FCA resets the NFM standard: is it at the right level, sufficiently fair and legally certain?

The Financial Conduct Authority is introducing new standards to address non-financial misconduct in the financial services sector. These changes will have significant implications for both firms and individuals. We look at the key proposals, areas of uncertainty, and what firms should do to prepare.

On 2 July 2025, the FCA published a consultation paper and policy statement (CP25/18) aimed at tackling non-financial misconduct (“NFM”) in financial services. The paper reports strong support for the FCA’s proposals to tackle NFM, suggesting that the debate about whether this is a matter for the FCA at all has now been settled. However, questions remain as to whether the FCA is going about this in the right way.

This article explains the changes that will be coming into effect and raises key questions for firms and individuals to think about in relation to the further changes proposed.

What does this mean for the industry?

The paper brings the FCA a step closer to setting clear rules on NFM for individuals, and - by extension - firms. On the one hand, these are necessary to facilitate inclusivity, good culture leading to balanced risk-taking, growth, and good outcomes for customers. On the other hand, the rules and guidance need to be fair and provide legal certainty. It is not yet clear whether the current proposals achieve this balance.

In summary, the paper sets out:

A new substantive rule that will expressly bring certain types of NFM in non-banks into the scope of the conduct rules section of the FCA handbook (“COCON”). We refer to this as the “New Rule” throughout this article;
Proposed guidance on the New Rule; and
Proposed changes to the section of the FCA handbook that deals with fitness and propriety assessments (“FIT”) covering a wide variety of NFM.

We recommend that firms and individuals impacted by the proposals read them carefully, particularly the proposed FIT guidance, and seriously consider submitting a response to the consultation directly or through an industry body.

Bringing NFM into scope for non-banks: the new rule and proposed guidance

The New Rule (set out in the FCA handbook at COCON 1.1.7FR) will not come into effect until 1 September 2026 (and will not apply retrospectively). Once in force, it will broaden the circumstances under which NFM can be caught by the FCA’s conduct rules (the “Conduct Rules”) in non-banks.

Previously, NFM could only be caught under the Conduct Rules at a non-bank if it was part of, or for the purpose of, the firm’s “SMCR financial activities” (referred to below as the “original rule”) - a limitation that did not apply to banks. Under the New Rule, certain types of NFM will now be in scope of the Conduct Rules at non-banks if they occur in any part of the business that involves such activities. Specifically, in-scope conduct will include instances of conduct which is directed towards (broadly speaking) others working for the firm which:

has the purpose or effect of violating that individual’s dignity, or creating an intimidating, hostile, degrading, humiliating or offensive environment for them; or
is violent towards them.

This wording captures behaviour that would be harassment under the Equality Act 2010, but goes further as the behaviour does not need to be related to a protected characteristic – an intentional choice by the FCA. NFM not covered by the New Rule will continue to be covered by the original rule in so far as it is in scope.

What is meant by ‘SMCR financial activities’?

The phrase ‘SMCR financial activities’ is a critical one because the New Rule stipulates that harassment and violence towards staff in non-banks will only breach the Conduct Rules if it occurs within a business that involves such activities. Further, under the original rule, other NFM in non-banks will only breach the Conduct Rules if it “forms part of, or is for the purpose of” the firm’s “SMCR financial activities”.

The FCA has proposed an expansive interpretation of this phrase. The guidance states that “SMCR financial activities” goes beyond conduct involving direct dealings with counterparties and customers, to include conduct ranging from record-keeping and designing and operating policies and procedures, as well as conduct concerning related internal systems and controls, acquisition and management of resources and risk management.

For NFM not in scope of the New Rule, the proposed guidance clarifies that NFM will not be in scope of the original rule just because it relates to activity that is connected to an SMCR financial activity carried on by the firm, but that is not itself an SMCR financial activity. For example, theft of physical goods from a firm would not be in scope just because the firm sells some of those physical goods on credit and so has permission for consumer credit.

