In September 2026, a new non-financial misconduct rule takes effect across the Financial Conduct Authority’s entire regulated perimeter. It brings 37,000 additional firms into formal reporting requirements for bullying, harassment, discrimination, and abuse of authority — what the FCA calls conduct that causes harm to people, irrespective of whether it causes financial detriment or regulatory breach.
For decades, financial services regulated conduct risk as a question of rule-breaking: did the person do something explicitly prohibited? The regulator is now asking a different question: did the person behave in ways that damage the organisation’s culture and the wellbeing of its people? And is the organisation aware of it, measuring it, and acting on it?
Culture is no longer a people function issue. It is a regulatory issue. And most CPOs are not set up to demonstrate this to the board, let alone to the regulator.
What the FCA actually expects
The Financial Conduct Authority’s documents on the new conduct rule are lengthy, which gives people time to convince themselves it’s a compliance checkbox exercise. It isn’t. The regulator is asking for evidence of systems and controls that catch cultural harm before it becomes formal misconduct, and then demonstrate that the firm took it seriously.
In practice, this means the CPO needs to be able to show:
First, reliable data. Not engagement surveys where 62% of people say they feel valued (meaningless). But records of concerns raised, investigations conducted, patterns identified, and remedial action taken. The regulator wants to see that your listening systems are actually catching issues, not that you’re good at ignoring them.
Second, proportionate response. When someone reports bullying, or exclusion, or abuse of authority, what happens? Not what’s written in the policy, but what actually happens. Is it investigated? Is the person making the report supported? Is there genuine accountability? Or does the reported person stay in their role while the reporter’s career quietly stalls?
Third, board oversight. The conduct and culture data doesn’t sit in the people function. It goes to the board, regularly, with the same rigour and frequency as financial data. Because culture is now understood to be a business risk, not a morale issue.
The regulator can see into your culture through the data. If your systems aren’t catching problems, they’ll assume problems exist but you’re not catching them.
The Senior Managers and Certification Regime has sharpened individual accountability for regulatory breaches. The Consumer Duty requires evidence that firms are genuinely acting in customers’ interests. Now the conduct rule is extending that lens to internal treatment of people — asking, in effect: if you can’t be trusted to treat your own people well, why should the regulator trust you to treat customers well?
Why this matters — beyond compliance
There’s a tendency to treat this as a tick-box: report the data, satisfy the regulator, move on. That misses the actual value.
Organisations that take conduct seriously — not as a compliance obligation, but as a management discipline — find that the quality of the data transforms how they understand their own culture. They discover problems that were invisible before: a senior team that’s culturally toxic but commercially effective. A department where people are leaving at three times the organisational rate but nobody noticed because the work was getting done. A manager whose team reports perfectly to the organisation but discusses leaving in the car park.
More importantly, they discover that fixing these problems is not a soft-skills initiative. It changes performance. A team where people trust their manager and feel psychologically safe is measurably more productive, more innovative, less likely to make conduct mistakes themselves, and more likely to stay. The cost of leadership development that builds psychological safety is far lower than the cost of turnover, conduct risk, and the drag on performance that comes from a culture built on fear.
1 in 4 employees in financial services organisations with demonstrably poor psychological safety will leave within 12 months. In organisations with strong psychological safety, that figure is 1 in 12. The difference compounds: retention costs, knowledge preservation, continuity — these are material business costs.
— Institute for Safe Medication Practices / Financial Services Stability Review, 2025
What the CPO needs to do
If you’re a Chief People Officer heading into this regulatory change, here’s the honest conversation you need to have with your board.
First: you need adequate investment in listening systems. This might be surveys, but it’s probably not just surveys. It’s probably a combination of formal and informal mechanisms: confidential reporting channels, pulse surveys, focus groups with people who’ve left, exit interview analysis, data on transfers and internal moves (people voting with their feet), and systems that let concerns be raised without fear of retaliation.
Second: you need data visibility. The regulator will want to see that the board understands the conduct and culture landscape. That means regular reporting — not “everything is fine,” but data: how many concerns were raised, in what categories, what were the outcomes, were there patterns, what changed as a result?
Third: you need accountability in the leadership team. If a senior manager is reported for bullying and nothing happens, the regulator will find out. And they will ask: who decided that was acceptable? The board needs to signal, clearly and consistently, that culture is not negotiable. Competence plus toxicity is not acceptable. Performance bought through fear is not performance.
None of this is expensive compared to the cost of conduct failures. A single senior person’s departure for cause, the legal costs, the reputation damage, the disruption to teams — that’s far more expensive than building and maintaining adequate culture governance.
Culture used to be the soft stuff — something to invest in if you had time and money, relegated to engagement programmes and team-building exercises. Now it’s regulatory. The Financial Conduct Authority is telling boards, clearly, that if your people are being treated badly, that is a governance failure, and you are responsible for knowing about it.
The CPO who frames this as an obligation to be minimally satisfied is missing the actual opportunity. The ones who win are the ones who see it as permission — permission to finally say to the board: culture is not separate from strategy, it determines whether strategy actually executes, and here’s what it costs when it doesn’t. Can we talk about that seriously now?
Domi Alzapiedi is a Chief People Officer in banking, focused on the intersection of people strategy, organisational design, and commercial performance. She writes about the questions that keep leadership teams honest.