By Paul Cottee, Director, Regulatory Compliance, NICE Actimize.
The UK’s financial regulator, the Financial Conduct Authority (FCA), recently published the results of its multi-firm review into off-channel communications within wholesale banking. Off-channel communications, in this context, refer to any professional communication that occurs outside of the firm’s approved channels, such as personal emails, instant messages, or social media interactions.
The exercise surveyed 11 firms and aimed to establish a current snapshot of internal policy adherence, the measures firms have implemented to strengthen compliance, and the management information used to monitor adherence. Notably, the FCA stressed that this was not an enforcement probe, with no devices seized or interrogated, and the regulator relying solely on the breach data provided by participating firms.
The FCA characterized the review as a state-of-play exercise designed to gauge how firms are proactively managing off-channel communication risk today. It noted that all firms in the sample demonstrated some action to improve their approach, but the level and effectiveness of that action varied. Eight of the 11 firms reported internal policy breaches, totaling 178 incidents, with a striking concentration of 131 breaches among three larger firms.
This distribution, weighted heavily on larger firms, suggests an uneven adherence to policies across the industry and points to potential gaps in governance, controls, and enforcement that warrant closer attention.
Senior Staff and Breaches
A significant concern highlighted by the FCA is the participation of senior staff in breaches. Seventy-nine breaches occurred at the director level or above, and when including vice president-level staff – roles typically held by professionals with eight to ten years of experience – the total rises to 99. This pattern of involvement by senior-level personnel shows that these experienced professionals are not consistently meeting compliance expectations. This scenario raises significant questions about governance structures, sanction mechanisms, and the effectiveness of training and escalation processes.
In reviewing its discoveries, the regulator emphasized that “tone from the top” is important, underscoring the need for stronger accountability across the leadership echelons of these firms.
These results also arrive against a backdrop of long-standing regulatory monitoring and enforcement penalties across the sector. Established rules, such as SYSC 10A, which outlines the requirements for firms to develop and maintain systems and controls to manage risks, along with guidance like MW66, published in January 2021, which provides additional details, spell out stringent expectations for off-channel conduct and monitoring.
Compliance Challenges Noted
Despite straightforward rules and the ongoing enforcement activity by global regulators, the FCA notes persistent challenges in achieving comprehensive compliance with off-channel communications.
The report suggests that some individuals may believe they can evade detection, feeling insulated from accountability. Others may be completely oblivious as to how they conduct professional communications, assuming they won’t get caught bending the rules. In essence, the FCA’s findings reinforce that compliance is an ongoing effort without a distinct finish line. Firms must remain vigilant, proactive, and ready to demonstrate tangible improvement, rather than merely holding internal policies with no clear enforcement power.
Interpreting the results further, the FCA implies that there is significant variability in how firms implement and embed off-channel controls. The uneven distribution of reported breaches indicates that some organizations have made progress in hardening their controls, while others, unfortunately, remain more exposed to non-compliance.
This factor shows the critical requirement for consistent, firm-wide governance and monitoring that extends beyond policy creation to the practicalities of day-to-day supervision and operational management.
The involvement of senior personnel further signals potential gaps in governance, policy understanding, or enforcement which must be addressed through stronger accountability mechanisms, targeted training, and robust escalation processes.
The FCA’s framing of the exercise as a state-of-play assessment sharply underscores the expectation that there will be ongoing scrutiny and that firms must demonstrate readiness to present demonstrable controls and outcomes, not just policies-on-paper.
The practical takeaways aimed at developing and enforcing best practices are clear: firms should strictly formulate and then re-align internal policies governing off-channel communications to ensure comprehensive coverage across all relevant platforms.
Adopt Invigorated Review
An invigorated review process should include the evaluation and implementation of more clearly defined, permissible use policies and established predetermined consequences for non-compliance. Effective information management and surveillance are essential; firms should invest in dashboards that provide timely visibility into potential breaches and trends across both their teams and platforms.
Fostering a culture of compliance requires strong governance from the top, consistent accountability, ongoing training, and visible enforcement to ensure that senior personnel model the behavior expected of the wider organization. Above all, firms should prepare for ongoing external scrutiny by maintaining proactive monitoring, rapid incident response capabilities, and a clear record of improvements resulting from breaches.
By reiterating the potential consequences of non-compliance, firms can instill a sense of urgency and the need for immediate action, making the audience feel the gravity of the situation and the need for swift response.
The FCA’s multi-firm review on off-channel communications confirms that while firms are taking steps to strengthen controls, significant challenges remain, particularly among larger firms and at senior levels of responsibility. The exercise is a reminder that compliance is not a one-time task, but an ongoing discipline requiring sustained attention, governance, and demonstrated effectiveness.
As regulators continue to examine the risks posed by off-channel communications, firms will need to strengthen their policies, monitoring processes, and firm culture to reduce the likelihood of breaches. This also addresses potential consequences for the organizations involved and the broader financial ecosystem.
Emphasizing the ongoing nature of compliance should make business users at all levels understand and appreciate the importance of continuous vigilance and the need for sustained attention to regulatory requirements.
Meet NICE Actimize at A-Team Group’s RegTech Summit in London on October 16, and New York on November 20.