On 7 August 2025, the Financial Conduct Authority (FCA) published its findings on firms’ approach to off-channel communications (those that take place outside of monitored, recorded channels a firm has permitted). We have published a summary of the paper here.
It may be a matter of concern to firms that the FCA has identified continuing evidence of breaches of internal policies across the board, including at a senior level, despite improvements to internal policies and procedures and increased awareness of the dangers of off-channel communications following high-profile enforcement cases. If more junior staff see their bosses communicating on WhatsApp, for example, in defiance of an internal ban, they are likely to follow suit, and this may even contribute to a more general disregard for compliance, which could become a bigger problem for the firm and its senior managers.
Compliance teams may be faced with having to find ways of getting across the message about the dangers of off-channel communications whilst facilitating and effectively monitoring a variety of user-friendly compliant communication channels. Articulating the pain that can arise from investigations into off-channel communications, including having your device seized and your messages reviewed, can be helpful as part of a campaign to improve standards.
Key considerations for firms and senior managers include:
- Evidencing reasonable steps: How the firm would evidence that reasonable steps have been taken to prevent employees from using unrecorded channels, such as giving employees access to advice on communication-related queries. Simple attestations of compliance may not be sufficient on their own, and the most effective training will include real-life tailored examples and feedback from surveillance. A key risk may be employees with two devices mistaking their personal device for their corporate one, and the FCA gives an example of firms using brightly coloured corporate devices for easy identification.
- Keeping up to date: Whether internal policies and surveillance are keeping pace with new devices, such as watches; new channels, such as messaging apps; and new ways of communicating, such as through emojis, gifs or video messages; and whether new strategies may be usefully employed, such as using AI tools or identifying low usage of approved channels.
- Trend analysis: Whether there are repeated breaches of internal policies reflecting a trend and/or involving senior leaders which could warrant some further attention.
- Management information: How the firm is collating breach data and other communications-related MI, and whether this is being appropriately escalated to and considered by senior management in sufficient detail, with appropriate action taken, and with disciplinary action and consequences where warranted.
- Effective monitoring: How firms are monitoring compliance with internal policies and whether any indications of potential breaches are being investigated and followed up where appropriate.
- Self-reporting: Whether firms have adequate processes for employees to submit off-channel messages and contingency plans for when primary systems are down.
- Global standards: Whether global policies and implementation of these are sufficient to meet UK requirements.
- Third party vendors: How firms would evidence adequate oversight over any third-party vendors engaged in the monitoring and recording of communication channels, particularly given challenges identified by some firms, such as outages which disrupt recording and inaccurate transcriptions.
- Self-assessment: Whether firms have conducted self-assessment on the basis of the FCA’s questions, which include whether leadership is setting a strong ‘tone from the top’ and encouraging a speak-up culture; whether senior managers have sufficient oversight of any global framework; and whether accountable executives receive the right MI to oversee compliance and assess surveillance effectiveness.
If you would like any more information on the issues raised in this blog please do not hesitate to contact the author.