FCA September 2026 Non-Financial Misconduct Rules: The Section 250 Intersection

What PS26/6 changes from September 2026

FCA Policy Statement PS26/6, published 22 April 2026, confirms changes to the Conduct Rules (COCON) and the SM&CR guidance framework, with the key NFM provisions taking effect in September 2026.

The core change: non-financial misconduct — including bullying, harassment, and serious unprofessional behaviour — is now explicitly addressed within COCON Individual Conduct Rule 1 (acting with integrity) and COCON Individual Conduct Rule 2 (acting with due skill, care and diligence). The FCA had long taken the view that serious NFM could constitute a breach of these rules, but PS26/6 and its accompanying guidance make the link explicit and provide illustrative examples.

For firms, the practical effect is: a finding of non-financial misconduct against a conduct-rules-in-scope individual can now be addressed directly through COCON referral to the FCA, not only through internal disciplinary process. The FCA has confirmed it expects firms to take NFM seriously as a regulatory matter, and that the FCA is prepared to use its enforcement powers where firms fail to do so.

This is not a new criminal provision. The September 2026 NFM rules remain FCA conduct regulation — breaches attract regulatory sanctions (fines, prohibitions, withdrawal of approval, public censure) through FCA enforcement. They are not, in themselves, a route to criminal prosecution. That distinction matters for understanding the Section 250 intersection.

The two regimes: one regulatory, one criminal

COCON and Section 250 of the Crime and Policing Act 2026 are built on entirely different foundations and serve different purposes. It is worth stating the boundary clearly before mapping the overlap.

COCON (including the expanded NFM rules) is FCA conduct regulation under the Financial Services and Markets Act 2000. The FCA enforces it through its regulatory powers: supervisory engagement, enforcement action, fines, and individual prohibition. A firm that breaches COCON faces regulatory consequences from the FCA. An individual in breach of COCON Individual Conduct Rules faces potential FCA enforcement including withdrawal of approval or certification. None of this is criminal.

Section 250 of the Crime and Policing Act 2026 (c.20) is a corporate criminal attribution mechanism. Under s.250(1), where a senior manager of a body corporate or partnership commits a criminal offence under UK law within the actual or apparent scope of their authority, the organisation is also treated as having committed that offence. The penalty the organisation faces is the penalty for the underlying criminal offence — not a regulatory fine, and not anything imposed by the s.250 section text itself. Prosecution is through the criminal courts: the SFO and CPS for the most serious matters.

These are parallel regimes. A failure under COCON is not automatically a criminal offence. A criminal offence by a senior manager does not automatically constitute a COCON breach (it will often do so, but the test is different). Both can apply to the same conduct, but through different processes and with different consequences.

Where the populations overlap

The interesting question for firms is not which regime applies in theory — both do, separately — but which individuals fall in scope of both.

COCON applies to conduct-rules-in-scope individuals: all non-ancillary staff, broadly. The NFM rules, given their explicit COCON footing, apply to this broad population.

Section 250(3) applies to a different, narrower population: individuals who play a significant role in the making of decisions about how the whole or a substantial part of the organisation's activities are managed or organised, or in the managing or organising of those activities. The s.250(3) test is functional — it turns on actual organisational authority, not FCA registration status.

The overlap: an individual who meets the s.250(3) functional test will also, almost certainly, be conduct-rules-in-scope under COCON. Senior managers (SMF holders) are specifically in scope for COCON Senior Manager Conduct Rules. The broader s.250(3) population — including individuals who exercise real organisational authority but hold no SMF — will typically be in scope for Individual Conduct Rules.

So for an FCA-regulated firm: the individuals at the heart of the NFM rule changes are the same individuals whose criminal conduct could trigger corporate attribution under s.250. The populations are not identical, but they are substantially overlapping for the senior and managerial cohort.

NFM referrals and s.250: what the interaction looks like in practice

Consider what happens when a senior manager of an FCA-regulated firm is found to have committed an act of serious harassment — conduct that could constitute the criminal offence of harassment under the Protection from Harassment Act 1997.

