The FCA Warns Firms to Tighten Oversight of Off-Channel Communications and Vendor Risks

The Financial Conduct Authority (FCA) has urged firms to strengthen their oversight of off-channel communications and related vendor risks, following its recent review of practices across eleven wholesale banks. The review identified key weaknesses in systems, processes and staff behaviours that could undermine firms’ ability to detect misconduct, protect consumers and maintain robust record-keeping.  

The FCA assessed firms’ policies, monitoring frameworks, reporting mechanisms, breaches and third-party arrangements to evaluate whether appropriate controls are in place to meet regulatory expectations. The review focused on communications made outside approved or monitored channels, such as unrecorded messaging apps or personal devices, when used for regulated activities.

While the review centred on wholesale banks subject to the record-keeping requirements under SYSC 10A of the FCA Handbook, the FCA noted that the findings and lessons are broadly relevant across the wider financial services sector. 

Why This Matters: 

Unrecorded or off-channel communications represent significant regulatory risks for firms, as they can allow misconduct to go undetected, hinder the reconstruction of key conversations, breach regulatory obligations and undermine consumer and investor trust.  

The increasing use of modern communication methods, including encrypted messaging apps, smart devices, voice and video messages, and even emojis or GIFs, means that traditional email and telephone monitoring alone is no longer sufficient.  

The FCA’s findings underscore that firms must take monitoring seriously, going beyond mere compliance with the rules to demonstrate effective behaviour change, robust oversight and meaningful outcomes in managing communication risks. 

FCA Findings: 

Positive Findings 

The FCA noted that, over the past two years, all firms in the sample took steps to strengthen their frameworks for managing off-channel communications. Measures include:

  • updating device and mobile policies to cover smartwatches; 
  • making it easier for staff to submit self-disclosed off-channel messages; 
  • providing business devices to client-facing employees; and  
  • prohibiting the use of personal numbers in out-of-office replies.  

Surveillance practices have also evolved. Firms are updating monitoring lexicons to capture emojis, GIFs, voice notes and video messages, as well as tracking usage patterns to identify under-use of approved communication channels.  

Areas of Concern 

  • Management Information (MI) Gaps: Some firms’ MI was not sufficiently comprehensive, focusing only on breach counts rather than root causes, trends or vendor performance metrics. 
  • Vendor Reliability Issues: Reliance on third-party vendor solutions for recording and monitoring presented challenges, including outages, data reconciliation failures and inaccurate transcription, meaning firms may not reliably capture off-channel communications. 
  • Internal Policy Breaches: In the 12-month period surveyed, eight firms reported a total of 178 breaches of internal policy. Notably: 
    • 131 of the 178 breaches (74%) were concentrated in just three firms; 
    • 41% of breaches involved individuals at director grade or above; and 
    • Breakdown by role included Vice Presidents (32 breaches), Analysts (30 breaches), and other senior managers. 
  • Persistent Behavioural Risks: Despite system upgrades, the persistence of breaches highlights the need to focus not only on systems and processes but also on behavioural change, ensuring staff use approved channels and understand associated risks. 

Recommendations:

  1. Ensure Robust Recording and Monitoring: Firms must record and monitor all telephone and electronic communications related to in-scope regulated activities, such as dealing or arranging deals in investments, in accordance with SYSC 10A. They must also take reasonable steps to prevent the use of unrecorded or unmonitored channels.
  2. Adopt an Outcome-Based Approach: The FCA’s rules do not prescribe specific platforms or apps. Firms should design controls that achieve the regulatory objective, ensuring all relevant communications can be captured, monitored and retrieved regardless of the technology used. 
  3. Address Policy Breaches Proactively: While a single internal policy breach may not constitute a regulatory violation, repeated or serious breaches will attract FCA scrutiny. Firms should implement processes to identify, report and remediate breaches promptly. 
  4. Promote a Culture of Compliance: Reinforce expectations through training, clear internal communications and senior leadership engagement. Staff should understand the risks of off-channel communications, and leadership should model and enforce compliance behaviours. 
  5. Strengthen Vendor Oversight: Where third-party solutions are used for recording or monitoring, firms must ensure vendors operate reliably and deliver complete, accurate and timely data. Regular reviews and oversight of these arrangements are essential. 

How Complyport Can Help

Complyport can support your firm in navigating the compliance challenges arising from this regulatory update by providing: 

  1. Regulatory Guidance: Expert advice on how the FCA’s findings may affect your firm’s communications-surveillance obligations and record-keeping frameworks. 
  2. Ongoing Support: Continuous compliance assistance to ensure your firm’s processes remain aligned with evolving FCA expectations. 
  3. Compliance Documentation: Review and update of policies and procedures, including drafting new documentation reflecting enhanced governance, vendor oversight and behavioural-change programmes. 
  4. Training: Tailored sessions on the practical implications of the FCA’s review and best practices for communications compliance implementation. 

Contact Us

To understand how these regulatory developments may impact your business and to discuss your compliance needs, contact Complyport today to book a meeting with one of our Subject Matter Experts. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 
