From Policies to Proof: What the FCA’s Updated Guidance Means for Inside Information Controls

During a private conversation, a corporate executive tells an analyst:

“We are going to miss earnings by approximately 25% this quarter.”

That is the type of communication that could constitute inside information because, if made public, it would likely affect the company’s share price.

The analyst may not have done anything wrong by receiving the information. In fact, many financial professionals legitimately come into possession of inside information as part of their day-to-day responsibilities. The challenge begins once that information is received.

Who else has access to it? How is it being communicated? Is it being shared appropriately? Can the firm demonstrate how it was controlled?

These are precisely the kinds of questions addressed in the FCA’s updated guidance on handling inside information.

To be clear, this is not a major new regulatory regime or a significant expansion of Market Abuse Regulation (MAR) obligations. Rather, the guidance reinforces existing expectations and serves as a reminder that firms should review their policies, procedures, and controls for identifying, handling, disclosing, and investigating inside information.

However, when viewed alongside broader FCA supervisory trends, the guidance signals something more important: Regulators increasingly expect firms not only to establish controls around material non-public information (MNPI), but to demonstrate that those controls are operating effectively in practice.

The obligation may be familiar, but the communications environment is not. As sensitive information moves across more channels and formats than ever before, maintaining visibility and control becomes increasingly challenging.

Why This Matters

The FCA’s guidance sits within the broader framework of the UK Market Abuse Regulation (UK MAR), which was originally introduced under the EU Market Abuse Regulation in 2016 and subsequently incorporated into UK law following Brexit.

Several UK MAR provisions are particularly relevant. Article 10 governs unlawful disclosure of inside information, Article 14 prohibits insider dealing and unlawful disclosure, while Articles 16 and 18 establish expectations around surveillance, insider controls, and recordkeeping.

However, the relevance of this guidance extends beyond MAR. The ability to control, monitor, and investigate the movement of sensitive information sits at the heart of multiple compliance functions, from market abuse and surveillance to information barriers and investigations.

Together, these provisions place responsibility on firms to control access to inside information, monitor how it moves across the organization, and identify potential misuse before it results in regulatory exposure.

The FCA’s latest guidance does not fundamentally change these obligations. What it does do is reinforce the importance of governance, documentation, and evidence.

From Policies to Proof

The FCA’s guidance focuses heavily on governance and control. It recommends that organizations establish clear procedures for identifying inside information, restricting access, maintaining records, controlling disclosure, and responding to leaks or inadvertent disclosures.

At its core, the guidance reflects a broader regulatory trend: Compliance is becoming evidence-based. It is no longer sufficient to have policies describing how sensitive information should be handled. Firms are now expected to demonstrate that those controls are operating effectively in practice and that they can provide evidence when questions arise.

When regulators investigate a leak, a disclosure event, or potential market abuse, they might ask:

• Who had access to the information?
• When did they receive it?
• Through which channels was it communicated?
• Was it shared beyond those with a legitimate need to know?
• What actions were taken once the information was identified as sensitive?
• Can the firm reconstruct what happened?

The ability to answer those questions depends on the quality of a firm’s information governance framework and the completeness of its communications records.

A Familiar Compliance Challenge in a More Complex Environment

While the guidance focuses specifically on inside information, the underlying challenge is familiar.

The same concerns that sit behind recordkeeping requirements, off-channel communications enforcement, data completeness initiatives, and modern communications surveillance programs also apply here. Firms must maintain visibility into how sensitive information moves across the organization and be able to demonstrate effective controls.

This challenge is amplified by the rapid expansion of communications channels. Inside information may now move through email, mobile messaging, voice calls, collaboration platforms, meeting summaries, and AI-assisted workflows. Information can be copied, summarized, forwarded, discussed, and transformed across channels in ways that were difficult to imagine when many surveillance programs were first established.

While the FCA’s guidance itself is relatively modest, it reflects a broader supervisory direction. Across market abuse, communications surveillance, and conduct risk, regulators are moving away from a “tick-the-box” approach and toward measurable outcomes. This represents a broader shift from reactive compliance toward proactive risk identification and active threat mitigation.

