simple”.¹ Since then, the FCA has issued multiple discussion and consultation papers,²  letters to industry³ and surveys.⁴ The recent policy statement (and further consultation) is a welcome step towards clarity, though there remain a number of open questions and issues. Ultimately, in tension with previous comments, very little about this area of regulation or what has been more recently communicated by the FCA is either plain or simple.

In the following three sections, we set out (i) what the FCA’s Policy Statement has now clarified, (ii) what may become clear, once the FCA’s new Consultation comes to fruition, and finally (iii) what firms need to do.

The New Rules – What is Confirmed?

The new rules and guidance will come into effect on 1 September 2026, and will not apply retrospectively. They deal with the circumstances when non-financial misconduct will constitute a breach of the FCA’s “Code of Conduct” (in the FCA’s Code of Conduct Sourcebook, or COCON).

The new rules align the rules for non-bank Senior Managers and Certification Regime (SMCR) firms with those that currently apply to banks, expanding the cases when non-financial misconduct will constitute a breach of COCON. Currently, COCON applies to conduct that forms part of, or is for the purpose of “SMCR financial activities”, broadly, regulated activities or activities carried on for the purposes of or in connection with regulated activities.

Under the new rules, non-bank firms will become subject to new rule COCON 1.1.7F R, the purpose of which is to “extend the scope of COCON” so that it covers “harassment” by a member of staff of certain other people associated with the firm or a group company, typically another member of staff or someone who provides services for or to the firm or its group.⁵ This means that non-bank firms’ employees must comply with COCON also with respect to their conduct in work-related social events, as well as in carrying out their professional obligations.

Many of the most difficult questions for firms in how to deal with non-financial misconduct arise in determining whether something is in an individual’s private or their professional life. By restricting breaches of COCON to conduct which is “in relation to” individuals associated with the firm, it might be hoped that these difficult line drawing questions can be avoided at least for the purposes of COCON. Indeed, if the Guidance (as discussed in the next section) is brought into force, this may be even easier, with newly proposed COCON 1.3.2 G to 1.3.9 G being entitled, “COCON does not cover private or personal life,” with detailed guidance and examples.

Failing to notify the FCA of a breach of COCON can itself be a breach of the FCA’s rules for firms. As such, having clarity about when it is necessary to notify is important. Similarly, when a firm gives a regulatory reference, breaches of COCON may need to be included, and so understanding and recording whether a breach has or has not been committed is of great importance.

The FCA has specified that the intention is for these rules to be aligned with employment law obligations. Whilst the regulator notes that there will still be cases where regulatory requirements and employment law obligations diverge, the aim is for there to be consonance between the two regimes.

The New Consultation – What is to be Finalised?

There are two parts to the new consultation: first, consultation on new guidance on what type of conduct would be within COCON 1.1.7F R. This would expand on the new rules described above.

Second, consultation on new guidance for the Fit and Proper test for Employees and Senior Personnel sourcebook (FIT). FIT explains how firms (and indeed the FCA) assess whether an individual is “fit and proper” to perform their function. Whilst breaches of the COCON can be relevant to this, the test can be broader, and generally encompasses more, including (for example) an individual’s skills and competences.

1. COCON Guidance

Private or Personal Life

As noted above, the new COCON rules try to carve out actions in someone’s “private or personal life”. The distinction between someone’s private or personal life and their professional life is not always clear, however. It seems settled, now, that (for example) work Christmas parties are generally to be treated as forming part of ‘professional life’, as would client entertainment. Harder cases are not too difficult to generate however: what about colleagues who always meet on their commute? What about people who meet at work, but then pursue a romantic relationship?

The delineation between private/personal life and professional life is not something where the FCA has entirely free rein. As the High Court determined in Beckwith v. Solicitors Regulation Authority [2020] EWHC 3231 (Admin)⁶ at [50], “It is one thing to accept that any person who exercises a profession may need, for the purposes of the proper regulation of that profession in the public interest, to permit some scrutiny of his private affairs; to suggest that any or all aspects of that person’s private life must be subject to regulatory scrutiny is something of an entirely different order.” In order for the FCA’s rules and guidance on non-financial misconduct to refer to an individual’s private life, the rules and guidance must be compliant with Article 8 of the European Convention on Human Rights (respect for private and family life), including that the rules and guidance are sufficiently clear and precise and proportionate to the public interest.

The proposed new guidance on COCON is welcome in this regard. For example, newly proposed COCON 1.3.4 G would set out “[r]elevant factors” on deciding whether something is personal or professional, including whether the conduct took place on the firm’s premises, at events organised by the firm, supported by the firm or which the individual is required by the firm to attend. Whilst there would still be a need for firms to consider “the specific facts of each case” (per proposed COCON 1.3.5 G), the Guidance would likely make it much clearer for firms in making the personal/private v. professional determination required by COCON.

There are still going to be potentially difficult cases, but from a firm’s perspective, the critical issue is likely to be analysing the connection to someone’s professional life. If a firm can easily identify the connection to the individual’s profession or work, then it will likely fall on the professional side of the line; if they cannot, or any such connection requires a strained interpretation, then it seems more likely that it would be personal. Documenting these determinations will be very important to ensure that the firm can justify its approach.

Seriousness

The new guidance also proposes to make clear that non-financial misconduct would only be a breach of COCON if it is “serious”. In newly proposed COCON 4.1.8E G, the FCA lists several factors which would go into its assessment of seriousness, including whether the conduct is repeated, the duration, the impact, the seniority of the perpetrator (including as compared to the complainant) and whether it is criminal or otherwise would be grounds for dismissal. Also to be considered would be whether or not the person who has been subjected to the potential misconduct thinks that the behaviour violated their dignity (COCON 4.1.8I G (1)), which will require great care and attention for firms to assess and consider, as well as adding a further level of subjectivity into the assessment.

