Non-Financial Misconduct: September 2026 Deadline for Non-Bank Firms

MEMA Regulatory Team

Understanding PS25/23 requirements for tackling bullying, harassment, and misconduct, with implementation guidance for affected firms.

The Financial Conduct Authority has made clear that a firm's culture is inseparable from its conduct risk profile. With the publication of Policy Statement PS25/23, the regulator has now extended its non-financial misconduct requirements to approximately 37,000 non-bank firms, with a compliance deadline of 1 September 2026. This article examines what these changes mean in practice and how affected firms should prepare.

The Regulatory Context

Non-financial misconduct—encompassing bullying, harassment, discrimination, and other behaviours that fall outside traditional financial wrongdoing—has been on the FCA's radar for several years. The regulator's concern is straightforward: firms with toxic cultures tend to produce poor customer outcomes. Where employees are mistreated, silenced, or fear speaking up, the likelihood of financial misconduct going undetected increases substantially.

The banking sector has been subject to these requirements since 2024, following the FCA's earlier consultation and policy work. The extension to non-bank firms reflects the regulator's view that culture problems are not confined to large deposit-takers and investment banks—they exist across the financial services landscape, from small advice firms to insurance intermediaries.

PS25/23 represents the final policy position following extensive consultation. It confirms the scope of the new requirements, the amendments to the Code of Conduct (COCON), and the expectations for reporting and disclosure.

What Constitutes Non-Financial Misconduct?

Understanding what falls within scope is essential for any compliance programme. The FCA's definition of non-financial misconduct encompasses conduct that does not directly relate to financial services activities but which is nonetheless relevant to a person's fitness and propriety or a firm's culture.

Explicit Categories

The FCA has identified several categories of behaviour that now constitute explicit breaches of the Conduct Rules:

Bullying includes persistent criticism, humiliation, or intimidation that undermines an individual's confidence or professional standing. This extends to both overt aggression and more subtle patterns of behaviour designed to marginalise or exclude colleagues.

Harassment covers unwanted conduct related to a protected characteristic (such as sex, race, disability, religion, or sexual orientation) that violates dignity or creates a hostile, degrading, or offensive environment. Sexual harassment receives particular attention, including unwanted physical contact, inappropriate comments, and requests for sexual favours.

Violence and physical intimidation extends to any physical aggression or threats of violence in the workplace or connected to professional activities.

Discrimination includes treating individuals less favourably based on protected characteristics, whether in recruitment, promotion, day-to-day management, or any other aspect of employment.

Victimisation covers subjecting someone to a detriment because they have made or supported a complaint about misconduct, or because they are believed to have done so.

The Fitness and Propriety Connection

The FCA's approach connects non-financial misconduct directly to the existing fitness and propriety framework. Under SYSC and the FCA's FIT requirements, individuals must demonstrate honesty, integrity, and reputation. The regulator has clarified that involvement in serious non-financial misconduct—whether inside or outside the workplace—is relevant to these assessments.

This means that incidents of domestic violence, serious harassment outside work, or criminal conduct involving violence or dishonesty may all be relevant to whether an individual can continue in a regulated role.

COCON Application to Non-Bank Firms

The Code of Conduct (COCON) establishes fundamental standards of behaviour for individuals working in financial services. The Individual Conduct Rules apply to almost all employees, while Senior Manager Conduct Rules apply to those holding Senior Management Functions (SMFs).

Individual Conduct Rule 1: Integrity

Individual Conduct Rule 1 requires that "You must act with integrity." The FCA has confirmed that serious non-financial misconduct, including bullying, harassment, and discrimination, constitutes a breach of this rule. Acting with integrity is incompatible with creating a hostile working environment or treating colleagues with disrespect based on protected characteristics.

This represents a significant expansion of how Rule 1 should be interpreted. Previously, some firms may have viewed integrity breaches as limited to dishonesty in financial matters. The FCA's position is unambiguous: integrity encompasses behaviour towards colleagues and others connected to the firm's activities.

Senior Manager Conduct Rule 1: Effective Control

Senior Manager Conduct Rule 1 (SC1) requires senior managers to take reasonable steps to ensure the business is controlled effectively. The FCA has clarified that this includes establishing and maintaining a workplace culture free from bullying, harassment, and discrimination.

