Off-channel communications: FCA signals cultural and accountability failures

The Financial Conduct Authority’s (FCA) August 2025 multi-firm review into “off-channel communications” confirms that they remain a persistent and material risk for firms. While monitoring tools have improved, behavioural change, especially among senior leaders, is lagging.

The FCA’s message is clear. Off-channel communications are not just a record-keeping issue. They are a test of culture, integrity, and accountability.

What the FCA found

“Off-channel communications” are business communications related to MiFID (Markets in Financial Instruments Directive) activities that are not properly captured or monitored. Typical examples include WhatsApp messages on personal devices, private email accounts or unrecorded texts.

Across 11 wholesale banks, the FCA found:

  • Eight firms reported 178 policy breaches in the past year.
  • 41% involved directors or senior managers, the very people responsible for “setting the tone from the top.”

The FCA acknowledged that firms had made improvements, such as introducing new policies covering smartwatches and emojis, the wider issue of corporate devices, and deployment of AI surveillance tools. But the FCA’s verdict is clear: technology alone will not fix the problem. Behavioural change is the missing piece.

The FCA identified three critical shortcomings:

  • Leadership behaviour: Senior managers must model compliant conduct.
  • Consequence management gap: There was no evidence of the highest-level sanctions being applied for breaches, undermining deterrence and culture. The FCA stressed that disciplinary action must be enforced consistently across all levels, including senior management, otherwise credibility collapses.
  • Third-party oversight: Many firms lacked robust frameworks to test, challenge, and escalate issues with external systems. The FCA warned that treating vendor failures as external matters rather than internal governance weaknesses represents a material shortcoming.

UK enforcement and global pressure

The FCA has yet to impose fines for off-channel breaches, but has warned that it will continue to review breach data and consider “where further action could be required.” By contrast, other UK regulators have already acted decisively: the Prudential Regulation Authority (PRA) censured Wyelands Bank and fined its former CEO for WhatsApp retention failures. Similarly, Ofgem fined Morgan Stanley’s energy trading unit £5.41 million for WhatsApp-related violations.

Internationally, the US has taken a far more forceful approach in respect of fines imposed and the remedial action required. Since 2021, the US Securities and Exchange Commission and Commodity Futures Trading Commission have imposed more than $3 billion in fines, including JPMorgan’s $200 million penalty and a $1.1 billion settlement across 16 firms in 2022. In several cases, US regulators went so far as to compel firms to recover business messages from employees’ personal devices, a step that would be incompatible with UK or EU privacy law. However, it highlights the seriousness with which these breaches are viewed internationally.

Against this backdrop, persistent cultural failings will not be tolerated indefinitely. The FCA’s principles-based supervision has clear limits. Firms should anticipate a shift toward more scrutiny, and ultimately enforcement, if leadership fails to deliver meaningful cultural change.

Beyond record keeping: the wider risks for all firms

The Senior Management Arrangements, Systems and Controls (SYSC) sourcebook obligations under SYSC 10A apply primarily to MiFID investment firms, but the regulatory risks associated with off-channel communications could extend much further.

From 1 September 2026, changes to the FCA’s non-financial misconduct (NFM) rules will expand the Code of Conduct to cover behaviours like harassment, bullying, or discrimination, even if communicated via informal channels.

Persistent use of off-channel communication could also:

  • Call into question a senior manager’s fitness and propriety under the Senior Managers and Certification Regime (SMCR).
  • Breach Principle 3 of the FCA’s Principles for Businesses, which requires firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems.
  • Attract regulatory action outside of SYSC 10A, as illustrated by the recent interventions by the PRA and Ofgem.

Key takeaway

The FCA’s message fits squarely within its broader programme of accountability and cultural reform. Surveillance tools may help firms monitor off-channel communications, but they are not enough. Enhanced frameworks can strengthen compliance, yet they cannot create accountability or culture.

Boards and senior management must ensure that disciplinary standards are applied consistently, third-party oversight is robust, and ethical conduct is modelled from the top. The review reinforces the FCA’s continuing focus on personal responsibility, integrity, and governance, themes that run through recent initiatives such as the Senior Managers and Certification Regime, the Consumer Duty, and the forthcoming non-financial misconduct reforms.

Comment

Firms that continue to treat off-channel communications as a narrow record-keeping issue risk sharper regulatory scrutiny. The direction of travel is clear: for the FCA, culture and accountability, not technology, remain the defining tests of effective leadership.
