Non-financial Misconduct: Can You Prove What Was Said under the FCA's 2026 COCON Rule?

FCA Non-Financial Misconduct: The COCON Rule Explained

From September 1st, 2026, bullying, harassment and violence between colleagues fall inside the FCA's Code of Conduct (COCON) for firms beyond banking. The new rule does not just ask you to hold a policy. It requires a defensible judgment about what happened, and that judgment rests on proof.

This article explains what changes, who falls within scope, and why every decision the rule demands turns on a single question: Can you prove what was said?

TL;DR: Key takeaways

  • A new FCA rule (COCON 1.1.7FR) brings serious bullying, harassment, and violence toward a colleague inside the conduct rules for firms beyond banks, effective September 1, 2026.
  • The FCA's non-financial misconduct rule requires firms to make and defend a judgment about what happened, not merely hold an anti-harassment policy.
  • Firms must now make three judgments: was a conduct rule breached; must the FCA be notified; and what must go into a departing employee's regulatory reference? Each one depends on provable fact rather than memory.
  • Firms that capture work conversations on their own systems, governed under GDPR, can defend non-financial misconduct decisions; firms relying on recollection are exposed.

What is non-financial misconduct?

Non-financial misconduct is serious workplace misconduct that is not financial in nature. Examples include bullying, harassment (including sexual harassment), and violence toward a colleague. The Financial Conduct Authority's (FCA) guidance covers conduct whose purpose or effect is to violate a colleague's dignity, or to create an intimidating, hostile, degrading, humiliating, or offensive environment.

Three categories sit at the center of the rule:

  • Bullying and harassment: Unwanted conduct that violates a colleague's dignity or creates a hostile environment for them.

  • Violence: Physical acts toward a colleague, which the guidance explicitly brings within scope.

  • Sexual harassment: Covered by the rule, alongside firms' separate duties under the Equality Act.

The most important distinction from standard conduct supervision is that the rule applies only to “serious” misconduct, and seriousness is judged on the facts of each case, not on whether a formal complaint was made.

What changes under the FCA's new COCON rule in 2026?

From September 1, 2026, work-related misconduct toward a colleague falls within COCON for firms beyond banks when it relates to the performance of the individual's role. This is a change of scope, and it is set out in the new rule at COCON 1.1.7FR.

The rule was confirmed by the FCA in July 2025, with final Handbook guidance published in Policy Statement PS25/23 in December 2025. Until now, conduct rules at non-banks applied mainly to behavior tied to a firm's financial-services activities. The new rule widens that boundary: Misconduct toward a colleague is in scope whether or not it forms part of a financial-services activity, aligning non-banks with the wider rules that already apply to banks.

I want firms to be equally clear about what the rule does not do. The rule does not regulate every interpersonal friction or personality clash. It captures serious conduct, connected to work, that engages one of the individual conduct rules, and it requires the firm to make and stand behind that judgment.

Who do the FCA's new conduct rules apply to?

The FCA’s COCON rule applies to firms holding a Part 4A permission whose staff are subject to the conduct rules. A Part 4A permission is the authorization under the Financial Services and Markets Act 2000 (FSMA) that lets a firm carry on regulated activities; in other words, it is the standard marker of an FCA-regulated firm.

That population reaches well beyond banks. According to the FCA's cost analysis in PS25/23 (paragraph 5.5), the rule and its guidance affect an estimated 37,805 firms under the Senior Managers and Certification Regime (SM&CR), the framework that makes individuals in regulated firms personally accountable for their conduct and competence. In practice, that brings asset managers, insurers, brokers, and wealth managers into scope.

There is a sensible boundary. Conduct is in scope when either the person responsible or the subject of the misconduct works in the financial-services part of the business. Where a firm runs a genuinely separate non-financial business, conduct confined entirely to that part stays outside the rule. For most regulated firms, though, that is a narrow carve-out, not an escape hatch.

Why the new non-financial misconduct rule demands proof

Every decision the rule requires rests on one question: What actually happened? When an allegation lands, a firm must judge:

  1. whether the conduct was serious,

  2. whether it was reasonable for it to have the effect described, and

  3. which conduct rule it engaged.

Each of those is a finding of fact before it is a finding of law.

Memory is contested. Records are not. Where the conduct happened on company channels (a call, a meeting, a Microsoft Teams message), the distance between a defensible decision and a disputed one is whether you can replay what was said.

"I have spent a long time around compliance teams, and the part of any new rule that keeps people up at night is rarely the headline. It surfaces weeks later, when a firm realizes the rule no longer lets it point at a policy document and move on."

Dale Cross, Luware

After years of watching firms handle disputed allegations, I can tell you the three operative decisions the rule creates. All three rest on the same foundation: a record.

1. Was it a conduct rule breach?

Whether conduct counts as a breach depends on two things: how serious it was, and whether it was reasonable to treat it as having the effect the complainant describes. Both are judged on the facts of what happened, not on competing recollections.

