On 1 September 2026, the FCA’s Code of Conduct will extend to cover bullying, harassment and discrimination across every FCA-authorised organisation — not just banks. Most firms have already completed the visible groundwork: policies have been refreshed, training programmes are underway and “reasonable steps” have been committed to paper.
Yet a harder question persists beneath the surface. When the first allegation arrives, can your organisation retrieve the relevant conversation — whichever channel it took place on — in a defensible format, within the timeframe the regulator demands?
The firms that navigate the opening wave of scrutiny successfully will not necessarily be those with the most polished policies. They will be those whose evidence layer is genuinely prepared.
Wordwatch recently put together a whitepaper on the FCA non-financial misconduct evidence gap.
What the FCA has already signalled
The regulator’s direction of travel has been consistent and unambiguous. In August 2025, the FCA’s multi-firm review of 11 wholesale banks uncovered 178 confirmed breaches of internal communications policies within a single year. Notably, 41% of those breaches involved directors or senior managers — precisely the population most exposed under the incoming conduct rule. In January 2026, enforcement co-executive director Therese Chambers confirmed at the BCLP Emerging Themes event that the FCA does not rule out enforcement action over non-financial misconduct. The Decision Notice against Crispin Odey, published in March 2025, now stands as the defining senior-conduct precedent. Taken together, the message from the FCA is clear: surveillance is technology-neutral, the channel is irrelevant, and records must be complete, retrievable and defensible.
What compliance leaders need to understand before September
For asset managers, insurers, brokers and wealth platforms, the practical implications of COCON 1.1.7FR extend well beyond policy documents. Firms need to understand precisely where the FCA has drawn the line between historic conduct and what falls within the new scope — and they need to examine four key FCA outputs in combination: the August 2025 multi-firm review, the 2026 Wholesale Markets Regulatory Priorities Report, the January 2026 commentary from Therese Chambers, and the Odey Decision Notice. The signal, as the regulator itself has made plain, lies in the overlap.
The retrieval scenarios most firms cannot yet answer
Three retrieval scenarios are already exposing gaps at many organisations. The first involves a cross-channel allegation against a senior trader, where communications may be spread across email, messaging platforms and voice. The second concerns a legacy-pattern complaint that stretches back several years, requiring firms to demonstrate continuity of capture across systems that may have since been replaced. The third is an integrity test: records may have been captured, but can the firm prove that capture was working on a specific date? These are not hypothetical edge cases — they are the situations in which evidence gaps become enforcement vulnerabilities.
Where vendor accountability ends and yours begins
A common misconception among compliance and IT teams is that outsourcing the evidence layer transfers responsibility. It does not. Third-party outages, reconciliation gaps and missing data remain the firm’s problem in the eyes of the regulator. Any organisation whose capture, archive or retrieval function sits with an external provider should be asking pointed questions now about what “good” looks like — and whether they can demonstrate it. Practical benchmarks already exist at firms that have consolidated their evidence infrastructure, covering capture completeness, archive integrity, reconciliation cadence and self-service retrieval speed.
A five-question diagnostic for leadership teams
Before September, compliance and IT leaders should be able to answer five questions honestly: Can your organisation pull a specific conversation across every regulated channel within one working day? Can you evidence that capture was functioning correctly on a given date? Can you trace any AI-flagged alert back to the underlying record? Are reconciliation gaps identified and closed within a defined timeframe? And does your response capability hold when a third-party provider experiences an outage? If the answer to any of these is unclear, that uncertainty is itself a compliance risk — and one the FCA has signalled it will pursue.
Download the full whitepaper by Wordwatch here.
Copyright © 2026 FinTech Global
