Off-channel communications: The compliance risks of WhatsApp

The use of encrypted messaging apps such as WhatsApp, Signal, Telegram and WeChat has become routine in financial services. For client-facing staff, traders and senior executives, these platforms provide speed and ease of communication. But for regulators, they represent one of the most significant blind spots in compliance today. Conversations that take place outside official channels are difficult to monitor and harder still to preserve, undermining the systems designed to ensure transparency and market integrity.


Both UK and US regulators have sharpened their scrutiny of “off-channel communications” in recent years. The US Securities and Exchange Commission (SEC) has already issued more than $2bn in fines since 2021 for record-keeping and monitoring failures. The UK’s Financial Conduct Authority (FCA), meanwhile, has taken a more supervisory approach – but its latest findings suggest that patience may be running thin.


What are off-channel communications?

The FCA defines off-channel communications as messages conducted outside of monitored, recorded channels a firm has permitted. This typically means:

  • WhatsApp, Signal, Telegram, WeChat and similar apps.
  • Consumer device features such as smartwatches, GIFs, emojis, voice notes, or disappearing messages.
  • Personal devices used for business purposes without monitoring.


For regulators, the central concern is clear: if conversations relevant to trading, client advice, or deal execution happen on channels the firm cannot monitor, they may breach record-keeping rules and undermine market integrity.


The US crackdown: Enforcement through record-breaking fines

The United States has led the way in addressing off-channel communications, and its approach has been uncompromising. Since late 2021, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have levied more than $2bn in fines on over 100 firms. The cases have involved both Wall Street’s largest institutions and smaller regional players, showing that no firm is too big or too small to escape scrutiny.


Consistent compliance failures have included:


  • Persistent, widespread use of unapproved communications methods by employees, including supervisory personnel;
  • Failures to preserve communications that constituted required business records due to employees using unapproved communications methods on business and/or personal devices;
  • Inadequate compliance policies and procedures; and
  • Failures to reasonably supervise personnel with a view to preventing and detecting these types of violations.


What is striking is that these fines have not always related to the substance of the conversations but to the failure to preserve and monitor them. The SEC’s stance is simple: if a firm cannot produce a complete record of its employees’ communications, it cannot demonstrate compliance. The penalties are intended to send a deterrent message across the market, forcing firms to confront the risks of staff using WhatsApp or other unauthorised platforms for business conversations.


The UK response: From supervision to sharpened expectations

The UK’s Financial Conduct Authority (FCA) raised concerns about off-channel communications as early as 2021 in its Market Watch newsletter. Unlike the US, however, the FCA has avoided large-scale enforcement actions. Instead, it has preferred supervisory engagement, encouraging firms to strengthen controls through dialogue and thematic reviews.


That position is shifting. In August 2025, the FCA published the results of a review into eleven wholesale banks. This review highlighted widespread challenges in translating policies into practice. Across the banks surveyed, 178 breaches of WhatsApp and Signal policies were identified in the past year, with 131 of those breaches concentrated in just three firms.


The findings raise serious questions about leadership accountability. Forty-one percent of breaches involved directors or other senior staff, suggesting that many firms are struggling to set the right tone from the top. The FCA also noted that banks reporting zero breaches may not be demonstrating good behaviour but poor detection, warning that ineffective monitoring is itself a red flag.


What the FCA found: Policies, surveillance and consequence management

The FCA’s review showed that banks have invested heavily in new systems. Policies have been expanded to cover emerging technologies such as smartwatches, and many firms have streamlined internal processes to allow staff to report inadvertent breaches quickly. Some firms have even set up helplines to give employees real-time guidance on whether their communication channels are compliant.


Surveillance has also become more advanced. Banks now use lexicons that capture emojis, GIFs and slang, deploy artificial intelligence to review voice notes and video messages, and monitor traffic patterns on authorised platforms to detect suspiciously low usage. In some cases, firms have provided staff with corporate devices, sometimes brightly coloured phones for traders, to make it easier to distinguish business from personal communication.
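Two of the surveillance checks described above, lexicon matching that treats emojis and slang as first-class terms and "suspiciously low usage" detection on an authorised channel, are simple enough to show in working code. The block below is an added example written for this page; it is not code from the article, the FCA review or any bank's surveillance platform. The lexicon, the alert thresholds and the message and volume samples are all constructed for illustration.

```python
"""Two lightweight surveillance checks on constructed data (added example).

1. lexicon_hits: flag messages containing channel-switch or concealment terms,
   including emojis, slang and multi-word phrases.
2. low_usage_alerts: flag users whose message volume on the *authorised*
   channel has collapsed relative to their own baseline, a common sign that
   conversations have moved to an unmonitored app.
"""
import re
import unicodedata
from statistics import mean

# Hypothetical lexicon (term -> category). Real lexicons are far larger and
# tuned per desk; this one exists only to exercise the matching logic.
LEXICON = {
    "whatsapp": "channel_switch",
    "take this offline": "channel_switch",
    "signal me": "channel_switch",
    "dm": "channel_switch",
    "📱": "channel_switch",
    "🤫": "channel_switch",
    "delete this": "concealment",
}


def _normalise(text):
    # NFKC folds fullwidth and compatibility forms (e.g. ｗｈａｔｓａｐｐ);
    # casefold is a stronger, Unicode-aware lowercase.
    return unicodedata.normalize("NFKC", text).casefold()


def lexicon_hits(message, lexicon=LEXICON):
    """Return a sorted list of (term, category) pairs found in `message`.

    Alphanumeric terms are matched on word boundaries, so "dm" does not fire
    on "admin". Emoji and other non-word terms are matched as substrings,
    because \\b-style boundaries do not exist around them.
    """
    text = _normalise(message)
    hits = []
    for term, category in lexicon.items():
        norm_term = _normalise(term)
        if re.fullmatch(r"[\w\s]+", norm_term):
            pattern = r"(?<!\w)" + re.escape(norm_term) + r"(?!\w)"
            found = re.search(pattern, text) is not None
        else:
            found = norm_term in text
        if found:
            hits.append((term, category))
    return sorted(hits)


def low_usage_alerts(daily_counts, window=5, ratio=0.3, min_baseline=5.0):
    """Flag users whose recent authorised-channel volume collapsed.

    daily_counts: {user: [messages per day, oldest first]}.
    Baseline is the mean of every day before the last `window` days; an alert
    fires when the baseline is at least `min_baseline` (so habitually quiet
    users do not trip it) and the recent mean is <= ratio * baseline.
    A drop on the monitored channel is a lead, not proof: it may be leave, a
    role change, or migration to an unmonitored app. Returns
    {user: (baseline, recent)} rounded to two decimals.
    """
    alerts = {}
    for user, counts in daily_counts.items():
        if len(counts) <= window:
            continue  # not enough history to build a baseline
        baseline = mean(counts[:-window])
        recent = mean(counts[-window:])
        if baseline >= min_baseline and recent <= ratio * baseline:
            alerts[user] = (round(baseline, 2), round(recent, 2))
    return alerts


# Constructed sample input: three messages and fifteen days of per-user
# message counts on the authorised chat platform.
SAMPLE_MESSAGES = [
    "Admin: let's take this offline, 🤫",
    "Send the pricing to the admin team",
    "DM me on WhatsApp 📱",
]
SAMPLE_COUNTS = {
    "trader_a": [40, 38, 45, 41, 39, 42, 44, 40, 43, 41, 3, 2, 4, 1, 2],
    "trader_b": [30, 32, 29, 31, 30, 33, 28, 30, 31, 29, 30, 32, 31, 29, 30],
    "analyst_c": [2, 1, 3, 2, 1, 2, 3, 1, 2, 2, 0, 1, 0, 0, 1],
}

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(repr(msg), "->", lexicon_hits(msg))
    print(low_usage_alerts(SAMPLE_COUNTS))
```

Both checks are deliberately noisy: the lexicon fires on legitimate phrases and the volume check fires on holidays. That is the point the FCA makes about zero-breach firms: a monitoring programme that produces no alerts is not evidence of good behaviour, and the alerts here are inputs to a review queue, not findings in themselves.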


Despite these steps, consequence management remains weak. Policies often state that breaches can result in dismissal or other serious sanctions, but the FCA found little evidence that such penalties are ever applied. The regulator cautioned that when senior managers or vice presidents use WhatsApp in breach of policy without facing consequences, it undermines the credibility of the entire compliance programme.


Comparing regulatory approaches: UK vs US

The contrast between the US and UK approaches is stark. In the United States, regulators rely on heavy fines to force behavioural change. In the UK, the FCA has not introduced new rules and continues to emphasise supervision, but its latest review sets clear expectations that firms must detect, record and address breaches in practice.


This difference should not be mistaken for leniency. The FCA has confirmed it does not plan new rules, but its findings now represent baseline supervisory expectations against which firms will be assessed, and the absence of enforcement today does not mean it will not come tomorrow if firms are found to be complacent.


The risks for compliance teams

For compliance officers, the risks of off-channel communications are significant. A failure to detect breaches will be viewed as a failure of oversight, even if the number of recorded breaches is low. Regulators are looking closely at the role of senior leaders, and repeated or high-level breaches will draw scrutiny regardless of whether they technically break FCA rules. The reputational impact of being seen to tolerate off-channel use can be just as damaging as the regulatory consequences.


The challenge for firms is cultural as much as technological. Surveillance systems must be able to capture emojis, disappearing messages and other modern forms of communication, but policies must also be backed up by real accountability. Without disciplinary follow-through, rules will not be taken seriously by staff.

  • Record-keeping is non-negotiable – whether in the UK or US, regulators want assurance that firms can reconstruct communications in full.
  • Senior leadership must set the tone – policies are meaningless if directors themselves flout them.
  • Detection over deterrence – zero breaches do not reassure regulators; credible monitoring and realistic statistics do.
  • Technology should match behaviour – surveillance must adapt to emojis, voice notes, disappearing messages and smart devices.
  • Consequences need teeth – without real disciplinary follow-through, policies lose credibility.

Train your staff on communications compliance with our award-winning eLearning courses.