Non-financial misconduct in financial services

On 2 July 2025, the FCA published a new Consultation Paper and a Policy Statement including final rules in relation to tackling non-financial misconduct in financial services.

In relation to final rules, the FCA indicate the scope of COCON is already relatively wide in relation to banks. However, in non-banks it applies primarily to conduct that forms part of, or is for the purpose of, the SMCR financial activities of the firm.

COCON final rules

1. New finalised rules and guidance provisions are to be included in COCON 1.

2. The FCA emphasise that its COCON rules are distinct from employment law and employers’ internal disciplinary codes. Although they have revised the rules to align it more clearly with employment law, they think it important not to limit their rule to conduct related to a "relevant protected characteristic" and have framed it to cover a wider range of workplace misconduct that they consider relevant to our statutory objectives.

3. In terms of scope, the FCA are widening the scope of the rules for non-banks to align the approach across all SMCR firms and bringing more instances of non-financial misconduct ("NFM") into their regulatory remit.

4. The FCA acknowledge that conduct in private or personal life is entirely out of scope of their statutory power to make rules on the conduct of individuals. This is different from assessments of fitness and propriety, which can take account of any relevant matters wherever they occur.

5. The new rules applicable in relation to the scope of conduct for non-banks apply in relation to harassment. The purpose is to extend the scope of COCON to capture unwanted conduct against individuals who are employees of the firm or of its group entities, those who perform functions for the firm or its group entities or employee of service providers to either (‘B’): The misconduct is (a) conduct that has the purpose or effect of: (i) violating B’s dignity; or (ii) creating an intimidating, hostile, degrading, humiliating or offensive environment for B; or (b) conduct that is violent to B.

6. If such a firm carries on business which involves SMCR financial activities and other parts of the firm's business do not involve SMCR financial activities, conduct is not within the scope of the above rule if it only relates to the business of the firm that does not involve SMCR financial activities.

7. It appears to be the FCA's position that the new rules applicable to non-banks at paragraph 5 (above) already apply to banks because the COCON rules are not limited in their application to the banks' SMCR financial activities¹.

8. The new rules will come into effect on 1 September 2026.

The new consultation

9. The FCA are also consulting on proposed rules and guidance in relation to COCON and FIT.

COCON

10. Proposed Guidance in COCON 1.3 indicates that the application of COCON is limited to conduct that relates to a function carried out by a member of the firm's conduct rules staff where in turn that function relates to the carrying on of an activity by the firm. The firm’s activity may be a regulated activity or unregulated activity. The effect is that therefore conduct relating to the conduct rules staff member’s private or personal life is outside the scope of COCON.

11. However, this does not mean that a senior conduct rules staff member is not required to disclose information about their private or personal life under COCON 2.2.4R (Senior manager conduct rule ("SC") 4). An SC staff member should disclose such matters if they are material to an assessment of fitness and propriety under FIT.

12. Relevant factors in deciding whether conduct is within the scope of the COCON rules would include whether:

the conduct occurred when the conduct rules staff member was present on the firm’s premises;
the conduct occurred when the conduct rules staff member was working on the firm’s business;
the conduct involved a client, a professional acquaintance, another member of the firm’s staff or someone the conduct rules staff member had dealt with on behalf of their firm;
the conduct was committed using work equipment or by involving the firm’s staff;
the conduct arose in a business context, including an official or an informal event organised or supported by the firm or in which the firm participates, whether it is held at the firm’s premises or at another location;
the conduct occurred at an event that is not organised by the firm but which the firm requires the individual to attend, such as a training course;
the position of the conduct rules staff member as a conduct rules staff member of the firm helped them to carry out the conduct; or
the purpose (misguided or not) of the conduct was to benefit the firm.

13. The proposals include a caveat that whether conduct is within the scope of COCON will depend on the specific facts of each case. It is therefore said that it is not possible to set out scenarios in the FCA Handbook and say whether in all cases the conduct in question will be within the scope of COCON.

