Navigating Off-Channel Communications: From Hidden Chats to Regulatory Frontline
On August 7, 2025, the FCA released findings from a review of eleven financial firms’ approaches to off-channel communications (OCC). The findings didn’t add new rules, but they underscored a shift: Regulators now treat OCC as a frontline conduct and governance risk.
That risk is already visible inside firms. The FCA’s review found that while 85% of executives say they worry about OCC fines, only 51% make avoidance a priority. One in four admit their mobile communication policies aren’t enforced—and nearly one in 10 have no OCC policy at all.
Meanwhile, with over three billion people using apps like WhatsApp, WeChat, Telegram, and iMessage, employees and clients naturally gravitate toward fast, familiar tools, even when policies prohibit them.
This makes it increasingly difficult for firms to supervise conversations outside approved channels, a challenge underscored by roughly $755 million in fines issued by the SEC and CFTC over the past 24 months.
The trend shows no sign of slowing. In the U.S., the SEC has fined more than 100 firms a combined $2 billion since last year, including $600 million in 2024 alone and $63.1 million in January against firms such as Charles Schwab, Apollo, and KKR. Regulators on both sides of the Atlantic are aligned in treating OCC as a top enforcement priority.
These findings highlight more than technical gaps; they reveal cultural and operational misalignments. Enforcement is being used not only to penalize but also to push firms toward aligning technology, policy, and workplace habits with long-standing recordkeeping requirements.
For firms, the real task is aligning people, processes, and policies. That is not just about updating rules; it means equipping people with the right tools, embedding compliant processes into daily workflows, and reinforcing a culture of accountability.
What Are Off-Channel Communications
Off-channel communications are any business-related communication sent outside a company’s approved and monitored platforms, whether through personal apps like WhatsApp, WeChat, or iMessage, or on social media.
When employees take business conversations offline, oversight and recordkeeping are lost. Period. If you can’t see it, you can’t monitor it. This opens firms to regulatory and reputational risk. On paper, the solution seems simple: keep staff only on approved platforms. In practice, toggling between personal and work apps is a daily friction point. When the goal for traders is to make a deal and the customer wants to make a deal on WhatsApp, do you think they’re going to force the customer back to Bloomberg? Unlikely.
Even as firms authorize additional apps, end-to-end encrypted platforms like WhatsApp and Telegram present ongoing challenges. The harder question is: How can firms exercise oversight in consumer-first tools designed for privacy, not compliance?
Surveillance tools that flag cues such as “text me later” or “check WhatsApp” can signal off-channel use, even without explicit mentions, giving compliance professionals an early warning.
The Tension Between Financial Firms and Regulators
Under the FCA’s SYSC 10A, firms must record and monitor in-scope communications and take reasonable steps to prevent unapproved channels.
10 essential compliance takeaways from SYSC 10A:
- SYSC 10A sets out rules requiring firms to record calls and electronic communications related to activities in financial instruments.
- It applies to MiFID investment firms and other regulated entities involved in arranging, dealing, or managing investments.
- Firms must record and retain telephone conversations and electronic communications that relate to orders, transactions, or investment services.
- All reasonable steps must be taken to prevent business being conducted on unrecorded devices (e.g., private mobiles or messaging apps).
- The recording obligation covers both actual and intended transactions—even if a deal is never completed.
- Clients must be notified that their communications may be recorded before receiving investment services.
- Records must be stored securely in a tamper-proof format and kept for at least five years (seven if requested by the FCA).
- Retail firms may keep written notes instead of recordings, if they meet exemption criteria under MiFID optional rules.
- Face-to-face or non-telephone instructions must be recorded in a durable medium, such as a written note or email record.
- The purpose of SYSC 10A is to enhance market integrity and protect consumers by ensuring transparency, traceability, and compliance oversight.
The FCA won’t regulate every app, but it expects firms to prove their surveillance is effective. This requires leadership to embed strong compliance strategies that integrate governance, risk assessment, policies and procedures, culture, training, and data-driven technology.
Regulators expect more than coverage—they expect precision. Compliance leaders must cut through the noise and focus on meaningful signals.
Why Surveillance Must Move Beyond Keywords
As communication formats expand, which now include emojis, GIFs, and voice notes, traditional lexicon-based monitoring is no longer enough.
Regulators now expect surveillance technologies to evolve beyond keywords, using context-aware approaches, like Natural Language Processing (NLP), that can identify behaviors and intent, such as attempts to move conversations off record, “channel-hopping,” or subtle cues such as “message me later.”
The operational challenge is significant: As highlighted in a WatersTechnology article, 78% of compliance teams remain swamped by false positives, while legacy practices like random sampling leave critical gaps.
Modern approaches that combine advanced analytics, entity recognition, and behavioral pattern detection help firms focus resources on the highest-risk activity. Context-aware monitoring is critical to catching subtle OCC risks that keywords alone miss.
As I recently explained in a WatersTechnology interview, “We look for patterns and associated risk, for example, talking about a trade and then saying, ‘text me later.’”
But regulators are clear: Technology is only effective when paired with human judgment and strong governance.
Why Accountability Still Belongs to the Firm
Many firms rely on third-party vendors to broaden surveillance coverage. However, the FCA has been clear: Accountability under SYSC 10A cannot be outsourced.
Vendors may promise comprehensive capture, but in practice data outages, transcription errors, and reconciliation gaps create blind spots. To mitigate these risks, firms must treat vendor oversight as an ongoing governance function, not a procurement checkbox. This means:
- Setting clear resilience expectations
- Stress-testing systems
- Demanding transparency on accuracy and false-positive reduction
Firms need a strategic partner that ensures alignment across initiatives while owning both execution and outcomes. Technology alone isn’t enough; organizations must continuously validate results, reconcile vendor outputs with internal data, and act quickly when gaps appear. By doing so, compliance teams gain the clarity and confidence to make informed decisions and strengthen overall performance.
Challenges and Complexities
After billion-dollar fines, why are firms still struggling with off-channel communications?
Human Behavior and Practical Realities
Because the challenge isn’t just policy—it’s people and practicality. Employees will always default to the fastest, most familiar tools, and no policy alone can stop that. Encryption, personal devices, and hybrid work blur boundaries between professional and personal life, making supervision harder by design. These human behaviors create an uneven foundation, one that even the most advanced technology struggles to control.
Technology Gaps and Legacy Surveillance Systems
Technology gaps add to the problem. Many firms still rely on outdated, lexicon-based surveillance systems that look for specific words but miss the intent behind them. This approach can be especially noisy once you account for the permissible uses of SMS and messaging apps that firms have put in place in the wake of the SEC fines and ongoing OCC guidance.
The result? A flood of irrelevant alerts that add noise instead of insight, which is a problem that compliance teams know all too well.
False Positives and Compliance Fatigue
In practice, this noise is compounded by everyday use cases that aren’t truly risky. For example, in some jurisdictions it’s common for someone to include WhatsApp in their signature. Or marketing materials might invite recipients to SMS a number for more information.
The list of legitimate but irrelevant mentions of “taking things offline” is long. So what’s the result when this is tackled with a simple lexicon? Endless false positives that bury true risk and exhaust compliance teams.
AI and Context-Aware Monitoring
But these challenges are where AI can change the equation. Context-aware monitoring powered by Natural Language Processing (NLP) and behavioral analytics can detect patterns, sentiment, and subtle off-channel cues. For example, phrases like “message me later” or “let’s talk elsewhere” could be missed by traditional systems.
AI helps compliance teams move from reactive review to proactive detection. It reduces noise, surfaces real behavioral risk, and lets human reviewers focus on what truly matters.
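The contrast described above, as an added example that is not Shield's code or any vendor's method: a keyword-only baseline next to a simple rule that flags a move-off-channel cue only when trade language appears nearby in the same thread. Regex rules stand in for the NLP layer here; the term lists, the `lookback` window, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re

# Lexicon a keyword-only system might use (hypothetical terms for this example).
LEXICON = re.compile(r"\b(whatsapp|wechat|telegram|imessage|sms|text me|message me)\b", re.I)
# Cues asking the other party to continue the conversation elsewhere.
MOVE_CUE = re.compile(r"\b(text me|message me|check whatsapp|let'?s talk elsewhere)\b", re.I)
# Business context: trade-related language.
TRADE = re.compile(r"\b(trade|order|price|bid|offer|block|fill)\b", re.I)
# Contact-detail lines typical of e-mail signatures, e.g. "WhatsApp: +00 ...".
CONTACT_LINE = re.compile(r"^\s*(whatsapp|mobile|tel|sms)\s*:", re.I)

def body_without_contacts(text):
    """Drop signature-style contact lines so they cannot trigger a cue."""
    return "\n".join(l for l in text.splitlines() if not CONTACT_LINE.match(l))

def lexicon_alerts(messages):
    """Keyword-only baseline: flag every message that mentions a lexicon term."""
    return [mid for mid, _thread, text in messages if LEXICON.search(text)]

def context_alerts(messages, lookback=2):
    """Flag a move cue only when trade language appears in the same thread,
    in the cue message itself or the `lookback` messages before it."""
    alerts, history = [], {}
    for mid, thread, text in messages:
        body = body_without_contacts(text)
        recent = history.setdefault(thread, [])
        window = recent[-lookback:] + [body]
        if MOVE_CUE.search(body) and any(TRADE.search(m) for m in window):
            alerts.append(mid)
        recent.append(body)
    return alerts

# Constructed sample messages (id, thread, text); not real data.
SAMPLE = [
    ("m1", "t1", "Can you show me a price on the 5y block?"),
    ("m2", "t1", "Working it now. Text me later for the rest."),
    ("m3", "t2", "Thanks for lunch!\nRegards, Sam\nWhatsApp: +00 0000 000000"),
    ("m4", "t3", "New brochure is out. SMS INFO to 00000 for more information."),
    ("m5", "t4", "Running late, message me later about dinner."),
]

if __name__ == "__main__":
    print("lexicon:", lexicon_alerts(SAMPLE))
    print("context:", context_alerts(SAMPLE))
```

On the sample, the lexicon flags the signature, the marketing line and the dinner message along with the real cue, while the context rule keeps only the message that follows trade talk.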
Adapting Beyond Policy
Ultimately, firms that thrive in this new regulatory environment recognize a simple truth: You can’t policy your way out of the off-channel problem—you have to analyze, understand, and adapt to it.
Best Practices and the Way Forward
Firms leading the way treat OCC oversight as a dynamic discipline, not a compliance checkbox. From both FCA guidance and industry practice, a few priorities stand out:
- Refresh communication mapping and policies regularly. Channel use evolves constantly. Regular reviews ensure coverage keeps pace with new apps, devices, and communication patterns.
- Establish clear BYOD vs. corporate-device strategies. Employees need clarity on what’s permitted and where the line is drawn. Strong boundaries between personal and business communication minimize risk and confusion.
- Layer AI/NLP on top of lexicons for smarter surveillance. Context-aware monitoring helps firms detect intent and behavioral cues—reducing false positives and surfacing higher-value alerts faster.
- Rigorously test and oversee vendors. Surveillance responsibility doesn’t end with procurement. Firms should stress-test capture accuracy, validate data integrity, and demand transparency from third-party providers.
- Use training as a lever for cultural change. Embedding compliance in daily behavior turns policies into habits. Practical training and leadership modeling help make compliant communication second nature.
- Enforce consistent consequence management. Strong governance depends on fair, transparent enforcement. Firms leading in OCC oversight apply policies consistently, ensuring accountability and deterring repeat breaches.
What Does Effective Surveillance Look Like With Shield?
Effective surveillance means more than detecting keywords or casting wide nets to capture every mention of WhatsApp, disrupting risk programs and capacity as a result. It’s about surfacing true risk—faster and with confidence.
A Multi-Layered, AI-Driven Approach
That’s why Shield takes a multi-layered, AI-driven approach. First, entity recognition tags every mention of messaging apps or personal devices. Then, a custom off-channel classifier flags any instance of off-channel language, whether or not there’s immediate risk, so nothing slips through the cracks.
We also go further by combining that signal with behavioral rules and risk language patterns to isolate the most problematic or evasive activity. And finally, everything passes through Shield’s AmplifAI Fortified Surveillance: A GenAI-powered validation layer that suppresses irrelevant alerts and surfaces any missed risk.
Data Integrity as the Foundation of Compliance
Effective surveillance depends on data you can trust. Shield’s latest data integrity framework sets a new benchmark for completeness and transparency across the full communications lifecycle. Built into the native, AI-powered Shield platform, it delivers zero-gap data capture, real-time visibility, and on-demand access—eliminating blind spots that undermine compliance confidence. By ensuring every message, alert, and audit trail is verifiable end-to-end, Shield gives firms the clarity and control they need to meet rising regulatory expectations and close the data integrity gap once and for all.
Turning Oversight into Proactive Control
With a foundation of complete, transparent data and AI-powered surveillance, Shield enables compliance teams to focus on what truly matters. Every alert is context-rich and explainable. Every action is traceable. Every policy is enforceable. The result is a defensible, data-driven compliance framework that transforms oversight from reactive review to proactive control.
Making Off-Channel Communications Compliance Part Of Daily Behavior
Off-channel communications have been a frontline compliance risk since the release of the first smartphone. Communications evolve as the world evolves, and so must the way we monitor them. The FCA’s recent findings make clear that firms must show governance, surveillance, and culture keeping pace with how people communicate today.
Policies alone are not enough. Firms need strong leadership oversight, smarter surveillance, and cultural reinforcement of compliant habits. And they must hold vendors to the same standard of accountability—because regulatory responsibility cannot be outsourced.
The real differentiator will be how well firms embed compliance into daily behavior—not just systems. Done well, this reduces regulatory risk while strengthening trust with clients, employees, and regulators alike. Off-channel conversations aren’t a glitch—they’re a governance gap.
Our experts can help you transform compliance operations with smarter surveillance, sharper insights, and actionable behavioral oversight. Contact us today to learn how Shield closes the gap for leading financial institutions.