Reference Case Number:
FOI11473
Freedom of Information: Right to know request:
Please provide information pertaining to a project carried out on the use of encrypted communication applications. A full summary of your requests and our responses can be found at Annex A below.
FCA response:
In September 2022, the FCA contacted a sample of 22 firms to request information about the steps they have taken to monitor the use of encrypted communication applications (apps) for sharing potentially sensitive information connected with work. The firms contacted included wholesale banks, wholesale brokers and asset managers.
The information below is a summary based on responses that were provided by firms. We have aggregated the information gathered from multiple responses and not all the information listed below was reported by all firms. This summary does not reflect any judgement or evaluation from the FCA.
The request sent to firms contained 7 questions and the key information can be found below.
Please be aware that there is some information that was contained within the responses to questions 2, 3, 5, 6 and 7 that we are prohibited from disclosing to you, as it constitutes ‘confidential information’ for the purposes of section 348 of the Financial Services and Markets Act 2000 (FSMA), which the FCA has received in the discharge of its public functions. We are therefore exempt from the duty to disclose this information under section 44 of FOIA. For further details on why this exemption applies, please see Annex B.
Responses:
- Prohibition policies and procedures which are reviewed regularly.
- Employees are required to attest compliance to the policies.
- Reminders sent to new joiners.
- Training is provided regularly including on market abuse.
- Compliance, policy reminders and regular communications are sent to staff.
- Communications and compliance surveillance programs are in place.
- Additional lexicon terms embedded into surveillance platforms.
- Technical controls applied to privately owned devices and business-issued devices.
- Prohibition of unauthorised personal devices.
- Escalation and investigation processes.
Responses:
- The number of incidents reported by firms varied across the sample.
Responses:
- Detail of IA audits and assurance reviews conducted in the last 5 years on different topics such as electronic communication surveillance, audio communications surveillance, chat channels, conduct framework, voice recording controls, off-premises trading.
Responses:
- Compliance team conducts ongoing reviews of recorded messages to identify any flags.
- There is a surveillance monitoring programme in place.
- Firms have different policies and procedures in place that staff must adhere to.
- Regular communications and policy reminders are sent to staff.
- Annual attestations are required from staff.
- E-communications & voice communications are subject to recording obligations.
- Training is provided to staff on the requirement regarding communications channel usage and market abuse.
- There is a ban on personal devices on the trading floor.
Responses:
- Annual compliance training.
- New joiners are required to complete induction training.
- Mandatory training focused on key regulatory and compliance topics.
- Case study training on breaches.
- Scenario based training.
- Participation in industry forums.
- Fail rates are monitored and considered in promotion, compensation and performance management.
Responses:
- Tone from the top.
- Attendance at committee meetings, working groups, and industry forums.
- Reviewing MI.
- Providing challenge and feedback.
- SMF16 regularly reviews policies and training materials.
- Breach reporting to SMRs.
- Open Forums, Town Halls and Divisional Meetings.
Responses:
- Working groups.
- Participation in industry forums.
- Enhancing escalation processes.
- New frameworks introduced.
- Strengthened surveillance.
- Corporate mobile distribution extended.
- Enhanced monitoring of global developments.
Supporting document
FOI11473 Annex A
FOI11473 Annex B