As US regulators clamp down, how are other regulators managing eComms surveillance?
US financial institutions are under increasing regulatory pressure over their handling (or perhaps more accurately, lack of handling) of off-channel electronic communications (eComms) records. We’ve been monitoring global enforcement data throughout the year and over 70 fines, collectively exceeding $700 million, have been handed out to firms so far for deficiencies in their eComms surveillance.
The vast majority of these fines have been issued by North American regulators. However, the challenges associated with managing off-channel messaging applications are by no means unique to the US. So why have we seen comparatively less regulatory action elsewhere?
Divergent regulatory approaches play a key role. While North American regulators often impose fines to enforce compliance, regulators in the UK, Europe, and Australia take a more hands-on approach. Instead of issuing immediate penalties, they closely oversee regulatory remediation, ensuring that substantial changes are made right away. This process, however, is far from comfortable - financial institutions are effectively pushed to adjust their systems and controls under constant scrutiny. While it may avoid fines in the short term, it’s a challenging way to enact organisational change.
Without large fines to apply public pressure to the rest of the market, these regulators have used other means. The FCA, for example, has voiced concerns related to off-channel communications on a number of occasions, either through newsletters (2021) or by directly discussing personal device use with UK authorised firms (2022).
While regulatory approaches may differ, the message is clear: firms cannot afford to overlook eComms surveillance. Firms outside North America should be aware that a single major failure could trigger regulatory contagion, prompting the adoption of stricter measures, such as the large fines imposed in the US. But the risks are not just hypothetical; they are real and immediate. Regulators in the UK, Europe, and beyond have already demonstrated their willingness to impose fines for serious breaches. This blog outlines key examples to help firms understand what to expect.
United Kingdom
The UK remains vigilant. Regulators such as Ofgem, the PRA, and the FCA have taken a strong stance against recordkeeping failures.
Ofgem
Ofgem fined Morgan Stanley £5.4 million for failing to record and retain trader communications sent via WhatsApp, marking the first enforcement of its kind under regulation 8 of REMIT, which requires firms to maintain “relevant communications” for regulatory access.
Ofgem’s Final Notice made reference to deficient systems and controls, and although Morgan Stanley had policies prohibiting non-approved messaging, the steps taken to enforce these policies were insufficient.
PRA
The PRA censured Wyelands Bank in April 2023 for lacking formal recordkeeping policies. Senior executives used WhatsApp to discuss transactions, but messages were not retained.
While there was no monetary penalty in this instance - due to the bank winding down, which meant financial sanctions would have caused unnecessary harm - the fine would have been approximately £8 million had circumstances been different.
FCA
The FCA’s enforcement against Sigma Broking in 2022, although predominantly targeting other issues such as failing to report approximately 56,000 transactions and not submitting any suspicious transaction reports (STRs), also highlighted significant deficiencies in recordkeeping for electronic communications.
The firm allowed senior executives to conduct business via WhatsApp on both personal and firm-issued devices but lacked formal policies or procedures to manage or retain these messages. These lapses severely hindered the FCA’s ability to detect market abuse, resulting in a £531,600 fine.
Looking ahead, the FCA has initiated probes to survey financial firms regarding their use of encrypted messaging platforms. While their approach so far has emphasised improvement over punishment, these efforts serve as early indicators that enforcement actions could become stricter in the future. Firms should be on the lookout for any signature “Dear CEO” letters related to early findings, as these will provide an opportunity to address deficiencies before more significant enforcement actions are taken.
Europe
In 2023, the European Commission fined International Flavors & Fragrances €15.9 million for obstructing an antitrust investigation by deleting WhatsApp messages exchanged during a regulatory inspection. This was a landmark case as it marked the first time the Commission imposed a fine for deleting social media messages during an investigation.
The Commission emphasised that obstructing regulatory investigations by failing to retain key communications undermines the integrity of the regulatory process, sending a clear message to firms about the regulator’s zero-tolerance stance moving forward.
APAC
Australia
In June 2024, ASIC published an information sheet calling on market intermediaries to strengthen supervision of business communications. ASIC Commissioner Simone Constant said, “Bankers, dealers and market participants have important roles as gatekeepers to Australia’s financial markets and stewards of market integrity. We expect them to maintain strong and effective supervisory arrangements to manage the risk of harm to clients and to market integrity.”
The Information Sheet deals with common challenges and pitfalls for market intermediaries in effectively supervising their representatives’ business communications, including:
- The emergence of new and popular communication channels that are outside the scope of their surveillance systems;
- Weak or no controls to identify where data used in surveillance systems is incomplete or erroneous; and
- Reliance on ‘out of the box’ settings of vendor-provided communication surveillance systems and a failure to routinely calibrate alert parameters.
From an enforcement perspective, while we haven’t observed any cases against firms, ASIC’s recent actions show a focus on eComms surveillance across retail channels. One of their most recent investigations culminated in four individuals being charged with conspiracy to commit market rigging through a private Telegram group called the “ASX Pump and Dump Group.” Participants inflated Australian penny stock prices before selling at artificially high prices, leading to charges of market manipulation.
Asia
In Asia, while significant fines for off-channel communications are yet to occur, regulators in Hong Kong, China, Singapore, and Japan require comprehensive records of all business-related communications. Firms must ensure accessibility, auditability, and retention of communications to avoid enforcement actions.
Practical steps to ensure compliance
Enforcement trends differ globally, making it challenging to predict when and how regulators will penalise firms for recordkeeping shortcomings. However, proactive steps can help firms move forward with confidence:
- Establish clear policies: Communicate a strong compliance message, ensure policies are centrally accessible, educate employees effectively, and obtain attestations.
- Engage leadership: Many recent fines involve senior management breaches. Conduct a comprehensive compliance risk assessment and ensure board engagement to understand the risks of off-channel communications.
- Strengthen systems and controls: Policies alone are insufficient. Effective systems and controls are needed to enforce them. Identify gaps in existing processes and consider third-party tools for monitoring and retaining off-channel communications.
- Risk-rank teams and service lines: Identify the teams most at risk of using off-channel communications - particularly involving customer-facing roles - and monitor them closely.