When the Financial Conduct Authority (FCA) published CP25/18 on 2 July 2025, it sent a clear signal to regulated firms: workplace culture is no longer a peripheral issue.
According to Wordwatch, rather than treating conduct and behaviour as an internal HR concern, the regulator has positioned culture itself as a source of regulatory risk that can directly affect market integrity and consumer trust.
Officially titled "Tackling non-financial misconduct in financial services", CP25/18 brings together a Policy Statement confirming final rule changes and a consultation on draft guidance that explains how firms should apply those rules in practice. While the document is technical in tone, its underlying message represents a material shift in how the FCA views behaviour, accountability and fitness within regulated organisations.
At the centre of CP25/18 is a broadening of the FCA’s conduct framework to explicitly capture serious non-financial misconduct. Behaviour such as bullying, harassment, violence or actions that create an intimidating, hostile, degrading or offensive environment is now clearly framed as a regulatory issue, rather than a matter to be managed quietly through internal processes.
This shift is delivered through a new rule, COCON 1.1.7FR, which aligns non-bank firms with standards already applied in the banking sector. From 1 September 2026, almost all firms authorised under FSMA with Part 4A permissions, along with individuals subject to COCON, will be expected to treat serious workplace misconduct as a breach of regulatory conduct standards. In effect, the FCA is redefining what it considers relevant to fitness, propriety and the sound functioning of markets.
Alongside the rule change, the FCA is consulting on updates to the Code of Conduct and the Fitness and Propriety sourcebook (FIT). The proposed guidance is designed to help firms make difficult and often uncomfortable judgements, including how to assess the seriousness of alleged misconduct, where the boundary lies between normal workplace conflict and regulated behaviour, and when actions outside the workplace become relevant to regulatory expectations.
In practical terms, this removes the comfort of ambiguity. Informal resolution, inconsistent handling or reliance on HR discretion alone will be harder to justify where conduct decisions may later be examined by supervisors or enforcement teams.
Why the FCA is sharpening its focus
The regulator’s rationale is increasingly explicit. Non-financial misconduct is viewed as a contributor to wider harm, including cultural weakness, consumer detriment and erosion of confidence in financial markets. The FCA has repeatedly highlighted concerns about “rolling bad apples”, where individuals with known misconduct histories move between firms without transparency or consequence.
Although the FCA stepped back from the broader diversity and inclusion proposals set out in CP23/20, CP25/18 demonstrates that non-financial misconduct remains firmly on the agenda. The emphasis has shifted from aspiration to enforceability.
For firms across financial services, the implications are difficult to ignore. Serious workplace misconduct now sits squarely within regulatory scope, meaning HR processes alone are no longer a protective boundary. Disciplinary, investigation, whistleblowing and escalation frameworks need to be reviewed across HR, compliance and legal functions to ensure consistency and defensibility.
Training programmes must reflect regulatory expectations rather than internal policy alone, while documentation and record-keeping around incidents and outcomes become critical. Senior Managers under SM&CR also face heightened accountability, as culture is increasingly treated as something measurable and governable rather than intangible.
As culture becomes a regulatory lever, evidentiary readiness matters. Firms must be able to demonstrate not only that issues were addressed, but how, when and by whom. This is where governance and compliance technology plays a growing role.
Platforms such as Wordwatch, a modular communications governance and archiving solution, are designed to support these requirements. Comprehensive capture and archiving across voice and digital channels provides reliable, timestamped records, while strong data governance and auditability help firms evidence completeness and integrity. Modular workflows also allow conduct and culture oversight to sit alongside traditional financial compliance, supporting SM&CR accountability through clear audit trails.
CP25/18 raises the bar for regulated organisations. It reframes culture as something that must be governed, evidenced and defended, not simply articulated in policy statements. Firms that recognise this shift have an opportunity to strengthen trust, accountability and resilience. Those that do not may find that culture has become an unexpected source of regulatory exposure.
Copyright © 2026 FinTech Global









