From 1 September 2026, FCA Policy Statement PS25/23 extends the Conduct Rules (COCON) to cover serious non-financial misconduct, meaning bullying, harassment and violence, at all SMCR firms. Firms must update COCON training so staff understand the expanded rules, and ensure Senior Managers and HR can assess whether conduct crosses the regulatory threshold.
The FCA has been clear about the direction of travel. Dear CEO letters in 2022 and 2023 identified inconsistent firm approaches to non-financial misconduct as a systemic weakness: the same conduct was being treated as a regulatory matter at some firms and an HR matter at others, with no consistent standard. PS25/23, published 12 December 2025, responds by giving firms regulatory clarity: serious non-financial misconduct is now explicitly within the scope of COCON at all SMCR firms, and individuals, as well as firms, can be held accountable for it.
The PS26/6 SM&CR Phase 1 reforms bring COCON amendments on the same 1 September 2026 date, in alignment with PS25/23. For the training implications of PS26/6’s broader reform package (the 12-week rule, certification changes, threshold changes), see our guide to SM&CR reform 2026.
What is PS25/23 and what does it change?
PS25/23 amends COCON (the FCA’s Code of Conduct sourcebook) by introducing rule COCON 1.1.7FR. This new rule extends COCON’s scope to cover serious non-financial misconduct at all firms holding a Part 4A permission under FSMA. Before this change, banks and dual-regulated firms had COCON apply in a way that broadly covered NFM; for FCA solo-regulated firms (insurers, asset managers, wealth managers, fintechs and payment institutions), this is new regulatory territory.
Non-financial misconduct under COCON 1.1.7FR means serious bullying, harassment and violence. The “serious” threshold is deliberate: minor or trivial interpersonal friction is not in regulatory scope. Conduct falls within COCON 1.1.7FR where either the person carrying out the conduct or the subject of it deals with the financial services business of the firm. Only where both individuals work in entirely separate functions unconnected to the firm’s financial services operations does the conduct fall outside scope.
Three specific rule changes carry direct training implications. First, Individual Conduct Rule 1 (act with integrity) and Individual Conduct Rule 2 (act with due skill, care and diligence) can now be breached through serious NFM: what was previously treated solely as an HR or employment law matter can become a regulatory breach against a named individual. Second, Senior Manager Conduct Rule SC4 creates a disclosure obligation: Senior Managers must disclose private-life conduct that is material to an assessment of their fitness and propriety. Third, PS25/23 amends the FIT sourcebook to clarify that serious NFM is relevant to the honesty, integrity and reputation element of the fit and proper test.
The full policy statement is published at FCA PS25/23. The FCA has also published flow diagrams for consistent NFM assessment, which are a useful input to training design for HR and compliance teams.
For an introduction to the Conduct Rules and how COCON applies across the firm, see our guide to what is SM&CR training.
Does PS25/23 require firms to update their training?
Yes. The FCA’s guidance in PS25/23 explicitly identifies training as part of how firms implement the new rules. There are two distinct layers, and treating them as one is the most common implementation mistake.
The first layer is all-staff COCON awareness. Every member of staff subject to the Conduct Rules needs to know that the rules now explicitly cover serious NFM: what that means in practice, how Individual Conduct Rules 1 and 2 apply to interpersonal conduct, and how to report suspected NFM internally. This is not a new standalone module. Firms running annual COCON or Conduct Rules refresher training should add NFM-specific scenarios to those programmes. A proportionate update to existing training is appropriate; a separate NFM compliance module alongside a full COCON programme adds cost without adding regulatory value.
The second layer is targeted training for Senior Managers, HR and compliance. The FCA’s guidance makes clear that these functions need to understand how to assess NFM severity (specifically what the COCON 1.1.7FR threshold looks like in practice), what “reasonable steps” mean for preventing and addressing NFM within a Senior Manager’s area of responsibility, and how NFM findings interact with the firm’s breach-reporting obligations under SUP. This targeted training is more demanding than general awareness and must be treated as a distinct programme element. The FCA will look for evidence that Senior Managers and compliance and HR teams received targeted training, not just the all-staff module.
