- within Insurance and Corporate/Commercial Law topic(s)
In the inaugural episode of Ropes & Gray's Non-Financial Misconduct four-part miniseries, Amanda Raad, co-chair of the firm's global anti-corruption & international risk practice, is joined by asset management partner Eve Ellis and litigation & enforcement senior attorney Sarah Lambert-Porter to discuss the evolving regulatory landscape for non-financial misconduct in the UK financial services sector. The conversation examines the Financial Conduct Authority's new rules, the impact of the Worker Protection Act, and the increasing regulatory and legal risks associated with issues such as bullying, harassment, and discrimination. Drawing on recent survey data and enforcement trends, the hosts highlight key risk areas for asset managers, private equity sponsors, and other regulated firms, including the importance of breaking down organizational silos, adapting to remote and hybrid work environments, and ensuring senior management accountability. The episode provides practical guidance on updating policies, strengthening investigations, leveraging data, and fostering a culture of compliance, helping organizations prepare for the new regulatory requirements.
Transcript:
Amanda Raad: Hello, everyone, and welcome to our Non-Financial Misconduct series. I'm Amanda Raad, a partner at Ropes & Gray here in the London office, and I am joined by my colleagues Eve Ellis and Sarah Lambert-Porter. We are very happy to be bringing this series to you and starting today with our first episode, where we're going to be talking about the regulatory landscape here in the UK, and the Financial Conduct Authority's new rules on non-financial misconduct. Before we dive into that, I want to think a little bit with our team here about why we're doing this series. So, Sarah, why don't you kick us off?
Sarah Lambert-Porter: Yeah, sure. So, the bottom line I guess for the board is that non-financial misconduct – which the UK regulators define to include bullying, harassment, discrimination, and violent or sexual offenses and other types of serious dishonesty – is now both a legal as well as a regulatory risk, and failure to take appropriate action to comply with, and follow up on, and investigate, and take action in relation to non-financial misconduct really does open up the organization now to civil litigation as well as to regulatory fines. And then, of course, the reputational damage that follows on from that. So proactive prevention, governance, and culture change are all really essential in this area.
Amanda Raad: Thanks, Sarah. All of that isn't completely new, but a lot of it is. So, Eve, can you tee up for us what has changed recently?
Eve Ellis: Sure. Sort of the long-awaited rule proposals from the FCA were released in July. They come into force next September. And what these rules will basically do is incorporate non-financial misconduct into various areas of the FCA rules, including fitness and propriety assessments, conduct rules, and notification rules.
So, it is a shift. What happened in July is they published that policy statement, but they also published a consultation paper, which will have guidance to support how firms are meant to interpret these rules. So, as I say, first of September next year is the date for the new rules to take effect. And we're hoping to get the final guidance by the end of this year.
Amanda Raad: But we're not going to wait for that to give you as much information as we can so that you can start being as prepared as possible and take the right actions you can now. So, for the series, we're going to have a four-part series. And I just want to tee up briefly for you where we're going, so hopefully you will tune back in.
So today, we'll do a bit of scene-setting and looking at the regulatory landscape. And then we'll talk as best we can on what are some of the practical steps that you can be taking, particularly for asset managers and private equity sponsors, what you can be doing now.
And then in our next episode, we're going to have more of an employment law focus. And we will be joined by one of our guests, which is Sharon Tan from Mishcon, and an employment law specialist, to talk about the employment angle here to non-financial misconduct.
Then in episode three, we're going to really take a deep dive into assessing culture. And we will be joined by our Insights Lab's Cultural Psychologist Michelle DiMartino to talk about the successful angle with regard to non-financial misconduct.
And then finally, we're going to bring the in-house perspective to this discussion. So, what are companies doing to prepare? And we will be joined by the Insights Lab Director of Ethics and Compliance, Katie Daniels, who has recently joined us from an in-house position. And we'll take a deeper dive into that perspective.
But to get back to today and where we are, we thought it might be good to take a little bit of a deeper dive into the scale of the problem of non-financial misconduct and what the FCA has actually responded to, and try to look at some of the data and the numbers to tell this story.
