
FCA PS25/23 Explained: Non-Financial Misconduct, SM&CR and Fitness & Propriety for UK Financial Services Firms

  • Writer: Andrew Arginovski
  • Jan 9

Updated: Jan 21


The Financial Conduct Authority (FCA) has published Policy Statement PS25/23 – Tackling Non-Financial Misconduct in Financial Services, confirming amendments to the FCA Handbook. The statement addresses non-financial misconduct (NFM), clarifying how bullying, harassment and private conduct interact with the Senior Managers & Certification Regime (SM&CR), the Code of Conduct (COCON) and Fitness and Propriety (FIT) requirements for UK financial services firms. It is particularly relevant for UK FCA-authorised firms assessing conduct risk, culture, and individual accountability under SM&CR.


The policy confirms that serious workplace misconduct, such as bullying, harassment and sexual misconduct, is no longer viewed as a purely HR issue, but as a matter that can engage regulatory accountability where it reflects integrity, culture, and governance failings.


The package is expressly designed to give firms practical clarity and confidence in applying conduct standards and is supported by worked examples, scenario tables and step-by-step FCA flow diagrams.


The guidance comes into force on 1 September 2026 and applies to all FCA-authorised firms, including insurers, brokers, MGAs, investment firms and payments businesses.


Below, we break down the FCA’s key messages and what they mean in practice for firms, senior managers and compliance functions.


Bringing Non-Financial Misconduct into Regulatory Scope (COCON & SM&CR)


Historically, firms have often struggled to determine when workplace misconduct crosses the line into regulatory territory. PS25/23 removes much of that uncertainty.


For non-bank firms, the FCA has expanded the scope of COCON so that serious non-financial misconduct between colleagues will be within scope where:


  • the conduct is work-related, and

  • either the perpetrator or the subject works in the financial services part of the business.


This applies to individuals in respect of both regulated and non-regulated activities, closing a gap that previously existed for non-banks.


The FCA has aligned banks and non-banks without rewriting the existing banking regime. While the new scope rule formally applies to non-banks, the FCA has adopted the same definitional approach as guidance for banks when assessing breaches of Individual Conduct Rules 1 and 2. This is intended to drive consistency across all SM&CR firms.


To support application, the FCA has introduced:

  • COCON 1 Annex 2 flow diagrams addressing who, what and where COCON applies generally; and

  • COCON 4 Annex 1 flow diagrams specifically guiding firms through NFM scope and breach analysis.


These tools are not limited to NFM and are likely to become standard reference points for conduct assessments more broadly.


Work-Related vs Private Life Conduct


The FCA has added scenario tables clarifying the boundary between private life and work-related conduct. While purely personal conduct remains outside COCON, behaviour connected to the following may still fall within scope:

  • work events,

  • conferences or training,

  • business travel, or

  • firm-related social settings.


The guidance also includes examples for shared or group functions (such as internal audit or HR operating across financial and non-financial entities), confirming that misconduct will generally be excluded where it clearly relates only to non-financial services parts of the business.


What the FCA Means by "Serious" Non-Financial Misconduct


The FCA has deliberately avoided prescribing a rigid definition of seriousness. Instead, misconduct will be assessed by reference to whether it has the purpose or effect of:

  • violating a person’s dignity, or

  • creating an intimidating, hostile, degrading, humiliating or offensive environment.


In assessing seriousness, the FCA highlights factors including:

  • patterns or duration of behaviour,

  • impact on the subjects,

  • relative seniority,

  • whether the conduct could justify dismissal, and

  • whether it is potentially criminal.


Minor workplace disputes, poor communication, or one-off lapses in professionalism will not normally meet this threshold. The FCA repeatedly emphasises that reasonable firm judgement will be respected, provided it is proportionate and well-evidenced.


Managers' Responsibilities and Reasonable Steps


PS25/23 reinforces that SM&CR is concerned with reasonable governance, not strict liability.


Managers are expected to take reasonable steps to protect staff from serious NFM where:

  • they knew or ought reasonably to have known about the issue, and

  • they had the authority to intervene.


The FCA will assess reasonableness by reference to the manager’s individual knowledge, authority and how responsibilities are allocated under firm governance arrangements. Managers will not be held accountable for misconduct they could not reasonably have been aware of or had no power to address.


This clarification responds directly to industry concerns about disproportionate personal exposure.


Fitness and Propriety Assessments: The Real Regulatory Impact of Non-Financial Misconduct


While the COCON changes are important, the most far-reaching implications sit within FIT.


Under FIT, firms must consider all relevant conduct, whether inside or outside the workplace, when assessing an individual’s honesty, integrity and reputation. This includes:

  • serious workplace misconduct,

  • conduct in private life,

  • social media behaviour, and

  • conduct outside the UK.


The FCA is clear that not everything is relevant. Private life conduct should only be considered where it presents a material (non-speculative) risk to regulatory standards or public confidence. Firms are not expected to investigate rumours, trivial allegations, or matters better left to law enforcement.


The FCA has also refined or removed problematic examples from earlier drafts and clarified that firms are not expected to apply the FCA’s statutory objectives as a stand-alone fitness criterion.


Social Media and Private Life Conduct


PS25/23 provides helpful reassurance in an area that has caused uncertainty for many firms.


The FCA confirms that firms:

  • are not required to proactively monitor employees’ social media, and

  • should not assume that lawful expression of views automatically affects fitness and propriety.


However, social media activity may still be relevant where it indicates a real risk of harassment, violence or other serious misconduct being repeated in the workplace, or where it could damage public confidence.


The FCA explicitly cautions against assuming that private conduct will necessarily be replicated at work.


Reporting, Allegations and Proportionality


Following strong industry feedback, the FCA has softened its position on unproven allegations.


Firms are not expected to report unsubstantiated allegations to the FCA simply because they exist. Existing notification requirements for SMFs remain, but the guidance now makes clear that firms should act proportionately and with fairness to individuals.


The FCA also confirms that the new COCON rule is not retrospective. Firms are not required to revisit historic cases or re-assess past conduct decisions.


Compliance Angle's View


PS25/23 confirms what many firms have already sensed from supervisory engagement: culture and conduct are now firmly embedded as regulatory risks, not peripheral HR concerns.


From our perspective:

  • This guidance is less about creating new liabilities and more about forcing clarity and consistency in how firms assess behaviour.

  • The greatest pressure point will be fitness and propriety assessments, particularly for SMFs, certified staff and senior hires.

  • Firms that rely on informal judgement without documentation will struggle to evidence proportionality if challenged.


The FCA has been explicit that it will respect reasonable judgement, but only where that judgement is documented, structured and defensible.


What Firms Should Do Now


Although the guidance does not take effect until September 2026, firms should begin preparing now by:

  • Reviewing Conduct Rules, disciplinary and FIT policies to ensure NFM is clearly addressed.

  • Mapping applicability by entity and staff category.

  • Using the FCA’s flow diagrams and scenario tables to embed consistent triage.

  • Training managers on assessing seriousness and materiality, not just policy wording.

  • Ensuring fitness and propriety decisions have clear rationale and audit trails.

  • Briefing Boards on how NFM risk fits within governance and culture oversight.


Contact Us


If you would like support reviewing your Conduct Rules framework, FIT assessments or SM&CR governance arrangements in light of PS25/23, contact Compliance Angle at info@complianceangle.co.uk or call +44 7427 792594 to arrange an initial discussion.


 
 