On 1 September 2026, the Financial Conduct Authority’s (FCA) Code of Conduct will formally extend to cover bullying, harassment and discrimination across every FCA-authorised organisation — not just banks.
For many firms, the visible groundwork has already been laid: policies have been refreshed, training programmes are underway, and “reasonable steps” have been documented.
But a more fundamental question remains. When the first allegation arrives, can the relevant conversation be retrieved — from whichever channel it took place on — in a defensible format, within the timeframe the regulator demands? The firms that navigate the initial wave of scrutiny successfully will not necessarily be those with the most polished policies. They will be those whose evidence layer is operationally ready.
Wordwatch recently put together a whitepaper on the FCA non-financial misconduct evidence gap.
What the FCA has signalled
The regulator’s direction of travel has been unambiguous. In August 2025, the FCA’s multi-firm review of 11 wholesale banks identified 178 confirmed breaches of internal communications policies within a single year. Notably, 41% of those breaches involved directors or senior managers — precisely the population most exposed under the incoming conduct rule.
Then, in January 2026, co-executive director of enforcement Therese Chambers confirmed at the BCLP Emerging Themes event that the FCA does not rule out enforcement action in relation to non-financial misconduct cases. The Decision Notice against Crispin Odey, published in March 2025, meanwhile stands as the established senior-conduct precedent. Taken together, the message is consistent: surveillance is technology-neutral, the channel is irrelevant, and the record must be complete, retrievable and defensible.
What firms need to understand before September
According to Wordwatch, for asset managers, insurers, brokers and wealth platforms, the practical implications of COCON 1.1.7FR go beyond policy drafting. Firms need a precise understanding of where the FCA has drawn the line between historic conduct and what now falls within scope. Equally important is reading the FCA’s recent communications in combination: the August 2025 multi-firm review, the 2026 Wholesale Markets Regulatory Priorities Report, the Chambers commentary from January 2026, and the Odey Decision Notice each carry weight individually — but it is the overlap between them that reveals the regulatory signal most clearly.
Three retrieval scenarios most firms cannot yet answer
Several scenarios are likely to expose unprepared organisations. The first involves a cross-channel allegation against a senior trader, where communications may span email, messaging apps and voice. The second concerns a legacy-pattern complaint extending back several years, requiring the retrieval of records that may predate current archiving arrangements.
The third is an integrity test: records that were captured, but where completeness cannot be demonstrated to a regulator’s standard. Each of these scenarios demands not just that records exist, but that firms can prove they were accurately captured at the time.
Vendor accountability and where responsibility lies
One frequently overlooked risk involves the limits of third-party accountability. Third-party outages, reconciliation gaps and missing data do not transfer regulatory responsibility away from the authorised firm.
For any organisation whose evidence layer is outsourced, this has direct implications: the firm remains accountable regardless of where the failure originated. Compliance and IT teams need to understand the precise boundary between what a vendor is responsible for and what falls squarely within the firm’s own obligations.
What good looks like before the deadline
Practical benchmarks already exist, drawn from firms that have consolidated their evidence layer. Effective capture, robust archiving, rigorous reconciliation and self-service retrieval are the four pillars.
A useful internal test is whether your organisation can pull a specific conversation across every regulated channel within a single working day, demonstrate that capture was functioning on any given date, and trace any AI-flagged alert back to its underlying record. If those three questions cannot be answered confidently, the September deadline represents a live exposureFCA’s conduct rules expand in September 2026. Is your evidence layer ready? Read the essential guide for compliance leaders. — one that no amount of policy documentation will fully address.
Download the full whitepaper by Wordwatch here.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
