Leaders and employees know they need to keep communications over approved, auditable channels. But an out-of-office message directing a client to a personal mobile number is off-channel. A WhatsApp message arranging a meeting is off-channel.
These aren’t acts of bad faith, but they are breaches of internal communications policy. When they relate to MiFID-regulated activities, they may also engage obligations under SYSC 10A.
From September 2026, that obligation expands further: the FCA’s new non-financial misconduct rules bring bullying, harassment, and violence into scope, including cases where they occur outside monitored channels.
In August 2025, the Financial Conduct Authority published findings from its multi-firm review of off-channel communications at eleven wholesale banks. The FCA found 178 breaches of internal communications policies in a single year.
Of those breaches, 41% involved individuals at the director level or higher, indicating a strategic blind spot for leadership.
The frameworks firms are building on the ground haven’t been matched by the visibility, tools, and accountability structures that leadership needs to be part of the same system.
- What the FCA's Off-Channel Communications Review Actually Found
- Off-Channel Compliance Is a Strategic Leadership Challenge
- Third-Party Vendors and the Off-Channel Accountability Gap
- What "Reasonable Steps" Means Under FCA Scrutiny in 2026
- The September 2026 Deadline: What the New FCA Conduct Rules Mean for Off-Channel Compliance
- Frequently asked questions
What the FCA’s Off-Channel Communications Review Actually Found
The FCA surveyed 11 wholesale banks, asked them to self-report breach data for the preceding 12 months, and held follow-up discussions with firms and industry panels. No devices were seized. Everything in the report came from what firms chose to disclose.
The risks the FCA identified cluster in the places compliance programs tend to trust most: senior leadership, third-party vendors, and the cultural assumptions that connect both.
Off-Channel Compliance Is a Strategic Leadership Challenge
Every firm in the FCA’s review sample had improved its processes over the preceding two years. Surveillance systems now capture emojis, GIFs, voice notes, and video messages. AI and natural language processing are filtering false alerts. Corporate devices are standard for client-facing staff. On some trading floors, brightly coloured phones mark restricted areas so no one can plausibly confuse work and personal devices.
These are meaningful investments. What the FCA’s review raises is whether the systems around them are giving the right visibility to the right people.
Arun Chauhan, Director and Founder of Tenet Law Firm, explains why that gap persists: “People don’t prioritize compliance until something goes wrong.” The fix, he argues, isn’t just better policy. “The critical thing is policies aren’t enough. Bring them to life, make them relatable to your people so that they can understand what the risks are.”
The FCA’s review closes with eight questions it expects firms to answer. Several target senior leadership directly. The FCA wants evidence that senior leaders can actually answer these questions, not just sign off on the policies beneath them.
Banks need to focus their energy, and their culture, policies, and tools, on the directors and senior managers to whom those questions are directed.
Third-Party Vendors and the Off-Channel Accountability Gap
The August 2025 review found an increase in third-party providers facilitating the recording and monitoring of communications. It also found that firms aren’t managing those relationships with adequate rigor.
Some firms reported service outages that disrupted recording. In at least one case, a transcription service was found to be largely inaccurate — and continued to be relied upon.
The FCA’s position is unambiguous: regulatory responsibilities under SYSC 10A cannot be transferred to a third party. Firms that understood this treated third-party performance as an internal compliance question rather than an external supplier issue. They set clear contractual obligations, monitor vendors continuously, and escalate failures.
Firms assess or monitor only 33% of their vendors on average, according to Mitratech’s Third-Party Risk Management Study. And 49% report their current methods can’t track risk at every stage of the vendor lifecycle. Half of companies are still managing those relationships in spreadsheets. A vendor can pass initial due diligence but fail to maintain it. Under SYSC 10A, the firm carries that risk either way.
A vendor failure under SYSC 10A is a leadership failure. Senior managers who lack visibility into how their third-party providers are performing are facing the same strategic gap the FCA identified across the rest of the framework. It just shows up here in a different form.
