FCA publishes review of off-channel communications

41% of identified policy breaches occur at director grade or above

The Financial Conduct Authority ("FCA") has published its findings on firms' approaches to off-channel communications, being those taking place outside of monitored and/or recorded channels (and in many cases, via personal devices).

In September 2022, the US Securities and Exchange Commission ("SEC") fined fifteen broker-dealers a total of $1.1 billion for record-keeping failures arising from widespread and longstanding practices of sending messages on personal devices for business-related purposes.

In the UK, OFGEM has fined Morgan Stanley for similar failings, relating to traders' use of WhatsApp on personal phones, and the PRA criticised Wyelands Bank's failure to have in place formal record-keeping policies and procedures to manage and retain WhatsApp messages exchanged between senior executives and directors.

The FCA's findings will be of primary interest to wholesale banks and firms in scope of the FCA's record-keeping rules in SYSC 10A.

However, given the potential for misconduct to occur in, or be evidenced by, off-platform communications, not least in view of the FCA's increased focus (and impending new Rules and Guidance) on non-financial misconduct, the findings should be noteworthy for all FCA-regulated firms.

Scope of the review

The FCA surveyed eleven wholesale banks, large and small, requesting information on policy enhancements, MI and breach data. The intention behind the exercise was to "shar[e] actions firms have taken … to allow firms to learn from others and reflect on their own approach."

The review took place in August 2024.

Key findings

  • All firms in the sample had improved processes in the last two years.
  • Policies have been updated to reflect technological evolutions, and contingency plans for communication recording when systems are down have improved.
  • Surveillance has been upgraded, with systems capable of detecting emojis and GIFs as well as unexpectedly low usage of firm-approved communications channels and devices.
  • Some firms are providing brightly coloured business devices, for ease of identification, particularly in restricted areas such as trading floors.
  • Third-party vendors are being used to monitor communications, although standards varied. One transcription service that was being utilised for this purpose was found to be largely inaccurate.
  • MI varied across the firms sampled, with the "most comprehensive" including not just breach data but information on the causes of breaches, e.g. about the broader framework, project updates, trend analyses, and metrics and meeting minutes (for relevant oversight committees).
  • Policy breach data received by the FCA showed breaches occurring across all staff grades, with 41% of breaches "involving individuals at director grade or above".

Next steps

At the end of the review, the FCA invites firms to consider the following:

  • Do employees fully understand their responsibility to record all relevant communications?
  • Does leadership set a strong 'tone from the top' and encourage a 'speak up' culture for compliance with SYSC 10A?
  • Are there any unreasonable barriers preventing staff from following the policy framework effectively?
  • Does the firm effectively monitor third-party vendors to ensure expected performance and reliability?
  • Is the firm's surveillance model well-aligned with its business model?
  • Where a global framework is in place, do UK senior managers have sufficient oversight of its implementation and results?
  • Do accountable executives receive the right MI to oversee compliance and assess surveillance effectiveness?
  • Where patterns of non-compliance emerge, do accountable Senior Management Functions take prompt corrective action?

Comment

Internal and external written communications and messages have historically represented, and remain, a source of risk for regulated financial services businesses. Whether a firm is within the scope of SYSC 10A or not, control over and visibility of communications are critical aspects of risk management.

The FCA's review and published findings should be welcomed by firms and present an opportunity to reflect on the controls around communications and the use of personal devices, with reference to what the published findings reveal about the steps other firms are taking.

The findings on breaches may assist some firms in re-calibrating thinking about where risks lie within the business. While "director grade" is not defined, the clear impression that a significant proportion of policy breaches are occurring at a senior level is eye-catching.

Author

Alan Ward, Partner