So, what we do know is that sexual harassment and other kinds of non-financial misconduct – other kinds of harassment, discrimination, and bullying – are widespread issues that companies are dealing with all around the world. And also, we know that, while reporting has increased, these issues do remain under-reported compared to some of their counterparts. There are a few statistics here that we're going to go over. And Sarah, I think you have some recent ones from September that we can dive into.
Sarah Lambert-Porter: Yeah, that's right. In the middle of September, ACAS published statistics for us. For those who are not based in the UK, and might not be familiar, ACAS is the Advisory, Conciliation and Arbitration Service, and what that is an independent UK body that essentially provides free advice to employers and employees alike on workplace rights and best practices, and they also get involved in helping to resolve disputes and employment issues.
And it's quite interesting that they showed that inquiries about sexual harassment have increased by 39% in the first half of 2025 as compared to the first half of 2024. And they noted that even though obviously the Worker Protection Act came into effect in October of 2024 when the new duty came in, which we will I'm sure come to shortly, they'd already grown by 7% in the months before that actually came into effect. So, the general trend is one of increase.
Amanda Raad: We also thought we'd take a look at the Financial Conduct Authority's Non-Financial Misconduct Survey of 2023 - 2024, which was prepared for purposes of informing rule-making and also for enforcement. And we saw substantial increase there, too.
So, an increase of 40% over the surveyed period of 2021 to 2023 overall. And then, 23% of those claims were discrimination, 26% for bullying and harassment, and 41% were other kinds of non-financial misconduct, whether that be violence, or intimidation, substance or alcohol misuse, data protection breaches, or offensive, inappropriate language, or items of that type.
Sarah Lambert-Porter: And I think the other interesting things that came out of the FCA's survey data are about things like detection. Quite interesting to see that the bulk of detection of these incidents comes from grievance or formal escalation processes or, you know, through whistleblowing type channels. So, 56-70% of incidents are detected that way.
Whereas a slightly lesser percentage is done through surveillance tools. So, only 1-10% of non-financial misconduct issues are actually detected through email, or call monitoring, or other controls that the firms might have in place. So, I thought that was quite interesting.
And then just to build on that, I think it's always interesting to see what firms are actually doing in response. And that's something that the FCA obviously was very interested in. And in terms of disciplinary action, that's the most common result that they saw for sexual harassment issues.
So, 64% of the sexual harassment cases had disciplinary action as a result. And then violence or intimidation cases, 73% of those would end up in disciplinary action. And in terms of the actual action that is taken, the bulk of it was written warnings, or training, or coaching.
And the least-used type, actually, was remuneration adjustment, which is interesting because you would think that that was a relatively strong deterrent for employees. And when it was used, which was, you know, fairly rare, it was most often exercised against unvested variable pay, rather than by sort of docking your fixed salary or by way of clawbacks.
And interestingly, dismissal seemed only to be the most common outcome for cases that involved, you know, drugs. So, 21% of those drug cases ended up with dismissals, and 22% of sexual harassment cases only ended up with dismissals. And around the same level, 21%, for violence or intimidation.
And then in that sort of 'Other' category to which you referred just now, Amanda, 24% of those cases ended in just verbal warnings. But then we do see that there is sort of an increasing trend (in almost all cases, 92% of cases) where regulatory references are actually being used to reflect and record non-financial misconduct issues. And interestingly, that includes firms going back and updating references they'd already provided. So those are some of the quite interesting responses that firms have been taking, based the FCA survey data.
Amanda Raad: I think it's interesting that the surveillance tools are really only 1-10%. And I would be curious over time to kind of compare that and see if that changes because I think the surveillance tools are probably much higher for other kinds of misconduct.
So, for financial misconduct, I suspect we would probably see a flip of some of these statistics. And I do wonder if part of this is because of the way organizations have currently structured their reporting processes and divisions of responsibility for who's going to review financial misconduct issues, versus who's going to review non-financial misconduct issues.
And now that we're talking about the regulatory impacts that occur for both financial and non-financial misconduct, hopefully we'll see a little bit of a blending of some of these issues. I know we're going to talk about that later, but I think that method of detection statistic will be an interesting one to watch. So, I'm glad you called that one out.
Eve Ellis: I was actually thinking the same thing when Sarah was giving those statistics. And I suspect, as these new rules bed in, that is an area that we will see a shift in. And I think just sort of taking a step back, I think the survey itself was a really interesting indication of how much the FCA is sort of shifting to culture and data when it's trying to review new areas and present rules.