For NFM in scope of the New Rule, the NFM has to occur in a part of the firm’s business that carries on regulated activities or other SMCR financial activities. Where a firm has both a financial services business and a non-financial services business, NFM relating exclusively to the non-financial services business would be out of scope. This would not be the case where, for example, NFM occurred in a shared HR function supporting both the financial services business and non-financial services business.

Outstanding questions

In effect, the New Rule gives the Conduct Rules a much wider application to NFM. However, two key questions emerge:

1. What about other types of NFM at non-banks?

add

2. What are the rules for banks?

add

NFM that would constitute a breach under COCON – proposed guidance

Having widened the application of the Conduct Rules to NFM at non-banks, the FCA has also proposed guidance on assessing when a breach has actually occurred. This guidance should be followed by banks as well as non-banks.

1. Only conduct ‘at work’ can breach the Conduct Rules. But where is the line drawn between work and private life?

The FCA handbook is already clear that, for all firms (banks and non-banks), the Conduct Rules can only be breached by an individual’s activities at work and not in their private or personal life. However, the dividing line between the workplace and home can be very tricky to draw. The FCA is proposing a list of factors that would be relevant in determining whether NFM was performed ‘at work’ and is therefore within the scope of the Conduct Rules. They reflect the types of factors that Employment Tribunal case law has identified as relevant when making the same assessment:

the perpetrator’s physical location (for example, on work premises or at a firm event);
whether they were engaged in work at the time;
whether there is a link between their victim and the firm (for example, whether the victim was a client or a member of staff);
whether the perpetrator used the firm’s equipment or staff when perpetrating the NFM;
whether they abused their position at the firm to help enable them to carry out the NFM; and
whether (misguided or not) the purpose of their NFM was to benefit the firm.

The proposals contain a table outlining scenarios with guidance on whether they would generally fall within the scope of the Conduct Rules. Concerns were raised in a previous consultation about providing hard guidance, as this could mean that the specific circumstances of a case are overlooked. In response, the FCA refers to the guidance ‘pointing towards’ a breach, and expressly states that all features of each individual case are relevant.

2. The FCA has clarified that, under Senior Manager Conduct Rule 4, senior managers should disclose information about their personal or private life if relevant to their fitness and propriety. Should this extend to certification of staff under the Individual Conduct Rules?

The FCA has confirmed that, under Senior Manager Conduct Rule 4 (which requires senior managers to disclose appropriately any information of which the FCA or PRA would reasonably expect notice), senior managers must disclose information about their personal or private life if this is relevant to their fitness and propriety. Whilst these individuals would already be expected to disclose this information when completing their firm’s fitness and propriety questionnaire, and often in accordance with obligations arising under their employment contract, the combination of this proposal and the proposed changes to FIT (see below) would impose a potentially very wide disclosure obligation on individuals that could require senior managers to ‘shop’ themselves for matters with a limited connection to their work, some of which they might consider sensitive and personal, or risk breaching the conduct rules.

This raises the question: if this obligation is to apply to senior managers, why not also extend it to certified persons, who can also hold senior roles? It seems artificial to draw a distinction between the scope of the disclosure obligations between individuals subject to the Senior Manager Conduct Rules and those subject to the Individual Conduct Rules, given that non-senior managers may nonetheless hold positions of very significant responsibility.

3. When might NFM breach Individual Conduct Rule 1?

Individual Conduct Rule 1 states that individuals must act with integrity.

Preventing others from complying with their obligations

In a new development, the FCA has proposed guidance that states that a breach of Individual Conduct Rule 1 will occur where an individual subjects others to a detriment for:

using a firm’s whistleblowing procedure;
complying with individual Conduct Rule 3, which states that individuals must be open and cooperative with the FCA, the PRA and other regulators; or
complying with Senior Manager Conduct Rule 4, which requires senior managers to disclose appropriately information of which the FCA or PRA would reasonably expect notice.

Seriousness and lack of integrity

In circumstances beyond those set out above, NFM would need to be both serious and involve a lack of integrity to constitute a breach.

