Risk and Compliance Insights | MyComplianceOffice

eComms in the FCA’s Regulatory Spotlight: APAC Impacts

Written by MCO APAC Team | Aug 25, 2025 9:45:22 PM

Electronic communications (eComms) surveillance has moved from a supporting control to a core regulatory expectation. The Financial Conduct Authority has reinforced that firms must be able to capture, retain, and monitor business communications effectively, particularly as off-channel activity continues to surface across firms.

A recent FCA multi-firm review found that while many firms have strengthened their frameworks, breaches remain common and occur across all levels of seniority. A notable proportion of breaches involved senior roles, which reinforces a key regulatory message: communications compliance is not just an operational issue; it is a governance issue.

For firms operating globally, including across APAC, this is not a regional concern. It is a signal of how regulators are approaching communications risk across jurisdictions.

Before exploring the issue further, it's important to clarify: What are off-channel communications?

Off-channel communications are business-related conversations that occur outside approved, recorded, and monitored systems.

This can include:

  • Personal messaging apps such as WhatsApp or Signal
  • Social messaging platforms
  • Personal email accounts
  • Unrecorded voice or video calls

The risk is not the channel itself. The risk is the absence of capture, supervision, and auditability. When firms cannot evidence communications, they cannot demonstrate compliance with recordkeeping requirements or fulfill their obligations.

Why eComms is now a global regulatory priority

Regulators increasingly expect firms to do more than maintain policies. They expect evidence that communications are:

  • captured consistently
  • retained in line with requirements
  • monitored for misconduct
  • retrievable for investigation or regulatory review

The Financial Conduct Authority sets out its expectations in SYSC 10A and related communications, including Market Watch publications. In the United States, the Securities and Exchange Commission and Financial Industry Regulatory Authority require firms to maintain and supervise records of communications related to their business. Across APAC, regulators such as the Monetary Authority of Singapore, the Australian Securities and Investments Commission, and the Securities and Futures Commission set similar expectations.

The direction is consistent. Firms are expected to eliminate blind spots in communications surveillance.

Tip - Focus on evidence, not intent. Regulators assess whether communications were captured and supervised, not whether the firm intended to comply.

What communications must firms monitor and record?

Firms are generally expected to monitor and retain communications that relate to business activity, particularly where those communications could:

  • influence investment decisions
  • relate to client orders or transactions
  • involve advice or recommendations
  • impact market integrity

This includes communications across:

  • email and collaboration tools
  • recorded voice and mobile communications
  • messaging platforms
  • financial chat systems

The exact scope varies by jurisdiction, but the principle is consistent: if a communication relates to a regulated activity, it is likely to fall within recordkeeping and supervision requirements.

The APAC dimension: why the challenge is different

For firms operating in APAC, communications surveillance adds a layer of complexity.

Super-app ecosystems

Platforms such as WeChat combine messaging, payments, and social interaction. This makes it harder to distinguish between personal and business communications, increasing the risk of incomplete capture.

Language diversity

The region’s language diversity means surveillance tools must address multiple, complex languages and local dialects. This can require advanced technology to detect compliance risks across written and spoken communication.

Cross-border regulatory alignment

Firms often must meet both local and global standards, with the strictest prevailing across jurisdictions.

Tip - Design your surveillance framework to handle the most complex jurisdiction in which you operate. This usually simplifies compliance across the rest of the business.

The rise of advanced surveillance techniques

Firms are increasingly using more sophisticated tools to manage communications risk.

These include:

  • lexicon-based monitoring
  • natural language processing (NLP)
  • detection of “channel hopping” behavior
  • analysis of non-text content such as emojis and images
  • monitoring patterns such as unusually low use of approved channels

These approaches help reduce false positives and improve the identification of higher-risk behavior. But they also increase expectations. Once firms adopt more advanced surveillance, regulators expect them to use it effectively.

Ephemeral messaging: a growing risk area

Ephemeral messaging refers to communications that automatically disappear after a set period.

Common examples include:

  • WhatsApp disappearing messages
  • Signal auto-delete messages
  • Telegram secret chats

These channels create a direct conflict with recordkeeping requirements by preventing firms from retaining communications.

Regulators regard this as a serious risk. If firms use uncapturable channels for business, they may face enforcement for non-compliance.

Tip - If a channel cannot be captured and retained, it should not be used for business communications.

Step-by-step approach to handling communication breaches

A structured response to eComms breaches is now an expected part of compliance frameworks.

1. Identify the breach

Detect off-channel or unrecorded communications through surveillance or self-reporting.

2. Assess impact

Determine whether the communication involved a regulated activity, client interaction, or potential misconduct.

3. Escalate internally

Notify compliance, legal, and relevant senior management.

4. Investigate and document

Reconstruct the communication where possible and document findings.

5. Apply remediation

This may include training, warnings, disciplinary action, or enhancements to controls.

6. Review framework gaps

Update policies, controls, and monitoring to prevent recurrence.

Pro tip - Track breach patterns, not just individual incidents. Repeated issues often point to structural weaknesses in policy or culture.

End-to-end eComms surveillance workflow

A strong eComms framework should connect capture, monitoring, and governance into a single process.

Capture

Ensure all approved channels are recorded and retained.

Supervision

Apply risk-based monitoring using automated and manual review.

Escalation

Route potential issues to compliance teams for investigation.

Recordkeeping

Maintain accessible, complete records in line with regulatory requirements.

Reporting

Support internal reporting and regulatory inquiries with clear audit trails.

The role of technology in managing eComms risk

As communication channels expand, manual approaches become less effective. Technology plays a key role in:

  • centralizing communications data
  • supporting cross-channel surveillance
  • reducing manual workload
  • improving auditability

A well-implemented platform can help firms demonstrate that communications are captured, supervised, and governed in line with regulatory expectations.

Key Points

  • The FCA’s 2025 off-channel communications review shows that breaches still occur across firms, including at senior levels.
  • Firms are expected to capture, retain, and monitor business communications, not just maintain written policies.
  • SYSC 10A remains central to the FCA’s recording expectations for in-scope telephone and electronic communications.
  • APAC regulators are taking a similar direction, with ASIC specifically warning about the risks of unmonitored and encrypted channels.
  • Strong eComms compliance depends on approved-channel governance, effective surveillance, breach remediation, and reliable recordkeeping.

Final thought

The FCA’s review is part of a broader global trend. Regulators are no longer focused only on whether firms have policies in place. They are focused on whether firms can prove that communications are being captured, monitored, and controlled in practice.

For firms operating across regions, including APAC, the challenge is to build a framework that works across different technologies, languages, and regulatory expectations. Those who can do this effectively will be better positioned to manage conduct risk and withstand regulatory scrutiny.