By Harry Barnes, Principal Compliance Consultant
It became increasingly clear during 2024 that the use of off-channel communications by employees is becoming a higher priority for regulators. Following significant SEC fines in the U.S., and with supervisory interest from the FCA also starting, it is timely for UK firms to understand their obligations and how they can prevent their employees from using off-channel communications.
What are off-channel communications and why are regulators concerned?
Off-channel communications are communications (including calls and written messages) made through channels not approved by the employer and to which neither employers nor regulators have access. Common examples of such channels include encrypted messaging services such as WhatsApp, Signal and Telegram, but could include any number of other channels including the use of personal email accounts and text messages on unrecorded devices.
The use of off-channel communications creates regulatory risk in several different ways, including:
- Record-keeping – Regulated firms and their employees are obliged to retain all records relating to their regulated activities, including all relevant communications with clients, counterparties and other employees of the firm. With some encrypted services it is particularly difficult, if not impossible, to capture off-channel communications. Failures of this nature can leave firms in breach of their record-keeping obligations.
- Market abuse – Regulators have expressed concern that the use of off-channel communications limits both firms’ and regulators’ ability to identify, monitor, detect and prosecute possible episodes of market abuse.
- Oversight – The use of off-channel communications limits the ability of the firm and its senior management to have appropriate oversight of the regulated activities being undertaken in the name of the firm. Failure to maintain appropriate oversight could result in the FCA determining that there has been a failure by Senior Management Function (SMF) holders to establish and maintain adequate risk management, contrary to the FCA’s Principle for Business 3.
What actions have regulators taken?
Since 2021, the SEC has led the way on the issue, with a raft of investigations that have seen some of the biggest firms receive sizeable fines, some as high as $200m between the SEC and CFTC. Total fines by the SEC relating to the use of off-channel communications since 2021 have exceeded $2.2bn, with the SEC settling with 26 firms for almost $400m in August 2024 alone.
The FCA has levied no fines on the issue to date. However, the Prudential Regulation Authority (PRA) has issued fines over the poor retention of WhatsApp messages, including fines for individual SMFs deemed to have fallen foul of the conduct rules. Interestingly, Ofgem, the energy regulator, has also been involved in issuing fines to financial services firms’ energy trading businesses for record-keeping failures regarding WhatsApp communications.
In January 2025, the FCA’s chief executive, Nikhil Rathi, stated that the FCA would not establish any new discrete rules around the use of WhatsApp and other off-channel communications, preferring to enforce existing rules regarding recording, record-keeping and oversight.
What actions should firms be taking to minimise their risk?
Firms should make sure their policies relevant to communications and communication recording are up to date. Where firms have implemented “bring your own device” policies, there should be sufficient ability to record and capture business communications on these devices, such as utilising up-to-date software that allows for the capture of encrypted communications. Where communications can’t be adequately captured, then prohibitions on using certain methods and devices for business communications should be incorporated into the firms’ policies.
Firms should also remain vigilant for signs of staff using off-channel communications. This can be picked up through regular communications monitoring and other internal compliance monitoring.
Firms should also consider whether they need to adhere to the SEC rules on this matter. This would be the case, for example, where the firm also acts as a Registered Investment Adviser (RIA).
How IQ-EQ can help
At IQ-EQ we have an experienced team who can assist FCA-regulated investment firms with the most appropriate ways to establish and ensure compliance with the relevant rules around off-channel communications. And for investment firms also acting as RIAs in the U.S., we’re able to draw on the expertise of our U.S. regulatory compliance team to advise on industry best practice in complying with SEC rules.
To discuss your firm’s approach to capturing off-channel communications or to find out more about the support available from IQ-EQ’s expert compliance consulting team, contact us today.