On 7 August 2025, the UK Financial Conduct Authority (FCA) published its multi-firm review into off-channel communications across 11 wholesale banks. Eight of the firms disclosed 178 breaches of their own internal policies over the previous 12 months, with 41% of recorded incidents involving individuals at director grade or above. The FCA stresses that a breach of internal policy isn’t automatically a breach of FCA rules – but the pattern highlights persistent behavioural and control gaps that boards should treat as a standing conduct risk.
“The FCA has provided a strong message and a very timely warning here, without needing to take direct enforcement action… It’s particularly concerning that the majority (over 41%) came from senior staff, who know full well they should be leading by example. This has set a clear expectation: regulated firms need to take action and stay alert – if not, the enforcers will no doubt be knocking on doors,” says Rob Mason, Director of Regulatory Intelligence, Global Relay.
What the FCA Surveyed
The review scoped policy frameworks, surveillance controls, third-party vendor (TPV) performance, management information (MI), breaches and consequence management. The FCA relied on firm-provided data (it did not collect or interrogate personal devices) and aimed to surface practical actions peers can adopt. The through-line is outcomes: for in-scope activities, firms must ensure communications are recorded, retained and auditable, consistent with the SYSC 10A regime and the expectations reiterated in FCA Market Watch 66.
The FCA notes improvements across the sample but ongoing breaches, including at senior grades – which calls for better behaviour, not just better detection. In practice, blanket “ban the app” policies often falter against client preferences and frontline workflows. A more sustainable approach is to approve the channels people actually use and connect them via sanctioned, capture-ready integrations so compliance becomes the easiest path.
What the FCA Found
Frameworks: Firms updated policies to reflect modern devices, streamlined self-disclosure of off-channel messages, and clarified contact points for advice. Global groups often moved to single, global policies – useful for consistency, provided UK specifics remain explicit.
Surveillance: Lexicons now look for channel-hopping, emojis/GIFs, voice notes and video messages. Some banks are augmenting lexicons with NLP/AI to reduce noise. Practitioner view: AI monitoring only scales if compliant platforms are widely adopted, because effectiveness depends on comprehensive, high-quality capture.
Third-party vendors: TPV coverage across channels is improving, but firms reported outages, reconciliation gaps and weak transcription in places. The FCA’s reminder is unambiguous: accountability under SYSC 10A cannot be outsourced – i.e., robust vendor oversight, not black-box reliance.
Management information: The strongest MI blended breach metrics with BYOD/corporate-device coverage, adoption of approved apps, TPV KPIs, alert disposition, and trend analysis with Red, Amber, Green (RAG) thresholds and narrative for boards, providing the context to steer behaviour and investment.
Breaches and consequences: Three firms reported none; eight reported 178 in total, with 131 concentrated in three institutions. Disciplinary measures ranged from training and warnings through to impacts on performance reviews and bonuses; the review did not see the most severe penalties used in the sample.
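As an added illustration of the surveillance and MI findings above (this is example code written for this page, not tooling from the FCA review or from any vendor named here): a minimal lexicon scan over a constructed batch of captured messages that flags channel-hopping invitations, emoji and voice-note/video markers, then rolls the alert counts up into a per-desk Red/Amber/Green status of the kind boards receive. The app list, the patterns, the bracketed export markers, the sample messages and the RAG thresholds are all assumptions; a production lexicon is far broader, and the "noise" the FCA mentions (ordinary uses of words such as "signal") is what the context in these patterns is meant to avoid.

```python
import re
from collections import Counter

# Constructed batch of captured messages, as an archive export might present
# them. Every field and text here is invented for this example.
SAMPLE_MESSAGES = [
    {"id": 1, "desk": "rates",  "channel": "chat",  "text": "Can we take this to WhatsApp? Easier on my phone."},
    {"id": 2, "desk": "rates",  "channel": "email", "text": "Attached is the revised term sheet for review."},
    {"id": 3, "desk": "fx",     "channel": "chat",  "text": "ping me on Signal 👍"},
    {"id": 4, "desk": "fx",     "channel": "chat",  "text": "[voice note 00:42]"},
    {"id": 5, "desk": "fx",     "channel": "chat",  "text": "strong signal from the data today, staying long"},
    {"id": 6, "desk": "credit", "channel": "email", "text": "Let's discuss on the recorded line tomorrow."},
]

# Assumed list of uncaptured consumer apps. A real lexicon is maintained
# centrally and is far longer.
OFF_CHANNEL_APPS = r"(?:whatsapp|signal|telegram|wechat|imessage|personal (?:phone|mobile))"

# Channel-hopping: an invitation to continue the conversation somewhere the
# firm does not record. Each pattern ties the app name to a verb or to "me",
# so an ordinary use of a word like "signal" (message 5) does not alert.
CHANNEL_HOP = [
    re.compile(r"\b(?:take|move|continue|switch)\b.{0,20}?\b(?:to|over to|on)\b.{0,10}?\b"
               + OFF_CHANNEL_APPS + r"\b", re.I),
    re.compile(r"\b(?:ping|text|message|dm)\s+me\s+on\s+" + OFF_CHANNEL_APPS + r"\b", re.I),
    re.compile(r"\b" + OFF_CHANNEL_APPS + r"\s+me\b", re.I),
]

# Rich media that text-only lexicons used to miss. The bracketed markers are
# an assumed convention for how an export labels non-text content.
MEDIA_MARKER = re.compile(r"\[(?:voice note|video message|gif|sticker)\b", re.I)
EMOJI = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF]")  # common emoji blocks


def scan(messages):
    """Return (message_id, category, matched_text) for every lexicon hit."""
    alerts = []
    for m in messages:
        text = m["text"]
        for pat in CHANNEL_HOP:
            hit = pat.search(text)
            if hit:
                alerts.append((m["id"], "channel_hop", hit.group(0)))
                break  # one channel-hop alert per message is enough for review
        hit = MEDIA_MARKER.search(text)
        if hit:
            alerts.append((m["id"], "media_marker", hit.group(0)))
        hit = EMOJI.search(text)
        if hit:
            alerts.append((m["id"], "emoji", hit.group(0)))
    return alerts


# Assumed RAG thresholds on raw alert counts per desk for the period.
RAG_THRESHOLDS = {"amber": 1, "red": 3}


def desk_rag(messages, alerts):
    """Roll alerts up to a per-desk Red/Amber/Green status for board MI."""
    desk_of = {m["id"]: m["desk"] for m in messages}
    counts = Counter(desk_of[mid] for mid, _, _ in alerts)
    status = {}
    for desk in sorted({m["desk"] for m in messages}):
        n = counts.get(desk, 0)
        if n >= RAG_THRESHOLDS["red"]:
            status[desk] = "red"
        elif n >= RAG_THRESHOLDS["amber"]:
            status[desk] = "amber"
        else:
            status[desk] = "green"
    return status


if __name__ == "__main__":
    hits = scan(SAMPLE_MESSAGES)
    for mid, category, matched in hits:
        print(f"message {mid}: {category}: {matched!r}")
    print(desk_rag(SAMPLE_MESSAGES, hits))
```

Run as written, the scan raises four alerts (messages 1, 3, 3 and 4) and rates comes out amber, fx red and credit green. The point for MI is the one the FCA makes: a red desk may simply be the one whose channels are captured well enough to be searched, so the count needs the coverage and adoption context alongside it before a board reads it as a culture problem.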
Governance and Controls
Closing the policy–behaviour gap where it matters most, at the top, is a key first step. The 41% senior-level share signals culture and tone-from-the-top issues. Under the Senior Managers and Certification Regime (SM&CR), leaders are expected to set norms – e.g., making approved-channel use and attestations the default for senior grades and making “approved and captured” the path of least resistance for everyone else. If clients prefer mobile messaging, meet them there, but only via sanctioned configurations that deliver recordable, retrievable, supervised communications for in-scope business.
The FCA doesn’t ban or endorse specific apps; it sets outcomes and expects firms to achieve them. Market Watch 66 is explicit: if an app is used for in-scope work on business-permitted equipment, it must be recorded and auditable. That opens the door to a “permissioned enablement” strategy: approve channels through official APIs, capture everything into the archive, and supervise alongside email, chat and voice. This is the sustainable way to drive consistent adoption – a prerequisite for any AI-assisted surveillance to add value.
Tone from the Top
Numbers alone can mislead: a high count may reflect effective detection, and a low count doesn’t prove control maturity. What matters is how quickly firms learn and improve controls where breaches are detected. As Rob Mason notes, the FCA has “set a clear expectation,” and if firms don’t act, enforcement risk rises. The review also catalogues consequence frameworks from reminders and refreshers to performance impacts; firms should be ready to escalate where behaviour persists, particularly at senior grades.
Off-channel comms won’t stand still. New features (ephemeral media, voice notes, stickers) and new networks will keep testing capture and surveillance. The FCA flags the importance of strong vendor oversight because poor service can discourage use of recorded channels and push behaviour off-channel. Looking ahead, adopting purpose-built, compliant platforms now helps firms get ahead of future shocks, including the possibility that a cryptographically relevant quantum computer could break the public-key algorithms that today’s end-to-end encrypted messengers rely on for key exchange, changing the risk posture around those apps. Either way, governance, capture completeness and demonstrable controls will matter more than any single app choice.
The FCA hasn’t created new rules; it has re-stated outcomes, shown what good looks like, and highlighted where frameworks, tooling and behaviour are falling short. Replace “zero-tolerance bans” with practical enablement on approved, capture-ready channels; turn TPVs into well-assured control components; and raise MI so boards can effect culture change rather than count incidents.
For a deeper dive into the e-comms surveillance challenge, head over to A-Team Group’s RegTech Summit in London on October 16 for a panel discussion titled: “The WhatsApp dilemma: Moving from prohibition to practical surveillance.” This discussion will examine the critical capabilities to look for in a good technology partner as well as the key elements Regulators expect to see in an effective off-channel communications programme.