Security Breaches From Off-Channel Communications
The FCA's 2025 review found persistent risks from off-channel communications—such as private messaging apps—which even senior banking staff still use against policy. Most breaches clustered in a few large firms, highlighting governance and enforcement gaps. Key takeaways include the need for enforceable internal policies, improved real-time monitoring, top-down governance, and ongoing training and accountability to prevent compliance failures and protect firm integrity.
What did the FCA's multi-firm review find about off-channel communications?
The FCA surveyed 11 wholesale banking firms and found 178 reported incidents of off-channel communication breaches, with 131 concentrated in just three large firms, indicating uneven governance and controls.
What are off-channel communications?
Off-channel communications are professional conversations conducted outside firm-approved platforms, such as personal instant messaging apps or social media, which fall outside required record-keeping and surveillance systems.
How involved were senior staff in these breaches?
The review found 79 breaches involved director-level staff or above, rising to 99 incidents when including vice president-level employees, raising concerns about tone from the top and accountability.
Which regulations govern off-channel communications in UK financial services?
Rules such as SYSC 10A, the FCA Handbook chapter on recording telephone conversations and electronic communications, require firms to capture and retain relevant business communications and to maintain systems and controls around them, while guidance such as Market Watch 66 (MW66) sets out the regulator's expectations for managing off-channel conduct.
What steps should firms take to reduce off-channel communication risks?
Firms should review and enforce internal policies with clear consequences, invest in real-time surveillance dashboards, and ensure senior leaders model compliant behavior through consistent training and accountability.
The UK's Financial Conduct Authority (FCA) recently surfaced a persistent challenge in wholesale banking: off-channel communications.
This is not a new issue, but the findings from the FCA's recent multi-firm review are a stark reminder that compliance is a continuous discipline rather than a destination. They are relevant not only to banks and other financial services firms, but also to any organization operating in a regulated industry that carries comparable record-keeping and supervision obligations.
The FCA's exercise, which surveyed 11 wholesale banking firms, was a "state-of-play" assessment rather than an enforcement probe. Its goal was to understand how firms are proactively managing the risk of off-channel communications: professional conversations that take place outside firm-approved, recorded channels, for example on personal instant-messaging apps or social media. The results were a mixed bag. All firms had taken some action, but its effectiveness varied significantly.
A key takeaway was the uneven distribution of policy breaches. Out of 178 reported incidents, a staggering 131 were concentrated within just three large firms. This disparity points to potential gaps in governance and controls, suggesting that some organizations are more exposed than others.
Even more concerning was the involvement of senior staff. The review found that 79 breaches involved staff at director level or above, rising to 99 incidents when vice-president-level staff are included. This pattern shows that even experienced professionals do not consistently meet compliance expectations, and it raises serious questions about "tone from the top" and the effectiveness of training and accountability mechanisms.
These findings arrive against a backdrop of well-established regulation. Rules such as SYSC 10A, which requires firms to record relevant telephone and electronic communications and to maintain systems and controls around them, and guidance such as Market Watch 66 (MW66), which details the FCA's expectations for off-channel conduct, have been in place for years. Yet the review suggests that some individuals still believe they can evade detection, or are simply unaware of the risks.
So, what are the practical takeaways for firms looking to tighten their controls and promote a culture of compliance?
- First, it is time for a comprehensive review of internal policies. Firms must go beyond having policies on paper and ensure they have clear, enforceable rules with predetermined consequences for non-compliance.
- Second, effective information management and surveillance are critical. Investing in dashboards that give compliance teams real-time visibility into potential breaches and trends helps firms address problems as they emerge rather than after the fact.
- Finally, strong governance from the top is non-negotiable. Senior leaders must not only understand the rules but also model the behaviour expected of the entire organization. This requires ongoing training, consistent accountability and visible enforcement.
The FCA's review is a clear signal that regulatory scrutiny is not going away. Firms must be prepared to demonstrate not just their policies, but their actual controls and outcomes.
Compliance is an ongoing discipline, and only through sustained attention, robust governance and a proactive culture can firms mitigate the risks posed by off-channel communications and protect both their organization and the broader financial ecosystem.
Despite clear UK regulations and enhanced monitoring tools, financial firms still struggle to manage professional communications on unmonitored channels. The FCA's findings show that technical controls alone cannot substitute for cultural reinforcement and strong leadership, and that repeated, senior-level breaches invite further regulatory scrutiny. Firms are urged to strengthen oversight, enforce their policies, and promote a proactive culture of compliance at all levels.