Culture, Conduct, and Control: What CP25/18 means for every firm

What CP25/18 means

Culture isn’t just a leadership issue anymore—it’s becoming a regulatory control oversight. 

Through Consultation Paper CP25/18, the UK Financial Conduct Authority (FCA) is extending its Code of Conduct (COCON) to bring nearly 38,000 non-bank firms into scope under expanded non-financial misconduct (NFM) rules. Bullying, harassment, and violence will now fall under regulatory oversight for all FSMA-authorized solo-regulated firms, not just banks. 

For compliance, HR, legal and front office teams, this reshapes how firms monitor behavior and manage culture risk. 

At a glance: What CP25/18

  • Who’s affected: FSMA-authorized solo-regulated firms—not just banks 
  • What’s in scope: Bullying, harassment, and violence under COCON 
  • Manager accountability: Cultural oversight is now a regulatory obligation 
  • Key deadlines:
    • Consultation closes: September 10, 2025
    • Rules go live: September 1, 2026

What’s Changing in Culture and Compliance – and Why Now 

Until now, personal misconduct rarely triggered regulatory scrutiny—unless it led to a public scandal or criminal conviction. CP25/18 moves the line. The FCA is making clear that serious non-financial misconduct—whether it happens inside the office or out—can now breach regulatory rules. 

This expansion comes with added accountability. Managers, especially those holding SMF responsibilities under the Senior Managers & Certification Regime (SMCR), are now expected to monitor cultural risk the way they would financial risk. Their job isn’t just to respond when a problem explodes—it’s to spot the signs early, intervene, and document why. 

This isn’t theoretical. It follows a string of high-profile cases and rising public pressure. The FCA’s own survey revealed a spike in harassment and bullying across the industry. The Treasury Committee’s Sexism in the City report laid bare systemic cultural failures. And the FCA’s ban of Crispin Odey for “lack of integrity” over decades of misconduct sent a message: Conduct and culture are now inseparable. 

Adding to the shift, the UK government’s July 7 amendment to the Employee Rights Bill effectively outlaws NDAs designed to silence harassment complaints. Staff can speak up without fear of breaching confidentiality—removing yet another layer of silence. 

Surveillance isn’t just about market abuse anymore 

For years, communications monitoring was all about trade risk and compliance obligations—insider tips, front-running, price manipulation, personal account dealing, gifts and other policy level infractions. That’s changing. Now, the FCA expects firms to read between the lines of culture. 

Behavioral signals—language, tone, context—matter more than ever. Public or semi-public comments, including on social media, may be relevant to fitness and propriety if they show threats, harassment, or signs of deeper cultural issues. Firms won’t be required to proactively monitor private accounts, but if a red flag emerges, they’ll need to show they responded appropriately. 

The standard is no longer “Did you know?”—it’s “Should you have known?” 

That shift reframes monitoring as a cultural control. What used to be an HR issue is now shared with the compliance domain. 

HR alone can’t carry the weight 

Many firms will instinctively turn to HR. But traditional escalation paths and whistleblowing channels, all of them absolutely necessary, only capture what’s reported. They can’t detect unspoken issues, validate behavioral patterns, or audit the consistency of investigations. 

That’s where surveillance becomes essential—not just for catching misconduct, but for preventing it. 

Communications monitoring gives firms a proactive lens. It picks up on risk signals—shifts in tone, escalation cues, inappropriate language—before they turn into regulatory breaches. It gives HR, compliance, and front office a shared view of what’s really happening beneath the surface. 

HR teams can’t manage what they can’t see. An effective surveillance platform helps surface the risk signals hiding in everyday conversations—before they escalate. 

Action Plan for Firms: Steps to meet FCA’s new culture and conduct rules 

With a year to prepare, firms should start embedding cultural governance into their risk framework. Steps include: 

  • Audit your policies and systems: Ensure your whistleblowing channels, speak-up processes, and monitoring tools capture cultural as well as financial risk. 
  • Map HR and compliance boundaries: If one HR function spans regulated and unregulated entities, COCON may apply more broadly than expected. 
  • Train senior managers: Equip leaders to spot early warning signs, apply consistent discipline, and document defensible decisions. 
  • Update escalation processes: Make sure NFM is integrated into board reporting, dashboards, and SMF attestations. 

Surveillance considerations 

Firms should explore how existing surveillance tools can help satisfy the new requirements. This includes:  

  • Ensuring coverage across discrimination and bullying-related language: Monitoring of complaints language as it manifests, whether internally, across roles or with external parties. Just looking for misspelled swear words is not necessarily going to tell you where problems are percolating. 
  • Tagging weak signals: Chats and voice, among other channels, are rich with the kind of cultural signals that can indicate a potential issue. By tagging sentiment, firms can form a rich dataset across which to surface conduct risk. 
  • Minimizing noise: Not all frustration indicates a problem (people are entitled to have bad days or may want to complain about their sports team), so having a tool that can tell the difference goes a long way. 

Where culture meets compliance

The FCA’s guidance makes one thing clear: Context is everything. 

Misconduct with colleagues during client dinners, at conferences, over video calls, or during firm-sponsored events is squarely in scope. So anything that follows directly from official business, especially when power dynamics are involved, is also in focus. Even private gatherings may fall under scrutiny if there’s a clear link back to the workplace. 

For firms operating across both regulated and unregulated lines of business, the structure of HR becomes a hidden control. 

  • A unified HR team may unintentionally bring all staff under COCON—even if only part of the business is regulated. 
  • A segmented HR model, if clearly defined, may offer some boundaries. But only if firms can prove the separation holds. 

And when it comes to “serious misconduct,” the FCA has updated the playbook. It’s not just what someone did—but how often, for how long, with what impact, and under what imbalance of power. 

How Shield Surveillance helps firms stay ahead 

Shield’s AI-powered surveillance platform is built for the cultural oversight CP25/18 demands. We don’t just detect risky messages—we analyze tone, frustration, and context to surface deeper patterns of behavior. 

For compliance and HR teams, that means: 

  • Seeing early warning signs of bullying, harassment, or complaints—even when no one speaks up. 
  • Maintaining defensible audit trails for FIT assessments and internal investigations.
  • Reducing investigation time through AI-generated summaries and risk prioritization. 
  • Empowering senior managers with the evidence they need to fulfill their “reasonable steps” obligations. 

By monitoring across regulated and unregulated entities, Shield helps firms meet the FCA’s “Should you have known?” standard—and prove they acted before risk turned into damage. 

A new lens on culture 

This isn’t just a policy update. It’s a signal that trust and integrity are measurable—and enforceable—regulatory outcomes. 

Firms that treat culture as a monitored control, not just an HR ideal, will be best positioned to lead in this new landscape. The ones who don’t may find themselves caught flat-footed—unable to defend what they didn’t see coming. 

At Shield, we’ve always believed that context is everything. Now, the regulator does too. 

Culture is now a regulatory control. Your monitoring system needs to prove it. 

Reach out now to see how Shield can help you prepare before the new rules take effect in September 2026.