Security Breaches From Off-Channel Communications

The UK’s Financial Conduct Authority (FCA) recently surfaced a persistent challenge in wholesale banking: off-channel communications.

This isn’t a new issue, but the findings from their recent multi-firm review serve as a stark reminder that compliance is a continuous journey, not a destination. The findings are relevant, not only to the players in the financial services (banking) industry, but also other organizations, especially those operating in the regulated industry verticals.

The FCA’s exercise, which surveyed 11 firms, was a “state-of-play” assessment, not an enforcement probe. Their goal was to understand how firms are proactively managing off-channel communication risks—that is, professional conversations that happen outside of approved channels like personal instant messages or social media. The results? A mixed bag. While all firms had taken some action, the effectiveness varied significantly.

A key takeaway was the uneven distribution of policy breaches. Out of 178 reported incidents, a staggering 131 were concentrated within just three large firms. This disparity points to potential gaps in governance and controls, suggesting that some organizations are more exposed than others.

Even more concerning was the involvement of senior staff. The review found that 79 breaches involved director-level or above, with a total of 99 incidents when including vice president-level staff. This pattern shows that even experienced professionals are not consistently meeting compliance expectations. It raises serious questions about “tone from the top” and the effectiveness of training and accountability mechanisms.

These findings arrive against a backdrop of well-established regulations. Rules like SYSC 10A, which mandates firms to maintain robust systems and controls and guidance like MW66, which details expectations for off-channel conduct, have been in place for years. Yet, the FCA’s report suggests that some individuals may still feel they can evade detection or are simply unaware of the risks.

So, what are the practical takeaways for firms looking to tighten their controls and promote a culture of compliance?

1. First, it’s time for a comprehensive review of internal policies. Firms must go beyond simply having policies on paper and ensure they have clear, enforceable rules with predetermined consequences for non-compliance
2. Second, effective information management and surveillance are critical. Investing in dashboards that provide real-time visibility into potential breaches and trends can help firms stay ahead of the curve
3. Finally, strong governance from the top is non-negotiable. Senior leaders must not only understand the rules but also model the behavior expected of the entire organization. This requires ongoing training, consistent accountability and visible enforcement

The FCA’s review is a clear signal that regulatory scrutiny is not going away. Firms must be prepared to demonstrate not just their policies, but their actual controls and outcomes.

Compliance is an ongoing discipline and only through sustained attention, robust governance and a proactive culture can firms mitigate the risks posed by off-channel communications and protect both, their organization and the broader financial ecosystem.