The FCA supplies flow diagrams for conducting consistent NFM assessments. Building these into the targeted training for HR and compliance, rather than simply mentioning that they exist, demonstrates the kind of serious implementation the regulator expects.
What must non-financial misconduct training cover?
Effective NFM training maps to three audience layers, each with distinct content requirements.
All COCON staff: awareness training. This layer reaches everyone subject to the Conduct Rules. It should cover what NFM is under COCON 1.1.7FR (serious bullying, harassment and violence) and the scope test that determines whether conduct falls within the rule. It should also show how IC1 (integrity) and IC2 (due skill, care and diligence) apply to NFM in practice: what does acting with integrity look like in interpersonal workplace conduct? Scenario-based examples set in a financial services context will be more effective than abstract rule recitation. The training should also cover the internal escalation route (how to report suspected NFM) and make clear that the FCA can now act against individuals, as well as firms, for serious NFM findings.
Senior Managers: targeted training. Senior Managers need content that goes beyond awareness. SC4 disclosure obligations must be explained: what private-life conduct is material to a fitness and propriety assessment, and how Senior Managers should handle potential disclosure situations. The concept of reasonable steps needs concrete grounding: what does a Senior Manager responsible for a team or business area need to have in place to demonstrate they took reasonable steps to prevent and address NFM in their area? And the assessment process itself: how does the firm assess whether conduct crosses the COCON 1.1.7FR threshold, and what does that mean for a Senior Manager who has first-hand knowledge of potential misconduct?
Compliance and HR: process training. This layer trains the functions who will operationalise the new rules. Content should build literacy around the FCA’s assessment flow diagrams; explain how to coordinate a COCON breach assessment with an HR disciplinary process (the two can run in parallel but address distinct obligations); and set out the record-keeping expectations: the FCA will expect to see how a firm assessed and responded to NFM allegations, not just a completion log for a training module.
Our Anti-Harassment & Inclusion training and Sexual Harassment training provide scenario-based content that supports the all-staff awareness layer. Our SM&CR course addresses the FIT sourcebook and certification implications that are particularly relevant for compliance teams managing the annual certification process.
Who must be trained and when?
PS25/23 applies to all FCA-authorised firms holding a Part 4A permission whose staff are subject to COCON, in practice all SMCR firms. The September 2026 deadline is the same for all firm types, though training priority differs by firm profile and function.
| Firm type | COCON applies to | Training priority |
|---|---|---|
| Banks and dual-regulated firms | All COCON staff | High: COCON already covered NFM broadly; update for COCON 1.1.7FR explicitly |
| FCA solo-regulated firms (insurers, asset managers, fintechs) | All COCON staff | High: COCON 1.1.7FR is new regulatory territory |
| Senior Managers (all firms) | SC4 disclosure obligations | Critical: targeted training before 1 September 2026 |
| HR and compliance functions | NFM assessment process | Critical: process training before 1 September 2026 |
For banking firms, PS25/23 refines obligations that existed in part; the main action is updating content to reflect COCON 1.1.7FR explicitly and ensuring SC4 training is current. For insurance and asset and wealth management firms, COCON 1.1.7FR is largely new territory, and training programmes will need more substantive updates. Fintech and payments firms with SMF holders may find that the SC4 disclosure obligation requires Senior Manager training that is more developed than their current content.
One point of coordination: the Worker Protection Act 2023, in force since October 2023, already requires employers to take reasonable steps to prevent sexual harassment in the workplace. PS25/23 adds a regulatory dimension, the COCON framework, on top of the existing employment-law obligation. The two regimes operate in parallel, not in competition. Firms should not consolidate their Worker Protection Act training with their COCON NFM training; they address related but distinct obligations. Our Anti-Harassment & Inclusion and Sexual Harassment courses address the employment-law dimension; COCON NFM training must explicitly reference COCON 1.1.7FR and the regulatory consequences of serious misconduct.
How does non-financial misconduct link to fitness and propriety?
PS25/23 amends the FIT sourcebook to clarify that serious NFM is relevant to the honesty, integrity and reputation element of the fit and proper test. The practical consequence is that annual certification (the process by which firms assess whether Certified Persons and Senior Managers remain fit and proper) should now factor in any NFM findings since the last assessment. A regulatory finding of serious NFM can affect an individual’s certified status or SMF approval.