On seriousness, the FCA has set out a list of factors for firms to take into account. They include:

Whether the conduct is part of a repeated pattern of behaviour or has gone on for a long time;
The impact of the conduct on the subject (which must be, at a minimum, serious and marked);
The seniority of the perpetrator and any disparity with the seniority of the subject, including whether the perpetrator has influence over the subject’s career;
Whether the subject has specific characteristics or vulnerabilities, particularly if this is a factor in the conduct in question;
Whether the perpetrator has previously been warned or disciplined for similar conduct and whether they have previously undertaken not to carry out the conduct in question; and
Whether the conduct is criminal or would justify dismissal.

On integrity, the proposal is that a person would not be deemed to lack integrity (and would not, therefore, breach Conduct Rule 1) if:

they had a reasonable belief that there was a good and proper reason for their conduct and that the conduct and its effect were proportionate to its intended aim; or
they did not intend for their conduct to have a negative impact on the subject, did not know that it was doing so and were not reckless about the effect of their conduct.

However, conduct not considered to breach Conduct Rule 1 based on an assessment of integrity could still breach Conduct Rule 2.

4. When might NFM breach Individual Conduct Rule 2?

Individual Conduct Rule 2 requires individuals to act with due skill, care and diligence. Under the proposed new guidance, managers might breach Individual Conduct Rule 2 if they (in broad terms):

Know that NFM is taking place or wilfully stick their head in the sand and, in either case, fail to intervene to stop it;
Do not operate policies, systems and controls appropriately to detect NFM and, assuming they have authority to do so, fail to set up and maintain those policies, systems and controls;
Fail to respond appropriately to complaints of NFM; or
Fail to take reasonable steps to provide a safe environment for people to raise concerns about such treatment.

What would be expected of a manager is dependent on the specific facts of the matter and the proposed guidance acknowledges that there will often be a number of different reasonable courses of action that can be taken in a particular case.

As with Individual Conduct Rule 1, the proposed guidance makes the knowledge and thought processes of the perpetrator relevant to the question of whether they have breached Individual Conduct Rule 2. A manager would not demonstrate a lack of due skill, care and diligence (meaning they would not breach Individual Conduct Rule 2) if the manager:

thought that the perpetrator’s conduct would have no ill effects on the subject; and
a reasonable person with the skills that the manager in question has or ought to have would have thought the same and would have thought the conduct was justified.

Individual Conduct Rules

Rule 1: You must act with integrity.
Rule 2: You must act with due skill, care and diligence.
Rule 3: You must be open and cooperative with the FCA, the PRA and other regulators.
Rule 4: You must pay due regard to the interests of customers and treat them fairly.
Rule 5: You must observe proper standards of market conduct.
Rule 6: You must act to deliver good outcomes for retail customers

Senior Manager Conduct Rules

SC1: You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively.
SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.
SC3: You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively.
SC4: You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

Proposed guidance on NFM under FIT

The FCA has also proposed a number of changes to FIT, which are potentially very significant for those who require fitness and propriety certification (and, by extension, the firms at which they work). It is evident that these proposals are intended to address the Upper Tribunal’s decision in Frensham, which restricted the FCA’s ability to sanction NFM. In short, the Upper Tribunal held:

that there would need to be a nexus between NFM in an individual’s personal life and their work in order for it to be relevant to an assessment of their fitness and propriety; and
that nexus would not exist simply because the conduct outside of work was particularly egregious.

It is not entirely clear whether the proposed FIT guidance fully addresses the challenges presented by Frensham, or indeed if it is appropriate for it to do so.

1. What conduct does the proposed guidance say will be relevant to fitness and propriety assessments?

The guidance appears to cover four categories of relevant conduct:

Conduct (whether inside or outside of work) that breaches the requirements of the regulatory system

add

Conduct connected to work

add

Conduct that is inconsistent with the FCA's statutory objectives

add

The FCA states in the proposed guidance that conduct that is inconsistent with the FCA’s statutory objectives is likely to indicate that an individual is not fit and proper. The FCA refers specifically to its statutory objective of maintaining confidence in the financial system and financial services industry. It states that conduct that is likely to damage public confidence is likely to indicate that the individual is not fit and proper.

