Your Guide to the FCA’s 2026 Non-Financial Misconduct Rules (CP25/18)

A Short Overview of the Upcoming Changes 

Workplace culture is no longer just an HR concern. From September 1, 2026, it becomes an explicit regulatory obligation. The UK Financial Conduct Authority (FCA) has made it clear through CP25/18: serious non-financial misconduct (NFM) is now firmly within the scope of regulatory supervision, individual accountability, and conduct rule enforcement.  
 
Firms authorised under the Financial Services and Markets Act and operating under the Senior Managers and Certification Regime (SM&CR), including both banks and non-bank firms, must be prepared to demonstrate how they prevent, identify, escalate, and remediate misconduct connected to work. 
 
Under the updated Conduct Rules framework, serious bullying, harassment, violence, and other work-related misconduct are no longer treated as ambiguous edge cases. For non-bank firms in particular, COCON 1.1.7FR removes doubt by explicitly confirming that such behaviour can constitute a breach of the Conduct Rules. Where misconduct reflects weak culture, inadequate controls, or failures in oversight, it becomes directly relevant to fitness and propriety assessments and individual accountability under SM&CR. 

CP25/18 also sharpens expectations for senior management. Senior managers are expected to take reasonable steps to ensure effective governance, reporting, escalation, and remediation of serious non-financial misconduct within their areas of responsibility. Failures in culture oversight, documentation, or control frameworks may engage Conduct Rule breaches, typically under Rule 2 (due skill, care, and diligence), and in some cases Rule 1 (integrity). 

Importantly, the new rules are not retrospective. Firms are not required to re-investigate historical cases. However, where prior regulatory notifications are inaccurate or incomplete, firms are expected to correct them. 

This article provides a practical breakdown of CP25/18, focusing on what has changed, why it matters, and how firms should prepare for the 2026 implementation. 
 

How to use this Article:  

  • A comprehensive glossary of scope and terminology 
    Clarify how CP25/18 applies in practice, including how it extends, refines, or reframes existing conduct and governance concepts across SM&CR, the FCA Conduct Rules (including COCON 1.1.7FR), and fitness and propriety. 
  • Practical FAQs on how CP25/18 works across firms  
    See how the new rules operate across different firm types, including scope, materiality thresholds, interaction with existing obligations, and implementation expectations. 
  • Role-specific guidance to support accountability and execution 
    Understand what CP25/18 means in practice for Senior Management Functions (SMFs), HR, Legal, Compliance, and firm leadership, with a focus on investigations, reporting, culture oversight, and regulatory defensibility. 

Want a deeper look at how CP25/18 reshapes expectations on conduct and culture? Read our full analysis: Culture, Conduct, and Control: What CP25/18 Means for Every Firm. 

CP25/18 Terminology and Scope

How CP25/18 applies, clarifies, or reframes familiar conduct and governance terms 

D&I – Diversity & Inclusion 

CP25/18 explicitly links serious non-financial misconduct to firm culture and equality objectives. It reinforces the FCA’s position that conduct issues such as harassment or discrimination are not isolated employment matters. Instead, they are indicators of broader governance and cultural failings. 

Equality Act (2010) 

CP25/18 references the Equality Act to acknowledge overlap between employment law and regulatory conduct standards. The FCA makes clear that behaviour which may engage Equality Act protections (such as harassment or discrimination) can also be relevant to Conduct Rules. It may also be relevant to fitness and propriety assessments, depending on seriousness and context. 

Worker Protection (Amendment of Equality Act 2010) Act 2023 

The Worker Protection Act introduces a statutory duty to take reasonable steps to prevent sexual harassment. CP25/18 sits alongside this development and reflects the FCA’s recognition that preventive obligations under employment law inform expectations around culture, governance, and reasonable steps in regulated firms. 

Fit and Proper Test (FIT) 

CP25/18 reinforces that serious non-financial misconduct may be relevant to assessments of integrity, reputation, and overall fitness and propriety, even where there is no financial wrongdoing. The FCA emphasises relevance, seriousness, and context rather than automatic conclusions. 

Updated FIT Guidance 

As part of CP25/18, the FCA is consulting on clarifications to FIT guidance to support more consistent treatment of serious non-financial misconduct, including conduct connected to work and, in limited circumstances, conduct outside work where it is relevant to fitness and propriety. 

