FCA non-financial misconduct rules: how can firms comply?


FCA non-financial misconduct rules will expand in September 2026

From 1 September 2026 the Financial Conduct Authority will introduce changes to its regulatory framework by formalising non-financial misconduct rules in the regulated financial sector. Victoria Sena, ex-regulator and Founder of Cherrybank Consulting, has put together this exclusive FAQ to help you with your compliance journey.

 


Why has the FCA turned its attention to non-financial misconduct?

In 2024 the FCA ran a survey on culture and non-financial misconduct (NFM), which examined how firms detect and handle non-financial misconduct incidents. With a response rate of 96%, it was clear that firms were keen to engage on this issue.

Key findings included:

  • The number of reported non-financial misconduct incidents increased over the three years covered in the survey (2021-2023 inclusive)
  • Bullying and harassment (26%) and discrimination (23%) were the most reported types of non-financial misconduct
  • Disciplinary actions were taken in 43% of cases

The FCA believes that addressing non-financial misconduct will have a positive effect on workplace culture, help to attract and retain talent, and reduce rates of financial misconduct. Sarah Pritchard, the FCA’s deputy chief executive, has previously warned that “failure to tackle toxic behaviour drives away good people, prevents staff from speaking up and undermines performance. It damages growth and enables financial misconduct.”

 

What are the new FCA non-financial misconduct rules?

In essence, the new FCA rules require firms to recognise, react to, and report on misconduct that is not related to financial activity. This includes bullying, harassment, and violence. The rules are the first step in an initiative, set to run between 2025 and 2030, aimed at raising standards, increasing accountability and rebuilding trust across the financial industry.

The conduct in question must be sufficiently serious to fall within scope of the rules. Specifically, it must:

  • Violate another person’s dignity
  • Create hostile, intimidating or degrading environments, or
  • Involve violent acts towards another individual

This definition aligns closely with the wording of the Equality Act 2010 to ensure clarity and legal coherence.

The rules are supported by draft FCA guidance, which was consulted on until 10 September 2025. The FCA stresses that the rules and requirements are in addition to firms’ responsibilities under employment law, including under the Employment Rights Act 1996 and the Equality Act 2010, as well as the Worker Protection (Amendment of the Equality Act 2010) Act that came into effect in October 2024.

 

Where and when do the non-financial misconduct rules apply?

The new rules have been extended beyond banks to include over 37,000 other regulated firms where the Senior Managers & Certification Regime (SM&CR) already applies, including fund managers, FinTechs, insurers, brokers and intermediaries. Within these firms, the rules apply to employees, contractors, and service providers connected to the firm. However, the application of the rules varies according to location and an individual’s job role:

  • For UK-based firms, conduct is in scope if it occurs on UK premises, during work-related activities, and/or involves UK clients
  • For Senior Management Functions (SMFs) and Material Risk Takers (MRTs), conduct is in scope of the rules regardless of location
  • For other conduct rules staff, conduct would be in scope if it occurs in a UK workplace

 

This means that all the following scenarios are in scope of the rules:

  • Interactions between employees on firm premises
  • Remote working environments
  • Internal and external meetings with clients and suppliers
  • Social events organised by the firm or related business entities

 

Are the rules limited to activities within the workplace?

The draft guidance extends scrutiny beyond workplace conduct to include an individual’s personal or private life when relevant, especially if their behaviour demonstrates:

  • Dishonesty or lack of integrity
  • Violence or sexual misconduct
  • Patterns of repeated minor misbehaviours
  • Abuse of power or disregard for ethical standards

 

Example one

A few colleagues decide to go for more drinks following a Christmas lunch organised by their workplace. They drink all afternoon and evening. At one point, two colleagues get into a fight over a recent football derby and punches are thrown.

 

Example two

An employee sets up a fundraiser for their child claiming that they are suffering from cancer and need urgent treatment in the United States. People from their workplace and members of the public contribute to the fundraiser. It later comes to light that their child does not actually have cancer, and the money was spent on a trip to Disney World Resort in Florida.

 

Example three

An employee has a popular YouTube account that posts ‘happy slap’ videos, where innocent members of the public are slapped by the perpetrators for entertainment. They decide to show off their page to their colleagues and make jokes about creating videos at work.

The draft guidance therefore recognises that the behaviour of an individual outside of work can materially impact a person’s suitability for undertaking a regulated role.

 

Who is responsible for implementing the NFM rules?

Senior managers hold direct accountability under the SM&CR to:

  • Take reasonable steps to prevent and address non-financial misconduct
  • Act diligently upon complaints or indications of misconduct
  • Foster safe, inclusive environments where concerns can be raised without fear

 

How can you meet the FCA’s expectations when it comes to non-financial misconduct?

The FCA expects a firm to take reasonable care to organise and control its affairs responsibly and effectively. The FCA has emphasised that non-financial misconduct is not merely an internal HR issue, but a regulatory concern with implications for market integrity and consumer protection. It follows, then, that this new piece of regulation should be integrated within a firm’s existing risk management systems. Here’s how to do it in practice.

