Watch out for WhatsApp: Does the FCA plan to follow in the footsteps of U.S. regulators?
There has been no shortage of fines for recordkeeping failures in the U.S., particularly from regulators like the SEC and CFTC – though movement from the U.K.’s primary financial regulator seems to point toward a future concentration on the topic.
In brief:
- Messaging platforms like WhatsApp, Signal, and Telegram have been the target of recordkeeping enforcement actions from U.S. regulators, with a new wave of fines issued as recently as this week
- Though U.S. and U.K. regulators seem to align on most financial advancements, communications compliance has not been a main FCA priority up to this point
- A recent FCA survey requests an increased focus on communications policies and recordkeeping
Communications compliance – it’s the phrase on the industry’s lips. Since 2021, we’ve seen ceaseless enforcement actions coming from multiple regulators, including the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). To date, the total amount charged to responsible firms has surpassed $3 billion.
However, despite rumors, U.K. financial regulators have been relatively quiet on the topic of compliant comms. Surprisingly, the U.K.’s Office of Gas and Electricity Markets (Ofgem) issued a fine against Morgan Stanley in August 2023 for “failure to record and retain electronic trading communications,” including traders’ use of WhatsApp to discuss business. These actions violated REMIT regulations, which are in place to safeguard the integrity and transparency of energy markets.
As Ofgem oversees electricity and downstream natural gas markets, this was not what the industry expected to be the first recordkeeping failure enforcement coming out of the U.K. Yet, the country’s financial watchdogs – most notably the Financial Conduct Authority (FCA) – have not taken steps to indicate that communications compliance is a chief concentration. That is, until recent updates, which hint the topic may be a fast-growing focus for the regulator.
The subject of the survey
As reported by FN London, the FCA will be issuing a survey to regulated firms requesting that they “provide a list of confirmed breaches of unmonitored and/or encrypted applications policies that have been recorded in the U.K. over the last 12 months.” In doing so, the regulator looks to understand how applications like WhatsApp, Signal, and Telegram are utilized in financial services.
The survey inquires about the seniority of those who were involved in breaches, their business area, how breaches were identified, and the impact these breaches had on compensation and promotions. Similarly, the survey requests information about “enhancements/testing work your firm has undertaken regarding the use of unmonitored and/or encrypted communications applications in the U.K.,” especially in light of fines for off-channel communications in the U.S.
Also included is the request for details on client complaints involving missing communications related to order executions, any audits firms have done on encrypted messaging app use, and related information sent to management.
Another key factor in the off-channel communications discussion is personal device management. The FCA addresses this in the survey by requesting that firms share the percentage of client-facing staff that have been issued a corporate device and the criteria used to select staff members who receive devices.
Commonalities across all requests made by U.S. regulators reflect several aspects of the FCA’s survey, such as the emphasis on fortifying “tone at the top,” the commitment to supervising employee communications, the spotlight on personal devices, and the response once instances of communications misconduct are identified.
It’s widely known that regulators across jurisdictions have tackled recordkeeping failures with varying levels of severity. Could it be that this survey plants the seed for a budding interest in the way U.K. firms are managing communications expectations and modernizing channels?
An interconnected combo: Comms, culture, and conduct
The FCA’s attention to both the seniority of those involved in breaches and the escalation of breaches to management continues a conversation on the cruciality of conduct and culture, especially in light of what the FCA has done to home in on non-financial misconduct over the past year.
In February 2024, the regulator sent out a survey on non-financial misconduct requiring that insurance firms provide information related to incidents of non-financial misconduct and their outcomes. In a speech on the survey, FCA Chief Executive Nikhil Rathi clarified that firms need to consider non-financial misconduct as much of a risk as financial misconduct.
It seems the FCA’s governance of recordkeeping and non-financial misconduct work concurrently to secure desired compliance outcomes. With surveys and statements intertwining to outline, in no uncertain terms, the immediate areas firms should be working on, the FCA is clear on the fact that it expects firms to have comprehensive communications and surveillance policies.
The inside scoop on off-channel comms
Earlier in 2024, Jamie Bell participated in a fireside chat at Global Relay to deliberate a variety of trends in the industry, including communications compliance. When discussing the FCA’s stance on off-channel communications, Bell stated that it was a “perennial question,” especially considering the current crackdown.
Bell underscored that although the FCA has taken a diverging approach to assessing communications compliance compared to U.S. regulators, it “will be unsympathetic” should a firm fail to manage its communications risk, surveillance policies, and breach matrix procedures. The regulator requires firms to continually uphold their communications policies and set out a “proper compliance culture.”
Financial Communications Authority?
While the industry will have to wait and see whether this movement progresses toward further regulations and investigations, firms can be sure that the FCA is serious about adherence to communications compliance regulations.
On several occasions, the FCA has reminded firms of their obligation to maintain business records. In 2021, it stated expectations for electronic communications and telephone record retention in relation to remote working. In October 2022, it commented on personal devices and their use in the industry. In its Handbook, it laid out electronic communications regulations. And with the current survey, it seems the emphasis on communications policies and record retention is only continuing to grow.
As the U.K. regulator moves in a direction similar to that of U.S. regulators, firms would be wise to follow in FCA compliance footsteps to avoid the dangers of straying too far from the path that’s been drawn out.
Enforcements for recordkeeping failures and off-channel communications push on, with several rounds of fines announced in September alone. As we consider which direction the FCA will head in next, one thing is abundantly clear – communications compliance and surveillance are significant topics to the regulator, and should be for firms, too.