When the Financial Conduct Authority (FCA) published CP25/18 on 2 July 2025, it sent a clear signal to regulated firms: workplace culture is no longer an internal or peripheral issue.
According to Wordwatch, framed as a consultation and policy statement on tackling non-financial misconduct in financial services, CP25/18 positions culture squarely as a regulatory risk that boards, senior managers and compliance teams can no longer afford to treat as “soft” or secondary.
Officially titled Tackling non-financial misconduct in financial services, CP25/18 combines finalised rule changes with draft guidance designed to explain how firms should apply them in practice. While the document is technical in tone, its implications are far-reaching. The FCA is redefining the boundary between internal employment matters and regulated conduct, reinforcing the idea that behaviour within firms directly affects trust, market integrity and consumer outcomes.
At the centre of the proposals is the extension of the FCA’s conduct framework to explicitly include serious non-financial misconduct for non-bank firms. Behaviour such as bullying, harassment, violence or actions that create an intimidating, hostile, degrading or offensive environment is no longer outside regulatory scope. Through the introduction of a new rule, COCON 1.1.7FR, the FCA is aligning expectations across almost all FSMA-authorised firms with Part 4A permissions. From 1 September 2026, individuals subject to COCON will be expected to treat serious workplace misconduct as a breach of regulatory conduct standards, not merely an HR issue.
This shift goes beyond technical amendments to the Code of Conduct. It reflects a broader change in how the regulator views fitness, propriety and market integrity. Culture, in the FCA’s view, directly influences decision-making, risk appetite and the likelihood of consumer harm.
To support this change, the FCA is consulting on updated guidance across COCON and the Fitness and Propriety sourcebook (FIT). The guidance tackles areas firms have historically struggled with, including how to judge the seriousness of alleged misconduct, where the line sits between everyday workplace conflict and regulated behaviour, and when conduct outside work becomes relevant to regulatory assessments. These questions are difficult precisely because they are nuanced, but under CP25/18 they can no longer be handled informally or inconsistently.
The regulator’s motivation is rooted in concerns about wider systemic harm. The FCA has repeatedly highlighted the risk of “rolling bad apples”, where individuals with misconduct histories move between firms without transparency. Although the FCA stepped back from broader diversity and inclusion proposals outlined in CP23/20, CP25/18 makes clear that non-financial misconduct remains firmly on the supervisory agenda.
For firms, the practical consequences are significant. Serious workplace misconduct now clearly sits within regulatory scope, meaning HR processes alone are insufficient. Investigation, disciplinary, whistleblowing and escalation frameworks across HR, compliance and legal teams must be aligned.
Training programmes need to reflect regulatory expectations, and documentation must be robust enough to withstand scrutiny. Senior Managers under SM&CR face greater accountability, with culture now something that must be demonstrable and defensible.
As a result, evidentiary readiness becomes critical. Firms must be able to show not only that issues were addressed, but how and when decisions were made. This is where RegTech platforms such as Wordwatch can support compliance efforts. As a modular communications governance and archiving platform, Wordwatch enables comprehensive capture of voice and digital communications, strong auditability and defensible record-keeping. These capabilities are increasingly important as conduct, culture and compliance converge under CP25/18.
Ultimately, CP25/18 raises the bar for regulated organisations. It reframes culture as something that must be governed with the same rigour as financial risk. For firms that respond proactively, it offers an opportunity to strengthen trust and resilience. For those that do not, it serves as a clear regulatory warning.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
