The Financial Conduct Authority’s (FCA) latest multi-firm review into off-channel communications breaches might not have come with headlines about blockbuster fines or public naming and shaming. But make no mistake – the message to banks is loud and clear.
Across 11 wholesale banks, the FCA found 178 breaches of internal policies on the use of unmonitored channels such as WhatsApp and Signal within the last 12 months. That number is troubling enough, but more concerning still is that over 41% of breaches were committed by senior staff.
These are the very individuals expected to lead by example on culture, conduct, and compliance, and to enshrine the FCA’s much sought-after “tone from the top”. Instead, the data suggests that – at least in some quarters – those at the top are normalising the very behaviours they are meant to deter. If this is the environment that leaders are cultivating – one in which the attitude may be “do as I say, not as I do” – why should we expect more junior staff to toe the line on compliance?
Keeping (smart) watch for misconduct
The FCA has been explicit: Robust recordkeeping and communications monitoring is essential to detect and mitigate misconduct – and this means firms must capture communications across every channel. When FCA executive director of markets, Simon Walls, talks about how, bad actors will be “actively seeking to avoid... channels” as they “may be savvy to the source of the monitoring that’s taking place,” it becomes apparent that, by compliantly capturing and enabling every communications channel, firms leave misconduct nowhere to propagate.
The context here is important. US regulators have already imposed significant fines on global banks for recordkeeping failures linked to off-channel communications. That wave of enforcement triggered a scramble to implement new controls – from banning personal devices for business chats, to issuing “brightly coloured phones” to the populations presenting the highest potential risk of communications breaches. Some firms have even introduced policies for smartwatches. Yet, the FCA’s latest findings show that deterrents alone aren’t quite enough.
Building better behaviours
While technology has been implemented to control off-channel communications, the real issue is behavioural. Compliance tools can only go so far if there is no willingness – particularly among senior staff – to use approved channels consistently. Worse still, when those at the top cut corners, it sends a corrosive message to everyone else: That policies are optional.
This is why the FCA’s warning is so timely. The regulator’s questions to firms cut right to the cultural core: Do employees truly understand their obligations? Does leadership model the right behaviours? Are there barriers, real or perceived, that push people toward non-compliant channels? And when patterns emerge, do senior managers act decisively?
These are not box-ticking questions. They are the foundation of a compliance culture that works in practice, not just on paper.
Closing the compliance gap
Given the current pace of communications channel change, firms must keep pace with emerging technologies – including spotting “channel hopping” between apps – but the real change will come from removing excuses and reinforcing the right culture.
That means making compliance tools as frictionless and functional as possible, ensuring senior leaders are visible champions of policy, treating breaches consistently – regardless of the rank or revenue generation of those responsible – and embedding off-channel compliance into performance reviews, promotion criteria, and potential salary clawbacks.
This isn’t just about WhatsApp, Signal, or whatever the next “problem” app might be. It’s about integrity, accountability, the credibility of leadership, and transparency and equal expectations around compliance. And those are channels that must remain open at all times.
The FCA has given the industry a chance to act without the looming threat of enforcement – for now. Regulated firms need to act and stay alert. If not, the enforcers will no doubt be knocking on doors.
