Register to get free articles
Want unlimited access? View Plans
Already have an account? Sign in
The Financial Conduct Authority is drawing a new regulatory threshold. From September 2026, serious bullying, harassment, and violence will be treated as regulatory misconduct across the regulated financial services firms – not just banks. The move brings 37,000 more firms under stricter rules and signals a broader shift in how culture is policed in the industry.
Until now, the rules around non-financial misconduct have been vague. The FCA says these behaviours are not just HR issues, but warning signs of deeper risk. At the time of the announcement, the FCA’s deputy chief executive Sarah Pritchard said, “Too often when we see problems in the market, there are cultural failings in firms. Behaviour like bullying or harassment going unchallenged is one of the reddest flags.” Trust, the FCA has made clear, starts inside the workplace.
The move follows a sharp rise in reported incidents of non-financial misconduct (NFM), with the FCA citing a 67% increase in reports – from 4.2 to 7.2 per 1,000 employees – between 2021 and 2023. The regulator is consulting on draft guidance to help firms assess whether an individual is “fit and proper” to work in financial services, taking into account behaviours on social media and in private life.
The implications are significant. Substantiated misconduct will now be included in regulatory references, effectively following individuals throughout their careers. “By including misconduct in regulatory references, the FCA is ensuring that serious personal conduct issues follow individuals between firms – just as failures of competence would,” Katharine Leaman, advisory board member at Skillcast, explains. “This is a way of holding people accountable and closing the loopholes of someone moving on quietly after serious misconduct.”
Pregeshni Maduramuthu, senior compliance professional at Arbor Law, adds that, since this misconduct can (and will) follow individuals across roles, this is the time for firms to implement “defensible, evidence-based processes” if they haven’t already done so. In a legal context, ‘defensible’ means that a claim, action, or position can be reasonably supported or justified under the law, based on facts, evidence, and legal principles. While it doesn’t guarantee success in court, it indicates that there is a legitimate, arguable basis for the stance taken.
The FCA is currently consulting on the supporting guidance, with feedback open until 10 September 2025. If there is clear support, the guidance will accompany the rule change when it comes into force in September 2026. The guidance is expected to set out how firms should build clear policies, investigate allegations promptly, reflect serious misconduct in fitness and propriety assessments, and include relevant findings in regulatory references – placing accountability squarely on senior management to create cultures where such behaviour is not tolerated. Firms are being encouraged to act now, well ahead of the deadline.
There is no single trigger for this shift, but mounting scrutiny over toxic workplace cultures and their links to broader governance failings has pushed the issue to the fore. Public expectations are rising, and evidence increasingly shows non-financial misconduct undermines effective governance.
“The FCA is increasingly interested in how cultural factors impact risk controls – from whistleblowing breakdowns to regulatory blind spots,” says Maduramuthu. “While high-profile sexual misconduct allegations, particularly involving senior managers, have amplified attention, the focus is much broader.”
The FCA’s decision to explicitly define serious bullying, harassment and violence as regulatory misconduct is a clear warning: cultural risk is compliance risk.
The FCA’s move also mirrors parallel actions by other professional bodies. The Solicitors Regulation Authority (SRA) has stepped up disciplinary activity against sexual misconduct, while the Institute of Chartered Accountants in England and Wales (ICAEW) recently consulted on new disciplinary guidance. In parallel, ICAEW’s new sanctions guidance proposes a structured six‑step framework to assess misconduct (including sexual harassment), introduces graduated seriousness levels with clear sections on non‑financial wrongdoing, tightens penalty bands, and reinforces members’ duty to report harassment and misconduct — all designed to drive greater clarity, consistency and accountability under its disciplinary regime. These developments complement the FCA’s increased emphasis on individual accountability under the Senior Managers and Certification Regime (SMCR).
Recent legal reforms such as the Worker Protection Act and Employment Rights Bill have sharpened employers’ duties to protect staff from harassment, and regulators are taking note.
Nick Henderson-Mayo, head of compliance at VinciWorks, summed it up, saying, “The FCA’s decision to explicitly define serious bullying, harassment and violence as regulatory misconduct is a clear warning: cultural risk is compliance risk. Poor behaviour can undermine whistleblowing, enable bad decision-making, and damage market integrity.”
Ambition alone won’t ensure success; turning principle-based rules into consistent practice presents challenges. The new regulations place a heavy burden on firms to investigate, report and act, but what happens when they fall short?
Justin Murray, employment and litigation partner at Spencer West LLP, has concerns about enforcement. “The new rules place the burden on firms to investigate thoroughly, but the FCA still lacks clear enforcement powers when things go wrong internally,” he says. “That creates a compliance blind spot.”
