Written by a human
Checklist: 10 steps to help you meet September’s NFM-rule deadline
With the FCA’s September 2026 NFM deadline looming, we’ve created a 10-step checklist to help FSMA-authorized firms prepare - covering policy, HR, surveillance, training, and regulatory notification requirements
Written by a human
In the U.K., firms will soon be subject to stringent regulatory requirements to detect, report, and prevent non-financial misconduct. Serious workplace bullying, harassment and violence will constitute a breach of the Financial Conduct Authority’s (FCA) Conduct Rules at all Financial Services and Markets Act (FSMA)-authorised firms – not just banks. The FCA has been clear: it will be testing whether firms’ prevention and detection controls actually work in practice, not just whether the policies exist on paper.
In order to help firms meet the deadline, we’ve put together a checklist of 10 key steps firms can take so they feel confident they’ll stand up to regulatory scrutiny.
How to meet September’s NFM-rule deadline
1. Check whether your firm is in the scope of the new rules
Probably the most obvious yet critical step in this journey. Firstly, check whether the expanded non-financial misconduct rules will apply to your firm. The new rules apply to:
- All UK banks, non-banks, and any financial services firm authorized under the Financial Services and Markets Act 2000 (FSMA) with a Part 4A permission; and
- Individuals subject to the FCA’s Code of Conduct (COCON) and the Fit and Proper (FIT) test, including Senior Managers and Certified Persons.
2. Update conduct and behavior policies
To ensure that employees understand the expectations under the new rules, firms should update policies to explicitly reference non-financial misconduct as defined in COCON (bullying, harassment and violence), and expectations in the FIT test. These policy updates should include examples of what a “serious” breach looks like, and cross-reference the Equality Act 2010 and any relevant legislation for your organization.
3. Define what “seriousness” means to your firm
The FCA’s new rules are deliberately broad and do not prescriptively define “serious non-financial misconduct” as the regulator “consider[s] firms are best placed to assess the unique circumstances of each case.” As such, newly covered firms should work to define what “seriousness” looks like within a clearly documented framework, and set out how it will exercise judgement aligned to the FCA’s published guidance.
4. Build a relationship with HR, and establish a regulatory triage process
Every conduct-related HR case should be assessed at the outset for potential NFM Rule implications, with a clear trigger point for compliance involvement, and vice versa. HR and compliance can no longer operate in separate lanes and, ahead of the deadline, compliance teams should work with their HR partners to establish a clear escalation process and break down siloes.
5. Check that communication monitoring solutions can detect non-financial misconduct
Communications monitoring is commonplace across financial institutions, but may be fine-tuned to detect signs of financial misconduct, rather than instances of bullying, harassment, etc. Firms should take this time to look at their existing monitoring systems and establish whether they can capture and record instances of NFM end-to-end. If the answer is no, firms should speak to their surveillance provider to explore expanding their use cases.
6. Update regulatory reference templates and processes
After the September 2026 deadline substantiated, serious NFM must be disclosed in regulatory references. Where this is uncovered, firms should ensure there is a clear regulatory reporting process, and consider adding an NFM disclosure to references, to be updated before they are sent to investigative organizations.
7. Refresh fitness and propriety (FIT) assessments
NFM history is now material to Fitness and Proprietary testing. Firms should revise their FIT review processes to establish a formal, information-sharing system so that HR disciplinary outcomes, as well as compliance conduct concerns, feed into annual FIT reviews. There may be an opportunity here to look at company data siloes more broadly, and consider how information is captured, retained, and shared across the business. If all departments are working from the same data set, NFM reporting will be simpler.
8. Strengthen speak-up channels
While communications monitoring will be vital to the detection of NFM, existing “speak up” channels will be essential in the exposure of sensitive disclosures. Firms should check that such channels – especially anonymous ones – are accessible, publicized, and trusted by employees. Ensure that any anti-retaliation protections are credible and taken seriously, regardless of the seniority of employees involved.
9. Train everyone, and make expectations clear
All staff need to understand what their role will look like under the new rules. Line managers need to understand “reasonable steps” and their escalation duties, Senior Managers need to understand their personal SMCR exposure if they knew, or should have known, and failed to act, and individuals must understand the scope of NFM and what such activity could mean for them. Training is not a “one and done” exercise and must be continually reviewed and reinforced until the correct habits form.
10. Map your firm’s SUP 15 notification process
Come September 1, 206, under the FCA’s SUP 15 rule, firms must immediately notify the regulator of serious NFM that occurs in the workplace or in relevant private contexts. Before the deadline, firms should make sure they know exactly when a substantiated NFM case meets the reporting threshold, who is authorized to notify the FCA, and document every decision – including reasoned decisions not to notify.
Following these 10 steps should stand your firm in good stead for the impending September deadline. The FCA has already started supervisory cases across in-scope (and soon to be in-scope) sectors, signifying that it is serious about NFM. Come September, the regulator will be asking firms to evidence that their controls meet expectation. To meet the deadline, firms should start preparing now.