From 1 September 2026, the FCA’s Code of Conduct will extend to misconduct such as bullying, harassment and violence across every FCA-authorised organisation.
According to Wordwatch, the change brings nearly 38,000 UK firms into expanded non-financial misconduct (NFM) scope for the first time — and it signals something fundamental: conduct governance is no longer the preserve of human resources. It is fast becoming a core regulatory control.
For many compliance leaders, the policy groundwork is largely done. Frameworks have been updated, escalation procedures drafted, training rolled out. But the harder half of readiness is only beginning to receive serious attention. Firms now need to demonstrate not only that they have the right culture in place, but that they can produce defensible evidence of what happened — across every channel — when an allegation lands.
That distinction matters enormously. An FCA examination will not be satisfied by a well-written policy document. Investigators will want to understand whether problematic behaviour was identified early, how it was handled, and whether the firm can reconstruct events with precision and integrity. For organisations operating across fragmented communication channels — including those that have historically sat outside formal surveillance perimeters — that is a significant operational challenge.
The population most exposed to the expanded rule is often the population least monitored today. Senior managers, client-facing teams, and remote workers frequently communicate across channels that compliance infrastructure has not kept pace with. Closing that gap requires more than a technology fix. It demands a clear understanding of what “reasonable steps” actually means when the question is not whether a manager should have acted, but whether they could reasonably have known.
Chris Reed and Andy Davies, who work daily inside the capture and surveillance estates of regulated organisations, have been tracking how compliance leaders are responding in real time. Their analysis points to three retrieval scenarios that most firms cannot yet answer confidently — including how to handle the legacy gap, where historical communications may be incomplete, inconsistently archived, or simply unreachable within investigation timelines.
The awkward channels question is equally pressing. Oversight of informal or encrypted communications remains a live and unresolved challenge for many institutions, and the regulatory expectation is unlikely to be sympathetic to firms that treated oversight as optional because a channel was inconvenient to monitor.
The most forward-thinking organisations are not simply bracing for scrutiny. They are using the September deadline as a catalyst to move from reactive investigation to proactive culture — embedding behavioural signals into their ongoing engagement with staff rather than waiting for an allegation to trigger a scramble for evidence.
The firms that get both the cultural and the evidence layer right stand to gain more than regulatory compliance. They are better positioned to protect their reputation, retain talent, and build the kind of internal trust that a conduct-first regulator increasingly expects to see demonstrated, not just asserted.
Copyright © 2026 RegTech Analyst