I think it was one of the first times it had ever done a survey of this kind. And there certainly is an expectation by the FCA that firms should also be using data and monitoring that data. And if anyone hasn't looked at the survey that the FCA put out and actually benchmarked that against their own firm, that is certainly something the FCA expects firms to do. So that's certainly sort of an action point that, if you haven't done that, you should be doing that now.
Amanda Raad: Great. Thanks, Eve. Let's take a look at what the current regulatory landscape looks like. So, Sarah, can you tell us a little bit more about the rules and expectations?
Sarah Lambert-Porter: Sure. I think it's really important to bear in mind that there are sort of multiple layers of requirements to navigate if you're a regulated firm because if we zoom right out and look at the UK as a whole, after many years of campaigning by unions and civil society groups and so on, the Worker Protection Act came along and introduced a proactive and preventative legal duty for all employers, regardless of their size or the sector in which they're operating. That came into force in late October of 2024, and essentially what that does is it requires employers, be they regulated or otherwise, to take reasonable steps to prevent sexual harassment of their employees in the workplace. And that includes worker-on-worker harassment, as well as harassment by third parties such as, you know, the firm's customers or clients.
And so, in a nutshell, employers all over the UK must now proactively identify and mitigate risks of sexual harassment, rather than just reacting to incidents, you know, after the fact. As ever the question then becomes, "What are reasonable steps for them to be taking?" and in this context it's similar to what you would expect for the other 'failure to prevent'-type offenses, right? So, it's: conducting risk assessments to identify potential vulnerabilities; implementing policies and procedures for reporting, and investigating harassment issues; providing training to staff on, you know, expected behaviors and unacceptable behaviors in the workplace; and then just taking measures as much as you can to mitigate third-party harassment or prevent it from arising. And the enforcement lens there is that employment tribunals can increase the amount of compensation that is due to employees in successful sexual harassment cases, I think by up to 25% if the employer also had failed to take reasonable steps to prevent the harassment occurring.
So that's the sort of general background against which the FCA's rules sit. And so, if I go through those buckets of requirements briefly:
The FCA obviously has fitness and propriety requirements, and non-financial misconduct matters can render an individual not fit and proper, even if it's conduct that's unrelated to their client dealings. And that really requires quite robust annual certification and testing. And, you know, quite crucially, event-driven reassessments. So, it's what you do after an event has happened, as well, that is quite important on the fitness and propriety front.
The second bucket is obviously the Conduct Rules. Conduct Rules one through six apply to behaviors that undermine the integrity and proper standards of the market. And so repeated or serious bullying and harassment might breach Conduct Rule One, which is, you know, the duty to act with integrity, or Conduct Rule Two, which is, you know, acting with due skill, care, and diligence.
The third bucket is obviously senior management accountability under the Senior Managers and Certification Regime. So, SMFs 16 and 17 all have obligations to ensure the effectiveness of controls, fair investigations, and escalation. And reasonable steps here will include ensuring that policy design and training, effectiveness, and so on, and data monitoring sort of management information and so on is all happening appropriately in those different senior managers' areas of responsibility.
And then the final bucket relates to notifications. So obviously, there are event-driven notification obligations, which sit under SUP15 for significant misconduct where you need to notify the regulator, but then there are related obligations obviously when you're filing returns like the REP008 and Form H disclosures where there are certification issues and where you've taken disciplinary action in relation to employees' misconduct. And then finally, regulatory references under SYSC22, which need to include substantiated findings of serious misconduct.
Amanda Raad: So now we know about kind of all of the expectations and all of the regulatory requirements. But I think it's helpful to take a little bit of a look at where we are most commonly seeing risk spots, or areas to watch out for.
And we'll try to dive through this, looking at this from the lens of some of our asset management and private equity and investor clients to think about that. So, Eve, can you call out just where are some of the places that people need to keep their eyes and ears alert?
Eve Ellis: Yeah. Look, I think there are a few areas. I think in my mind, one of the biggest areas is ensuring that all the different stakeholders are connected and aligned. I think one of the biggest risk areas here is that it's all siloed within an organization, and non-financial misconduct may historically have been driven and reviewed and considered by HR.