Where a senior manager knows or ought to know that misconduct is occurring within their area of responsibility and fails to address it, this may constitute a breach of SC1. The same applies where a senior manager fails to implement adequate policies, training, or reporting mechanisms to prevent and detect misconduct.

Senior Manager Conduct Rule 4: Disclosure

Senior Manager Conduct Rule 4 (SC4) requires senior managers to disclose appropriately any information of which the FCA would reasonably expect notice. This includes information about serious non-financial misconduct within the firm, particularly where it relates to individuals in regulated roles or suggests broader cultural problems.

The duty to disclose is not limited to confirmed misconduct—reasonable grounds to believe that misconduct has occurred may trigger the disclosure obligation.

Reporting and Disclosure Requirements

PS25/23 establishes clear expectations for how firms should handle non-financial misconduct from a regulatory reporting perspective.

Regulatory References

When providing regulatory references for individuals moving between firms, the departing firm must include information about concluded disciplinary proceedings relating to non-financial misconduct. This applies regardless of whether the individual resigned, was dismissed, or left for other reasons.

The requirement covers the six-year reference period and extends to any misconduct that would be relevant to the receiving firm's fitness and propriety assessment of the individual.

Section 64C Notifications

Firms must notify the FCA when they take disciplinary action against an individual for a breach of the Conduct Rules. With non-financial misconduct now expressly within the scope of Individual Conduct Rule 1, disciplinary action for bullying, harassment, or discrimination will require notification where it amounts to a Rule 1 breach.

The FCA has acknowledged that not every workplace disagreement or minor interpersonal conflict will rise to this level. Notification is required where the misconduct is sufficiently serious to constitute a breach of the Conduct Rules as set out in FCA guidance.

Directory Disclosure

The FCA's Financial Services Register and Directory include information about regulatory action taken against individuals. Where the FCA takes enforcement action relating to non-financial misconduct, this will appear on an individual's Directory entry, visible to consumers and other firms.

Building a Healthy and Inclusive Culture

The FCA's approach is not merely punitive. The regulator recognises that sustainable compliance requires firms to build positive cultures where misconduct is less likely to occur and more likely to be detected if it does.

Tone from the Top

Culture starts with leadership. Senior managers must demonstrate through their own conduct that bullying, harassment, and discrimination are unacceptable. This means modelling respectful behaviour, taking complaints seriously, and visibly supporting those who raise concerns.

Boards and governing bodies should receive regular management information on culture-related matters, including employee survey results, turnover patterns, grievance and disciplinary data, and any incidents of misconduct.

Psychological Safety

Research consistently shows that employees are more likely to raise concerns in environments where they feel psychologically safe—where speaking up does not risk retaliation or marginalisation. Firms should actively cultivate this safety through clear non-retaliation policies, multiple reporting channels (including anonymous options), and visible follow-through on concerns raised.

Diversity, Equity, and Inclusion

The FCA has drawn explicit connections between diversity, equity, and inclusion (DEI) and conduct risk. Firms with poor DEI outcomes often have cultures where certain groups feel marginalised or unable to challenge poor behaviour. Conversely, genuinely inclusive cultures tend to have stronger accountability and more effective risk management.

This does not mean firms must meet specific diversity targets to comply with PS25/23. Rather, firms should consider whether their culture enables all employees to participate fully and whether certain groups experience disproportionate rates of misconduct or barriers to raising concerns.

Cultural Red Flags and Risk Management

The FCA has identified cultural indicators that may signal elevated conduct risk. Firms should monitor for these red flags and treat them as prompts for further investigation.

Warning Signs

High turnover in specific teams or functions may indicate management problems or toxic dynamics within those areas. Exit interview data can provide valuable intelligence, though firms should recognise that departing employees may not always feel comfortable sharing concerns.

Repeated complaints about the same individuals suggest patterns of behaviour that are not being addressed effectively. Even where individual complaints are not substantiated, multiple allegations warrant serious attention.

Settlement agreements with non-disclosure provisions may indicate that problems are being managed rather than resolved. While such agreements have legitimate uses, a pattern of their use to address misconduct concerns should prompt scrutiny.

Under-reporting of grievances and complaints can be as concerning as high volumes. If employees do not trust the process or fear retaliation, they may suffer in silence rather than raise concerns.