Firms should review their certification assessment process to include an explicit NFM question. The question should reflect COCON 1.1.7FR: has there been any finding, allegation under active investigation, or upheld complaint relating to serious bullying, harassment or violence since the last assessment? The SC4 disclosure obligation for Senior Managers runs alongside this: a Senior Manager who is aware of private-life conduct material to their fitness assessment has a regulatory obligation to disclose.
Training implication: Certified Persons and Senior Managers need to understand that conduct in the areas covered by COCON 1.1.7FR can affect their fitness and propriety assessment and their regulatory status. Our SM&CR course covers the FIT sourcebook framework and the annual certification process, including the PS25/23 FIT amendments.
How should firms evidence NFM training to the FCA?
The FCA expects firms to be able to demonstrate three things: that training content was updated before 1 September 2026 to reflect COCON 1.1.7FR; that the right people completed the right tier of training (all-staff awareness, Senior Manager targeted, HR and compliance process); and that Senior Managers and the HR and compliance function received training at the targeted level, not just the all-staff module.
In practice this means time-stamped completion records that identify the learner, their role or function, the module completed, the version of the content, and the date. The FCA will ask to see how the firm designed its training response to PS25/23, not just a list of completion rates. A file showing the training-design rationale, the population assignment, and the completion records gives the regulator what it needs during a supervisory visit.
The CityREPORTS platform produces time-stamped, role-attributed, exportable completion records, the format the FCA expects. For the broader programme structure, see our guide to building a compliance training plan that stands up to regulatory scrutiny.
Common questions about FCA non-financial misconduct training
What is non-financial misconduct under the FCA? Non-financial misconduct is defined in FCA rule COCON 1.1.7FR as serious bullying, harassment and violence. From 1 September 2026, it is explicitly within the scope of COCON at all SMCR firms. Conduct is in scope if either the person carrying out it or the subject deals with the firm’s financial services business. The “serious” threshold distinguishes regulatory concern from minor interpersonal friction.
Does PS25/23 require firms to provide training before 1 September 2026? Yes. The FCA’s PS25/23 guidance explicitly identifies training as part of firms’ implementation obligations. Firms should update their COCON and Conduct Rules training to incorporate NFM before the new rules take effect. Senior Managers, HR and compliance teams need targeted training on how to assess severity and what reasonable steps look like. All COCON staff need awareness of the expanded conduct standards.
What changes does PS25/23 make to the Conduct Rules? PS25/23 introduces COCON 1.1.7FR, extending COCON’s scope to cover serious non-financial misconduct at all FSMA Part 4A firms. Individual Conduct Rules 1 (integrity) and 2 (due skill, care and diligence) can now be breached through serious NFM. Senior Manager Conduct Rule SC4 creates a disclosure obligation for Senior Managers regarding private-life conduct material to their fitness assessment.
How does non-financial misconduct affect the fit and proper test? PS25/23 amends the FIT sourcebook to clarify that serious NFM is relevant to the honesty, integrity and reputation element of the fit and proper test. Firms conducting annual certification should factor NFM matters into their fitness and propriety assessments. A regulatory finding of serious NFM can affect an individual’s certified status or SMF approval.
Which firms does PS25/23 apply to? PS25/23 applies to all FCA-authorised firms with a Part 4A permission whose staff are subject to COCON, in practice all SMCR firms including banks, insurers, asset managers, wealth managers, fintechs and payment institutions. Dual-regulated firms were already subject to COCON broadly; COCON 1.1.7FR is particularly significant for FCA solo-regulated firms.
What is the deadline for updating COCON training for PS25/23? The new COCON rules take effect on 1 September 2026. Firms should aim to have updated training deployed and completed before that date, not on it. Given content-update lead times and completion time across a firm’s population, a realistic internal deadline is mid-August 2026 at the latest for any firm of scale.
CityLearning’s Anti-Harassment & Inclusion and SM&CR training courses are updated for the PS25/23 changes, with scenario-based content on non-financial misconduct and the expanded Conduct Rules. The CityREPORTS platform records completion by tier and role, the evidence the FCA expects before 1 September 2026. Request a demo to see how it fits your firm’s implementation plan.