And I think the key point here is that this can't just be considered by HR in a vacuum. It needs to be looked at at a broader compliance issue alongside legal and compliance and senior management to make sure that actually the regulatory lens is being applied to this.
So, I think one of the key things is making sure that your internal framework is updated, if it needs to be, to ensure that these issues can be looked at holistically across the organization and across different areas. The other couple of areas that I think are important to monitor and will be risk areas will be social situations and making sure that, you know, workplace sort of social events are monitored, and any sort of issues in that regard are picked up early, and action is taken.
And then also sort of remote and hybrid working environments. You know, we still have remote working. We still have hybrid working. And making sure that issues there can be detected easily, particularly where people aren't in the office and are usually potentially informal channels and messaging apps, for example. I mean, Sarah, are there any other areas that spring to mind from your perspective?
Sarah Lambert-Porter: Yeah, I think in the particular context of asset management, PE-type clients, there's – well, actually all financial services firms – that there's sort of the senior rainmaker or key person-related risk because there is often a perception of sort of star immunity; a sense that the more senior members of staff are in some way above the rules.
And so, it's critical to ensure that there is a degree of independence and robustness to the controls that seek to keep them in check, as well as lower levels of employees. And I think deal teams, investor relations type situations, those are really high-touch, high-pressure environments, and there are obvious power asymmetries inherent in those. So, there is a heightened risk of bullying, harassment, and/or misconduct that happens in the sort of hospitality or entertainment setting.
The other thing is obviously – apart from remote or hybrid working – 'out-of-hours' working, especially late at night if you're doing a closing or something like that, there's an area where, again, the risk goes up a notch.
Amanda Raad: Thanks for calling out all those risks. Thinking about a little bit what do you do, and how do you make sure that you as an organization are seeing the risks soon enough, and being able to respond to them, one of the most important things that we see across all kinds of risk areas, whether it be financial misconduct or non-financial misconduct, is looking at how do you encourage reporting.
And then once you are in possession of an allegation of some kind, who needs to have access to it, as Eve called out—making sure that you don't have a siloed approach where only certain people are given access to a particular kind of allegation, and then you might have inconsistent treatment of people that are raising complaints, inconsistent consequences or disciplinary actions, which all of that can really create a full circle problem where you then suddenly don't have reporting of certain kinds of issues, or you're setting a culture tone where certain things may be perceived to be tolerated or perceived to be consistent with the values of an organization.
So, it's a great thing in some ways that the regulatory framework is shifting to bring these issues together to be looked at holistically, but it is going to require an analysis of structures within organizations to say, "Across the board, how are you intaking information? And what are you actually doing with it once you have it?"
And I think really the key point, and one of the biggest risks, which I think is the first one Eve actually called out, is this siloed approach that really does exist within many organizations. Also, I know we're talking about this from the UK Financial Conduct Authority perspective, but this is a global issue.
There are obviously regulatory frameworks that exist in jurisdictions, whether they be criminal, or civil, or employment-related. There are rules and requirements. And there are, of course, all of the reputational harms that go along with these issues.
So, this is a lever to use to consider how to bring this up on the agenda when you're talking about risk areas and speaking with boards, but it's something that shouldn't be narrowly tailored to just the UK or businesses that touch the UK, because obviously, this is really a global issue.
And pausing on that just for a moment, the global point, is you really do have to take into consideration what may be sometimes true conflicts of law, or potential conflicts of law from different jurisdictions. So, when you're doing an investigation, thinking about the various data privacy considerations, what can be said, what can't be reported out on, what must be reported out on, and obviously, for disciplinary procedures as well, looking at the employment laws of the different jurisdictions that can come into play.
So, just as you would for any kind of allegation of misconduct, it's really important to start from the very beginning and ground up in thinking about how you're going to intake, how you're going to investigate, and then what processes you're going to follow for potential remediation. Eve, guiding us back for a moment to the FCA in particular, can you tell us a little bit more about some practical tips or guidance to comply?
Eve Ellis: Sure. I mean, look, I think at the moment we're still waiting for the FCA's guidance that will accompany the rules. But I think among some of the key areas that firms are going to grapple with, the first one is sort of tying a nexus to the rules. And I think the key point is something personal behavior, professional behavior, where do the lines blur? Where is it that it needs to be an issue under the regulatory framework. And so, I think that is certainly something that firms will need to think hard about.