However (in answer to the Upper Tribunal’s comments in Frensham), it goes on to say that conduct does not have to measurably prejudice the FCA’s statutory objectives by itself to mean a person is not fit and proper. Nor does it have to be shown that it will directly or discernibly cause damage to public confidence in the financial system or financial services industry in the UK, or the firm itself.

So how should a firm identify conduct impacting the FCA’s objectives? As things stand, it appears that firms are required to determine (without any evidence base) if conduct impacts these objectives. If correct, that sets a very low bar indeed. It hands it to the firm to determine when conduct might damage public confidence, with no need for a proven nexus between the two. What lowers someone’s professional reputation in the eyes of one person might not do so in the eyes of another, and there is considerable scope for one firm to conclude that conduct is relevant when another would not. This formulation therefore provides no certainty of interpretation or application.

The FCA’s rationale for its approach appears to be that allowing persons to carry on working in such circumstances would reflect negatively on the rigour and quality of the standards expected of those working in such positions, and in turn on the quality of those who work in them – i.e. the regulatory standards applied to a person working for one firm are likely to reflect on the credibility of the regulatory framework as a whole. Many will see the merits in rooting out conduct that has this effect. However, the issue is determining when it will have that effect, given the apparent absence of a requirement for supporting evidence. If someone is to be excluded from a job, potentially a career, on the basis of protecting regulatory standards, their conduct should surely be measurably or discernibly prejudicial to those standards.

In the proposed guidance, the FCA uses fraud as an example of conduct that is inconsistent with its statutory objectives and likely to mean that someone is not fit and proper. Given that it involves dishonesty, its relevance is uncontroversial and already made clear by the existing guidance in FIT (i.e. without any need to rely on these new proposals concerning the FCA’s statutory objectives).

Conduct in one's private or personal life

add

The FCA has proposed that conduct that occurs outside of work and in an individual’s private and personal life may still be relevant to an assessment of their fitness and propriety:

If it shows that there is a risk that the individual will breach the requirements of the regulatory system;
In cases where, if repeated in their role, it would breach the requirements of the regulatory system;
Even if there is little or no risk of it being repeated in their role:
1. if it demonstrates a willingness to disregard ethical or legal obligations; abuse a position of trust; or exploit the vulnerabilities of others; and/or
2. if it is sufficiently serious that, were the person permitted to work at a firm, it could undermine public confidence in the regulatory system (or any part thereof) or otherwise impact the FCA’s statutory objectives.

Some guidance is provided on these proposals, but it tackles only clear-cut cases, such as cases of dishonesty, violent or sexual offences (where there is a risk they might be repeated in work), offences where a custodial sentence has been imposed (including where suspended) and less serious criminal offences that are repeated frequently.

It is the less clear-cut cases that demonstrate the potential for these rules to bring into the work sphere conduct that many people would consider truly private and unrelated to their work. Some examples of private personal conduct that might now jeopardise someone’s career include:

Bullying a spouse. This is conduct that, if repeated towards colleagues at work, would breach Individual Conduct Rule 1 and, therefore, the requirements of the regulatory system. That makes it relevant to an assessment of the individual’s fitness and propriety.
Engaging in personal sexual relationships where there is a power disparity. If someone volunteered in their spare time as a football coach and began a relationship with a player who, although an adult, is considerably younger than them, that might be said to demonstrate a willingness to abuse a position of trust and, for that reason, might be relevant to an assessment of their fitness and propriety.
Consuming large amounts of alcohol at the weekend. That is conduct that, if repeated during work would demonstrate a lack of due care and diligence. It would breach Individual Conduct Rule 2 (and, therefore, the requirements of the regulatory system). For this reason, this type of conduct is arguably relevant to an assessment of an individual’s fitness and propriety.

