The UK Financial Conduct Authority (FCA) is expanding the reach of its Code of Conduct (COCON) for non-bank firms and consulting on new guidance related to non-financial misconduct, with changes taking effect from September 2026 that will align requirements more closely with those already applicable to banks.
Current COCON Framework: FCA Conduct Rules and Non-Financial Misconduct Requirements
The COCON sets conduct standards for a broad constituency of individuals in the UK working for regulated businesses subject to the Senior Managers and Certification Regime (SMCR) (conduct rules staff). This includes senior managers, certified employees, and also a wide category of non-regulated individuals that are subject to COCON.
COCON runs in parallel with the requirements on regulated individuals (senior managers and certified employees) to remain “fit and proper,” and sets standards of behavior expected of those working in regulated firms. However, when it comes to non-financial misconduct (NFM), there is some divergence.
- “Fitness and propriety” may be evaluated based on any conduct, including behavior outside of work and in the private life of the relevant individual. This applies especially when the conduct is serious (for example, a serious criminal conviction involving turpitude) and if it makes the individual more likely to break FCA requirements (e.g. integrity requirements) whilst in work.
- COCON is narrower in scope. First, whilst COCON applies to NFM at work (such as bullying or harassment) it does not apply to the private life of conduct rules staff. Second, for banks, COCON applies to conduct rules staff when they are performing tasks for their regulated employer, whether or not those tasks are part of the bank’s regulated activities. However, for all other types of regulated firms subject to SMCR, COCON applies only to conduct rules staff performing tasks for a regulated employer that are part of or connected with the firm’s regulated activities.
Why does this matter?
- First, conduct that breaches COCON in a bank may not be a breach if it takes place in a non-bank SMCR firm, which is anomalous, not least as COCON breaches must be reported to the FCA and feature on regulatory references. This discrepancy in the rules’ applications also creates a lack of clarity in terms of what conduct is within the scope of the FCA’s requirements and the situations in which firms must report NFM.
- Second, where conduct falls outside of COCON’s scope, firms may only make conduct-related determinations by referring to “fitness and propriety” or referring to their own internal conduct standards. For some misconduct, the former may feel disproportionate, but the latter may be underdeveloped or lack key provisions.
- Third, an erroneous finding that COCON applies may result in a regulatory reference being completed incorrectly and/or expose a firm to employment claims.
- internal conduct-related decision makers, such as conduct committees, understand the change in COCON’s scope.
- those communicating the firm’s position on conduct, whether to the FCA in notifications or in regulatory references, understand the change.
- internal conduct documents and training materials properly reflect COCON’s new scope.
- internal conduct standards are comprehensive enough to capture conduct that still falls outside COCON’s scope.
Change in COCON’s Scope for Non-Bank SMCR Firms
With effect from 1 September 2026, the FCA will now more closely align the application of COCON in non-bank SMCR firms and banks. From that date onwards (there will be no retrospective effect) in non-bank SMCR firms, COCON will apply to certain serious conduct such as violence and bullying towards colleagues, regardless of whether it occurs in the context of regulated or unregulated tasks. The FCA will do so by creating a new COCON rule 1.1.7FR (New Rule), which will expand COCON’s scope. The only exception to the New Rule will be if the misconduct occurs in respect of a separate business of the regulated firm that is not regulated in any way.
The FCA stresses that, under the New Rule, the conduct must be serious to broaden COCON’s scope. Therefore, a proper understanding of all the facts remains key in each case. Non-bank SMCR firms should make sure their internal rules and policies are adequate in case they need to make conduct findings in circumstances where COCON does not apply.
More generally, in advance of September 2025, non-bank SMCR firms should ensure that the New Rule is appropriately embedded. Firms should consider whether:
The New Rule is also drafted to align more closely with the Equality Act 2010’s definition of harassment, referring to the same test. This requires consideration to be given to both the purpose and the effect of the conduct in question when assessing whether it violates the victim’s dignity or creates an “intimidating, hostile, degrading, humiliating or offensive environment” for that person. Violent conduct is also expressly referred to. Unlike the provisions of the Equality Act, the New Rule extends to conduct that is unrelated to a protected characteristic of the victim – such as their race, age, gender, sexuality, etc. In this sense, it goes further, although the concept of bullying and harassment unrelated to any protected characteristic is one that HR professionals and employment lawyers generally already understand.
The New Rule applies to conduct directed not only at a perpetrator’s colleagues but also other individuals with whom they may work, such as an employee of a company engaged to provide services to the regulated firm. This broad approach, designed to enhance employee protections and increase employer accountability, aligns with other recent developments in employment law. In particular, the new duty to prevent sexual harassment (which came into force last October) and the proposed employee protections against harassment by third parties contained in the Employment Rights Bill 2024 are also designed to achieve these aims.
New Guidance on COCON and Fit and Proper Test Under Consultation
In addition to the new rule on COCON’s scope, the FCA has launched a further consultation on NFM rules and guidance that would apply to all SMCR firms.
In late 2023, the FCA consulted on proposals to incorporate NFM into the FCA Handbook for all SMCR firms. It planned to include new provisions on NFM in chapters covering COCON, “fitness and propriety,” regulatory references, and the Threshold Conditions. Following consultation feedback, the FCA is only continuing with its proposals relating to COCON and “fitness and propriety.”
The further consultation will close on 10 September 2025. The new provisions remove some of the more subjective and difficult to understand language that was a feature of the old guidance, such as the phrase “good working environment.” There are also more examples to illustrate key points, such as the difference between private and personal lives and what senior managers are expected to do to protect employees from NFM.
The final provisions of the guidance may surface in early 2026. It is not expected that they will deviate much or at all from the provisions now being consulted on. SMCR firms should start to consider these forthcoming rules, mindful of the fact that (when finally implemented), they must be fully understood and embedded in conduct related training, documents, and processes. Otherwise, there is a risk of both employment claims and regulatory scrutiny.