A multi-firm review by the FCA into off-channel comms reveals ongoing breaches at firms across all staff grades.
The FCA study focused on the approach of firms to off-channel comms – those taking place outside of the monitored and recorded channels that a firm has permitted – with 11 wholesale banks, both large and small, taking part.
The data underpinning the study is that submitted by the firms themselves. Notably, the FCA did not validate or check on the submissions by collecting and auditing personal devices of users.
The rules applying to the capture and monitoring of both voice and electronic comms are contained in SYSC 10A and were reaffirmed in Market Watch 66.
The FCA is stressing once again that, in order to comply with these rules, firms are required to record and monitor comms related to in-scope activities and to ensure that those comms are auditable. This requirement to capture also includes conversations that lead to such in-scope activities, but not necessarily those that involve non-regulated activities such as meeting logistics.
While noting the growing use of encrypted comms, the FCA nevertheless indicates that it does not intend to introduce new rules to cater for every potential scenario related to monitoring.
Off-channel communications
In a summary of its findings the FCA said that all firms in the review sample could “evidence action taken to improve their approach” to off-channel comms, but that those improvements were being made “to varying degrees”.
The regulator makes very clear that it expects firms to take reasonable steps to prevent employees from using unrecorded channels for comms connected to in-scope activities. And it also suggests that repeated breaches of the firm’s internal policies, particularly those involving senior staff, may warrant supervisory attention. Implied is that this may be the case even in instances where such breaches do not necessarily constitute violations of FCA rules themselves.
Rob Mason, Director, Regulatory Intelligence Strategy & Market Intelligence at Global Relay, saw this document as a strong “further reaffirmation of this issue including regulatory expectations regarding capture, recording and monitoring of mobile chat and voice comms, where relevant to business.”
Improvements by firms connected to the management of off-channel comms that the FCA observed included:
- updating policies in order to ensure they cover mobile technologies;
- ensuring multiple authorized comms channels are available;
- putting in place back-up systems to record and archive comms;
- streamlining processes for self-disclosure by employees of off-channel comms;
- prohibiting the inclusion of personal numbers in out-of-office replies and directories;
- creating a dedicated off-channel comms helpline; and
- integrating common off-channel queries into training programmes.
Large firms have adopted global policies that apply across jurisdictions in order to ensure consistency. The FCA wants such firms to ensure that the policies meet UK standards.
In connection with comms surveillance the following improvements at firms were noted by the regulator:
- updating surveillance lexicons in response to emerging and non-text comms channels including emojis, GIFs, voice notes and video messages;
- identifying channel hopping by employees;
- integrating natural language processing alongside lexicon-based models;
- exploring the use of AI to filter out false alerts;
- comparing peer groups when assessing on-channel comms in order to detect potential off-channel use; and
- providing corporate devices to client-facing staff (the FCA adds here that this is not required under its rules).
In connection with the last point, some surveillance managers the regulator spoke to favored corporate devices because the use of these results in “improved recording and control as well as expectations it sets among staff.” An interesting, though anecdotal, point and one to be contrasted with a point made below about potential barriers to staff being able to follow policy frameworks.
Comms capture
An increase in the use of comms capture services provided by third-party providers was also noted, which went hand in hand with an increase in approved applications available to staff.
Firms reported a number of issues with such third-party services including:
- outages;
- data reconciliation and validation issues; and
- delays in supplying data or missing recorded data.
The FCA singled out a transcription service that was “largely inaccurate” and noted that third-party tools do not always perform as expected. In this context firms were reminded that regulatory responsibilities cannot be transferred to third parties and urged to “maintain strong oversight of their vendors and the quality of their services.”
The FCA’s findings in connection with management information are summarized in a table setting less comprehensive against more comprehensive approaches:
| | More comprehensive | Less comprehensive |
|---|---|---|
| Large firm | – Detailed breach tracking – Remedial project updates – Framework effectiveness assessment – Third-party vendor KPIs – Corporate device and BYOD monitoring – Trend analysis | – Focus solely on breach metrics without broader context |
| Small firm | – UK-specific metrics included in breach data reported at group level – Monitoring of SLAs for reviewing alerts – Tracking of issues and enhancement programmes | – Spot-checking outcomes for in-scope staff |
Breach data for the 12 months preceding August 2024 was requested from firms. This data is high-level and so difficult to interpret, but it does demonstrate that while breaches did occur across staff grades, 41% of these involved senior staff (director grade or above).
The review report does not make clear how the reported breaches were actually addressed, with the FCA simply noting that firms reported on the disciplinary actions “they may apply.” And despite the high incidence of breaches at a senior level the FCA found no evidence of disciplinary action by firms involving stricter consequences for staff.
Mason suggested that the FCA’s findings showing that such a large proportion of the breaches were by directors or grades above “reinforced the message that senior colleagues (who should have known better!) were the worst offenders”. But he went on to point out something well worth noting more generally: “These findings were provided by the selected firms, so not corroborated by the FCA.”
The FCA is also emphasizing the need for effective training in making clear and reinforcing expectations, and has suggested that this should involve role-targeted, scenario-based sessions that incorporate real examples from surveillance.
The regulator wants all firms to consider a number of key questions in connection with off-channel comms including:
- Do employees fully understand their responsibilities?
- Does leadership set a strong tone from the top and encourage a speak-up culture?
- Are there barriers to staff following the policy frameworks effectively?
- Is third-party vendor performance being monitored effectively?
- Is the firm surveillance model well-aligned with its business model?
- Do UK senior managers have sufficient oversight in instances where a global framework is in place?
- Do senior executives receive the right information to permit them to oversee compliance and assess surveillance effectiveness?
- Where there are patterns of non-compliance, do accountable senior management functions (SMFs) take prompt corrective action?
The point about potential presence of barriers to staff following policy frameworks effectively is one that is particularly worth noting in the context of rapid and continuous comms technology change.
To conclude, the FCA remains adamant that robust recordkeeping and monitoring of communications is “essential.”
This is not only in order for firms to detect and investigate misconduct, but also because it “serves as an important safeguard for firms in client disputes and litigation.”