Employees raising complaints may also find internal processes flawed or biased, and tribunals remain a costly, slow and stigmatising last resort. Meanwhile, accused individuals risk career-ending consequences without robust protections.
Nick Leale, partner at CM Murray, notes the FCA’s slow, cautious approach as a double-edged sword. “Discussions with the profession began in 2021. It will be at least 14 months before these rules take effect,” he explains. “While this careful validation builds confidence, it also fuels uncertainty – especially in the current political climate.”
The new framework promises consistency, but delivery depends heavily on firm-level interpretation. Without clearer guardrails, misconduct risks being mishandled or overreached, both with serious legal and reputational consequences.
Surveillance technology is expected to play a bigger part of the compliance toolkit, according to Alex Viall, chief strategy officer at Global Relay
Firms cannot afford to wait until September 2026, and experts are united on one important point: proactive compliance is a business-critical priority. Key steps include reviewing policies, ensuring clear misconduct definitions, and strengthening grievance procedures. Processes must be fair, well-documented, and capable of withstanding regulatory or legal scrutiny. Training is essential so managers can recognise and respond to concerns appropriately, especially as regulatory references will carry the weight of personal conduct issues.
RPC partner George Smith advises firms to implement robust policies and procedures. He emphasizes that while the changes are not retrospective, the FCA will expect all issues to be addressed seriously and appropriately.
Surveillance technology is expected to play a bigger part of the compliance toolkit, according to Alex Viall, chief strategy officer at Global Relay, as the FCA will look to see if firms are “setting the right ‘tone from the top’ and actively monitor and report misconduct”.
That said, smaller or non-banking firms need not overcomplicate. As Leaman advises, “Start with the basics – a clear code of conduct prohibiting bullying and harassment, and a fair, transparent process for raising and investigating concerns.”
One of the most consequential changes is that substantiated serious misconduct will be recorded in regulatory references, following employees throughout their careers.
Moving forward, Legal experts are predicting that coordination between compliance, HR and legal teams will be essential. They agree that these groups will have to work together to manage personal conduct issues in a defensible, fair and aligned manner. Maduramuthu explained the shift, saying, “Under the new rules, firms must take ‘all reasonable steps’ to protect employees. This is a significant legal and operational shift. Embedding strong controls and ensuring thorough investigations are now business essentials.”
One of the most consequential changes is that substantiated serious misconduct will be recorded in regulatory references, following employees throughout their careers. This removes a historic loophole where individuals could quietly move on after serious wrongdoing. For firms, stakes are high. Investigations must be thorough, fair and well-documented because mishandling cases risks unfair career-ending references or litigation and reputational damage.
“If an allegation is ignored or disproportionately acted upon, firms risk claims of unfair treatment, reputational damage, or litigation. Balancing seriousness with fairness and clear outcomes is essential,” Leaman cautions.
Murray, who points to lasting consequences for both parties, adds, “Those wrongly accused risk dismissal, regulatory reporting, and references that can make them unemployable for years, with limited recourse. There are no regulatory sanctions for firms failing to investigate properly or for correcting wrongful references.”
The FCA’s new approach demands investigations into non-financial misconduct be as rigorous as those for financial breaches because the outcomes can shape careers for years. Henderson-Mayo put it bluntly, saying, “The FCA expects non-financial misconduct to be treated as seriously as bribery, fraud, or AML breaches. This isn’t just about avoiding enforcement; it’s about building trustworthy organisations.”
Non-financial misconduct, far from being a private HR concern, is now a matter of regulatory fitness and, ultimately, public trust in financial services.
As Smith notes, this aligns with broader regulatory trends. “The FCA’s crackdown reflects wider moves linking personal conduct to professional standards. Inappropriate behaviour often signals broader cultural or systemic issues,” he says.
Non-financial misconduct, far from being a private HR concern, is now a matter of regulatory fitness and, ultimately, public trust in financial services.
The FCA’s expansion of misconduct rules marks a deeper evolution, not just in compliance expectations, but in what trust in financial services should look like. This is no longer about legal checklists alone. It’s about the workplaces the sector cultivates, the standards leaders uphold, and the message sent to employees, clients and markets.
“It’s about context and consistency,” Leaman concludes. “The FCA isn’t asking firms to monitor every awkward interaction, but if someone’s personal conduct shows a pattern of intimidation, discrimination or violence, it’s not just a ‘personal issue’, it’s a regulatory one.”
Firms that act early will protect themselves legally and reputationally, and help lead the cultural shift the sector urgently needs. Those that delay risk falling behind, not only in compliance but in credibility.
