The UK FCA has set out the findings of a multi-firm review into how firms manage off-channel communications.
In August 2025, the UK Financial Conduct Authority (FCA) published the results of its review into the use of so-called 'off-channel communications' by staff at eleven wholesale banks; off-channel communications are those concerning regulated activities that take place outside of monitored, recorded channels a firm has permitted. These results are likely to be of particular interest to those firms who have noted the penalties imposed by regulators in the U.S. on firms for breaches of recordkeeping requirements which involved use of off-channel communications.
Background
Off-channel communications typically include the use of personal devices, messaging apps (e.g. WhatsApp), private email accounts, messaging on social media or other tools that fall outside a firm's official communication infrastructure. Use of these channels by staff can make compliance with regulatory obligations on recordkeeping difficult.
Under 10A.1.6R in the Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) of the FCA Handbook, firms must 'take all reasonable steps to record telephone conversations, and keep a copy of electronic communications, that relate to' regulated activities where that conversation or communication is made with, sent from, or received on a work device (whether provided by the firm or a personal device that is permitted for work use). Further, SYSC 10A.1.7R requires that firms 'take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy.'
Attention was drawn to the issue by the actions taken by U.S. regulators under the previous Administration. Both the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) took enforcement action against firms for recordkeeping failures in relation to off-channel communications. The U.S. fines were substantial and often required firms to appoint an independent compliance consultant(s) to comprehensively review policies and procedures and make recommendations for improvement.
How are firms tackling the challenges of off-channel communications?
The FCA reports that the firms it reviewed had improved their processes over the past two years, and it made the following findings:
Policy: Firms are updating policies to account for emerging technologies, including devices such as smart watches. They are also encouraging staff to self‑report off‑channel communications, prohibiting the inclusion of personal contact details in directories and out-of-office replies, and encouraging multiple approved communication routes. Some have set up dedicated helplines and scenario-driven training to cover common queries received on off-channel communications. Some large firms have implemented global policies to ensure consistency between different offices; however, where this is the case, the regulator urges firms to ensure that those global policies meet UK standards.
Surveillance: Some firms have adjusted their 'surveillance lexicon' to include terms that might indicate 'channel hopping' (switching from approved to unapproved channels). Other actions include scanning emojis, GIFs, voice notes, and video messages. Some have integrated AI and natural language processing in their surveillance to filter out false alerts. While not obliged to by the FCA's rules, most of the firms in the sample issued corporate devices to their client-facing staff, rather than relying on a 'Bring Your Own Device' approach. The firms considered this to not only improve monitoring but to 'reinforce the separation of work-related and personal activities'.
Third‑Party Vendors (TPVs): It was found to be common for firms to rely on a TPV for facilitating and monitoring their communications channels. However, it was noted that the technology is not always foolproof and can be undermined by failures such as transcription errors or recording gaps.
The review also identified that poor service can discourage the use of authorised communication channels, and push staff to familiar and user-friendly channels. Firms are reminded of the need to have effective oversight over the quality of vendor service and that their responsibilities for compliance may not be transferred to third parties.
Management Information (MI): The quality of MI varied between the firms surveyed, with large firms tending to have more granular and complex MI.
- Large firms: The FCA identified that the most comprehensive MI in large firms tracks policy breaches by business area, employee grade, and severity, and monitors metrics such as the volume and outcome of surveillance alerts, staff responses, and escalation trends.
- Small firms: The FCA seems to recognise that expectations are lower for small firms (most likely given resource constraints), and the most comprehensive MI identified in small firms involves reporting data at the group level, UK-specific metrics, trend analysis of alert and investigation volumes, and regular reporting on off-channel communications issues and enhancement programmes.
Consequence management: For breaches of internal policy on off-channel communications, particularly where they do not amount to a breach of SYSC 10A, firms are responsible for deciding what action to take. Potential consequences outlined by firms ranged from (less serious) training reminders and warnings to (more serious) caps on remuneration and dismissal, with formal notes given in references. The FCA did not, however, find any evidence of the more severe penalties having been imposed.
What did the breach data look like?
The FCA surveyed seven large firms and four small firms. Three of the small firms reported no policy breaches in relation to off-channel communications. The seven large firms and the other small firm disclosed a total of 178 breaches. The breaches were concentrated amongst three of the seven large firms, which reported 49, 48, and 38 breaches respectively.
The FCA explained that a higher number of breaches does not necessarily mean that there is widespread compliance failure in a firm; a higher number of breaches may indicate more effective detection systems, while a lower number may indicate the opposite. However, given that some firms might have internal policies that are more stringent than is required by SYSC 10A, for example prohibiting off-channel communications in relation to non-regulated activities within the business (whereas the prohibitions set out in SYSC 10A are limited to off-channel communications relating to the performance of regulated activities only), not every reported breach is a violation of the FCA's requirements.
The policy breaches recorded occurred at every level of seniority within the firms. The highest number of breaches were committed by those occupying 'Vice President' positions (32 breaches), while the fewest were committed by 'Interns/Apprentices' (2 breaches). It is not easy to draw conclusions from this data given that the demographic of a firm's staff is likely to vary from firm to firm, with some skewing towards being more top- or bottom-heavy than the market 'average'. The FCA makes the point, however, that 41% of breaches involved individuals at director grade or above.
What should firms do next?
The FCA urges firms to consider the following eight questions when considering their own approach to off-channel communications:
- Do employees fully understand their responsibility to record all relevant communications?
- Does leadership set a strong 'tone from the top' and encourage a 'speak up' culture for compliance with SYSC 10A?
- Are there any unreasonable barriers preventing staff from following the policy framework effectively?
- Does the firm effectively monitor third-party vendors to ensure expected performance and reliability?
- Is the firm's surveillance model well-aligned with its business model?
- Where a global framework is in place, do UK senior managers have sufficient oversight of its implementation and results?
- Do accountable executives receive the right MI to oversee compliance and assess surveillance effectiveness?
- Where patterns of non-compliance emerge, do accountable Senior Management Functions (SMFs) take prompt corrective action?
Conclusion
While the FCA's review only looked at data from a small number of firms, it nonetheless provides a potentially useful benchmark for firms to assess their own approaches for tackling the use of off-channel communications, particularly in relation to their size and complexity.
More broadly, in January 2025 Nikhil Rathi, chief executive of the FCA, explained that the FCA would not introduce blanket rules on the use of WhatsApp or social media apps as the regulator shifted away from 'detailed rules'. The FCA reiterates that position: 'we do not intend to introduce new rules to cater for every potential scenario related to communication monitoring.'
So has the issue of off-channel communications gone 'off the boil'? The FCA is cognisant that breaches are occurring and while there might not be further guidance in this area, firms are expected to be appropriately equipped to identify breaches and deal with them as they occur. The FCA is also likely to be alive to the potential role of off-channel communications in the context of, for example, market abuse and non-financial misconduct.
Breaches also present issues for firms dealing with disclosure obligations in both regulatory and litigation proceedings, in particular the practicalities of retrieving such information from off-channel data sources (such as personal phones). This will continue to be a significant challenge for firms seeking to comply with relevant legal requirements.
Finally, firms should reflect on the eight key questions posed by the FCA in this report, make changes where necessary and evidence their response appropriately. They should also ensure they maintain breach data as the FCA indicates it will continue to discuss this with firms.