Harassment 

Harassment is one of the core behaviours explicitly captured within CP25/18’s non-financial misconduct scope. Under COCON 1.1.7FR, serious harassment of colleagues can constitute a Conduct Rules breach from 2026. 

Objective Reasonableness 

While not a defined FCA Handbook term, CP25/18 repeatedly frames expectations around what is reasonable in the circumstances, including judgments about scope, seriousness, disclosure, and notification. The concept underpins the FCA’s emphasis on proportionality and consistency. 

Regulatory References 

CP25/18 clarifies how serious non-financial misconduct may be reflected in regulatory references under SM&CR. The FCA distinguishes between: 

  • Required disclosures where a Conduct Rules breach has been established and disciplinary action was taken 
  • Other fitness and propriety information that firms may disclose where they reasonably consider it relevant, fair, and accurate. 

This clarification is intended to improve consistency of disclosure while avoiding automatic or disproportionate reporting of workplace issues. 

Rolling Bad Apples 

Although informal language, CP25/18 explicitly addresses concerns about individuals moving between firms without serious misconduct being appropriately disclosed. The consultation reinforces regulatory references as a key control mechanism to address this risk without encouraging blanket or defensive disclosure. 

Supervision Sourcebook (SUP) 

CP25/18 reiterates that notification obligations under SUP 15.11 are triggered only where disciplinary action (as defined in section 64C FSMA) has been taken for a Conduct Rules breach, and reminds firms to correct prior mis-notifications based on unreasonable interpretations of scope. 

Frequently Asked Questions on CP25/18 

These are the key questions firms are grappling with.

1. What Problem is CP25/18 Trying to Fix? 

CP25/18 is aimed at inconsistent treatment of serious non-financial misconduct across SM&CR firms, particularly between banks and non-banks. The FCA’s concern is not isolated incidents, but weak escalation, unclear accountability, and cultural blind spots that undermine governance, trust, and market integrity. 

2. What Has Changed Under COCON? 

For non-bank firms, CP25/18 introduces explicit scope clarity via COCON 1.1.7FR, confirming that serious bullying, harassment, or violence toward colleagues can constitute a Conduct Rules breach. This removes ambiguity rather than expanding Conduct Rules wholesale. 

3. Does CP25/18 Create A New Category of Misconduct? 

No. CP25/18 does not create a new misconduct regime. It clarifies when existing Conduct Rules and fitness and propriety standards apply to serious non-financial misconduct, and how firms should interpret relevance and seriousness more consistently. 

4. Where Is the Boundary Between HR Issues and Regulatory Issues Now? 

CP25/18 draws a clearer line: Not all HR issues are regulatory, but serious, substantiated misconduct that indicates integrity, diligence, or cultural failure may engage COCON and FIT. The key shift is interpretation and escalation, not volume. 

5. When Does Non-Financial Misconduct Affect Fitness and Propriety Under CP25/18? 

CP25/18 makes clear that serious non-financial misconduct is not automatically disqualifying but may be relevant to fitness and propriety where it calls into question integrity, reputation, or suitability for the role. 

The FCA’s emphasis is on context, evidence, and proportionality—including the nature of the conduct, its connection to the role, and whether it indicates a broader pattern—rather than on blanket outcomes or zero-tolerance assumptions. 

6. Does Misconduct Outside Work Fall Within Scope? 

Potentially. CP25/18 distinguishes between: 

  • Conduct Rules scope, which is primarily work-associated 
  • Fitness and propriety, where serious misconduct outside work may be relevant if it has a clear bearing on suitability. 

There is no expectation of proactive monitoring of private life. 

7. What Does “Serious” Mean in CP25/18? 

CP25/18 avoids a fixed definition by design. The FCA focuses on: 

  • The nature of the behaviour 
  • Its impact on others or firm culture 
  • Patterns or repetition 
  • The individual’s role and responsibility 

The aim is consistent judgment, not rigid thresholds. 

8. When Does Non-Financial Misconduct Need to Appear in a Regulatory Reference? 

CP25/18 clarifies that not all workplace misconduct belongs in a regulatory reference. Disclosure is required only where a Conduct Rules breach has been established and disciplinary action taken. Other fitness and propriety information should be included only where it is relevant, fair, and accurate. 

The FCA’s focus is on decision quality and consistency, not broader or more defensive disclosure. 

