Just when the finance industry may have started to feel that the regulatory “War on WhatsApp” was at an end, the Financial Conduct Authority (FCA) has released the results of a multi-firm review of off-channel communications breaches at 11 wholesale banks.
Our survey says …
A Financial Industry Regulatory Authority (FINRA) investigation found that, from October 2020 to January 20The FCA’s survey found that, over the last 12 months, the banks had reported 178 breaches of their policies governing the use of communications channels like WhatsApp and Signal, despite the ongoing crackdown the industry is conducting on off-channel communications. Of these reported breaches, 131 were within just three firms.
The FCA defined off-channel communications as “those that take place outside of monitored, recorded channels a firm has permitted.” Concerningly, the regulator identified that the largest proportion of breaches (41%) came from senior staff – the very people expected to lead from the front and set the right “tone from the top” when it comes to compliant behaviors.
Keeping (Smart) watch
It was fThe survey found that, in the wake of huge fines issued to firms by U.S. regulators for off-channel communications and recordkeeping violations in recent years, banks have been introducing a range of policies and technologies to monitor and control communications channels.
The FCA shared that banks had “introduced policies on smart watches as well as phones,” and “streamlined processes for staff to report these breaches,” with most large banks leveraging “a single, global recording and monitoring system” for employee communications. Policies also ban personal devices at work and have included issuing “brightly coloured phones” to some employees for easier identification and to “reinforce the separation of work-related and personal activities.”
Unsurprisingly, most focused monitoring and communications capture efforts on client-facing roles like investment bankers and traders, and have extended surveillance “to include emojis, GIFs, voice notes and video messages.”
The regulator noted that “AI is being used to phase out false alerts,” with firms also updating surveillance lexicons to include terms associated with emerging communications channels and to identify potential instances of “channel hopping,” where employees suggest moving conversations between channels to try and avoid being monitored.
No room for complacency
The FCA laid out its expectation that “robust record keeping and monitoring of communications is essential for firms to detect and investigate misconduct.” Simon Walls, executive director of markets at the FCA, confirmed that the most important thing is that banks are capturing and recording these conversations:
“When we do a separate investigation, we seize phones and we look through these things clearly, if we find off channel communications that matter and are designed to evade surveillance, there’s a much bigger problem with serious integrity consequences.”
“We need to recognize that with the most nefarious conversations, people will be actively seeking to avoid those sorts of channels and may be savvy to the source of the monitoring that’s taking place. So there’s no room for complacency.”
The regulator reiterated that firms are obligated to “record, monitor, and ensure communications related to in-scope activities are auditable, including conversations leading to such activities,” and that they must take “reasonable steps” to prevent employees engaging in off-channel communications. Interestingly, the FCA clearly views the issue as requiring a two-pronged approach, with firms not only leveraging compliance technologies to detect, capture, and monitor conversations, but also “focusing on improvements in behavior.”
———
Rob Mason, Director, Regulatory Intelligence – Global Relay
“The FCA has provided a strong message and a very timely warning here, without needing to take direct enforcement action. The data surrounding breaches of internal compliance policy at some firms will be cause for the industry to sit up and take notice, and it’s particularly concerning that the majority (over 41%) came from senior staff, who know full well they should be leading by example.”
“This has set a clear expectation: regulated firms need to take action and stay alert – if not, the enforcers will no doubt be knocking on doors.”
———
How can firms cut down on off-channel communications breaches?
While the survey findings do not include any breaches that the FCA may follow up with enforcement action, the findings have made it clear that off-channel communications issues persist within many firms, despite the increasing use of compliant communications solutions. In order to help firms establish what action to take next, the regulator posed several key questions, including:
- Do employees fully understand their responsibility to record all relevant communications?
- Does leadership set a strong ‘tone from the top’ and encourage a ‘speak up’ culture for compliance with SYSC 10A?
- Are there any unreasonable barriers preventing staff from following the policy framework effectively?
- Is the firm’s surveillance model well-aligned with its business model?
- Where patterns of non-compliance emerge, do accountable Senior Management Functions (SMFs) take prompt corrective action?
Firms may feel they have ready answers to some of these key questions, or that they may need some introspection on their communications compliance. One thing’s for sure – there’s no question that off-channel communications continue to be on the regulatory radar.
Establishing clear, understandable communications compliance policies and focusing on building a compliant culture are vital in the fight against off-channel communications. But, as the FCA’s survey found, solutions that enable firms to capture their communications data, including WhatsApp, and compliantly archive and monitor that data are now a business essential.
