Will AI be the next off-channel communications scandal?
Off-channel communication risks are a tale as old as time, and AI is just a new character in the regulatory story. Firms must see it as another channel to capture and monitor for misconduct, and enlist tools and policies to ensure compliant use.
Written by a human
In brief:
- Despite a reduction in the frequency of recordkeeping enforcement, U.S. regulators still have their sight set on voice monitoring, highlighted in FINRA’s 2026 Oversight report
- Voice oversight should be a priority as regulators scale up efforts to combat financial crime and to leave misconduct nowhere to hide
- Firms should also ensure they’re retaining AI-generated transcripts or summaries, which can qualify as business communications
AI is the talk of the financial industry is surrounded by AI – whether its news outlets reporting on paradigm-shifting frontier models, the rollout of new integration roadmaps in workplaces, or simply debates over whether to use OpenAI versus Anthropic.
But one conversations firms might not be having around AI is its potential to hide off-channel communications risk – and how to tackle this.
Regulators and financial institutions know the story of off-channel communications all too well, with billions of dollars in fines for recordkeeping and off-channel failures issued over the last few years. This begs the question – while the industry has a playbook for navigating off-channel risks, has it falling behind on writing new AI chapters?
The GenAI is out of the bottle
The industry is well aware of the regulatory repercussions of off-channel communications and unmonitored channels after years of high-profile enforcement actions against firms and individuals:
- September 2022 – The Securities and Exchange Commission (SEC) fined 16 Wall Street firms combined fines of over $1.1 billion for widespread recordkeeping failures due to employees routinely communicating about business matters using text messaging applications.
- September 2024 – The SEC and Commodity Futures Trading Commission (CFTC) fined 13 firms a combined penalty of $118 million for failing to capture and retain electronic communications, thus not meeting legal recordkeeping requirements.
- October 2025 – FINRA suspended and fined a broker $10,000 for sending business-related messages on a personal device, then deleting the messages to cover up misconduct.
As the industry modernizes, employees have adopted popular communications channels, such as WhatsApp and LinkedIn, because they’re fast, convenient, and familiar – though this left compliance teams needing to catch up when it came to capture. Global Relay’s Industry Insights: Compliant Communications 2025 Report, found that 39% of firms now enable and monitor all communications channels compared to just 10.3% in 2023.
Having spent the past six years grappling with instant messaging and social media channels, compliance teams are now having to consider how their organizations are using generative AI (GenAI) applications. FINRA noted that content generation, data enhancement, and conversation and question answering are some of the most common GenAI use cases, which produce outputs that may constitute business records.
The current dynamic is all too familiar: employee adoption is outpacing governance, and the industry faces a potential future compliance crisis if adjustments aren’t made today.
AI – everything, everywhere, all at once
Employees use GenAI for drafting, analysis, summarization, and decision-making across a plethora of platforms, often without compliance knowledge or oversight. An AI platform being okayed for use by cybersecurity or IT teams is one thing, but compliance teams must be an integral part of the consideration and onboarding process to avoid conversations occurring outside supervised environments.
Collaboration adds a layer of complexity – if two employees work together on a shared AI thread, that interaction may exist outside the scope of surveillance. A business communication taking place over a channel like WhatsApp is clear cut, but it can be much harder to define where an AI thread or conversation might cross into business communication territory.. Firms are also exercising caution around “black box” AI models, as there are concerns around explainability and transparency where models use complex patterns to make decisions.
While the pressure is on firms to get to grips with AI’s place in potential off-channel communications and to train teams in compliant use of these platforms, regulators also have a part to play in setting clear benchmarks they expect that firms will hit.
Regulator, regulator…wherefore art thou regulator?
Regulators globally are working to keep pace with the evolution of AI:
- The SEC is making a concerted effort to question firms about their AI governance frameworks in examinations. In 2025, it flagged artificial-intelligence-related misconduct as a key enforcement priority.
- FINRA’s 2026 Annual Regulatory Oversight Report highlights GenAI as a core compliance priority and emerging risk, urging firms to not fall behind on governance, supervision, and recordkeeping requirements.
- The FCA is conducting ongoing work on operational resilience and Consumer Duty enforcement, increasingly touching on whether firms have adequate oversight of generative tools to ensure safe and responsible use of AI in financial markets.
- The EU AI Act introduced the world’s first comprehensive legal framework for artificial intelligence to ensure AI systems are safe, transparent, and respectful of fundamental rights – though it continues to be debated and delayed.
Regulators are prioritizing innovation and encouraging the use of responsible AI to remain ahead of potential threats and misuse, leveraging existing regulatory frameworks to govern firms’ AI use – though calls for specific AI regulation or more clarity of current expectations are growing in volume.
In some ways, this is a contrast to previous stances on off-channel use, where regulators implemented blanket requirements to capture and retain communications channels without making explicit recommendations on how to do so. Firms are being left to figure out where AI platforms sit within their compliance expectations and ecosystem for themselves, leading to a range of approaches based on individual risk appetites.
Moving forward but looking back
The current AI communications risk situation is a mirror image of the off-channel communications saga. Off-channel communications proliferated where new technologies were adopted outside of a governance system to capture them, leaving compliance to play catch up with an unexpected risk avenue. With AI, the technology is already well embedded with firms, and the risk avenue should be anticipated, but compliance teams still seem to be on the back foot.
Firms that proactively implement policies and monitoring solutions and undertake employee training and vendor due diligence will be in a better position than those waiting for greater regulatory clarity. Plausible deniability did not protect firms in off-channel communications cases, and it will not now.
Firms do need to be wary of how they proceed, but they can learn from past mistakes to ensure history does not repeat itself. We may have seen this story before, but firms that act can write a happier ending.
To learn more about compliantly capturing GenAI channels to minimize risk and meet regulatory recordkeeping requirements, head here.
