From 1 September 2026, FCA rule PS25/23 brings serious work-related bullying, harassment and violence into the conduct rules, whether or not a protected characteristic is involved. It is a personal liability shift for senior managers. Get too close to an investigation and you risk the tribunal. Stay too distant from your function and you risk the regulator. The only way it reconciles is a hard line between system and case. Treat September 2026 as a governance project, not a policy refresh.
The FCA published a policy statement last year. PS25/23. It comes into force on 1 September 2026.
Recently, I argued people risk belongs on the risk register alongside market and operational risk. PS25/23 is what it looks like when the regulator stops asking and starts measuring.
Most firms are treating it like a policy update. Refresh the dignity at work policy. Roll out some training, make sure the box is ticked, alongside all of the ERA changes.
This is something markedly different. It is a personal liability shift, and there is a structural tension at the heart of it that nobody is resolving.
What the rule actually does
The new rule expands the FCA’s Conduct Rules to make clear that serious work-related non-financial misconduct, put very simply as bullying, harassment and violence directed at colleagues or others in the work context, can amount to a regulatory breach.
The FCA’s definition of harassment aligns with section 26 of the Equality Act, with one significant difference. The conduct does not need to be linked to a protected characteristic. Serious work-related bullying or harassment can be in scope regardless of who is involved or why, and that distinction widens the net considerably.
The tension nobody is resolving
The tension lies between what employment law requires and what the FCA asks of an SMF. Employment law requires that disciplinary outcomes be decided by impartial people without predetermination. Senior managers can hold governance oversight, but they cannot be the people influencing outcomes in individual cases. If an SMF is seen to have improperly influenced an outcome, the claimant has a procedural unfairness argument.
SMCR pulls the other way. The SMF is personally accountable for what happens in their function, and PS25/23 sharpens that. The FCA has said accountability is relative to a manager’s knowledge and authority. In practice, an SMF with authority over an area but no system for knowing what is happening in it is going to find that distinction hard to lean on.
Now consider those positions together. If you get too close to investigations you risk the employment tribunal. Stay too distant from your function and you risk the regulator. The same SMF, the same incident, two different ways to be exposed.
The FCA has given firms a test, but it has left firms to build the operating model that resolves it.
System, not case
The only way it reconciles in practice is through a distinction between system and case.
SMFs are accountable for the architecture, not the verdict. They should see themes, patterns, volumes. Time to resolution. Investigation capability and capacity. Repeat offenders and repeat hot spots. What they should not see is live case detail, nor specific outcome decisions before they are made.
The margin note that hands over the case
Take the SMF who hears one of their senior people is under investigation. They ask to see the draft report. They disagree with a finding and leave a comment in the margin. Later, during the tribunal claim or a subject access request, that comment surfaces in disclosure. The procedural unfairness argument writes itself. They were trying to be diligent, but in reality they have just handed the claimant their case.
What to build, and how
First, draw the line between system and case. Decide explicitly what an SMF should see and what they should not. Themes, volumes, time to resolution, capability and capacity, repeat hot spots, escalation patterns. Absolutely. Live case detail, draft investigator findings, individual outcome decisions before they are made. Absolutely not.
Second, map the process. From the moment a complaint lands, who knows, when, and who decides. If systemic information only reaches the SMF in a quarterly pack, the system is too slow to be defensible. If case detail reaches the SMF in real time, the system is too leaky to protect the process. The right architecture sits between the two.
Third, bring it into the boardroom. Treat September 2026 as a governance project, not an HR one. The board needs to understand the rule, the tension, and what the firm has built to reconcile them. Not a paper to file, or a box to tick, but a conversation the board actively engages in.
What the FCA is actually going to do
The regulator has said the policy work is done. The focus turns now to how firms are tackling this in practice. That means supervision and thematic reviews. It also means fitness and propriety questions for senior managers when something goes wrong, public censure for firms that cannot show they took it seriously, and in the worst cases potential financial penalties and prohibitions for individuals the regulator concludes were on watch when it mattered.
The industry that prices risk for everyone else has weeks to put a number on its own.
PS25/23 is a governance problem before it is an HR one. If you are working out what an SMF should see, what they should not, and how to build the line between them, that is the kind of work I do.