Expertise | Trust | Leadership

Dear Clients and Friends,

Managing electronic communication channels has been one of the most debated compliance topics of the past few years; the difficulty of reconciling regulatory expectations with ever-evolving use of language and new technology is real. Given the rapid adoption of services such as WhatsApp and WeChat, it is difficult for regulatory guidance to keep pace. The FCA has now published its Multi-Firm Review and, whilst there are no detailed rules, firms are expected to show that effective controls are in place. The FCA’s work focused on the banking sector but is applicable across the regulated sphere.

Key Takeaways:

  1. Policy Check – “Policy-Only” Controls Are Not Enough

Telling staff not to use WhatsApp etc. or personal devices does not, on its own, demonstrate compliance.

What Now?

Evidence that controls are applied in practice, not just documented on paper. Can you illustrate sufficient monitoring and oversight? Senior leaders should set clear expectations, call out breaches, and reinforce the importance of recordkeeping. Does staff training use scenario-based examples to illustrate risks and highlight pitfalls?

  2. Monitoring Approach Must Match Modern Behaviours

Traditional surveillance may not capture today’s communication styles – from emojis and GIFs to voice notes or “channel-hopping”.

What Now?

Test whether your surveillance and lexicons are up to date and reflect modern parlance and use of language and images.

  3. MI Reporting Should Show Control Effectiveness

For many, breaches are infrequent, making trend analysis difficult. Raw breach counts alone tell an incomplete story.

What Now?

Focus MI on demonstrating control effectiveness: staff attestations, training completion rates, timeliness of responses, surveillance gaps, and use of approved channels. Retain breach data and capture near misses or self-disclosures to demonstrate you understand your risk profile.

  4. Scrutiny Will Focus on Practice, Not Paper

The FCA is not interested in how policies read, but how they work day-to-day.

What Now?

Be prepared to evidence how breaches are identified, how MI informs oversight, and how risks are mitigated. Regulators will want to see controls operating in practice, not just documented intent.

Eight Questions Firms Should Ask Themselves:

The FCA highlights eight key questions to guide firms in assessing their approach to off-channel communications (see also Market Watch 66):

  1. Do employees understand their responsibility to record all relevant communications?
  2. Does leadership set the right “tone from the top” and encourage a “speak up” culture?
  3. Are there unreasonable barriers preventing staff from following policy?
  4. Is third-party vendor performance monitored effectively?
  5. Is surveillance aligned with the business model?
  6. Do UK senior managers have sufficient oversight where global frameworks exist?
  7. Do executives receive MI that enables proper compliance oversight?
  8. Do accountable SMFs act promptly when non-compliance patterns emerge?

Final Thoughts

It is not sufficient to prohibit off-channel communications on paper. Controls need to be operationally effective, monitored, and overseen by accountable SMFs.

For clients also subject to SEC oversight, it is important to note that U.S. requirements are stricter: all business-related communications must be captured and retained, including those on personal devices or non-approved apps. Both the SEC and CFTC have issued significant fines for recordkeeping failures.

Judd Advisory

September 2025.
