Off-channel communications in financial services – FCA findings following multi-firm review

26 August 2025

The UK financial services market has anticipated further guidance from the Financial Conduct Authority (FCA) on off-channel communications ever since the U.S. Securities and Exchange Commission (SEC) began issuing record-breaking fines in late 2021. More than 100 regulated firms have collectively paid in excess of $2bn to the SEC for record-keeping and monitoring failures connected to employee use of unauthorised communication platforms. 

As discussed in our previous article on this topic, while the FCA has, to date, preferred supervisory engagement to large-scale enforcement, it flagged the “significant compliance risks” posed by off-channel communications as early as Issue 66 of Market Watch in January 2021.

On 7 August 2025 the FCA published its findings from a review of 11 wholesale banks of varying size and complexity. The review forms part of a wider suite of multi-firm exercises intended to test the adequacy of controls in key supervisory risk areas. Off-channel messaging (defined by the FCA as communications which take place outside of monitored, recorded channels a firm has permitted) remains firmly on that list.

The FCA’s findings do not introduce new rules. They do, however, sharpen supervisory expectations and place firms on notice that a failure to translate policy into practice will risk attracting close regulatory scrutiny.

Breach data

All firms surveyed had enhanced their procedures during the previous two years, yet the breach statistics varied markedly: a handful of banks reported no policy breaches at all, while others recorded significant numbers. The FCA has cautioned that zero breaches may be as concerning as high volumes, potentially signalling ineffective detection rather than exemplary conduct.

Notably, 41% of reported breaches involved staff at director level or above. The FCA views this as a warning sign that senior managers may not be setting an appropriate “tone from the top”. While the breach data related to internal policy breaches (as opposed to FCA rule breaches), the FCA emphasised that “repeated breaches of a firm’s own internal policy – especially if it involves a senior leader or reflects an increasing trend – may still warrant supervisory attention”.

Other findings

The FCA noted examples of how firms have improved their processes for recording and monitoring of communications:

  • frameworks: Policies have been broadened to capture new technologies (for example, smart-watch functionality). Several firms now operate dedicated helplines to provide real-time guidance and have streamlined internal disclosure processes for inadvertent off-channel use;
  • surveillance: Banks have expanded lexicons to recognise emojis and GIFs, deployed tools capable of reviewing voice notes and video messages and begun using artificial intelligence to filter false positives. Some firms analyse usage patterns to detect unusually low traffic on approved platforms (suggesting potential use of off-channel communications). Others have issued corporate devices to client-facing staff to reinforce boundaries between business and personal communication;
  • third party providers: Outsourcing of recording and monitoring solutions is on the rise, yet the FCA reminded firms that regulatory responsibilities cannot be transferred to third parties. Due diligence, oversight and contractual provisions must therefore remain robust;
  • management information: While the sophistication of MI will be proportionate to the size and scale of the firm in question, the types of MI collected by firms on this topic include: quantitative breach data with narrative context; attestation and training completion rates; corporate device monitoring that tracks activation and usage; trend analysis (e.g. of alert and investigation volumes); and progress reports on enhancement programmes; and
  • consequence management: Although internal policies frequently reference potentially serious consequences for policy breaches, the FCA found no evidence of the most serious disciplinary actions being imposed in practice.

The FCA has confirmed that it does not intend to impose new rules to further regulate communications monitoring, but it has encouraged relevant firms to reflect on the findings of its review and to consider their approach in light of the practice points identified. The absence of new prescriptive requirements should not be mistaken for leniency. Instead, the review’s findings will inform supervisors’ baseline expectations during firm visits and supervisory engagement.

It is clear that off-channel communications remain a key regulatory risk area and that the FCA’s expectations on how firms should manage this risk continue to rise as the technology to detect and manage the risks becomes ever more advanced.