14. This caveat means that the above factors are not exhaustive; and the presence or absence of one of those factors does not by itself dictate whether conduct is within the scope of COCON.

15. The proposed Guidance goes on to include a table describing types of conduct and an indication of whether it would fall within or outsider the scope of COCON. For example, misconduct by M ("M" refers to the member of a firm’s conduct rules staff carrying out the conduct in question) in relation to a fellow member of the workforce while both are on their firm’s premises, in contrast to misconduct by M in relation to a member of the public while M is commuting to their firm’s place of business for work.

16. Another result of the caveat above would be that when the table says that conduct is or is not generally within the scope of COCON, in an individual case all the other features of the case are also relevant.

17. The proposed Guidance does make clear that conduct excluded from COCON can still be relevant to fitness and propriety, as described in FIT 1.3 (Assessing fitness and propriety). More on this later.

18. The proposed scope of COCON is not limited to conduct that is authorised by the firm or carried out with a view (misguided or not) that it is for the firm’s benefit. Conduct is not excluded from the scope of COCON just because the firm forbids it (for instance in a staff handbook) or it is calculated to harm the firm. Thus, for example, the following conduct would be within the scope of COCON:

misappropriating a client’s or the firm’s assets;
providing false or inaccurate details about the member of the conduct rules staff’s training, qualifications, past employment record or experience;
misusing the assets or confidential information of a client or the firm to make a personal profit;
misconduct against a client;
harassment of a fellow member of the workforce; and
maliciously sabotaging a firm’s information technology systems or altering or erasing its data.

19. The proposed Guidance also identifies the scope of "SMCR financial activities" to which COCON applies when COCON is restricted to SMCR financial activities. It covers more than conduct involving direct dealings with counterparties and customers (and potential ones) or their assets. It can also cover matters such as:

conduct arising out of such direct dealings, such as record-keeping, valuations and reporting;
after-sale or post-transaction activities such as settlement, queries, dealing with the exercise of rights by the firm or the customer, complaints, cancellations, renewals and generally dealing with the customer or counterparty through the lifecycle of the product or relationship;
designing and operating policies and procedures relating to the conduct of the firm’s relationship with counterparties and customers; and
management and monitoring of these activities.

20. It is proposed that COCON would not be restricted to the above activities and for example, it would cover:

participation in meetings of the firm’s governing body and its committees and other management forums;
conduct in relation to internal systems, controls and operations supporting the activities at paragraph 19 (1-4) above; and
conduct in relation to acquisition and management of resources used to support those activities; and
conduct in relation to systems and controls to monitor and control risks such as liquidity, operational, solvency, market and trading risks.

21. The restriction of the scope of COCON to conduct in relation to a firm’s SMCR financial activities would not apply to harassment and similar conduct in relation to a fellow member of the workforce. Instead, such conduct is excluded if it clearly only relates to a part of the firm’s business that does not carry on regulated activities or other SMCR financial activities.

Guidance on specific COCON rules

COCON Rule 1 - Integrity

22. In the context of Rule 1 concerning integrity, it includes a proposed new example of:-

"Subjecting a fellow member of the workforce to detriment for complying with rule 3 in COCON 2.1 or rule SC4 in COCON 2.2 or for using the firm’s whistleblowing procedures. While this paragraph may in practice usually be most relevant to a manager, this kind of misconduct can be committed by any member of the workforce."

Rule 1: You must act with integrity: Misconduct in relation to fellow members of the workforce

23. It indicates that although COCON 4.1.1CG to COCON 4.1.1EG (specific guidance on individual conduct rules) do not cover every kind of misconduct between members of the workforce of a firm that might be a breach of Individual Conduct Rule 1, they do describe when behaviour that can be described as bullying or harassment will be a breach of that rule.

24. The proposed Guidance adds that although the (newly enacted) rule at paragraph 5 above does not apply to an SMCR banking firm, the guidance in COCON 4.1.1CG to COCON 4.1.1EG, which would now include the new guidance above, will apply to such firms.

