    The UK’s Financial Conduct Authority (FCA) has released its findings on firms’ management of off-channel communications. The FCA’s review highlights that while most financial institutions (FIs) surveyed have strengthened their frameworks, breaches continue to happen across all staff levels. More alarmingly, 41% of these breaches involved director-level roles and above. The FCA reaffirms that “Robust record-keeping and monitoring of communications is essential for firms to detect and investigate misconduct.”

    The FCA’s report relied on breach data provided to it by firms rather than interrogating personal devices for evidence of off-channel communications. The regulator found that surveyed firms had taken actions to enhance their frameworks, including updating policies to cover new technologies such as smartwatches, streamlining their processes for employees to self-disclose off-channel communications, prohibiting the inclusion of personal numbers in directories, and undertaking training and staff guidance measures.

    Surveillance improvements also included updating lexicons to support emerging communication channels and to identify ‘channel hopping’ and non-text communications, such as emojis and GIFs. Firms were also using sophisticated surveillance technologies that filtered out false alerts with lexicon-based and natural language processing (NLP) models, and were monitoring low on-channel usage as a means of identifying potential instances of off-channel behaviours.

    Additionally, the FCA notes that large firms have “adopted a single, global recording and monitoring policy across jurisdictions to ensure consistency.”

    From the review, the FCA found that 8 firms disclosed a total of 178 breaches, with 131 concentrated in 3 firms. Firms disclosed they may apply a range of disciplinary actions from “policy reminders and refresher training to caution letters, formal warnings and performance review impacts” to address these breaches.

    See more information about what the FCA means for UK firms or read the FCA’s published article about its multi-firm review into off-channel communications.


    The State of eComms from a Regulatory Perspective

    Electronic communications (eComms) messages occurring outside of approved, recorded systems have gained an increasing share of the regulatory spotlight in the UK, US, Europe, and the APAC region in recent years. Regulators now expect evidence not only of detection but also of behavioural change driven by strong policies, oversight and regulatory technology (RegTech).

    The FCA’s rules on the recording and monitoring of telephone and eComms are detailed in SYSC 10A and reaffirmed in its Market Watch 66 communication. The regulator highlights that firms must ensure conversations leading to in-scope activities are recorded, and that steps are taken to prevent the use of unmonitored and/or encrypted apps such as WhatsApp, Signal and Telegram. It has already acted against individuals and firms for misconduct involving the use of such apps to arrange deals and provide investment advice, including the transmission of ‘trading signals’ and other investment recommendations to clients. The FCA says, “We view these actions as serious and have sought orders preventing such individuals from carrying out these activities in the future. We expect this to remain an area of focus.”


    What Regulators Expect from Communications Surveillance

    Business communications can include any interactions relating to a firm’s operations, decisions, or client engagements. These communications also take place over various channels, including email, mobile, collaboration tools, social media, financial platforms, and phone conversations. Financial firms are responsible for capturing and retaining records of these communications to ensure compliance with regulatory bodies, such as the UK Financial Conduct Authority (FCA), US Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), the Monetary Authority of Singapore (MAS), the Australian Securities and Investments Commission (ASIC), the Hong Kong Securities and Futures Commission (SFC), and more.

    All conversations that involve business communications typically need to be captured, particularly when using firm-issued devices. Firms often record business-related calls and messages on both firm-owned devices and, in some cases, personal devices used under a Bring Your Own Device (BYOD) policy. Regulatory requirements around conversation capture vary by firm and operating jurisdiction, but tend to focus on communications with clients, transaction orders, or any discussions that could impact market integrity. Firms need to ensure all business-related conversations, especially through established and emerging digital channels, are logged, monitored, and stored in compliance with the relevant regulatory standards.