The result is that individuals’ freedom to act as they please in their personal life could become severely constrained through the imposition of what could be seen as a moral code with the ultimate sanction being the loss of one’s career. The FCA abandoned the references in its previous paper to conduct that was “disgraceful” or “morally reprehensible” on the basis that it was subjective and could not be applied by firms consistently. However, the proposal to make conduct that shows a disregard for “ethical obligations” relevant to an assessment of someone’s fitness and propriety suffers from the same issue – i.e. whose ethical standard should be applied?

2. Does conduct have to be serious to render an individual no longer fit and proper to perform their role?

It is clear from the draft COCON guidance that conduct must be serious for it to breach the Conduct Rules. The same is not true of the proposed guidance in FIT. This seems odd given that a finding of a lack of fitness and propriety is potentially far more serious for an individual than a finding that they have breached a Conduct Rule.

This is particularly important in the context of behaviour in a person’s private or personal life. As outlined above, seriousness is a general factor to be considered when assessing the relevance of a breach of the requirements of the regulatory system to someone’s fitness and propriety. However, some conduct outside of work may be relevant to an assessment of an individual’s fitness and propriety even if it only poses a risk that those requirements will be breached or if it poses no such risk but demonstrates a willingness to disregard ethical or legal obligations, abuse a position of trust or exploit the vulnerabilities of others without necessarily being serious.

Under the proposed guidance, relatively minor conduct with no clear relevance to the workplace could be potentially career-ending. It seems unlikely that this is the intention but, without the clear application of a seriousness threshold, this could be the practical effect - particularly where firms are seeking to protect their own regulatory position.

3. How should firms investigate conduct in someone’s personal life that might be relevant to their fitness and propriety?

The FCA helpfully clarifies that firms do not need to monitor the private lives of their staff, including social media, other than where there is good reason to (for example, an allegation has been made which would call into question the person’s fitness and propriety). The FCA acknowledges that a firm may have limited ability to investigate and that it may be more appropriate for the relevant law enforcement or other authorities to conduct any investigation.

Given the significant potential impact of the proposed guidance on the effect of an individual’s conduct in their personal life, this is perhaps its saving grace – practically, a firm is unlikely to find out about it. However, arguably, it would neither be comfortable nor fair to have to stake one’s career on not being caught out.

Controversially, where a firm has not been able to fully investigate, it expects firms to report such matters to the FCA where, if the matter were to be established to be true, it would reasonably be material to an assessment of fitness and propriety.

4. What offences are relevant to an assessment of an individual’s fitness and propriety?

The relevance of offences is touched upon above. However, additionally, the FCA has expanded an existing list (set out in FIT) of the types of offence to which the FCA will give (and firms should give) “particular consideration”. The list was previously focused on financial offences and offences of dishonesty. This remains the case, but it now also includes offences of violence, sexual offences and offences related to a person’s or a group’s demographic characteristics such as racially motivated or aggravated offences, whether or not in the UK.

5. What additional guidance is there specifically on honesty, integrity and reputation?

The FCA has set out additional guidance specific to this limb of the fitness and propriety assessment. This specifies that, when considering an individual’s fitness and propriety under this limb, in relation to bullying, harassment, victimisation or discrimination it will be relevant whether a person:

was asked to resign or resigned as a result of involvement in such conduct
has been found by a tribunal or court to have been engaged in such conduct, and
has been the subject of an upheld internal complaint related to such conduct.

This is a different formulation from the test under the new conduct rule for non-banks, creating another disparity in the standards applicable to work and private life. However, these proposed criteria are at least capable of objective application and in the vast majority of cases would capture similar conduct.

What should firms do now?

Carefully consider the proposed new provisions and whether to submit a response to the consultation. We will be working with other law firms and barristers to produce a combined response and would love to hear from you with any comments.
Review policies prior to 1 September 2026 and make any amendments necessary to reflect the new rules under COCON.
Ensure that you comply with your duty to notify Conduct Rules staff about the rules and take all reasonable steps to make sure they understand how these apply to them.

If you would like assistance with any of the steps outlined above, please get in touch with our experts.