25. It states conduct will only breach Individual Conduct Rule 1 if it involves a lack of integrity. This means that misconduct in relation to a fellow member of the workforce falls outside the scope of rule 1 if the conduct rules staff member:

thought that there was a good and proper reason for the conduct and that the conduct and its effect were proportionate to the intended aim of the conduct; or
did not intend to have a negative impact on the subject of the misconduct, did not know that they were doing so and was not reckless about the effect of their conduct. Such a belief of the kind referred to in (a) should be reasonable.

26. Conduct excluded from Conduct Rule 1 under (1) may fall under Conduct Rule 2 instead.

Conduct Rule 2 - Acting with due skill, etc as a manager: Harassment in the workforce

27. The proposed Guidance includes that a manager should try to prevent harassment and other kinds of misconduct referred to at paragraph 5 of this article above. What a manager should do in a particular situation will depend on the exact facts. A manager will not be in breach of Conduct Rule 2 if they have acted reasonably. There will often be a number of different reasonable courses of action that can be taken in a particular case.

28. The following is a proposed non-exhaustive list of examples of conduct by a manager that would breach Conduct Rule 2:

failing to take reasonable steps to protect staff against such treatment including failing to:

(a) intervene to stop such behaviour where appropriate if the manager knows or should know of it;

(b) appropriately operate the firm’s policies, systems and controls to detect and prevent such behaviour; and

(c) (if the manager has sufficient authority to do this) set up and maintain such policies, systems and controls;
failing to take seriously or to deal appropriately with complaints of such behaviour; and
failing to take reasonable steps to provide a safe environment for people to raise concerns about such treatment.

Conduct Rule 2 - Acting with due skill, etc - Misconduct in relation to fellow members of the workforce

29. The proposed Guidance indicates behaviour that can be described as bullying or harassment will be a breach of that rule.

30. It also again adds in this context that although the (newly enacted rule at paragraph 5 of this article above) does not apply to an SMCR banking firm, the guidance in COCON 4.1.1CG to COCON 4.1.1EG, which would now include this new guidance above, apply to such firms.

whether the conduct is repeated or part of a pattern;
the duration of the conduct;
the size of the impact on the subject of the conduct (the rule applies to effects which are serious and marked, and not to those which are, though real, of lesser consequence);
the seniority of the person whose conduct is in question;
the difference in seniority between the person whose conduct is in question and the subject of the conduct and whether the person whose conduct is in question has control or influence over the other's career;
whether the subject of the misconduct has specific characteristics or vulnerabilities, particularly if this is a factor in the conduct in question;
whether the person whose conduct is in question has been warned or disciplined for similar conduct by the firm, a previous employer, the police or a regulator;
whether the person whose conduct is in question has previously undertaken not to do the act or engage in the behaviour in question; and
whether the conduct is criminal or would justify dismissal.

31. The proposals indicate that whether or not misconduct has been the subject of a formal complaint would not generally be relevant to the seriousness of that conduct. The fact that it has been the subject of such a complaint may be relevant evidence, for instance in helping to show what the effect of the conduct was.

32. The mere fact that the person whose conduct is in question has, in accordance with the firm’s general policy, undertaken to comply with the firm’s staff handbook or other internal policies for staff, and the conduct in question breaches a requirement of such policies, is unlikely to be of great significance.

33. The fact that before the misconduct in question, the firm has warned the individual in question about conduct of that type or has required the individual to undertake not to repeat conduct of that type is likely to be significant.

34. One of the factors that will always be relevant is the perception of the subject of the misconduct. The result of this subjective question is that if the subject of the conduct does not perceive their dignity to have been violated, or any of the other things referred to at paragraph 5 of this article above to have occurred, then the conduct should not be found to have had that effect. in.

35. Conduct can consist of a single incident, several incidents, or a course of conduct. Conduct also covers a wide range of behaviour. It is not limited to words, communications and gestures. For example, it can also cover physical violence.

