When the client is not always right: third-party harassment and the October 2026 duty

Many years ago, Richard Branson made the point that “clients do not come first. Employees come first. If you take care of your employees, they will take care of the clients.” 

Whilst Branson's leadership style may not appeal to everyone, it is a useful provocation and the core idea still holds: you protect the people you serve by protecting the people who serve them.

I have been thinking about that in the context of October 2026, when new employer liability for third-party harassment comes into force under the Employment Rights Act. From that point, employers will be legally responsible if their staff are harassed by clients, customers, contractors or suppliers in the course of their employment and they have not taken all reasonable steps to prevent it. 

The legal shift matters but perhaps the more important question for most organisations is not a legal one. It is a cultural one. And it is one that many have been avoiding for years.

When values meet commercial reality: the third-party harassment problem

Most organisations have policies that say people will be treated with dignity and respect. Many mean it. But those values tend to get tested in a particular kind of moment when the person causing the problem is not a colleague but a client. A revenue-generating one. A long-standing relationship. Someone important.

There is often a quiet fear sitting underneath these situations: if we challenge this, do we lose the client?

That framing can be misleading. In many cases, it is not “the client” as an organisation that is behaving poorly, but an individual or small number of individuals within it. Addressing that behaviour can, in reality, be part of supporting the client relationship rather than undermining it.

Clients themselves increasingly have their own regulatory, legal and cultural obligations to consider. Flagging risks, setting expectations and dealing with problematic behaviour can be consistent with, and sometimes necessary for, maintaining a healthy client relationship.

In practice, though, the instinct in many organisations, particularly in financial services and professional services, has been to manage it quietly. To protect the relationship. To ask the employee to be understanding, or resilient, to only match certain people with the client or to see it from the client’s perspective.

That approach has never been good enough from a human standpoint. From October 2026, it will not be good enough from a legal one either.

What has changed and why it matters

This is not an entirely new concept. The Equality Act 2010 originally included provisions making employers potentially liable for harassment by third parties. Those provisions were repealed in 2013, leaving a gap in protection for employees. 

Under that earlier regime, liability was tied to what became known as a “three strikes” rule. Employers were only exposed where they knew harassment had happened on at least two previous occasions and had failed to act. That created a relatively high threshold. In effect, it took repeated incidents before legal responsibility crystallised.

The October 2026 duty is different. It does not depend on prior incidents or a pattern over time. The focus is on whether the employer has taken all reasonable steps to prevent harassment from happening in the first place. 

That shift matters. It lowers the practical bar for claims and increases scrutiny on what organisations did in advance, not what they did after a problem had already emerged more than once.

What “all reasonable steps” actually requires

The standard employers must meet is “all reasonable steps”, language that sounds modest but carries real weight. Whilst there will be more guidance on what this means, it is clear that it requires proactive planning, not just reactive response. Risk assessments for roles and settings where third-party interaction is a feature. Policies that explicitly address third-party conduct. Training that gives managers the confidence and the permission and skills to act, including when the person behaving badly is commercially important.

There is also a more structural step that some organisations are beginning to take: embedding expectations around behaviour into terms with clients, suppliers and contractors. Clear standards, coupled with a willingness to enforce them, are likely to form part of demonstrating that reasonable steps have been taken.

Managers in client-facing roles often know when something is not right. What many lack is the organisational backing to act. They need to know that if they step in, or raise a concern about a client or contractor’s behaviour, they will be supported rather than sidelined for addressing the concern appropriately.

Senior leadership has to mean it. Not just in policy, but in practice. The organisations that will navigate this well are those where the message is already clear: this behaviour is not acceptable, regardless of who it comes from.

Preparing for October 2026: more than compliance

The legal risk is real and it is rising. But organisations that approach the October 2026 duty purely as a compliance exercise will miss the point and are likely to fall short of the standard anyway.

The consequences of failing to meet the duty are legal, financial and reputational. But this is as much about culture and leadership as it is about policy and training.

The underlying principle, however it is phrased, remains the same. Organisations that are prepared to support their people, set boundaries and have difficult conversations are better placed not only to meet the legal standard, but to build stronger and more sustainable client relationships.

If you would like to find out how our training can help your organisation prepare, please do get in touch.

‍