Banks are changing up how they carry out compliance “fire drills”, with reports outlining that senior leaders are now sending dummy messages to staff phones to check the potential use of off-channel communications in business dealings.
While it is common practice for compliance staff to create suspicious scenarios to check that controls are working as expected, including a dummy trade, data file, communication or regulatory request, this is an interesting application of “phishing” methods beloved by IT and cybersecurity teams worldwide.
Off channel but not off the radar
The pace of regulatory enforcement actions may have slowed compared to previous years, but in the past year alone, FINRA has fined a broker $10,000 for breaching off-channel communications and recordkeeping rules.
The SEC has also denied a motion to amend the undertakings from settled cases associated with off-channel violations, to ensure lasting impact, underlining that the penalties for non-compliance with regulations is not up for debate. A recent Financial Conduct Authority (FCA) survey into communications compliance policy breaches at major banks identified 178 WhatsApp policy breaches in just one year. Perhaps most concerningly of all, the FCA identified that senior staff were responsible for over 40% of breaches.
Clearly, off-channel communications is still on the regulatory radar, and firms are getting the message. Global Relay’s Data Insights: Communications Capture Trends in 2025/26 Report found that, across 12,000 financial institutions, there has been a 36% rise in WhatsApp capture as organizations prioritize adopting compliant capture technologies to meet regulatory expectations
This is not a drill …
“Fire drills” may be a familiar simulation exercise to test out responses to high-pressure scenarios and that compliance systems and policies are functioning as intended, but they are beginning to feel increasingly necessary.
Cyberattacks and breaches are becoming increasingly prevalent, and their impacts on business function, reputation, and profit are similarly rising. The 2024 ransomware breach of Evolve Bank and Trust through a malicious internet link resulted in the sensitive data of 7.6 million clients being stolen. Even regulators aren’t immune to potential breaches, with the Securities and Exchange Commission (SEC)’s 2024 X account takeover resulting in a $40 billion market swing (and no little embarrassment).
Fire drills and stress testing are important for ensuring systems are secure and teams are following policy but should not be considered a safe substitute for leveraging appropriate compliance technology.
Compliance should be built in, not phoned in
Using phishing methods to identify where staff might be communicating off channel is an interesting method that may see results but feels curiously redundant given the prevalence and effectiveness of communications capture solutions.
Enabling teams to use their preferred communications channels compliantly, whether WhatsApp or Telegram, means compliance teams know that records of conversations are being automatically kept. They don’t have to speculatively cast a wide net with phishing messages to see if individuals are committing to policy, because they have given them tools with compliance built in.
With Global Relay Connectors, all your data is ingested from any channel from Telegram to Snapchat, allowing businesses to compliantly capture communications seamlessly. Learn more.