36. Conduct only breaches Individual Conduct Rule 2 if it involves lack of due skill, care and diligence. For example, a conduct rules staff member carrying out such conduct will not breach the rule if:

they thought that the conduct would have no ill effects on the subject of the conduct; and
a reasonable person with the skills that the conduct rules staff member carrying out the conduct has and ought to have:

(a) would have thought the same; and

(b) would have thought that the conduct was justified

Proposed changes to the Fit and Proper test

Breaches of requirements of the regulatory system

37. Apart from the Conduct Rule draft guidance, the proposal states breaches (or the risk of future breaches) of the requirements of the regulatory system are obviously relevant to fitness and propriety under the regulatory system and thus to FIT because they are part of the regime under which fitness and propriety is assessed. Such breaches will often take place in an individual’s work life but, such conduct may also occur outside work.

38. A breach of the requirements of the regulatory system does not automatically mean that a member of the staff being assessed under FIT is not fit and proper. An assessment should be made on a case-by-case basis. In the case of COCON, relevant factors include, among others, the seriousness of the breach, how recent the breach was, steps (including training) taken since the breach to address the behaviours involved in the breach or otherwise to address the causes of the misconduct; and evidence of rehabilitation or remorse.

39. The proposed changes state breaches of the requirements of the regulatory system are relevant to fitness and propriety even if they take place outside work. Maintaining public confidence in the financial system and financial services industry in the United Kingdom is part of the FCA’s statutory objectives. Therefore, conduct of a type that is likely to damage such public confidence is likely to mean that the person concerned is not fit and proper.

40. Misconduct may mean that a person is not fit and proper even if that misconduct does not have such great effects that it measurably prejudices the FCA’s statutory objectives by itself. For example, fraud is inconsistent with the FCA’s statutory objectives and is likely to mean that the person committing it is not fit and proper even if it is small-scale.

Conduct connected to work

41. Breaches of the law or of requirements not forming part of the regulatory system committed during the course of work carried out by a member of staff for their firm or a previous employer may mean that the person concerned is not fit and proper. Such requirements may include requirements of other regulatory authorities (including a previous regulator), clearing houses and exchanges, professional bodies, or government bodies or agencies.

Relevance of behaviour in private or personal life

42. These are likely to be some of the more controversial changes. The proposals note that COCON is limited to conduct related to a firm’s activities and sometimes only to a part of its activities, However, an assessment of fitness and propriety should not be limited in that way. That means that conduct is potentially relevant to an assessment of fitness and propriety even if (i) it relates to the person’s private or personal life; or (ii) it does not have a sufficient connection with SMCR financial activities or other activities of the firm in question.

43. It indicates conduct that: (a) takes place in the private or personal life or other activities outside the regulatory system of a member of staff; and (b) shows that there is a risk that the person will breach the standards and requirements in FIT 1.3.6G (Breaches of requirements of the regulatory system), may show that the member of the staff being assessed under FIT is not fit and proper.

44. Misconduct that: (a) takes place in the private or personal life or other activities outside the regulatory system of a member of the staff being assessed under FIT; and (b) if repeated in the role for which they are being assessed, would breach the standards and requirements in FIT may show that they are not fit and proper because of the risk it will be repeated in that role.

45. Two examples are dishonesty and lack of integrity. Honesty and integrity are both key qualities that staff being assessed under FIT should have. Thus, conduct outside the regulatory system that is dishonest or shows a lack of integrity is always relevant to fitness and propriety under FIT.

46. Similarly, violence or sexual misconduct against an individual by a member of the staff being assessed under FIT in their private or personal life or in work outside the regulatory system may show that there is a risk of similar misconduct in relation to: (a) customers or counterparties of their firm; or (b) people working for their firm, which is a breach of the rules in COCON.

47. Likewise, a breach of standards or requirements that are similar to ones applying under the regulatory system is relevant to fitness and propriety under FIT.

