
The behavioural gap: Why the FCA's 2026 NFM rules change everything for financial services

By David Cole
Published on 11 May 2026

It’s been eight years since the "Sexism in the City" inquiry was first launched, and two years since its findings laid bare the culture of the UK’s financial services sector. The results were a sobering read, revealing that 45% of women in the industry have experienced sexual harassment.

Those findings were the catalyst for the rigorous new regulatory framework for non-financial misconduct (NFM) that the FCA is implementing in September 2026. 

At Zinc, I’ve been watching this shift closely. NFM is no longer just a "human resources problem." It has become a core pillar of fitness and propriety.

A warning to your board and an opportunity for HR

For the C-suite, the message is straightforward: the era of plausible deniability is over. 

The FCA’s latest guidance clarifies that firms are explicitly responsible for misconduct occurring in digital and remote channels. Liability often hinges on whether a firm "reasonably should have known" about an individual’s conduct.

If an executive has a public history of online harassment or discriminatory behaviour that was never checked, your firm is exposed. We have already seen how quickly this can escalate in financial services. 

The name Crispin Odey should be familiar to many readers, and he has been in the headlines again recently. Last week he was reported to be considering settlements with five women bringing civil sexual assault claims against him, including one allegation of rape. The wider Odey scandal has already resulted in an FCA ban and a £1.8m regulatory fine last year, which Odey is still challenging.

This is but one of many examples of regulatory fines and tribunal settlements related to non-financial misconduct. The point for boards is not subtle: where serious misconduct is known, alleged, or capable of being discovered through reasonable governance, inaction can create legal, regulatory and reputational exposure.

However, for HR and Compliance leaders, this shift is actually a major opportunity. Instead of relying on gut feel, you can now provide the board with actionable, documented data. Moving toward online reputational screening means you're no longer just guessing about a candidate’s character: you’re providing the board with a defensible evidence trail for every senior appointment.

Debunking the retrospective myth

There is some confusion regarding the scope of these new rules (but when isn’t there room for interpretation regarding new FCA rules?).

To be clear, the FCA has explicitly stated that firms are not expected to retrospectively screen everyone’s social media accounts by September 2026. Nor is it mandating blanket, 24/7 surveillance of your employees’ private lives, because that would be weird.

While the FCA does not mandate social media screening (and to say so would be an overreach), they do expect firms to take "reasonable steps" to identify credible information regarding misconduct. This means that while you don't need to snoop, you cannot afford to ignore what is publicly available, particularly for specific risk categories like Senior Management Functions (SMFs).

Why annual assessments matter

One-time screening at the point of hire is no longer a robust enough shield. People change, and a personal crisis or shift in behaviour can spill into the public domain overnight.

This is why online reputational screening must be embedded into your annual fitness and propriety (F&P) assessments and SMCR re-certification cycles. It ensures that the "fit and proper" standard is maintained every day, not just on the day someone joins the firm.

Why the "old ways" are failing

The tools we have relied on for decades are losing their edge. Criminal record checks now offer a false sense of security, as changes to the Rehabilitation of Offenders Act and new DBS filtering rules mean that many relevant past convictions no longer appear on a standard certificate. For instance, a conviction for fraud leading to a 12-month custodial sentence becomes “spent” just one year after the sentence is served. 

Can your firm still afford to rely solely on these checks as adequate risk mitigation?

At the same time, employment references have become "factual-only" as firms try to avoid their own legal risks. Increasingly, you will get little more than employment dates and a job title in what have become more accurately referred to as employment verifications. 

These traditional methods might tick a compliance box, but they simply won't adequately mitigate the risks we face in the 2026 workplace. We need modern tools to match modern risks.

The danger of the DIY approach

When firms decide to act, the biggest mistake they make is trying to handle online reputational screening in-house. Reviewing a candidate’s digital footprint manually is a minefield. It’s inconsistent, prone to conscious and unconscious bias, and creates significant risks regarding the handling of sensitive data.

Professional, outsourced social media screening is the only way to ensure the process is proportionate and legally defensible. Modern solutions can efficiently triage vast volumes of digital content (including written, image, video, and audio) to identify flags for specific risk categories. Crucially, they’re designed to remove conscious and unconscious bias and filter out protected information, resulting in effective and fully unbiased decision-making.  

Professional social media screening isn’t always about termination or non-hire; serious action is only warranted when the seriousness threshold for employment termination has been met. 

Often, candidates and employees are blissfully unaware of the adverse content that a professional screening will surface. Once informed of the implications, they can be guided to comply with your firm's social media usage policy. Protecting themselves and the business can be as easy as deleting borderline content or restricting public access to friends and family.

The October 2026 deadline

This isn’t just about the FCA, though. The Worker Protection Act and the Employment Rights Bill mandate that by 1 October 2026, all UK firms must take "all reasonable steps" to protect their staff from harassment. If the legal standard is now "all reasonable steps," ignoring public, online evidence of misconduct is becoming an impossible position to justify.

What you can do now

To prepare for the 2026 deadline, we suggest three practical steps:

  1. Audit your framework: Check if your current HR policies clearly define online harassment as a breach of fitness and propriety.
  2. Review your screening stack: Ask if your current criminal record checks and references are actually giving you the risk-mitigation you think they are.
  3. Establish a committee: Consider a "Joint Misconduct Committee" involving Legal, Risk, and HR to ensure that any findings are handled consistently.

Ultimately, the goal is to identify "digital smoke" before it becomes a regulatory fire. Protecting the reputation of your firm is about more than compliance: it is about protecting the integrity of the entire profession.

If you want more advice on keeping your firm compliant with new and changing FCA regulations, speak to our team today.