The FCA's guidance lists the factors that inform the seriousness assessment:

  • whether the conduct was repeated or part of a pattern,

  • its duration,

  • the scale of its impact,

  • the seniority of the person responsible, and

  • any prior warnings, among others.

The effect of the conduct carries both a subjective and an objective test:

  1. Did the conduct actually affect the person, for example, did it genuinely violate their dignity?

  2. Was it reasonable for the conduct to be seen that way?

A firm cannot apply either limb honestly while guessing at what was said. A contemporaneous record protects the accused as fairly as the complainant, because context and intent are part of the assessment.

2. Do you notify the FCA?

Take formal disciplinary action for a conduct-rule breach and a notification obligation follows. Under section 64C FSMA, a firm must notify the FCA where it issues a formal written warning, suspends or dismisses the person, or reduces or claws back remuneration for the breach. Informal handling does not trigger the duty.

The FCA wants neither over-reporting nor under-reporting. The consequence is that the notify decision depends on a defensible finding that a breach occurred, and that finding depends on the facts. A firm that cannot evidence what happened risks getting it wrong both ways: notifying on a breach it cannot stand behind, or failing to notify on one it should have.

3. What goes in a regulatory reference?

What goes in the reference is a fair and accurate account of any established conduct-rule breach, including serious non-financial misconduct, so the receiving firm is made aware of it.

Preventing individuals from carrying undisclosed misconduct from one firm to the next is a core aim of the reform. A regulatory reference must be both fair to the individual and accurate to the facts, and a reference request may arrive years after the conduct. (How long records must be kept is a question for each firm's own retention policy, set against its reference obligations and data-protection duties, not a fixed period the conduct rule prescribes.) When that request comes, a contemporaneous record is often the only source that still reflects what actually happened. Without it, a firm is asked to certify something it can no longer verify.

Does the FCA’s COCON rule cover employees' private lives?

No, COCON does not reach into private life. The FCA has stated that a person's private or personal life is outside the scope of its power to make and enforce conduct rules, and that the new guidance does not change that position (PS25/23). The rule is about conduct connected to work, on company systems and company time, which is precisely where recording is legitimate.

The distinction answers the surveillance objection directly. The FCA has confirmed that firms are not expected to monitor employees' personal lives or social media accounts. Unlike a surveillance net cast over people's private behavior, recording on company channels is accountability infrastructure: It captures the work conversations a firm is already entitled to oversee, and it strengthens the fairness of an investigation rather than undermining it.

Handled correctly, that infrastructure is governed under the General Data Protection Regulation (GDPR), with a lawful basis, defined retention, and controlled access. The stakes are real, and firms in regulated markets feel them daily. As one of our Luware Recording customers, Christoph Ruys, Product Owner at KBC, said,

"Recording calls is a very sensitive matter, and we have to oblige with strict regulations. Recordings contain sensitive personal information about our customers, and if there is an information leak, we have a huge problem. … Luware has all the right security measures in place so that our calls can't get intercepted."

Christoph Ruys, KBC

The following table depicts a useful way to hold the boundary:

In scope (company systems, work-related) | Out of scope (private life)
Calls, meetings, and chats on the firm's platforms | Personal social-media accounts
Conduct between colleagues in the course of work | Conduct unconnected to the role
Work-related events organized by the firm | Private social occasions in a personal capacity

How to prove what was said under the FCA's non-financial misconduct rule

The question to answer before September 1st is simple to state and harder to satisfy: When misconduct happens on your platforms, can you prove what was said, accurately enough for a regulator, and for long enough to answer a reference request years later? If the answer is anything short of yes, that is a gap.

Luware Recording, Luware's compliance recording platform for Microsoft Teams and other unified communications (UC) platforms, is built to close this gap. It captures the calls, meetings, and chats your people already use for work, with the retention and access controls that let you stand behind an investigation, a notification, or a reference. Advanced search makes it possible to find the relevant conversation in minutes when an allegation lands, rather than reconstruct it from memory. On top of that, AI flags conversations automatically, so potential issues surface as they happen instead of months later in a complaint. As a result, the three decisions the rule demands all rest on a record rather than a recollection.

The capability exists. The work between now and the September deadline is ensuring that your firm can answer the rule's central question, "Can you prove what was said?", with a confident yes.

To see how that works in your environment, learn more about Luware Recording or request a demo with me.


This article contains general information on the FCA's new COCON rule on non-financial misconduct and is not legal advice. Firms are advised to take their own legal and compliance advice on the rule and related data-protection obligations.

Written by: Dale Cross, Head of Product & Partners

Dale Cross is a voice capture and compliance recording technical expert with over 18 years of experience across multiple call recording platforms, including NICE, Verint, and Red Box. With 7 years in engineering and over 11 years in a pre-sales capacity, he brings a rare blend of deep technical knowledge, commercial acumen, and customer-facing expertise. At Luware, he leads product and partnership strategy, drawing on this broad platform experience and a deep understanding of customer requirements.