48. It is proposed that even if a breach of a law or standards and requirements by a member of the staff being assessed under FIT would not otherwise be relevant to their fitness and propriety, repeated breaches may raise doubts as to whether they will follow the requirements of the regulatory system. Thus, for example, a minor driving offence will not normally be relevant to fitness and propriety, but frequently repeated such offences may be.

49. Furthermore, it is proposed that misconduct in a person’s private or personal life or in their working life outside the regulatory system may be relevant to their fitness and propriety even if there is little or no risk of it being repeated in their work for their firm. Conduct in an individual’s personal or private life may be relevant if: (a) it demonstrates a willingness to: (i) disregard ethical or legal obligations; (ii) abuse a position of trust; or (iii) exploit the vulnerabilities of others; and/or (b) it is sufficiently serious such that, were the person permitted to work at a firm, it could undermine public confidence in the regulatory system (or any part thereof) or otherwise impact the FCA’s statutory objectives.

50. It provides that a custodial sentence imposed by the court (even if suspended) is likely to mean that the matter is sufficiently serious, but this is subject to consideration of other relevant matters including how old the offence is and rehabilitation since the date of the offence. The reason for this is that the person working in the role for which they are being assessed may damage public confidence in the financial system and financial services industry in the UK and consequently be inconsistent with the FCA’s statutory objectives. Secondly, if the regulatory system allows persons to carry on working in those circumstances it would reflect negatively on the rigour and quality of the standards expected of those working in such positions and in turn on the quality of those who work in such positions. The regulatory standards that apply to a person working for one firm are likely to reflect on the regulatory standards applying generally.

51. In the FCA’s view, misconduct of the type above can mean that the person concerned is not fit and proper even if it cannot be shown that the misconduct will by itself cause direct and discernible damage to public confidence in the financial system and financial services industry in the United Kingdom or to confidence in their firm on the part of customers or those who deal with the firm.

52. As with other kinds of misconduct, it is sufficient if the misconduct is of a type that is inconsistent with the FCA’s statutory objectives.

53. In addition, the fact that a person only works for a small firm and that their misconduct does not significantly damage the confidence of the firm’s clients or those who deal with the firm, or itself damage confidence in the financial services industry more generally, would not prevent this reflection on the standards of the regulatory system.

54. It is proposed that generally, a firm need not monitor the private lives of its staff who are subject to the standards in FIT to see whether there is something that is relevant to fitness under FIT. A firm need only look into the private life of a member of the staff being assessed under FIT if there is a good reason to do so, for instance if the firm becomes aware of an allegation which, if true, would call into question their fitness under FIT.

55. It provides that even if a firm is aware of an allegation against a member of the staff being assessed under FIT relating to their private life, the firm may have a limited ability to investigate. In any case, it is likely that it will be more appropriate for the relevant law enforcement or other authorities to investigate. Therefore, the FCA accepts that it is likely that a firm will often rely on:

matters going to honesty, integrity and reputation;
criminal convictions; or
the findings of a court, tribunal, regulator, arbitrator, public enquiry.

56. Nevertheless, a firm should consider what steps it can reasonably take to investigate and assess the possible impact on the fitness and propriety of a member of the staff being assessed under FIT above. For example, the firm should, where appropriate, ask for an explanation from the member of the staff being assessed under FIT concerned.

57. Firms would also be reminded of their obligations under SUP 10C.14.18R (Notifications about fitness, disciplinary action and breaches of COCON).

58. The fact that a firm has not been able to establish the truth of an allegation does not mean that the firm should not report it to the FCA if, were it established to be true, it would reasonably be material to an assessment of fitness and propriety.

Social media

59. In relation to the use of social media (including any messaging apps) by a member of the staff being assessed under FIT, it is proposed that if a person’s social media activity in their private life indicates a real risk that the person will breach the requirements and standards of the regulatory system, such activity will be relevant to their fitness and propriety. Examples could include threats of violence or clear involvement in criminal activities.

