Non-Financial Misconduct and the FCA: What the Changes Mean for Code of Conduct Monitoring

Jun 15, 2026

The FCA has spent several years signalling that non-financial misconduct — bullying, harassment, and other serious behavioural failures — sits squarely within the scope of its regulatory framework. PS25/23, which introduces binding changes to how firms must handle and report non-financial misconduct, makes that expectation enforceable from 1 September 2026. 

For compliance teams, the question is no longer whether non-financial misconduct is a regulatory matter. It is whether your code of conduct, breach reporting processes, and conduct monitoring programme are designed to meet the standard the FCA will now apply. 

What Has Changed?

PS25/23 is the FCA’s policy statement on diversity, inclusion, and non-financial misconduct. The conduct-related provisions that take effect from 1 September 2026 have direct implications for how firms structure their code of conduct and what they are required to report under SM&CR conduct rules. 

Conduct Rule 1 (“you must act with integrity”) has been clarified to explicitly encompass non-financial misconduct. The FCA has confirmed that serious bullying, harassment, and victimisation by individuals subject to conduct rules fall within the scope of the individual conduct rules, not just internal HR policy.

Breach reporting under PS26/6 already narrowed the notification requirement to breaches where specified disciplinary action was taken. PS25/23 adds specificity around what constitutes a reportable breach in a non-financial misconduct context — and firms need to ensure their triage and escalation processes can apply that test consistently. 

Regulatory references must now capture non-financial misconduct findings where they are relevant to fitness and propriety. This has direct implications for your reference process and what is retained in the underlying HR and compliance record. 

Non-financial misconduct is no longer a people-management issue that sits adjacent to compliance. From 1 September 2026, it is part of the conduct framework your firm will be assessed against. 

What This Means for Your Code of Conduct  

Most firms have a code of conduct that addresses non-financial misconduct in some form, typically through an anti-harassment or similar HR policy. PS25/23 changes the regulatory weight of that policy and the standard it needs to meet.

Scope clarity. Your code of conduct needs to make explicit that serious bullying, harassment, and victimisation are compliance matters, not only HR matters — and that individuals subject to SM&CR conduct rules are accountable for their behaviour in this area under the regulatory framework, not just under employment law. 

Escalation pathways. The code needs to set out a clear route from a non-financial misconduct allegation to a compliance-owned triage process. If every complaint routes exclusively through HR without a structured compliance gateway, the firm cannot demonstrate that it is applying the conduct rule lens the FCA now requires. 

Attestation and training. Employees subject to conduct rules need to understand, and attest to understanding, that non-financial misconduct falls within the scope of those rules. Generic dignity at work training does not satisfy this. The training needs to connect the behaviour to the regulatory obligation. 

Record retention. Where a non-financial misconduct matter results in disciplinary action, the compliance record needs to capture the outcome in a form that supports the firm’s breach reporting assessment and, where relevant, the regulatory reference process.

The Code of Conduct Monitoring Gap

The most common structural gap firms will face under PS25/23 is not in their policy. It is in their monitoring. Most conduct monitoring programmes are designed around financial misconduct and regulatory breaches: personal trading, conflicts of interest, market conduct. Non-financial misconduct has typically lived in HR systems, separately from the compliance function’s visibility. 

PS25/23 requires that gap to close. Specifically: 

  • Compliance needs visibility of non-financial misconduct outcomes sufficient to make an informed breach reporting assessment. That means a structured information-sharing arrangement with HR, not an ad hoc one. 
  • The triage process needs to be documented. When a compliance team reviews a non-financial misconduct outcome and determines it does or does not meet the threshold for conduct rule breach reporting, that determination needs a rationale that can withstand regulatory scrutiny. 
  • Monitoring data needs to inform conduct risk assessment. A pattern of low-level complaints about the same individual, none of which individually triggers a breach report, is a conduct risk indicator. Firms need a monitoring framework that can surface those patterns, not just process individual cases in isolation.

If your compliance function cannot demonstrate that it has visibility of non-financial misconduct outcomes and applies a structured conduct rule assessment to them, that is a gap the FCA will identify.

What Good Looks Like

A conduct risk framework that meets the PS25/23 standard has three characteristics working together. 

An integrated code of conduct that explicitly covers non-financial misconduct as a conduct rule matter, with training that connects the behaviour to the regulatory obligation and attestation records that compliance can retrieve. 

A structured compliance-HR interface that routes non-financial misconduct outcomes through a documented compliance triage process — with a clear, recorded determination on whether the matter meets the threshold for conduct rule breach reporting. 

Conduct monitoring that aggregates as well as processes, so that patterns across individuals, teams, and business lines are visible to the compliance function rather than siloed within individual HR cases. 

Frequently Asked Questions

What is non-financial misconduct under the FCA’s framework? 

Non-financial misconduct refers to serious behavioural failures — including bullying, harassment, and victimisation — that the FCA has confirmed fall within the scope of individual conduct rules for individuals subject to SM&CR. From 1 September 2026, PS25/23 makes this enforceable, meaning firms must treat serious non-financial misconduct as a conduct rule matter subject to breach reporting assessments and, where relevant, regulatory reference obligations — not only as an HR or employment law issue. 

Does PS25/23 change what firms must include in their code of conduct? 

PS25/23 raises the regulatory weight of how codes of conduct address non-financial misconduct. Firms need to ensure their code makes explicit that serious bullying, harassment, and victimisation are conduct rule matters for SM&CR-regulated individuals; that training connects the behaviour to the regulatory obligation rather than treating it as solely an HR matter; and that attestation records are retained in a compliance-accessible format. A dignity at work policy alone is no longer sufficient to demonstrate compliance with the FCA’s conduct expectations. 

How should compliance teams structure their approach to non-financial misconduct monitoring? 

Compliance teams need a structured information-sharing arrangement with HR that gives them visibility of non-financial misconduct outcomes, a documented triage process that applies a conduct rule assessment to each outcome and records the rationale, and monitoring capability that can surface patterns across individuals and business lines — not just process individual cases. The FCA will expect to see evidence that compliance has applied a regulatory lens to non-financial misconduct matters, not merely that HR has managed them. 

How Comply Supports Conduct Risk Monitoring

Comply’s code of conduct and employee compliance solution gives compliance teams the visibility, documentation, and monitoring capability the new rules require – from policy attestations to conduct pattern reporting. Book a demo to see how it works for your firm. 
