Electronic communications (eComms) surveillance has moved from a supporting control to a core regulatory expectation. The Financial Conduct Authority has reinforced that firms must be able to capture, retain, and monitor business communications effectively, particularly as off-channel activity continues to surface across firms.
A recent FCA multi-firm review found that while many firms have strengthened their frameworks, breaches remain common and occur across all levels of seniority. A notable proportion of breaches involved senior roles, which reinforces a key regulatory message: communications compliance is not just an operational issue; it is a governance issue.
For firms operating globally, including across APAC, this is not a regional concern. It is a signal of how regulators are approaching communications risk across jurisdictions.
Off-channel communications are business-related conversations that occur outside approved, recorded, and monitored systems.
This can include:
The risk is not the channel itself. The risk is the absence of capture, supervision, and auditability. When firms cannot evidence communications, they cannot demonstrate compliance with recordkeeping requirements or fulfill their obligations.
Regulators increasingly expect firms to do more than maintain policies. They expect evidence that communications are:
The Financial Conduct Authority sets out its expectations in SYSC 10A and related communications, including Market Watch publications. In the United States, the Securities and Exchange Commission and Financial Industry Regulatory Authority require firms to maintain and supervise records of communications related to their business. Across APAC, regulators such as the Monetary Authority of Singapore, the Australian Securities and Investments Commission, and the Securities and Futures Commission set similar expectations.
The direction is consistent. Firms are expected to eliminate blind spots in communications surveillance.
Pro tip - Focus on evidence, not intent. Regulators assess whether communications were captured and supervised, not whether the firm intended to comply.
Firms are generally expected to monitor and retain communications that relate to business activity, particularly where those communications could:
This includes communications across:
The exact scope varies by jurisdiction, but the principle is consistent: if a communication relates to a regulated activity, it is likely to fall within recordkeeping and supervision requirements.
For firms operating in APAC, communications surveillance carries an additional layer of complexity.
Platforms such as WeChat combine messaging, payments, and social interaction. This makes it harder to distinguish between personal and business communications, increasing the risk of incomplete capture.
The region’s language diversity means surveillance tools must address multiple, complex languages and local dialects. This can require advanced technology to detect compliance risks across written and spoken communication.
Firms often must meet both local and global standards, with the strictest prevailing across jurisdictions.
Pro tip - Design your surveillance framework to handle the most complex jurisdiction in which you operate. This usually simplifies compliance across the rest of the business.
Firms are increasingly using more sophisticated tools to manage communications risk.
These include:
These approaches help reduce false positives and improve the identification of higher-risk behavior. But they also increase expectations. Once firms adopt more advanced surveillance, regulators expect them to use it effectively.
Ephemeral messaging refers to communications that automatically disappear after a set period.
Common examples include:
These channels create a direct conflict with recordkeeping requirements by preventing firms from retaining communications.
Regulators regard this as a serious risk. If firms use uncapturable channels for business, they may face enforcement for non-compliance.
Pro tip - If a channel cannot be captured and retained, it should not be used for business communications.
A structured response to eComms breaches is now an expected part of compliance frameworks.
Detect off-channel or unrecorded communications through surveillance or self-reporting.
Determine whether the communication involved a regulated activity, client interaction, or potential misconduct.
Notify compliance, legal, and relevant senior management.
Reconstruct the communication where possible and document findings.
This may include training, warnings, disciplinary action, or enhancements to controls.
Update policies, controls, and monitoring to prevent recurrence.
Pro tip - Track breach patterns, not just individual incidents. Repeated issues often point to structural weaknesses in policy or culture.
A strong eComms framework should connect capture, monitoring, and governance into a single process.
Ensure all approved channels are recorded and retained.
Apply risk-based monitoring using automated and manual review.
Route potential issues to compliance teams for investigation.
Maintain accessible, complete records in line with regulatory requirements.
Support internal reporting and regulatory inquiries with clear audit trails.
As communication channels expand, manual approaches become less effective. Technology plays a key role in:
A well-implemented platform can help firms demonstrate that communications are captured, supervised, and governed in line with regulatory expectations.
The FCA’s review is part of a broader global trend. Regulators are no longer focused only on whether firms have policies in place. They are focused on whether firms can prove that communications are being captured, monitored, and controlled in practice.
For firms operating across regions, including APAC, the challenge is to build a framework that works across different technologies, languages, and regulatory expectations. Those that can do this effectively will be better positioned to manage conduct risk and withstand regulatory scrutiny.
Off-channel communications are business-related messages or calls that take place outside a firm’s approved, recorded, and monitored systems. This can include personal messaging apps, personal email, or unrecorded calls, which create recordkeeping and supervision risks.
Firms generally need to monitor and retain communications that relate to regulated business activity, especially those involving client interactions, investment activity, orders, recommendations, or conduct risk. The FCA’s SYSC 10A rules require firms in scope to take reasonable steps to record relevant telephone conversations and keep copies of electronic communications.
The FCA expects firms to have robust recordkeeping and monitoring controls for in-scope communications. In its August 2025 off-channel communications review, it emphasized that firms should detect, investigate, and address breaches, and noted that firms had strengthened controls through policy updates, surveillance improvements, and better internal reporting processes.
They create blind spots. If firms cannot capture and retrieve business communications, they may be unable to supervise conduct properly, investigate potential misconduct, or produce records when regulators ask for them. The FCA review also found that breaches continued across all staff levels, including senior roles.
Ephemeral messages are communications that disappear automatically after being viewed or after a set period. They are risky because they can prevent firms from retaining records that may be required for supervision, investigations, and regulatory review. This undermines auditability and books-and-records compliance.
A strong breach process usually includes identifying the issue, assessing whether regulated activity was involved, escalating internally, documenting the investigation, applying remediation, and reviewing whether controls need to be strengthened. The FCA’s review found that firms used a range of responses, from refresher training to formal warnings and performance impacts.
Because regulatory expectations often move across jurisdictions. ASIC’s Information Sheet 283 warns that unmonitored and encrypted communication channels can significantly increase the risk of misconduct going undetected, which aligns closely with the FCA’s direction of travel. Firms operating across APAC and other regions often need to design to the highest practical standard.
Firms can improve by tightening approved-channel policies, expanding capture across relevant channels, enhancing surveillance logic, monitoring off-channel indicators, and making sure records are retained and easily retrievable. The FCA review highlighted steps such as updated lexicons, identification of channel hopping, and processes for employee self-disclosure of breaches.