The Financial Conduct Authority (FCA) has issued CP23/20: Diversity and inclusion in the financial sector which sets out its long-awaited proposals to introduce a new regulatory framework on Diversity and Inclusion (D&I) in the financial sector.

This follows a Discussion Paper in July 2021 and reflects the FCA's concerns around the impact of groupthink, a lack of diverse perspectives or constructive challenge in firms and a lack of understanding of the diverse needs of customers.

The proposals are relevant for all FCA-authorised firms although the most onerous proposals will only apply to firms with 251 or more employees (other than limited-scope SM&CR firms). We call these the Large Firm Rules. The rules will not be relevant for payment service providers or e-money firms unless they also have an additional Part 4A permission.

The proposals include the following:

  • The FCA will incorporate non-financial misconduct into its Conduct Rules, fit and proper assessments, suitability guidance on the Threshold Conditions and guidance on regulatory references. This will apply in respect of all firms with a Part 4A permission.

  • Firms within scope of the Large Firm Rules will be required to:

    • develop a D&I strategy;
    • set targets to address underrepresentation;
    • report and make disclosures annually on certain D&I matters; and
    • incorporate D&I into the firm's governance.

  • In order for the FCA and the PRA to monitor which firms are in scope of the Large Firm Rules, all firms (other than limited-scope SM&CR firms) have to report on the number of employees annually. This will apply in respect of all firms with a Part 4A permission.

The proposals are therefore less wide ranging than had been originally contemplated. For firms with a Part 4A permission but which do not fall within the Large Firm Rules, the impact will be limited to the requirement to report the number of employees and the incorporation of non-financial misconduct into various key rules. The FCA has also said that there are a number of proposals in the Discussion Paper which it does not currently propose to take forward such as a specific individual having responsibility for D&I and linking D&I to remuneration.

The deadline for comments is 18 December 2023 and the FCA intends to publish a Policy Statement with the final rules in 2024. The new rules are expected to come into force 12 months after that. Industry associations and other market participants, particularly those within the scope of the Large Firm Rules, are likely to be keen to respond to the consultation.

The Prudential Regulation Authority (PRA) has also issued its own consultation (CP18/23 – Diversity and inclusion in PRA-regulated firms) for PRA-regulated firms which has been developed in parallel with the FCA consultation.

We discuss the FCA's proposals further below.

1. Scope of the Large Firm Rules and requirement to report number of employees

A key question for firms will be whether they are in scope of the Large Firm Rules. The Large Firm Rules will only apply to firms with a Part 4A permission which have 251 or more employees. The 251 employee threshold reflects the threshold in the Companies Act 2006 which is used for reporting under the Gender Pay Gap regulations.

"Employees" in this context will be based on the FCA definition which also may include contractors, secondees and non-executive directors. The threshold will be calculated on a solo basis, over a rolling three-year period and there will be limited transitional provisions for where a firm which was previously not a "large firm" newly falls within the definition. The Large Firm Rules will not apply to limited-scope SM&CR firms (such as certain limited permission consumer credit firms).

The requirements would only apply to employees that carry out their activities from an establishment in the UK. The requirements would therefore only apply to overseas firms in respect of their activities which are carried out from a UK establishment.

Certain elements of the Large Firm Rules (in particular, the requirement for a D&I strategy) apply to dual-regulated firms subject to the UK Capital Requirements Regulation and UK Solvency II, regardless of their size.

In order for the FCA (and the PRA) to monitor firms within scope of the Large Firm Rules, all FCA firms with a Part 4A permission to carry on regulated activities will have to report their average number of employees to the FCA on an annual basis. The first report would be due three months after the rules come into effect (likely to be during 2025). This requirement would not apply to Limited Scope SM&CR firms.

2. Requirements applicable to all firms - Non-financial misconduct

The FCA intends to incorporate the concept of "non-financial misconduct" into its Conduct Rules in COCON in the FCA Handbook, fit and proper assessments, the guidance on Suitability under the FCA's Threshold Conditions and the giving of regulatory references.

FCA's Conduct Rules

The FCA is proposing to include guidance on the types of behaviour that would fall within the Conduct Rules and which, if carried on, could amount to a breach by the relevant individual of COCON. The FCA views this as an expansion of the scope of COCON.

These would include, in relation to other persons working for the firm, serious instances of bullying, harassment and similar behaviour towards colleagues.

An individual's behaviour would only potentially lead to a breach of COCON, if the behaviour affects other persons working for the firm – although this is drawn broadly and includes, for example, an individual who provides services to the firm or a member of its group.

Conduct is also only within the scope of the rules in COCON if (broadly) it relates to the firm's regulated activities. However, the guidance makes it clear that this is not restricted to direct dealings with counterparties and customers or their assets at the point of sale or at the time of the transaction. In the FCA's view this also covers some associated activities such as post-transaction activities and designing policies and procedures, as well as firm-organised social functions. It seems likely that firms will continue to face difficult questions in the future as to whether to consider certain behaviours as within the scope of COCON or not.

