RIP BYOD? The compliance challenge of off-channel communications

Published: Sep 2025

Last month, the United Kingdom’s Financial Conduct Authority released findings into how well financial services firms are managing risks and processes around “off-channel communications.”

Although corporates have introduced stronger governance frameworks governing how their employees communicate with colleagues and with staff at other firms, some firms are still struggling to control the use of unauthorised devices, where communications cannot be monitored or retained by the employer.

The FCA’s review revealed 178 policy breaches identified across eight firms in 12 months. Notably, 41% of these breaches involved director-grade or above staff, suggesting cultural issues persist despite heightened awareness in the wake of heavy US enforcement actions. Since December 2021, the US has issued over US$2bn in penalties.

“While the FCA figures represent internal policy breaches rather than confirmed regulatory violations, the concentration of incidents among senior employees could undermine the ‘tone from the top’ necessary for effective compliance. The persistence of these breaches, particularly given firms’ enhanced frameworks over the past two years, indicates that technological solutions alone are not sufficient. The real challenge is understanding why certain employees, particularly senior ones who should know better, still reach for WhatsApp when they understand the rules,” says Christopher Collins, partner at Katten Muchin Rosenman UK LLP.

Clear divide in regulatory approach

There is a fairly clear divide in regulatory approaches. While US authorities have imposed billions in fines and required firms to, among other things, appoint independent compliance consultants, the UK has maintained a more measured supervisory approach focused on behavioural change, culture and governance.

Within Europe, Germany’s BaFin appears to be more willing to take enforcement action, recently fining Deutsche Bank for compliance failures including telephone recording obligations.

In its latest review, the FCA confirmed it wants to maintain its principles-based approach, rather than trying to introduce new rules to cater for every potential scenario. That said, UK regulators have shown they will act when needed. The PRA censured Wyelands Bank Plc in April 2023 and fined its former CEO £118,000 for failures including electronic message retention issues. In 2022 the FCA fined Sigma Brokers and its directors for market abuse reporting failures arising from off-channel communication.

“The current review serves as both guidance and warning: firms are on notice that repeated internal policy breaches, particularly involving senior staff, may lead to supervisory attention,” says Collins.

UK firms are addressing the root causes. This means removing reasons to use off-channel communications by prohibiting personal numbers in directories, establishing dedicated helplines for guidance, and ensuring multiple approved channels remain available during system outages.

Some firms have introduced brightly coloured corporate devices on trading floors as visible compliance reminders. Yet technology has not solved the problem. Firms with comprehensive management information can at least identify patterns: tracking breaches by seniority, business area and severity reveals more than raw counts do.

“When combined with material consequences, training that uses real breach scenarios and senior management that genuinely engages with the data are some of the measures that could shift behaviour rather than simply document violations,” says Collins.

Three critical failure points emerge from the review:

First, over-reliance on third-party vendors without adequate oversight contributes to failure. Second, the disconnect between policy and practice in consequence management: despite policies threatening to limit bonuses, promotion restrictions and dismissal, the FCA found no evidence of the most severe penalties being used, undermining deterrence. Third, inadequate management information that focuses solely on breach metrics without context prevents firms from understanding underlying causes.

With 41% of breaches involving director-grade or above staff, the most fundamental failure may be cultural – when senior leaders who should exemplify compliance are themselves violating policies, it signals that firms have not truly embedded the behavioural change necessary for effective control.

The FCA encouraged firms to consider eight questions:

  • Do employees fully understand their responsibility to record all relevant communications?

  • Does leadership set a strong ‘tone from the top’ and encourage a ‘speak up’ culture for compliance with SYSC 10A?

  • Are there any unreasonable barriers preventing staff from following the policy framework effectively?

  • Does the firm effectively monitor third-party vendors to ensure expected performance and reliability?

  • Is the firm’s surveillance model well-aligned with its business model?

  • Where a global framework is in place, do UK senior managers have sufficient oversight of its implementation and results?

  • Do accountable executives receive the right MI to oversee compliance and assess surveillance effectiveness?

  • Where patterns of non-compliance emerge, do accountable Senior Management Functions (SMFs) take prompt corrective action?

“In practical terms, first and foremost, firms should ensure that only company equipment is utilised for work communications rather than using personal devices for company business, and that it is locked down so that only approved apps can be installed and utilised. Whilst bring your own device policies can work and personal devices are not prohibited by the PRA/FCA, privacy considerations (GDPR) and employment law considerations restrict the ability of a company to monitor employees’ personal devices in the UK/EU,” says Karl Foster, partner at Spencer West LLP.

He notes that technical measures should also be adopted to assist in monitoring and reviewing messages and in contextualising them (eg the use of emojis and GIFs), and to automate review so that it covers voice notes, videos and other communication methods. AI can also help to filter messages and, through trend analysis, to discover hidden messages and patterns of communication.

Technical measures should be supported with robust device usage policies and firms should also be clear in their policies that they are placing responsibilities on staff members, supported by appropriate and ongoing training, to take personal responsibility to only utilise approved communications channels.

“Firms must proactively consider what reasonable steps they need to take to react to the review. One thing is certain – a box ticking exercise is not sufficient,” concludes Foster.