    The Challenges for Firms Around the Globe

    As discussed in a recent MCO webinar about effective eComms surveillance, enforcement actions in the United States and Europe are often followed by regulators in other regions, such as Asia-Pacific (APAC). For example, ASIC’s Information Sheet 283 in Australia warns that unmonitored encrypted channels create a heightened risk of misconduct going undetected. Similarly, the Monetary Authority of Singapore (MAS) and Hong Kong’s Securities and Futures Commission (SFC) require firms to maintain effective surveillance of communications, in line with global expectations.

    In the Asia Pacific region, the prevalence of so-called “super-apps” such as WeChat presents further complexity. These platforms integrate messaging, payments, social media and other services into a single ecosystem, making them widely used for both personal and business interactions. For surveillance teams, this creates significant challenges in distinguishing professional communications from personal use and ensuring that all relevant records are effectively captured. Firms must be prepared to monitor and retain communications across such channels, while balancing local data privacy obligations with global regulatory expectations.

     

    Many firms now face dual pressures: ensuring compliance with local requirements while anticipating higher global standards. Particularly when operating in more than one jurisdiction, such as Australia and the UK, firms must adhere to the highest standard of regulatory requirements.

    The rapid growth of remote working and bring-your-own-device policies further compounds the challenge of maintaining effective eComms surveillance and controls. As highlighted in the webinar, the sheer data volumes, language diversity and proliferation of eComms channels make effective monitoring complex and resource-intensive. Failure to address these risks exposes firms to regulatory penalties and reputational damage, and can rapidly erode client trust.


    The Role of RegTech in Upholding Compliance Obligations

    RegTech solutions, such as MyComplianceOffice (MCO), provide firms with a centralised platform to oversee eComms, integrate surveillance across multiple channels, and demonstrate compliance through auditable workflows.

    As an award-winning all-in-one compliance management platform, MCO also supports continuous education and attestation requirements, automated policy management, language-sensitive monitoring and highly customisable workflows and reporting tools. With integrated suites including Know Your Employee (KYE), Know Your Transactions (KYT), Know Your Third Party (KYTP), and Know Your Obligations (KYO), MCO helps compliance teams detect misconduct, manage risks, and align with regulators across multiple jurisdictions with effective policies.

    Regulators around the globe are making it clear they will not tolerate blind spots in eComms surveillance and archiving requirements. By adopting proactive monitoring and proven RegTech, firms can not only meet today’s obligations but also position themselves to withstand the scrutiny of developing regulations.


    More About MCO’s eComms Review and Keep Modules

    MCO delivers streamlined solutions for monitoring and flagging risky communications and archiving cross-channel messages in compliance with global regulatory requirements. eComms Review and eComms Keep modules conduct intelligent surveillance and securely retain communications from Email, Zoom, Bloomberg, Reuters, ICE Chat, Skype, WhatsApp, Signal, SMS, LinkedIn, Teams and other channels, satisfying regulators’ record-keeping rules and enabling more efficient investigations.

    The eComms offering was also awarded the Best eComms Surveillance Solution in the APAC RegTech Insight Awards. MCO CEO Brian Fahey comments, “Non-compliant employee communications and recordkeeping pose significant risk for firms today. With our communications surveillance and archiving solutions and the MyComplianceOffice platform, we’re committed to helping organisations proactively identify and mitigate compliance risk, meet regulatory obligations and drive efficiencies across their firms.”

     


    Explore Ephemeral Messaging Compliance Challenges

    Ephemeral messaging refers to digital communications that automatically disappear after a set time or once viewed, leaving no lasting record. Popular examples include WhatsApp, WeChat, Signal and Telegram, which allow users to send messages that vanish by default or through configurable auto-delete settings.

    These messaging channels pose serious compliance risks for financial firms. Disappearing communications prevent the retention of required records and significantly weaken audit trails. Regulators warn that failure to capture these communications can result in penalties, legal exposure or even criminal liability. However, firms can mitigate the risk by setting clear policies, disabling auto-delete functions on business platforms, prohibiting unapproved apps, and implementing intelligent surveillance tools to capture and archive ephemeral communications.

    Read more about the risks and solutions in our article, The Compliance Challenges of Ephemeral Messaging.