The FCA Just Made Culture a Compliance Requirement

For decades, compliance in financial services has meant preventing market abuse, detecting insider trading, and ensuring data integrity. But the FCA’s latest consultation paper, CP25/18, signals a clear shift: the focus is now on people, behavior, and culture, said Shield in a statement. 

The proposed rules on non-financial misconduct (NFM) expand the regulator’s reach to nearly 38,000 firms, including asset managers, brokers, and insurers. For the first time, bullying, harassment, and abuse of power are being treated as regulatory risks, not just HR problems. And the key question firms must answer is no longer, “Did you know?” but “Should you have known?”

“The expansion of non-financial misconduct rules to nearly 38,000 firms is a watershed moment,” said Alex de Lucena, Head of Surveillance and Governance Strategy at Shield. “It’s no longer enough to say ‘we didn’t know.’ Regulators are asking, ‘should you have known?’ This focus extends beyond UK borders to any global financial institution with UK operations, ensuring conduct oversight applies not just within the UK but across international firms’ entire organizational structures.”

Standardizing What Was Once Subjective

Much of the FCA guidance focuses on better standardizing HR controls as they relate to conduct. This ensures a more operationalized risk program that doesn’t favor one approach or person over another. The regulator wants consistent, auditable processes that can withstand scrutiny.

This standardization extends to how firms detect, investigate, and document misconduct. Private behavior, social media activity, and internal conversations are now part of the risk landscape. Firms that fail to prepare face serious exposure to fines, reputational damage, and loss of trust.

A Unified Approach to Risk Detection

The solution doesn’t require separate systems for financial and non-financial risks. By creating distinct workflows and use cases for different departments while using the same data, platform, and investment, firms can provide more value across their risk functions.

Shield’s AI-driven surveillance platform is designed for this new reality. By unifying compliance, HR, and supervisory oversight with secure, permission-based access controls, Shield helps firms:

• Spot early warning signs of bullying, harassment, or misconduct hidden in everyday communications
• Standardize detection and response across departments using consistent, auditable processes
• Document decisions and investigations to create defensible audit trails for regulators
• Reduce managerial risk by surfacing issues before they escalate
• Protect privacy while enabling oversight through granular permission controls

Training Through Real Examples

Implementation should include internal employee training using real examples of what constitutes misconduct. This approach helps staff understand boundaries while demonstrating the firm’s commitment to cultural standards. The same surveillance technology that detects issues can help create training scenarios that illustrate proper conduct.

Leading the Industry Standard

The financial sector has long invested in monitoring trades and transactions. Now it’s time to monitor culture with the same rigor and technological sophistication.

“The firms that act now won’t just comply with September 2026 requirements—they’ll set the cultural standard for the industry,” said de Lucena. “Organizations need to treat cultural oversight as seriously as market surveillance, because integrity isn’t just measurable, it’s competitive advantage.”

Shield’s comprehensive analysis of CP25/18’s requirements breaks down the regulatory text into actionable steps compliance teams can take before the consultation closes and implementation begins.