 

Set the tone from the top

The board of a regulated firm sets and is ultimately responsible for the objectives of the business. This includes objectives around business growth, as well as risk management, systems and controls. As such, the board must set the tone from the top when it comes to managing the risks of non-financial misconduct. It must ensure that the expectations of the regulator and clients are continually exceeded. This topic should be discussed at the quarterly board meetings, or at a relevant sub-committee. A member of the board, such as the chief risk officer, should be responsible for delivery and oversight of non-financial misconduct.

Here are some examples of risk management commitments that firms should make:

  • The board and staff should understand what non-financial misconduct is

    Educating staff on the new regulation is important to ensuring that the consideration of risks to the firm will be at the forefront of everything it does. Staff should feel comfortable talking about non-financial misconduct, however small or inconsequential.

  • The process of identifying and escalating non-financial misconduct should be easy to follow

    A clear and efficient process will aid identification and escalation.

  • Non-financial misconduct is considered when related decisions are made

    An individual’s behaviour must be fully integrated into the firm’s decision-making process, for example around promotions.

  • Staff understand that they will be held accountable for non-financial misconduct

    Responsibility extends beyond the directors to all staff, whether full or part time, contracted or directly employed.

 

Add non-financial misconduct to the firm’s risk register

Firms must have in place a forward-looking risks and controls register that adequately documents their risk management approach. The register’s goal is to identify and classify risks to the firm, assess the controls in place, and determine and record the mitigation plans.

Non-financial misconduct should be added to the register alongside a list of controls and further mitigation action to be completed so that the risk is adequately managed on an ongoing basis to keep it within the firm’s risk appetite.

 

Update policies and procedures to include non-financial misconduct

Firms must have an inventory of policies and procedures to ensure that risk management is undertaken in a logical and efficient manner. These policies and procedures should be updated to include non-financial misconduct. It can either be incorporated into an existing policy or covered in a new policy. For example, the requirement to disclose serious substantiated misconduct in regulatory references could be added to an existing policy for completing this specific document.

Remember to use a consistent template for all your policies and procedures, and cross-reference them where relevant. Ownership of each document must be clearly defined, and format and language should be standardised to ensure the documents are user-friendly.

 

Ongoing learning and development for all

Learning and development (L&D) should be embedded throughout a person’s time at a firm. Using a learning management system (LMS) such as Ciphr’s will make it easier for you to issue and monitor individuals’ continuous professional development (CPD).

Ciphr has built a new training course for non-financial misconduct that brings people up to speed with the new rules and guidance. Alongside this course, we recommend that you check out our Senior Managers & Certification Regime elearning, Diversity & Inclusion elearning, and our suite of FCA compliance courses.

 


Report on and share management information

Adequate and appropriate management information (MI) is a key tool in risk management. Information on non-financial misconduct should be added to the existing MI. Responsibility for the provision of information and its accuracy is vested in senior management. The chief risk officer should oversee the flow of information on risks and controls, and challenge the business to confirm that appropriate mitigating actions are being taken to keep risk within the board’s risk appetite.

What happens if you breach the FCA’s non-financial misconduct rules?

Firms will face regulatory consequences for failures to act on non-financial misconduct, reinforcing the imperative of proactive leadership on culture and conduct matters.

Poor risk management has a multiplier effect. First, firms are likely to have operational, financial and conduct risks crystallise in the form of customer or staff detriment and monetary loss. However, their losses will be multiplied should the regulator discover their failings. This is known as regulatory risk.

As the non-financial misconduct rules have not yet come into force, no related fines have been issued. However, the FCA has a significant enforcement history of fining firms for serious misconduct and poor culture, which conceptually overlaps with the forthcoming rules.

 

Simplify compliance with FCA non-financial misconduct rules with Ciphr eLearning

We’re here to help you get FCA risk management right with effective eLearning courses that make an impact. Created together with the author of this article, Victoria Sena, founder of Cherrybank Consulting, our suite of FCA compliance courses is designed for organisations that are regulated by the FCA. They’ll make sure that your firm remains up to date with the latest legislation and regulatory requirements. These off-the-shelf eLearning courses can be deployed in weeks – helping your teams get up to speed, fast. Or if you prefer a more tailored approach, we can work with you to customise our content or develop bespoke eLearning courses that deliver on your precise requirements. Speak with one of our expert advisors today to find out what’s right for you.

 

About the author

Victoria Sena is founder of Cherrybank Consulting, an innovative consultancy founded in 2019 with a wealth of experience in growing regulated financial businesses in the UK and internationally. Specialising in governance, operations, risk, and compliance, Cherrybank has worked with start-ups and scale-ups across the financial spectrum including banks, asset managers, funds, corporate finance advisers and open banking platforms. You can get in touch here.