Under COCON, the firm has regulatory obligations: to investigate, to take appropriate action, and potentially to refer to the FCA if the conduct constitutes a breach of Individual Conduct Rules. The NFM rules in PS26/6 make the expectation clear: firms are not to treat serious NFM as a purely HR matter when the individual is conduct-rules-in-scope.

Under s.250, a separate and parallel question arises: did this individual commit a criminal offence under UK law (harassment, in this example) within the actual or apparent scope of their authority? If yes, and if the individual meets the s.250(3) functional test, the organisation is also treated as having committed that offence. The organisation does not escape criminal attribution by running a COCON process. COCON referral is a regulatory response; it is not a barrier to, nor a substitute for, the criminal analysis.

The practical implication for compliance officers: where an NFM matter involves potential criminal conduct by a senior individual, the firm's response must consider both tracks — the regulatory COCON track and the s.250 corporate attribution exposure — simultaneously and separately. Running one does not discharge the other.

This is not a novel complexity. It reflects the general structure of UK law: regulatory enforcement and criminal enforcement run concurrently, managed by different bodies, under different standards of proof, with different consequences.

What firms should do before September 2026

The September 2026 NFM rule changes give firms two distinct tasks to complete before the effective date, and the two tasks should not be conflated.

The first task is the COCON/NFM governance task: ensuring that the firm's NFM policy, investigation procedures, escalation framework, and COCON referral processes are fit for purpose in light of PS26/6 guidance. This includes training managers, updating People Policies, and ensuring HR and compliance work jointly on NFM matters. This is the regulatory compliance task under the FCA's conduct regime.

The second task is the s.250 gap analysis task: ensuring that the firm has identified which individuals meet the s.250(3) functional test, obtained declarations from those individuals, and generated a board evidence pack. This task should have been completed before 29 June 2026 (when s.250 came into force), but firms that have not completed it must do so now. The NFM rule changes do not make this task optional, and completing the COCON/NFM task does not substitute for it.

Where the two tasks connect: the s.250(3) population is substantially the senior and managerial cohort that is also most likely to be in scope for the enhanced NFM scrutiny under PS26/6. A firm that has a complete s.250(3) register of in-scope individuals has the raw material for its PS26/6 NFM governance — it knows who the senior people are, which roles carry what decision-making authority, and where the s.250 exposure sits.

What PS26/6 does not change

To be precise about the boundaries: PS26/6 does not create new criminal liability. The FCA's NFM rules are regulatory conduct rules. A breach of COCON is not a criminal offence. The FCA cannot prosecute firms or individuals for criminal offences under COCON enforcement powers.

PS26/6 does not alter the s.250(3) functional test. Section 250 is primary legislation in the Crime and Policing Act 2026 (c.20). The FCA has no power to modify it. The standard for who qualifies as a "senior manager" under s.250(3) is set by Parliament, not by the FCA, and PS26/6 does not touch it.

PS26/6 does not create a defence to s.250. A firm that has fully complied with PS26/6 and run a sound NFM governance process has reduced its regulatory risk under COCON. It has not, through those steps alone, addressed its s.250 corporate criminal attribution exposure. That requires the gap analysis, the declaration cycle, and the board evidence pack — regardless of what else the firm does under FCA conduct rules.

The honest framing of what the September 2026 changes add: they raise the regulatory bar for how firms handle NFM. That is a meaningful and important development. But for firms exposed under s.250, it is a parallel development — to be managed alongside the s.250 work, not instead of it.

Related articles

Sources

• FCA PS26/6 — Policy Statement: non-financial misconduct, 22 Apr 2026www.fca.org.uk/publication/policy/ps26-6.pdf
• FCA — Conduct Rules (COCON)www.handbook.fca.org.uk/handbook/COCON/
• Crime and Policing Act 2026, s.250 (c.20)www.legislation.gov.uk/ukpga/2026/20/section/250
• Protection from Harassment Act 1997www.legislation.gov.uk/ukpga/1997/40/contents
• FCA — Senior Managers and Certification Regimewww.fca.org.uk/firms/senior-managers-certification-regime