Hands off – FCA confirms it won’t issue WhatsApp rules for banks

The Financial Conduct Authority has ended years of industry speculation around a potential UK-based compliant communications crackdown by confirming it is “not planning any wholesale rules” around WhatsApp use by firms.

29 January 2025
By Jay Hampshire
Written by humans

In brief:

  • The FCA’s chief executive Nikhil Rathi has confirmed that the regulator will not set out any detailed rules around the use of WhatsApp for unauthorized business communications
  • This is part of the regulator’s proposed “different relationship” with the finance industry, with a shift away from more prescriptive rulemaking
  • While potentially influenced by government pressure to assist in enabling economic growth, firms should still be prioritizing communications capture and monitoring to meet existing regulatory requirements

Regulators occupy a difficult position. They must stand impartial and separate from the industries they have oversight of, but must also maintain a flexible, open dialogue with that industry in order to adapt to its pace of change. Inevitably, they also face comparisons to – and pressure from – their counterparts in other territories.

The U.K.’s Financial Conduct Authority (FCA) has been in the unenviable position of being compared to the U.S. Securities and Exchange Commission (SEC) on the tricky topic of WhatsApp ever since the latter began its ‘communications compliance crackdown’ in 2021. Since then, speculation has been rife across the industry, asking if and when the FCA would follow suit – now, the industry has its answer.

“A different relationship”

On 28 January 2025, it was reported that Nikhil Rathi, chief executive of the FCA, confirmed that the regulator had:

“Decided not to introduce rules to prevent City bankers from using WhatsApp and other encrypted apps for unauthorized business communications.”

Rathi contextualized this decision “not to impose a blanket approach” as part of a wholesale “shift away from detailed rulemaking” from the FCA, explaining that:

“We’re not planning any wholesale new rules around this. We don’t think firms should expect from us lots of detailed rules to try and pin down every possible scenario that they are planning for.”

Instead, Rathi said that The City can expect “a different relationship” with the regulator going forward – one that may well prove to be more “hands off.”

Our survey says …

In September 2024, it was reported that the FCA was issuing a survey to regulated firms requesting “a list of confirmed breaches of unmonitored and/or encrypted applications policies that have been recorded in the U.K. over the last 12 months.” The survey included questions on the seniority of those involved in potential breaches, their business area, how breaches were identified, and any impact on compensation or promotions.

The survey also requested details on “enhancements/testing work [firms have] undertaken regarding the use of unmonitored and/or encrypted communications applications in the U.K.”. The FCA has undertaken two rounds of surveys into the approach firms are taking to encrypted apps, but is yet to take direct enforcement action as a result of the findings, or announce any regulatory plans. Rathi identified that:

“It’s obviously a significant issue with the prevalence of different forms of communication … We’re working with firms on a case-by-case basis to understand how they are monitoring these types of activities.”

While we are yet to see any enforcement actions from the FCA on off-channel communications, communications monitoring expectations are clearly still in place. A lack of intention to set out specific rules does not give firms carte-blanche to abandon current monitoring, archiving, and surveillance practices, and the regulator working “case-by-case” means there is still ample room for a case to be the first to see an enforcement result.

The FCA was on something of a survey hype through 2024, having also issued a first industry-wide survey into incidences of non-financial misconduct (NFM) in October, with the results indicating a year-on-year increase in reported incidents over the three years surveyed. While firms have been bracing for the regulator to issue specific NFM guidance or prescriptive rules and definitions following the survey, Rathi downplayed any plans:

“What can be categorized as non-financial misconduct is quite broad … I don’t think we could realistically give completely precise rules for everything. That would just be unrealistic.”

Under pressure

The FCA has found itself under increasing pressure from a variety of sources over the last few years. With the SEC continuing to roll out regular multi-million-dollar fines for off-channel communications violations year on year, the U.K. regulator has consistently been asked to set a clear course on whether it will take similar action.

Rathi’s statement seems to have put to rest speculation around a potential SEC-style enforcement drive, and – despite recent proclamations that its focus on off-channel will continue – changes at the top of the SEC may mean we have seen the end of the regulatory “war on WhatsApp” in its current format and cadence.

However, the FCA has also found itself under recent pressure from the U.K. government to support its drive towards increasing economic growth and competitiveness, with the potential to reduce regulatory burdens and allow market participants to take on more risk.

The FCA has responded with a range of measures aimed at streamlining existing regulations and avoiding establishing new regulatory frameworks that might impede growth. Rathi confirmed the regulator has begun to “rigorously prioritize resources” to support growth becoming a cornerstone of FCA strategy through to 2030.

The regulator also faced a degree of scrutiny from the financial industry and the U.K. government around its controversial plans to “name and shame” firms under investigation in a bid to increase enforcement transparency. Concerns were immediately raised around the potential impact this could have on the reputations of firms and individuals, and on overall market integrity. The “strength of feeling” from the industry resulted in a year of clarifications and climb-downs throughout 2024, and assurances that decisions would be made in early 2025 – decisions that have yet to materialize.

Whether the FCA’s decision around prescriptive WhatsApp rules for banks is the result of pressure from the U.K. government not to stymie growth, the regulator’s confidence in existing frameworks and legislation, or hesitancy to endure another “name and shame” level brouhaha, the FCA may well be going “hands off” because they’ve been burnt.

We might not be about to see a full-scale WhatsApp crackdown from U.K. regulators, but expectations around firms capturing and archiving their communications to meet compliance requirements are clear. The right solution can enable you to use WhatsApp for business confidently and compliantly – and stay on the right side of regulators.

 