Behaviour in an individual's private or personal life would not be caught. For example, the FCA's guidance states that misconduct in relation to a fellow employee at a social occasion organised by the firm would fall within COCON, whereas misconduct in relation to a fellow employee at a social occasion organised in a personal capacity generally would not. However, the distinction between private and personal life may be less clear in certain circumstances.

Not every instance of misconduct will be a breach of COCON – this will be limited to serious breaches taking into account factors such as the duration of the conduct and the seniority of the individual.

Fit and proper assessments

The FCA also proposes to include non-financial misconduct as something that should be considered as part of the fit and proper test for employees and senior personnel. This would also include behaviour which would fall outside the scope of COCON, including where it relates to the individual's private life. The FCA considers that non-financial misconduct in an individual's private life, such as sexually or racially motivated offences, can harm the FCA's objective of maintaining confidence in the financial system.

This reflects the approach increasingly taken by the FCA, such as in the case of Jon Frensham, where the FCA took action for lack of integrity to work in financial services following a child sexual grooming conviction.

Threshold Conditions

When considering whether a firm meets the Threshold Conditions for authorisation by the FCA, the FCA proposes that, in order to maintain market integrity and conduct, the assessment relating to Suitability should include additional points for consideration such as whether the firm or a related person has engaged in discriminatory practices or sexually or racially motivated offences.

Regulatory references

The FCA also proposes new guidance to the effect that when deciding the information to be included in a regulatory reference a firm may consider including information about disciplinary action taken for misconduct in relation to other employees and, possibly, also persons outside work.

3. The Large Firm Rules

D&I Strategy

Large firms will need to develop an evidence-based D&I strategy (D&I Strategy) which includes:

  • its D&I objectives and goals;

  • a plan for meeting those objectives and goals and measuring progress;

  • a summary of the arrangements to identify and manage any obstacles to those objectives and goals; and

  • ways to ensure adequate knowledge of the D&I Strategy amongst staff.

The management body would be responsible for maintaining and overseeing the D&I Strategy which should be periodically reviewed. The D&I Strategy would also need to be easily accessible, free of charge, for example, by publishing on the firm's website.


A large firm must also set appropriate targets to address underrepresentation of demographic characteristics within the firm. "Demographic characteristics" is not defined and the FCA suggests that it should have its ordinary meaning.

These targets should be stretching but realistic and the firm should use its own judgement in deciding which demographic characteristics it sets targets for (and it will need to disclose its rationale).

The FCA expects that a firm would usually set at least one target for each of the following categories of employees:

  • its management body;

  • its senior leadership; and

  • its employees.

Overseas firms with a non-UK management body or non-UK senior leadership would not need to set targets for that management body or senior leadership (as applicable).

The firm's management body will be responsible for overseeing and monitoring the targets.

Reporting and disclosures

In addition to the requirement to report on the number of employees that applies to all relevant firms, large firms will also need to make a number of additional reports. All of these reports will be made in a specific FCA Diversity and Inclusion Report and the information should be provided on a solo basis.

Large firms will therefore also need to include quantitative information on the workforce including in respect of age, sex or gender, disability or long-term health conditions, ethnicity, religion and sexual orientation. Large firms may also disclose information on a voluntary basis on sex or gender (i.e. whichever is not mandatorily reported), gender identity, socio-economic background and parental and caring responsibilities.

The report should also include matters of culture and inclusion, including information on whether employees feel:

  • safe to speak up if they observe inappropriate behaviour or misconduct;

  • safe to express disagreement with or challenge the dominant opinion or decision without fear of negative consequences;

  • their contributions are valued and meaningfully considered;

  • they are subject to treatment (for example actions or remarks) that has made them feel insulted or badly treated because of their personal characteristics;

  • safe to make an honest mistake; and

  • that their manager cultivates an inclusive environment at work.

In order to provide this information, firms will need first to have surveyed their staff and sought the information from them (although staff will not be required to provide this information).

Finally, firms will need to report detailed information on the targets that they have set and their progress against these targets.

This information should be reported in three categories: management body; senior leadership; and all employees.

Reporting to the FCA should generally be within three months of the relevant reference date with the first reports likely to become due during 2025. However, for the first year, there would be a transitional period allowing firms to report on a "comply or explain" basis. Nevertheless, in that first year, firms should still try and report as much as they can.

Firms will also need to make public disclosures on the matters above, for example, on their website. In order to try and address issues around confidentiality, firms will be able to make certain aggregate disclosures where more granular disclosures would permit an individual to be identified. The FCA will also permit firms not to make disclosures where this would breach data protection law or other relevant laws in the UK or elsewhere.

Public disclosures will be voluntary for the first year and mandatory thereafter.

Risk and governance

Large firms will also be required to treat matters relating to D&I as a non-financial risk and deal with them appropriately within the firm's governance structures. It will be left to the firm to choose how to deal with these risks but functions which will need to be involved are likely to include internal audit and risk.