Homogeneous leadership teams may lack the diversity of perspective needed to identify and challenge problematic behaviours. Where senior teams do not reflect the broader workforce, questions about cultural inclusivity are worth examining.

Integrating Culture into Risk Frameworks

Conduct risk frameworks should explicitly incorporate non-financial misconduct. This means including cultural indicators in risk assessments, conducting regular culture audits or surveys, and ensuring that conduct risk MI captures behavioural as well as financial matters.

Some firms are developing culture risk appetite statements—explicit articulations of the cultural behaviours they expect and will not tolerate. These statements can guide policy development, training content, and disciplinary decisions.

Preparing for September 2026

With fewer than six months until the implementation date, firms should be actively preparing. The following workstreams are essential.

Policy Review and Development

Existing policies on bullying, harassment, discrimination, and grievances should be reviewed against PS25/23 requirements. Key questions include:

  • Do policies explicitly reference the Conduct Rules and the consequences of breaches?
  • Are reporting mechanisms clearly explained and genuinely accessible?
  • Do investigation procedures meet standards of procedural fairness?
  • Are non-retaliation protections clearly articulated?
  • Do policies cover conduct outside the workplace where relevant to fitness and propriety?

Where gaps exist, policies should be updated before September 2026. Consider involving employment law specialists to ensure policies are legally robust as well as compliant.

Training Programmes

All staff should receive training on the expanded scope of the Conduct Rules. Training should cover what constitutes non-financial misconduct, how to report concerns, what happens when concerns are raised, and the consequences of breaches.

Senior managers require additional training on their specific obligations under SC1 and SC4, including their duty to maintain effective control and to disclose relevant information to the FCA.

Training should be documented, with records retained demonstrating completion. Consider requiring acknowledgement of understanding, particularly for the Conduct Rules elements.

Governance Arrangements

Boards and governing bodies should receive briefings on PS25/23 and its implications. Standing agenda items should be established for culture-related MI, with clear escalation paths for serious incidents.

Consider whether existing committee structures appropriately address non-financial misconduct. Some firms are establishing or enhancing conduct committees with explicit mandates covering both financial and non-financial misconduct.

Fitness and Propriety Processes

Fit and proper assessment procedures should be updated to capture non-financial misconduct considerations. This includes:

  • Initial assessment questions covering any history of workplace misconduct, disciplinary action, or relevant criminal matters
  • Ongoing monitoring processes that capture misconduct arising during employment
  • Clear procedures for reassessment where concerns emerge
  • Regulatory reference procedures that capture misconduct information for departing employees

Record-Keeping

The FCA expects firms to maintain adequate records of misconduct allegations, investigations, and outcomes. Review your record-keeping arrangements to ensure they capture the information needed for regulatory references, FCA notifications, and fitness and propriety assessments.

Consider retention periods carefully—regulatory reference obligations extend six years, and some records may need to be retained longer for fitness and propriety purposes.

How MEMA Can Help

Implementing the non-financial misconduct requirements is a significant undertaking, particularly for firms without dedicated compliance resource. MEMA Consultants provides practical, proportionate support tailored to your firm's size and complexity.

Our services include:

  • Gap analysis against PS25/23 requirements, identifying areas requiring attention before September 2026
  • Policy review and drafting to ensure your procedures meet FCA expectations and employment law requirements
  • Conduct Rules training covering both financial and non-financial misconduct, delivered in engaging formats tailored to your workforce
  • Board and senior manager briefings explaining obligations and governance requirements
  • Fitness and propriety framework development incorporating non-financial misconduct considerations
  • Culture assessment support helping you identify and address potential red flags
  • Ongoing compliance monitoring providing assurance that your arrangements remain effective

Whether you need comprehensive implementation support or targeted assistance with specific elements of the regime, our regulatory specialists can help.

The September 2026 deadline is approaching. Contact us today to discuss how we can support your firm's preparation.


This article is for general guidance only and does not constitute regulatory or legal advice. Firms should seek independent counsel for their specific circumstances.

About the Author

The MEMA Regulatory Team includes ex-FCA supervisors and Big 4 consultants with deep expertise across all aspects of UK financial services regulation and compliance.