And perhaps designing sort of, you know, a notification, sort of, tree to help with that decision-making, whilst also remaining flexible because there may be certain circumstances that, you know, you need to sort of notify or consider as part of the fitness and propriety assessment or Conduct Rule breaches.
What was helpful in the FCA's draft guidance is they talk about monitoring behaviors. They also talk about sort of looking at social media. But I think they do say that they don't expect firms to proactively monitor social media, for example. But the big "but" to that is that if firms become aware of something that they see on an employee's social media that sort of raises concerns, that's something that firms will need to consider and work out whether it's something that there is a nexus there to the rules.
I know that the FCA's overall expectation, particularly around notifications, is that they will increase as a result of these, the changes in the rules. So, they're expecting to see more notifications around Conduct Rule breaches because of the new non-financial misconduct regime.
Equally with fitness and propriety assessments, again I think the FCA's expectations are that not all breaches or issues will lead to an outcome that someone isn't fit and proper. But these are all areas that firms are going to have to sort of grapple with, and particularly once the guidance is finalized, you know, work out how they put that into practice within their organizations and what their monitoring processes will be, as we talked about earlier, whether changes to surveillance are needed.
So, there's still a little bit that's not known yet from the FCA as we wait for their guidance. But certainly, I think these issues of creating the nexus to the regime are going to be one of the key considerations that firms are going to have to deal with.
Amanda Raad: And I just have to jump in and say really quick, Eve, I do think sometimes there is a tendency to wait for the regulators to tell us exactly what they expect with regard to compliance and controls. And especially in this arena, we can't wait because the risk exists today. And so, trying to think about how are you actually going to take steps to mitigate this risk and get ahead of the curve I think is really important here. And I'm not sure there is a way, even with all the best intentions, and all the research, and all the surveying, for them to really come up with solutions that are tailored to meet any individual organization's kind of risk management framework. So, I really do encourage people just, of course, to follow the updates, but hopefully not wait too long.
Eve Ellis: Yeah, look, I think that's completely right, Amanda. And I think there is always that balancing act. But as you say, these issues are live, and whilst the rules aren't enforced yet, getting ahead of the position, particularly working out what your framework looks like, looking at the issues as they come up, is really important.
Amanda Raad: And then finally, I think we're going to spend a little bit of time talking about the practical impact on frameworks and controls and a little bit about policies, processes, certifications. Eve, are you going to walk through that?
Eve Ellis: Yeah. I mean, we've touched on a few of these themes already. But I think firms will need to update their policies generally around non-financial misconduct, and especially with specific reference to the code of conduct, Speak Up policies, disciplinary investigations, and regulatory references.
These are all areas that are going to need updates to policies, procedures, and sort of internal governance processes. And sort of linked to that is sort of, again, dual tracking and combining HR and compliance intake, and making sure that these issues are considered both on onboarding, or taking on new staff, but also on an ongoing basis. So again, updating those processes which, you know, cuts across both intake, but also the ongoing certification that firms will be doing for all of their, you know, senior management and certified staff.
Amanda Raad: Sarah, what other things can we be doing now?
Sarah Lambert-Porter: So, I think it's really going to be important to think about the investigations piece. You need real global coherence but UK specificity, so that you've got sort of a common group standard and procedure for how you deal with issues of non-financial misconduct, and then also UK-specific local procedures that will help you to navigate the employment law and data privacy aspects of it, so that you've got a firm-wide culture and governance really in place across the board.
In terms of the investigations themselves, you really do need to think very carefully about independence and enlisting the help of external counsel, especially if it's, you know, a matter that involves really senior people, or if it's very complex, or cross-border.
And then, really, also think about witness care and sort of trauma-based interviewing and that sort of thing. And making sure that you've got an independent process that's really fair and yet comprehensive.
And one thing to really pull out here I think is also data privacy in these sorts of investigations because inherently, non-financial misconduct issues are going to involve sensitive personal data under the GDPR. So that will need really careful handling. And you will need to have thought about that and put in place the right sort of steps in your policies and procedures for investigating.