9. Does CP25/18 Require Firms to Reopen or Re-litigate Past Misconduct Cases? 

No. CP25/18 is not retrospective. Firms are not expected to reopen closed cases or re-assess historic outcomes under the new scope. 

However, the FCA does expect firms to correct prior misinterpretations where regulatory notifications or references were submitted based on an unreasonable reading of scope at the time. 

10. Where Does the FCA Expect Firms to Struggle Most? 

Although CP25/18 is framed as clarification, the FCA implicitly targets: 

  • Inconsistent seriousness thresholds 
  • Poor documentation of judgment 
  • HR–compliance disconnects 
  • Defensive over- or under-reporting 

These are supervisory risk areas, not technical gaps. 

11. How Does CP25/18 Interact with Employment Law Developments? 

CP25/18 sits alongside a higher employment law baseline (including the Worker Protection Act duty effective October 26, 2024). While distinct regimes, both reinforce expectations around reasonable steps, prevention, and culture, increasing scrutiny of how firms manage serious misconduct end-to-end. 

12. What Capabilities Matter Most for Evidencing Compliance with CP25/18? 

CP25/18 raises expectations around consistency, auditability, and defensibility in how firms handle serious non-financial misconduct. This places greater weight on a firm’s ability to: 

  • Retain accurate and complete records of investigations and outcomes. 
  • Demonstrate consistent application of seriousness and relevance thresholds. 
  • Support regulatory references and notifications with clear evidence trails. 

The FCA is less concerned with how firms achieve this, and more concerned that firms can show their reasoning, controls, and decisions hold together under scrutiny. 

13. What Are the Estimated Costs of Implementing CP25/18? 

In its cost-benefit analysis of CP25/18, the FCA estimates that the core rule changes relating to non-financial misconduct will result in approximately £25m in one-off implementation costs across affected firms. Ongoing annual costs are expected to be around £15 million thereafter. 

Role-Specific Responsibilities 

From interpretation to execution: who owns what under CP25/18 

Compliance and Conduct Risk Focus 

What CP25/18 Tightens or Clarifies 

CP25/18 makes the FCA’s expectations explicit for non-bank firms by bringing serious bullying, harassment, and violence into clearer Conduct Rules scope under COCON 1.1.7FR, aligning treatment more closely with banks. 

It also reinforces that serious non-financial misconduct may be relevant to fitness and propriety, including where misconduct occurs outside work but is relevant to an individual’s suitability. 

What Compliance Owns 

  • Embedding serious non-financial misconduct within the firm’s conduct risk framework, rather than treating it as a standalone HR issue. 
  • Setting and maintaining consistent seriousness and relevance thresholds across HR, Legal, and SM&CR decision-makers. 
  • Ensuring decisions are defensible, with clear evidence, rationale, escalation paths, and outcomes that can withstand supervisory scrutiny. 

What Good Looks Like 

  • Non-financial misconduct is governed as a defined conduct risk, with clear escalation routes into conduct risk committees and board-level MI focused on trends rather than individual cases. 
  • A consistent internal distinction between Conduct Rules scope (including the clarified 1.1.7FR work-related scope) and fitness and propriety relevance, which may extend to out-of-work conduct where appropriate. 
  • A firm-wide standard for what constitutes “disciplinary action” for Conduct Rules purposes, recognising this as the trigger for notification obligations. 

Reporting Anchor 

Where a Conduct Rules breach results in disciplinary action, as defined in section 64C FSMA, notification obligations arise under SUP 15.11, including use of Form H / REP008 for conduct-rules staff other than senior managers in the circumstances set out in the Handbook. 

Legal Focus

What CP25/18 Tightens or Clarifies 

CP25/18 reinforces that serious workplace misconduct can have regulatory consequences under COCON and FIT, while remaining anchored in existing employment law principles. The FCA’s focus is on consistent and fair application, not on altering dismissal thresholds or employment law tests. 

This places legal teams at the intersection of procedural fairness, privacy, documentation quality, and the defensibility of disclosures and notifications. 

What Legal Owns 

  • Maintaining a credible boundary between employment law process and regulatory judgment, ensuring neither undermines the other. 
  • Ensuring investigation outcomes and disclosure decisions are robust against employment claims and regulatory challenge, with clear reasoning and proportionality. 

