FCA guidance on non-financial misconduct; a new headache for firms?

Our top twelve takeaways from CP25/18

On 2 July 2025, the FCA published CP 25/18 announcing major changes to its conduct rules. 

The paper was eagerly awaited by industry who had sought greater clarity around how non-financial misconduct (NFM) in firms should be treated under existing Conduct Rules (COCON) and fitness and propriety assessments. (The FCA’s mantra that ‘non-financial misconduct is misconduct plain and simple’ is just not reflected in its rules and guidance.)

The paper was announced with a fanfare around how the FCA was aligning the scope of rules for non-banks with the rules for banks. In our view, this was a non-story; arguably a quick win for the FCA that won’t shift the dial much for firms. 

The proposed consultation of the new COCON and FIT guidance is however where the real interest lies. Here’s our key takeaways from the paper that we do think are noteworthy. 

1. Bullying or harassment can constitute a breach of IC1 (acting with integrity) (and IC2 discussed below).  We knew this clarification was coming. But the key issue here is whether such bullying or harassment reflects a lack of integrity. The FCA considers that behaviour will not meet this threshold if the staff member thought there was a good and proper reason for the conduct and the conduct was proportionate to the intended aim or did not intend to have a negative impact (or the conduct rule staff did not know they were doing so).   This is going to get tricky. The FCA goes on to say that unreasonable belief that conduct is justifiable could itself be indicative of a lack of integrity.

2. Harassment is an issue for managers as well as perpetrators. The FCA gives guidance on what managers should do to try and prevent harassment in the workplace. Failure to do so could amount to a breach of IC2 (acting with due skill care and diligence) by the manager.  The clear defence for any manager is acting reasonably. But the FCA gives examples of potential breaches where a manager doesn't intervene to stop such behaviour, follow firm policies appropriately or deal with complaints.

3. The bar has just been lifted for all managers; this guidance isn’t limited to managers who are upper case Senior Managers or Certified Persons, but any manager who is a conduct rule staff. This is made clear when the FCA says that a firm can allocate responsibility for fair treatment of staff to a particular senior manager but other managers still have responsibility for developing and embedding healthy cultures.

4. IC2 (due skill, care and diligence) can also be breached by a perpetrator of NFM. The seriousness of the conduct should be taken into account. Factors to be taken into account include:

• whether the conduct is repeated or a pattern of behaviour,
• the duration of the conduct, 
• the size of the impact on the subject), 
• the seniority of the person (and any difference in seniority of those involved), 
• any vulnerable characteristics of the person subjected to the misconduct, 
• any previous warnings for similar conduct,
• whether the conduct is criminal or would justify dismissal.
  
  

5. NFM does not need to be the subject of a formal complaint for such conduct to be serious. (Although a complaint may be relevant evidence to show such seriousness.)

6. Subjective tests create challenges for firms. A staff member will not breach a rule if they thought the conduct would have no ‘ill effects’ on the subject of the conduct and a reasonable person with the same skills as such person would have thought the same and would have thought the conduct was justified.  This means that the process to be followed in assessing a breach of a conduct rule is much more onerous if this has to be taken into account.

7. Guidance on FIT has been given that clarifies that a person's conduct in their personal life is relevant to a firm's assessment of an individual's fitness and propriety (but not conduct rule breaches). The FCA justifies this by saying that breaches - or the risk of future breaches - of the requirements of the regulatory system are relevant to fitness and propriety and therefore are part of the regime under which fitness and propriety is assessed (?!). The FCA has made it clear that such breach will often take place in an individual's work life but it may occur outside of work.

8. A breach of COCON does not necessarily amount to a lack of fitness and propriety of an individual, although it may be.  Factors to be taken into account by a firm include:

• seriousness of the breach of COCON;
• how recent the breach was;
• steps taken by the person to address the cause of the NFM;
• training taken to address a lack of competence that caused the breach;
• other evidence of rehabilitation;
• remorse and insight into the seriousness of the breach;
• absence of mitigating factors (including life events that may have caused them to act out of character) and past record;
• likelihood of recurrence and relevance to the role.

9. Misconduct that occurred in a person's private or personal life which if repeated in the role for which they are being assessed would breach the standards expected may show that they are not fit and proper (because of the risk it will be repeated).  The FCA gives the example where conduct outside of the regulatory system that is dishonest or lacks integrity will always be relevant to fitness and propriety under FIT. The FCA goes on to say that, 'even if a breach of a law or standards and requirements would not otherwise be relevant to a person's fitness and propriety repeated breaches may raise doubts as to whether they will follow the requirements of a regulatory system', for example repeated minor driving offences. We are yet to see firms withdraw their assessment of individual's fitness and propriety on the basis of a few speeding tickets but this looks like it could be on the horizon...  

10. The FCA is not expecting proactive monitoring of individuals' private lives (which is a relief for everyone) but they do consider that firms only need to look into private life if there is good reason to. I.e. the firm becomes aware of an allegation which if true would call into question a person's fitness and propriety. The FCA acknowledges that firms have limited ability to investigate such allegations but suggests that firms should still take some reasonable steps to investigate (such as asking the person for their explanation). 

11. Social media adds another dimension to the problem. There is a proposed express carve out in relation to a firm's monitoring of a person's use of social media. The FCA also acknowledge that a person can still be fit and proper where they lawfully express views that may be controversial even if work colleagues are upset by those views.

12. This all matters because the process for determining a conduct rule breach or assessing a person's fitness and propriety is governed carefully in firms and these conclusions have a significant impact on a person's future (consider, for example, what regulatory references will look like under these rules). As a side note, the FCA produced two flowcharts for the expected processes that firms should follow and which make clear that there is a distinction between conduct rule breach determinations and notifiable conduct rule breaches, which is an area Ashurst has previously highlighted in the past as disproportionate and challenging for firms.

This paper is clearly important. But not for the reasons the FCA has given.  Instead the proposed guidance is sufficiently detailed to give firms pause for thought.  If the proposed text is adopted in this way, firms will need to bolster their governance, compliance and HR teams. Conduct just got serious.