What “Reasonable Steps” Means Under FCA Scrutiny in 2026
The FCA’s regime is technology-neutral by design. It has no prescribed list of approved apps and no blanket prohibitions. What it requires is that firms take all reasonable steps to record and retain relevant communications, and prevent employees from using unrecorded channels for in-scope activities.
The FCA closed its August 2025 multi-firm review, published on its website, with eight questions it expects firms to be able to answer:
- Do employees fully understand their responsibility to record all relevant communications?
- Does leadership set a strong tone from the top and encourage a speak-up culture for compliance with SYSC 10A?
- Are there any unreasonable barriers preventing staff from following the policy framework effectively?
- Does the firm effectively monitor third-party vendors to ensure expected performance and reliability?
- Is the firm’s surveillance model well-aligned with its business model?
- Where a global framework is in place, do UK senior managers have sufficient oversight of its implementation and results?
- Do accountable executives receive the right management information to oversee compliance and assess the effectiveness of surveillance?
- Where patterns of non-compliance emerge, do accountable Senior Management Functions take prompt corrective action?
Consider what that last question looks like in practice for a compliance officer at a mid-sized wholesale bank. The monthly breach report arrives. Three off-channel incidents flagged, one involving a vice president. The same name appeared last month. Disciplinary action: a reminder email. The FCA found that firms reported they could apply consequences ranging from formal warnings to capped bonuses to dismissal. It also found no evidence that the most severe penalties had ever been administered.
The September 2026 Deadline: What the New FCA Conduct Rules Mean for Off-Channel Compliance
From September 1, 2026, the FCA’s new non-financial misconduct rules extend the Code of Conduct to cover bullying, harassment, and violence against colleagues where there is a sufficient work-related link, even where that conduct occurs outside formal channels. If that conduct happens via unmonitored channels, the firm may have no record of it, no evidence of how it was reported, and no documentation of how it was addressed.
Firms preparing for September 2026 need to assess three things. First, whether their surveillance infrastructure has visibility into the shadow IT and informal channels where misconduct is most likely to go unrecorded. Second, whether staff have a credible, accessible mechanism to report conduct that occurs outside formal channels — a speak-up infrastructure that meets the FCA’s expectation. Third, whether the firm’s conduct breach reporting processes, staff policies, and fit and proper assessments are reviewed and updated before the deadline.
The August 2025 review and the September 2026 rules land on the same challenge from different directions: firms need visibility into what is happening outside their formal frameworks, and senior leaders need to be accountable for what that visibility reveals.
Frequently asked questions
What are off-channel communications?
Off-channel communications are business-related messages sent outside the monitored, recorded channels a firm has approved for use. Common examples include personal messaging apps, private email accounts, and SMS. For firms conducting MiFID-regulated activities, these communications fall within recordkeeping and monitoring obligations under SYSC 10A of the FCA Handbook.
Does the FCA fine firms for off-channel communications breaches?
Not yet — but the trajectory is clear. The August 2025 multi-firm review did not result in enforcement action, and the FCA has confirmed it will not introduce blanket rules banning specific apps. It has stated it will continue reviewing breach data and will consider further action where cultural change is not delivered.
What is SYSC 10A?
SYSC 10A is the section of the FCA Handbook governing the recording and monitoring of telephone and electronic communications. It applies to firms conducting certain MiFID-regulated activities, including arranging investment deals and dealing as agents. Firms in scope must record relevant communications, retain them, and take reasonable steps to prevent employees from using unrecorded channels.
Does the FCA’s guidance cover meeting invitations sent via personal devices?
Yes. The FCA’s rules apply broadly to communications related to in-scope activities. Even routine coordination — such as meeting invitations sent via personal channels — can fall within scope, and if a senior individual does so frequently, the FCA has indicated this warrants investigation. The concern is less about any single message and more about whether a pattern of behavior suggests an attempt to avoid surveillance.
