Non-Financial Misconduct Rules Extending to SMCR Firms: An essential guide

With the FCA set to expand its non-financial misconduct (NFM) rules to 37,000 additional firms, we've put together an essential guide to what the changes mean, and how firms can prepare for them.

27 May 2026 9 mins read
By Jennie Clarke

Written by humans


On September 1, 2026, around 37,000 Senior Manager and Certification (SMCR) firms will begin to fall under the FCA’s non-financial misconduct rules. This expansion, alongside updates to the guidance, reflects the FCA’s changing expectations around minimum behavior standards and how firms assess, manage, and act upon behavioral misconduct.

We’ve put together this guide to the FCA’s non-financial misconduct rules, what’s changing, and how best your firm can prepare.

What is non-financial misconduct?

Non-financial misconduct (NFM) is any form of malpractice performed by a regulated person or entity that is unrelated to financial activities. For example, NFM includes bullying, harassment, and demographic offenses like racism or sexism in the workplace.

This regulation is particularly interesting because it covers behavior in both work and personal lives, but the FCA’s stance on NFM is focused on risk.

The regulator’s 2024 survey noted that a corporate culture tolerating sexual harassment or other NFM is unlikely to be a culture where concerns will be independently and fairly assessed. Such a culture also raises questions about a firm’s decision-making and risk management abilities, and may also incubate financial misconduct.

The rules involve compliant firms:

  • Establishing an effective system to identify and mitigate all kinds of risks, including those relating to non-financial misconduct.
  • Applying internal investigative procedures based on allegations or evidence of non-financial misconduct.
  • Actioning and reporting the identified incidents, including disclosing disciplinary action or other outcomes.

The FCA will consider the overall actions of each firm on a case-by-case basis.

History: When, why, and how was it introduced?

In May 2018, after the FCA’s Megan Butler spoke out about NFM, the regulator received its highest number of disclosures from whistleblowers — triple the number from the year before. This suggested that either NFM was a growing problem, or that it was becoming more normalized to speak out about workplace misconduct.

However, from the FCA’s perspective, introducing regulation around the topic all came down to risk:

| Regulator feature | Problem | Prevention through NFM rules |
| --- | --- | --- |
| Psychological safety: In an open culture where diversity is protected, employees feel safe to voice concerns without fear of retaliation. | Misconduct (financial or otherwise) is rarely caught first by regulators. It’s caught by colleagues. If tolerated, it creates a culture of silence around all risks. | When employees feel they belong and are respected, they are more likely to challenge unethical behavior early, before it escalates into a systemic failure or a financial scandal. |
| Groupthink: A lack of diversity leads to everybody thinking the same way, which is a high-risk factor for financial instability. | Discrimination and exclusionary behavior act as a barrier that keeps diverse voices out of the room. | By cracking down on NFM, firms protect their diversity. This diversity ensures that a wider range of perspectives are considered during decision-making, which helps identify risks that a homogenous group might overlook. |
| Financial conduct records: Firms with high levels of NFM often have poor financial conduct records. | Leaders are untouchable despite their negative behavior, or issues are hidden to avoid blame and conflict. | By ensuring that NFM records follow individuals throughout their career and are included in referencing processes, the entire industry discourages the behavior. |

Key updates and considerations for September 2026

The NFM rules have progressed since they were first mentioned, as the timeline shows:

  • 2018: Non-financial misconduct is first recognized as a regulatory issue with a statement from the FCA: “non-financial misconduct is misconduct, plain and simple.”
  • September 2023: The FCA publishes CP23/20, proposing a formal regulatory framework for diversity and inclusion and NFM.
  • July 2025: The FCA issues CP25/18, confirming the expansion of the Conduct Rules (COCON) to explicitly include serious NFM (bullying, harassment, and violence) for all firms under the SMCR.
  • September 1, 2026: The date that rules take effect, as detailed in the finalized Policy Statement PS25/23.

The September deadline marks the start date for the policy to take effect for around 37,000 new non-bank firms, as NFM rules are extended to all SMCR firms – presenting these firms with a range of new challenges.

Where is the line?

One challenge that firms are likely to face is difficulty in assessing the fitness and propriety of senior managers. Nikhil Rathi, CEO of the FCA, stated that the regulator “expects firms to have effective systems in place to identify and mitigate risks of all kinds,” and the expansion of NFM rules means firms will now have to consider individuals’ conduct in both the professional and personal sphere.