What the FCA Doesn’t Address

One notable omission from the guidance is generative AI. While the FCA focuses on information handling, disclosure controls, and leak prevention, it says little about how firms should govern AI-generated summaries, AI-assisted workflows, or the use of sensitive information within AI tools.

As adoption accelerates, firms will need to extend existing MNPI controls to AI environments, ensuring sensitive information remains protected regardless of whether it is shared by a human or processed by an AI assistant.

For many organizations, generative AI represents the newest frontier in information leakage risk, and one that will likely receive increasing regulatory attention in the years ahead.

Whether information is shared through traditional communications channels or AI-enabled workflows, firms need technology capable of detecting risk, enforcing controls, and providing defensible evidence of compliance.

How Shield Helps Firms Address These Challenges

Shield’s platform is purpose-built to help regulated organizations modernize digital communications governance while strengthening oversight around market abuse and material non-public information (MNPI) risks.

Unified Communications Governance

Shield provides a single, cloud-native platform that unifies archiving, surveillance, supervision, investigations, and voice communications monitoring.

Rather than stitching together multiple point solutions, firms can govern communications within a centralized and consistent compliance framework. This becomes more important as regulators focus on cross-channel visibility, data completeness, and the ability to demonstrate effective governance processes.

Bringing communications data together into a single environment allows firms to gain a more complete view of how sensitive information moves across the organization.

Information Barriers and MNPI Governance

Shield’s Information Barriers capabilities help firms proactively manage material non-public information risks through:

Watch and restricted list governance

• Ethical wall monitoring
• Participant tracking
• Communications surveillance tied to deal and insider contexts

Rather than relying solely on policy documentation and periodic reviews, firms can operationalize their MNPI controls and monitor communications activity against established information-sharing restrictions.

This helps firms strengthen controls around the movement and disclosure of inside information while providing greater visibility into potential barrier crossings, unauthorized sharing, and need-to-know violations.

Integrated Voice and Electronic Communications Surveillance

One of the most significant operational gaps across the industry remains fragmented voice surveillance.

Shield’s Voice offering enables firms to transcribe and analyze voice communications with high accuracy, monitor voice and written communications together, and investigate communications context holistically.

Shield’s AI-powered transcription technology is designed to perform in multilingual and noisy trading-floor conditions, helping firms surface risks that may otherwise remain hidden. As regulators focus on how information is communicated across all business communications channels, having a unified view of voice and electronic communications becomes critical.

AI-Powered Risk Detection with Explainability

As communication volumes continue to grow, firms need automation that improves effectiveness without sacrificing defensibility.

Shield’s multi-layered AI approach combines behavioral models, natural language processing, generative AI capabilities, contextual risk analysis, and explainable reasoning.

Capabilities such as Fortified Surveillance, Risk Reasoning, and AmplifAI’s agentic AI framework help compliance teams:

• Reduce false positives
• Prioritize genuine risk
• Accelerate investigations
• Maintain transparency around AI-assisted decisions

This is particularly important as regulators scrutinize the governance, accountability, and explainability of AI within compliance workflows.

Data Integrity and Defensibility

At the core of effective governance is trust in the underlying data. Shield’s architecture focuses heavily on completeness assurance, ingestion transparency, auditability, encryption, and strict access controls.

Capabilities such as record-level completeness reporting help firms validate that communications were properly captured, processed, and retained, strengthening both regulatory defensibility and operational confidence.

Building a Defensible Framework

The FCA’s guidance does not introduce new obligations, but it reinforces a broader supervisory expectation: Firms must be able to demonstrate that their controls around inside information are effective.

The complexity of communications environments requires visibility into how sensitive information moves across the organization and the ability to prove that it was appropriately controlled.

The challenge has moved beyond identifying inside information. Firms must now be able to demonstrate who had access to it, how it was controlled, and what safeguards were in place to prevent misuse.

Want to learn how Shield can support your compliance needs? Contact us.