60. Subject to other points made in this context, a person can lawfully express views on social media even if they are controversial or offensive, without calling into question their fitness under FIT, and even if colleagues at work are upset by those views. Firms need not monitor the social media activity of its staff who are subject to the standards in FIT in their private lives.

Offences

61. The proposal indicates that when taking into account offences, the FCA will (and firms should) give particular consideration to offences of dishonesty, fraud, financial crime, or an offence under legislation relating to companies and a list of other institutions, consumer protection, money laundering, market manipulation and insider dealing, offences of violence, sexual offences and offences related to a person’s or a group’s demographic characteristics such as racially motivated or aggravated offences, whether or not comitted in the UK.

62. The FCA will (and firms should) take account of the effect of a conviction for a criminal offence on a person’s fitness on a case-by-case basis, taking into account the seriousness of, and circumstances surrounding, the offence, the explanation offered by the convicted person, the relevance of the offence to the role, the passage of time since the offence was committed and evidence of the individual’s rehabilitation. Offences are not just relevant if committed in a work context.

63. In relation to the main assessment criteria in respect of honesty, integrity and reputation, proposed changes include adding:-

"11A. whether the person has been asked to resign and resigned, from employment or from a position in (11). Whether the FCA considers (or a firm should consider) a resignation to be relevant will depend on the circumstances – for example, if a person is asked to resign in circumstances that cast doubt over their honesty or integrity, including where this is as a result of involvement in misconduct such as bullying, harassment, victimisation or discrimination; ..

14. whether the person has been found by a tribunal or court to have been engaged in bullying, harassment, victimisation or discrimination; and

15. whether the person has been the subject of an upheld internal complaint related to bullying, harassment, victimisation or discrimination."

Commentary

64. There is existing case law in relation to professionals which indicates that failing to act with integrity in personal life in a manner which is not relevant to how the person concerned is required to conduct themselves in their professional life should not in itself engage regulatory action (see Wingate v SRA [2018] 1 WLR 3696).

65. In Ryan Beckwith v SRA [2020] EWHC 3231 (Admin), the Court similarly held that the obligations to comply with the SRA Principles attached only to matters that touched upon professional practice as a solicitor and the facts found by the SDT did not demonstrate that to be the case.

66. In FCA v Frensham, the Upper Tribunal ("UT") held that:-

"Provisions requiring professional persons to act with integrity or to be of sufficient repute may reach into private life only when conduct that is part of a person’s private life realistically touches on their practice of the profession concerned. The conduct must be qualitatively relevant because it engages the standard of behaviour set out in the regulatory code concerned".

67. In Frensham, the UT commented on the FCA's assertion that the public are entitled to expect that approved persons are individuals of the utmost integrity and reputation. They said:-

"That simply amounts to saying that the offence must be regarded as being so awful and would be regarded as such by fair-minded members of the public ……that the only answer to the question posed must be that the person concerned must be prohibited from working in the industry. That is presumably because public confidence in the industry would be significantly harmed if such a person was allowed to continue to work in the industry. However, the FCA’s guidance did not make it clear that particular offences were considered to be so serious that without more they would automatically disqualify the person concerned from working in the industry.”

68. The FCA's new proposals now refer in the context of individuals' fitness and propriety to maintaining confidence in the UK financial system. Serious non-financial misconduct, whether inside or outside the workplace, such as sexual or racially motivated offences, is unlikely to be compatible with their statutory objectives.

69. We ask ourselves - Is the FCA overreaching in seeking to make the changes it now proposes?

Author: David Capps

¹ Existing COCON rule 1.1.7A 1) provides that where a firm is an SMCR firm other than an SMCR banking firm, the application of COCON is restricted to conduct that forms part of, or is for the purpose of, any of the following:

the SMCR financial activities of the firm; or
any activities of the firm that have, or might reasonably be regarded as likely to have, a negative effect on:

(a) the integrity of the UK financial system; or

(b) the ability of the firm to meet the “fit and proper” test; or

(c) the ability of Firm A to meet the applicable financial resources requirements and standards.

Related Expertise