The difficulty with this test is that the FCA has proposed it almost as binary: conduct is either serious, or it is not. As their multiple factors indicate, however, that seems unrealistic. The seriousness of the conduct will be on a spectrum, and firms will almost certainly find it hard to assess what the FCA’s apparent binary test in fact means.

As such, the proposed COCON Guidance betrays that this will be a difficult assessment for firms. Whilst having guidance would be helpful—not least, as it gives firms something substantive to ‘hang their hats on’ when making a determination—it will almost certainly not give the answer in many difficult cases. As discussed more below, as a result, firms need to prepare their procedures well before the new rules and guidance take effect, to ensure that whatever they do is defensible, even if ultimately the regulator or another firm might come to a different decision in a particular case.

This said, it is at least preferable that in this new version of the proposed guidance, the FCA has taken on board feedback that it should not rely on overly vague ethical standards such as those based on “moral soundness” or requiring firms to assess whether someone has engaged in “disgraceful or morally reprehensible behaviour”, but rather using more neutral language. As such, whilst there will be difficulties in application, these will be preferable over what was first proposed.

2.  FIT Guidance

All individuals working in the regulated sector must be “fit and proper”. There are additional formal requirements for more senior individuals: for “senior managers”, the FCA must assess their fitness and propriety initially; and for senior managers thereafter, and for all “certified staff”, firms must assess and certify each individual’s fitness and propriety at least annually.

The proposed FIT Guidance is perhaps the thorniest issue for firms. Under the proposed new FIT Guidance, the FCA would make clear that breaches of COCON (including non-financial misconduct with a professional connection) will always be relevant to an individual’s fitness and propriety, even if such a breach would not be determinative that an individual is not fit and proper. This type of balancing test is inherently difficult, not least given the problems in defining what constitutes “serious” misconduct discussed above. As such, all of the difficulties in the new COCON Guidance would become relevant to FIT as well.

The problem goes wider than this, however, because the newly proposed FIT Guidance would also make clear (in proposed FIT 1.3.6 G(2)), that conduct from “outside work” may also be relevant to the fitness and propriety test.

The FCA’s proposed guidance starts in familiar territory, that “dishonesty and lack of integrity” outside of work will be relevant to FIT: proposed FIT 1.3.16 G (3). This would seem to be uncontroversial. Thereafter, however, the examples become immediately difficult. The FCA proposes, for example, that “violence or sexual misconduct” will be relevant to FIT, even if it is clearly in someone’s personal life, as this “may show that there is a risk of similar misconduct in relation to (a) customers or counterparties of their firm; or (b) people working for their firm”: proposed FIT 1.3.16 G (4). This would appear both over- and under-inclusive with serious crimes that are essentially impossible to engage in at work perhaps excluded, and relatively minor or out-of-character incidents which could have taken place at work, but did not, made relevant. It is possible that the FCA thinks that this is the necessary corollary of the court judgments which have been given, and the “minor” offences will then be screened out by firms on the basis of the seriousness balancing test.

This said, the FCA is also proposing in its guidance to provide that misconduct in a private life may still be relevant even if there is “little or no risk” of it being repeated in a professional context, if it “demonstrates a willingness to: (i) disregard ethical or legal obligations; (ii) abuse a position of trust; or (iii) exploit the vulnerabilities of others”, and that as a result it could undermine public confidence in the regulatory system or otherwise impact the FCA’s objectives to permit them to work at the firm.⁷

One helpful clarification from the FCA is that they do not expect that firms will have to actively monitor employees’ private lives, including their social media accounts, even if their private life and what is on someone’s social media account might be relevant to the assessment. The proposed rules would make clear, however, that if drawn to the firm’s attention, the firm must be alive to the potential that a person’s social media presence could be pertinent to their fitness and propriety, and to treat this accordingly.

What Next?

• The best actions for firms to take at the moment are to be familiar with the FCA’s guidance, and document their policies, processes and procedures, in a logical, clear, and fair manner.
• Whilst the FCA has tried to align employment law and regulatory obligations, firms need to be aware of the importance of making sure that their actions are consistent with both sets of requirements. Sometimes taking an action in accordance with employment law will inevitably have a knock-on effect for the purposes of a firm’s regulatory obligations, and these cannot be considered independently in siloes.
• Firms will want to make sure that their regular training programmes suitably cover non-financial misconduct. As well as training on the seriousness of bullying and harassment, firms would be well-advised to warn their staff about the potential relevance of any misconduct in their personal lives, as well as their professional lives.
• In due course, firms will need to update their policies and procedures to ensure that they are compliant with the new guidance, including in relation to record keeping and in relation to their human resources policies.

^{1 https://www.fca.org.uk/news/speeches/opening-and-speaking-out-diversity-financial-services-and-challenge-to-be-met.}

^{2 https://www.fca.org.uk/publication/discussion/dp21-2.pdf; https://www.fca.org.uk/publication/consultation/cp23-20.pdf.}

^{3 https://www.fca.org.uk/publication/dear-ceo-letters/dear-ceo-letter-non-financial-misconduct-wholesale-general-insurance-firms.pdf.}

^{4 https://www.fca.org.uk/data/culture-non-financial-misconduct-survey-findings.}

^{5 The FCA has defined this type of “harassment” in COCON 1.1.7F R (4) as being conduct which “has the purpose or effect of: (i) violating [the other person’s] dignity; or (ii) creating an intimidating, hostile, degrading, humiliating or offensive environment” for them, or conduct which is “violent” towards them.}

^{6 https://www.bailii.org/ew/cases/EWHC/Admin/2020/3231.html.}

^{7 See proposed FIT 1.3.17 G (1).}