For example, consider a senior manager who, in their personal time, is an active participant in an anonymous online forum dedicated to harassing individuals based on their protected characteristics, such as race, gender, or religion. The police conclude there is insufficient evidence to meet the high bar for a criminal prosecution, so no formal charges are ever filed.

This essentially leads to a governance deadlock — the senior manager is performing an approved role while being the subject of these allegations. At what stage would the FCA expect the firm to intervene, and what levels of risk to the company’s reputation, bias, and corporate culture are acceptable? Where is the line?

Getting too personal?

A second consideration is the concern that the rules may be seen to allow firms to intrude on their employees’ privacy in non-workplace matters. Critics argue that, by making private conduct a matter of professional survival, the FCA is effectively turning employers into morality police.

Firms already feel pressured to implement more aggressive and thorough background checks. Some may be concerned that engaging in public life, protests, or robust social media debate – even on non-work topics – may be interpreted by compliance teams as a reputational risk for their firm.

Updates to the FCA COCON handbook

Because of these concerns and the fact that 95% of survey respondents asked for further guidance, the FCA has updated its Code of Conduct (COCON). The updates include explicit examples to help firms navigate the rules confidently and stay on the right track.

  • Extended scope: Previously, the Conduct Rules for non-banks generally only applied to regulated activities (financial tasks). The amendment expands this scope to include bullying, harassment and violence toward any colleague, provided there is a sufficient work-related link.
  • Alignment with Equality Act: The rule’s language is now closely aligned with the Equality Act 2010.
  • Seriousness testing: Not every minor disagreement is a regulatory breach. Factors for assessing seriousness include considering the purpose of an offense and whether there is a pattern of behavior.
  • Managerial accountability: A manager breaches Rule 2 (Due Skill, Care and Diligence) if they fail to take reasonable steps to prevent harassment or fail to take complaints seriously.
  • Regulatory reference integration: Serious, substantiated cases of NFM must be included in regulatory references. This is designed to stop individuals from leaving a firm under a cloud of harassment allegations and joining another firm with a clean reference because the conduct was not strictly financial.
  • Guidance on the workplace boundary: The FCA has added a new scenario table to COCON (specifically under COCON 1.3.7G). This helps determine if the conduct is in scope. For example:
| In scope (COCON applies) | Out of scope (private life) |
| --- | --- |
| Misconduct on firm premises, such as at a workplace Christmas party | Misconduct involving family members at home |
| Remote working interactions on Zoom or Slack | Private social events, such as a wedding, not organized by the firm |
| Offsite training, award ceremonies or client events | Commuting on public transportation, unless with a colleague |
| Social media posts using work-issued devices | Personal social media use, unless it results in workplace bullying |

These changes could result in firms being placed under supervision or having their permissions altered or canceled due to NFM considerations, potentially leading to significant reputational consequences for employees and businesses alike.

How non-bank firms can prepare for the FCA NFM deadline

There are three key steps we recommend firms take in preparation:

  1. Bridge the gap between HR and compliance
  2. Build distinct boundaries into policies
  3. Elevate current surveillance solutions

Bridging the gap between HR and compliance

Historically, surveillance was a compliance responsibility, and NFM was an HR responsibility. Keeping these separate under the new updates becomes a regulatory risk.

Firms should consider how they build this workflow. For example, access controls need to allow HR to review necessary behavioral alerts, without exposing sensitive financial data unnecessarily.

Our solution: Create a unified escalation workflow to establish a secure, need-to-know pathway for behavioral alerts directly to both HR and compliance.

Building distinct boundaries into policies

While the FCA provides a scenario table to distinguish between work and private life, firms must ensure internal policies cover the gray areas of modern work where distinctions might blur. For example, the amended COCON rules state that conduct can be a breach even if the victim never saw it (such as an abusive message sent but subsequently deleted).

By updating policies around conduct on firm-approved channels and using metadata to help compliance officers triage whether alerts meet the criteria of being “work-related,” your policies help streamline the process without overreaching into personal privacy.

Our solution: Update your acceptable use policies to include intent-based misconduct and implement WORM-compliant logging to ensure a defensible audit trail for deleted or edited communications.

Elevating current surveillance solutions

The new rules require firms to investigate hostile environments, for which traditional keyword matching is often ineffective. For example, a pattern where a senior manager consistently uses dismissive or intimidating language toward a junior colleague across Slack can be hard to identify proactively.

Our solution: Elevate your current communications monitoring platform with a solution that provides sentiment analysis. By detecting patterns of power imbalance or exclusionary language — even where subtle or using coded language or jargon — you can proactively identify cases of NFM.