Another point I think that's quite important is, you know, obviously, Eve pulled out the fact that the FCA really is expecting people to use data more and more to show their compliance. That might involve having dashboards on different types of conduct allegations, having information about the type, the severity, how long it took to investigate it, what the outcomes were, and so on. And then also having data or management information about your whistleblowing reports, having heat maps by desks and teams, or countries, or business units so that you could really spot trends and really up the detection because, you know, as I mentioned earlier, the detection is only 1-10% based on the FCA survey data. So really, trying to make sure that you can detect as much as possible without people having to come forward.
And then also having board minutes and so on that really show that the senior management is aware of non-financial misconduct, that they're engaged with it, that they're challenging it, and that they're resourcing the firm's framework for dealing with it appropriately.
Other things people should be doing is thinking about training. Ideally, you would have scenario-based training for your managers on the full gamut from, "What is a microaggression?", through to how power imbalances within a deal team might lead to an increased risk of non-financial misconduct. Also, how to behave on off-sites, really specific training for investigators who deal with non-financial misconduct. And, you know, as I say, that can include trauma-based counseling-type questioning. And just reasonable steps for senior managers who might come in for additional scrutiny in terms of what they did regarding non-financial misconduct in the areas of the business for which they are documented as being responsible.
And then, finally, when it comes to third parties and sort of portfolio companies, really looking at your due diligence questionnaires and your contractual expectations, as regards conduct and non-financial misconduct in particular. Thinking about escalation protocols when there are allegations that arise at those portcos, and then setting in motion a way to deal with them, and having a really clear procedure on dealing with those.
Amanda Raad: So taking this all into consideration for me, my big takeaway I think is the time is now, and that I see this actually as an opportunity to look holistically at internal controls, like culture at the way we navigate investigations and allegations that come in, and really just a chance to, you know, across risk areas, make sure we're really confident in the way that we're handling these kinds of issues. So, I think that's my big takeaway. But I would love to hear from each of you. So, Eve, what about you? What's your takeaway?
Eve Ellis: I think the key messaging is that non-financial misconduct is now definitely a regulatory issue and consideration. It's not just an HR matter anymore. It needs to therefore be treated like any other risk area. And, you know, and senior management will be accountable if things go wrong within the business.
You know, the nexus to the rules needs to be documented. It should ensure fair, thorough investigations. And, you know, importantly, be consistent around sanctioning and certification. So yeah, I think that's my key message, that it's now very much a regulatory consideration.
Amanda Raad: What about you, Sarah?
Sarah Lambert-Porter: I know I keep harping on about the data, but data really will be critical here. It's something that the FCA, you know, is coming to grips with on its own in terms of the data, and they're really expecting firms to have data as well. And I'm not sure where I heard this, but somewhere, someone said, you know, "Evidence beats assertion."
You really do need documented, data-backed evidence of how your firm has thought about non-financial misconduct and sort of built it into the framework that you have for, you know, policies and procedures and so on. And that you've got evidenced, documented rationales that link fitness and propriety to your risk management framework, and how and why those are reasonable and proportionate in the circumstances of your particular firm.
And I think the other thing to remember on data is you need to be careful about your sources. You need to figure out what sources you're looking at, and also make sure that you're not misinterpreting it because, for example, the absence of reporting about non-financial misconduct issues doesn't necessarily mean that there is an absence of sexual harassment or anything else in your firm, and, you know, it might actually speak more to the fact that you have a culture that enables it and silences it. So, you've got to be really careful with the data. But I think the regulatory expectation is that you will be using it, and using it to demonstrate, you know, in a defensive setting, that you have done enough.
Amanda Raad: It's giving me flashbacks, Sarah, to our podcast and our webinars talking about failure to prevent fraud and the importance of data and risk assessment and documentation there.
Going back to the opportunity here, I think it's a nice opportunity to look at fraud risk, but also look at harassment, and discrimination, and bullying, and other non-financial misconduct risk as well, and make sure we're documenting that to the same extent that we are fraud.
All right. So that is episode one. Please do come back for episode two, where we will be joined by Sharon Tan to talk about the employment law focus and the role that employment law plays in non-financial misconduct. We look forward to talking to you again soon. You can listen to us wherever you listen to podcasts. Please follow us, whether that be on Apple or Spotify, and we'll connect soon.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
