The knowledge platform for the financial technology industry

A-Team Insight Blogs

FCA Off-Channel Comms Survey Reveals 41% Senior-Level Incidents

On 7 August 2025, the UK Financial Conduct Authority (FCA) published its multi-firm review into off-channel communications across 11 wholesale banks. Eight of the firms disclosed 178 breaches of their own internal policies over the previous 12 months, with 41% of recorded incidents involving individuals at director grade or above. The FCA stresses that a breach of internal policy isn’t automatically a breach of FCA rules – but the pattern highlights persistent behavioural and control gaps that boards should treat as a standing conduct risk.

“The FCA has provided a strong message and a very timely warning here, without needing to take direct enforcement action… It’s particularly concerning that the majority (over 41%) came from senior staff, who know full-well they should be leading by example. This has set a clear expectation: regulated firms need to take action and stay alert – if not, the enforcers will no doubt be knocking on doors,” says Rob Mason, Director of Regulatory Intelligence, Global Relay.

What the FCA Surveyed

The review scoped policy frameworks, surveillance controls, third-party vendor (TPV) performance, management information (MI), breaches and consequence management. The FCA relied on firm-provided data (it did not collect or interrogate personal devices) and aimed to surface practical actions peers can adopt. The through-line is outcomes: for in-scope activities, firms must ensure communications are recorded, retained and auditable, consistent with the SYSC 10A regime and the expectations reiterated in FCA Market Watch 66.

The FCA notes improvements across the sample but ongoing breaches, including at senior grades – which calls for better behaviour, not just better detection. In practice, blanket “ban the app” policies often falter against client preferences and frontline workflows. A more sustainable approach is to approve the channels people actually use and connect them via sanctioned, capture-ready integrations so compliance becomes the easiest path.

What the FCA Found

Frameworks: Firms updated policies to reflect modern devices, streamlined self-disclosure of off-channel messages, and clarified contact points for advice. Global groups often moved to single, global policies – useful for consistency, provided UK specifics remain explicit.

Surveillance: Lexicons now look for channel-hopping, emojis/GIFs, voice notes and video messages. Some banks are augmenting lexicons with NLP/AI to reduce noise. Practitioner view: AI monitoring only scales if compliant platforms are widely adopted, because effectiveness depends on comprehensive, high-quality capture.

Third-party vendors: TPV coverage across channels is improving, but firms reported outages, reconciliation gaps and weak transcription in places. The FCA’s reminder is unambiguous: accountability under SYSC 10A cannot be outsourced – i.e., robust vendor oversight, not black-box reliance.

Management information: The strongest MI blended breach metrics with BYOD/corporate-device coverage, adoption of approved apps, TPV KPIs, alert disposition, and trend analysis with Red, Amber, Green (RAG) thresholds and narrative for boards, providing the context to steer behaviour and investment.

Breaches and consequences: Three firms reported none; eight reported 178 in total, with 131 concentrated in three institutions. Disciplinary measures ranged from training and warnings through to impacts on performance reviews and bonuses; the review did not see the most severe penalties used in the sample.

Governance and Controls

Closing the policy–behaviour gap where it matters most, at the top, is a key first step. The 41% senior-level share signals culture and tone-from-the-top issues. Under the Senior Managers and Certification Regime (SM&CR), leaders are expected to set norms – e.g., making approved-channel use and attestations the default for senior grades and making “approved and captured” the path of least resistance for everyone else. If clients prefer mobile messaging, meet them there, but only via sanctioned configurations that deliver recordable, retrievable, supervised communications for in-scope business.

The FCA doesn’t ban or endorse specific apps; it sets outcomes and expects firms to achieve them. Market Watch 66 is explicit: if an app is used for in-scope work on business-permitted equipment, it must be recorded and auditable. That opens the door to a “permissioned enablement” strategy: approve channels through official APIs, capture everything into the archive, and supervise alongside email, chat and voice. This is the sustainable way to drive consistent adoption – a prerequisite for any AI-assisted surveillance to add value.

Tone from the Top

Numbers alone can mislead, and high counts might reflect effective detection; low counts don’t prove control maturity. What matters is how quickly firms learn and improve controls where breaches are detected. As Rob Mason notes, the FCA has “set a clear expectation,” and if firms don’t act, enforcement risk rises. The review also catalogues consequence frameworks from reminders and refreshers to performance impacts; firms should be ready to escalate where behaviour persists, particularly at senior grades.

Off-channel comms won’t stand still. New features (ephemeral media, voice notes, stickers) and new networks will keep testing capture and surveillance. The FCA flags the importance of strong vendor oversight because poor service can discourage use of recorded channels and push behaviour off-channel. Looking ahead, adopting purpose-built, compliant platforms now helps firms get ahead of future shocks, including the possibility that advances in cryptography (e.g., quantum computing) could alter the risk posture around today’s end-to-end encryption. Either way, governance, capture completeness and demonstrable controls will matter more than any single app choice.

The FCA hasn’t created new rules; it has re-stated outcomes, shown what good looks like, and highlighted where frameworks, tooling and behaviour are falling short. Replace “zero-tolerance bans” with practical enablement on approved, capture-ready channels; turn TPVs into well-assured control components; and raise MI so boards can effect culture change rather than count incidents.

For a deeper dive into the e-comms surveillance challenge, head over to A-Team Group’s RegTech Summit in London on October 16 for a panel discussion titled: “The WhatsApp dilemma: Moving from prohibition to practical surveillance.” This discussion will examine the critical capabilities to look for in a good technology partner as well as the key elements regulators expect to see in an effective off-channel communications programme.
