September 2026 Deadline: Non-Banks Face New FCA Misconduct Rules. Are You Ready?

July 03, 2025 by Shaun Hurst

In 18 months, non-bank financial services firms will face the same regulatory scrutiny on workplace misconduct as their banking counterparts. The question isn't whether you'll comply. The question is whether you'll be ready when the FCA starts asking tough questions about your culture.

From 1 September 2026, the FCA extends its non-financial misconduct rules to all firms under the Senior Managers and Certification Regime. Non-banks include investment firms, insurers, asset managers, consumer credit companies, and other FCA-regulated entities outside traditional banking. This change, detailed in Consultation Paper CP25/18, closes a long-standing gap between banks and these other financial services firms. Serious workplace misconduct like bullying, harassment, and violence becomes a regulatory concern for everyone operating in financial services.

With industry-wide implementation costs potentially reaching £75 million and ongoing annual costs of £40 million, this represents a fundamental shift in how non-banks must operate. 

Why it matters

The FCA’s new rules bring sweeping misconduct accountability to thousands of non-bank firms for the first time — and the regulator expects you to be ready. This article breaks down what’s changing, what’s expected, and what your firm must start doing now to avoid regulatory, reputational and operational risk.

Why the FCA is taking action

The regulator's evidence tells a clear story: poor market conduct stems from weak workplace culture. Non-financial misconduct serves as an early warning system for deeper organizational problems. Extending the Code of Conduct to non-banks delivers four key benefits:

Stops the 'rolling bad apples' problem

Firms must now include substantiated cases of bullying or harassment in regulatory references. Individuals with misconduct records can no longer simply hop between firms.

Removes an unjustified discrepancy

Banks have operated under broader conduct rules for years. Non-banks faced requirements only for specific SMCR-related activities. Aligning both sectors brings clarity and consistency. 

Reflects strong industry support

In the prior consultation (CP23/20), 80% of respondents backed extending the rules, including 90% of trade bodies. The Treasury Select Committee endorsed the change. 

Builds healthier workplace cultures

Unchecked harassment drives away talent, kills open communication, and undermines performance. Clear standards help create environments where staff feel safe raising concerns.

Three critical implementation challenges

Non-banks face practical hurdles as they prepare for September 2026. The FCA is developing additional guidance, but three issues demand immediate attention: 

Defining what's in scope

The Code of Conduct applies only to behaviour related to a firm's functions and activities. Purely private conduct falls outside regulatory scope. However, private behaviour can still affect professional standards, particularly involving criminal convictions or serious ethical breaches.

The draft guidance will include examples helping firms distinguish work-related incidents from personal matters. The line isn't always obvious, and firms need clear decision-making frameworks. 

Determining what counts as 'serious'

The regime targets conduct that violates dignity or creates intimidating, hostile, degrading, humiliating, or offensive environments. Firms must consider both the individual's perception and whether that perception was reasonable.

This requires nuanced judgment calls. Documentation becomes crucial. Firms need consistent processes for evaluating incidents and clear reasoning for their decisions. 

Planning resource requirements

The FCA's cost-benefit analysis estimates one-off industry costs around £25 million, with £15 million in ongoing annual expenses. If firms enhance policies and training beyond minimum requirements, implementation costs could reach £75 million with £40 million annually.

Budget planning must cover policy updates, revised disciplinary processes, comprehensive training programs, and system upgrades across all organizational levels. 

Technology: Your compliance backbone

Clear policies represent only the starting point. Meeting FCA expectations requires battle-tested systems that capture, analyse, and surface genuine misconduct risks while reducing the noise that overwhelms compliance teams. The infrastructure challenge is real. Firms need regulatory-grade platforms that don't just archive communications but actively empower compliance workflows from incident detection through investigation to regulatory reporting. 

Capture everything, surface what matters

Cloud-native archiving preserves all communications around harassment or bullying incidents, while regulatory-grade AI reduces false positives and helps compliance teams identify true risk 3x faster than legacy approaches. 

Turn data into actionable intelligence

Advanced analytics detect concerning behavioural patterns before they escalate into culture-wide problems. Early intervention powered by machine learning prevents small issues from becoming regulatory headaches. 

Demonstrate bulletproof compliance to regulators

Comprehensive training records and incident documentation provide the transparency regulators expect. When FCA examiners ask tough questions about your culture program, you need systems that deliver confident, well-documented answers. 

Your 18-month preparation roadmap

Now through Q2 2025: Foundation building

Conduct comprehensive policy reviews and gap analyses. Identify where current procedures fall short of new requirements. 

Q3 2025: System implementation

Roll out upgraded systems and begin intensive staff training. Test new processes with pilot groups before full deployment. 

Q4 2025 through Q1 2026: Testing and refinement

Run scenario-based testing of incident management procedures. Refine processes based on real-world application. 

Q2 2026: Final preparations

Complete regulatory sign-off procedures. Ensure all staff understand new requirements and reporting obligations. 

Building a single standard

When September 2026 arrives, all financial services firms will operate under identical standards for bullying and harassment. This unified approach creates several advantages:

  1. The playing field gets levelled. Every firm knows exactly what falls within regulatory scope and what doesn't.
  2. Firms face stronger incentives to act decisively when serious misconduct occurs, backed by mandatory disclosure requirements in regulatory references.
  3. Psychological safety improves across the sector, driving better decision-making, appropriate risk-taking, and innovation.

Don’t wait for the regulator to knock

The firms that excel under these new rules won't be scrambling to comply in summer 2026. They'll be the organizations building robust cultures and systems today. Early preparation prevents compliance costs from multiplying and gives you first access to shrinking talent pools.

Your competition is already moving. The question is whether you'll lead the change or get dragged along by it. With 18 months until implementation, you have time to do this right. But that window closes quickly.

Don't wait for the deadline to start thinking about compliance. Start building the culture you want now, before the rules force your hand. 