What Good Looks Like 

  • Employment law fairness and regulatory relevance are assessed together through a coherent dual-track approach, rather than in sequence or in silos. 
  • Disclosure decisions (regulatory references and FCA notifications) are evidence-based and proportionate, avoiding both defensive over-disclosure and regulatory under-reporting. 
  • Legal privilege is applied deliberately, without creating gaps that weaken the evidential basis for regulatory decisions. 

HR Team Focus 

What CP25/18 Tightens or Clarifies 

CP25/18 removes ambiguity around the regulatory relevance of serious bullying, harassment, and violence in SM&CR firms, particularly following the explicit clarification under COCON 1.1.7FR for non-bank firms. 

For HR teams, the shift is not about redefining misconduct, but about standardising how serious non-financial misconduct is handled so that outcomes are consistent, repeatable, and capable of supporting regulatory judgments, including Conduct Rules outcomes, fitness and propriety assessments, and disclosures. 

This sits alongside a higher employment-law baseline, including the Worker Protection Act duty effective October 26, 2024, but CP25/18 adds a regulatory lens focused on governance and defensibility rather than process alone. 

What HR Owns Under CP25/18 

HR is the institutional owner of standardising misconduct handling. Under CP25/18, HR teams are expected to move away from bespoke, manager-led responses toward institution-wide, standardised processes that support consistent regulatory outcomes. 

This includes ownership of: 

  • Standardised investigation frameworks that produce comparable outputs across cases, regardless of business line or geography. 
  • Consistent language and thresholds for assessing seriousness and outcomes, reducing the risk of materially different treatment for similar fact patterns. 
  • Defined and predictable escalation points into Compliance and Legal teams where matters may engage COCON, FIT, or disclosure obligations. 

The FCA’s concern is not the specific outcome reached, but whether outcomes are reached using the same process, logic, and criteria across the firm. 

What Good Looks Like 

  • Investigations follow a single, standardised structure, generating outputs that can be relied on for conduct risk decisions, notifications, and regulatory references without reinterpretation. 
  • Comparable cases produce comparable assessments, with any deviation explicitly documented and justified. 
  • Escalation to Compliance and Legal teams is embedded into the process, rather than triggered ad hoc, avoiding retrospective reworking of conclusions. 
  • Investigation records are structured to support downstream regulatory use, including Conduct Rules assessments, fitness and propriety decisions, and disclosures, without reopening fact-finding. 
  • Patterns and trends are visible over time, allowing repeat behaviours or systemic issues to be identified rather than remaining isolated within individual cases. 

Firm-Wide Readiness Focus (Banks and Larger SM&CR Firms) 

What CP25/18 Tightens or Clarifies 

The FCA’s direction is consistency: consistent scope, thresholds, escalation, and disclosure. The principal supervisory risk is not definitional error, but inconsistent judgment and weak documentation across functions and business lines. 

For groups with mixed regulated and non-regulated populations, CP25/18 requires particular care in consistently identifying when misconduct involves the financial services business and therefore falls within Conduct Rules scope. 

What Leadership Owns 

  • Clear allocation of accountability under SM&CR for culture oversight, investigation governance, escalation, and remediation. 
  • Management information that enables boards and senior committees to identify patterns early and intervene, rather than reacting only once issues escalate. 

Where Technology Supports the Programme 

CP25/18 increases the importance of evidencing decisions over time, particularly around conduct outcomes, notifications, and regulatory references. Systems that strengthen record completeness, audit trails, retention, and retrieval support consistency and reduce reliance on hindsight reconstruction during supervisory review. 

From Awareness to Action: Meeting the FCA’s New Standards 

CP25/18 makes clear that culture and non-financial misconduct are now matters of regulatory judgment, not post-hoc explanation. Firms need to be able to show that conduct decisions are consistent, traceable, and defensible across cases, functions, and time. 

Shield supports firms in operationalizing these expectations by providing the governance, surveillance, and evidencing capabilities needed to manage non-financial misconduct at scale. As regulatory focus evolves, our models are updated to reflect emerging conduct risks, including clearer separation between employee conduct and regulated compliance behaviours, and expanded coverage of workplace misconduct such as harassment and bullying. 

For a deeper analysis of CP25/18 and its implications across Compliance, HR, Legal, and senior management teams, download our white paper.

To see how Shield can support compliance teams in meeting the FCA’s new non-financial misconduct rules, get in touch with us.
