Multi-firm review into off-channel communications

Actions we saw that firms had taken included:

• updating policy terminology for mobile devices in policies to include new technologies like smart watches
• streamlining the process for employees to submit self-disclosed off-channel messages, ensuring multiple authorised communication channels are available and, contingency plans to record and archive communications, when primary systems are down
• prohibiting personal numbers in out-of-office replies and directories
• establishing a dedicated helpline to guide staff on off-channel communications and integrating common queries into training programmes 

Large firms have adopted a single, global recording and monitoring policy across jurisdictions to ensure consistency. In such cases, firms should also ensure their policies meet UK standards and that implementation practices align with them.

Examples of action firms had taken included:  

• updating surveillance lexicons to include terms associated with emerging communication channels and identifying 'channel hopping', where employees switch from recorded to non-recorded channels. These lexicons also included non-text communications, such as emojis and GIFs, and were capable of surveilling voice notes and video messages.  
• firms using sophisticated technology to enhance surveillance by integrating natural language processing alongside existing lexicon-based models and exploring AI to filter out false alerts.
• two firms monitoring and analysing staffs’ on-channel behaviour and detecting unexpectedly low usage of approved applications across peer groups to detect potential usage of off-channel communications.
• most firms in our sample were providing corporate devices to client-facing staff to reinforce the separation of work-related and personal activities, though this is not required under our rules. Some firms used brightly coloured devices for easy identification, particularly in restricted areas like trading floors. Surveillance managers we spoke to favoured corporate devices, citing improved monitoring, recording, and control as well as the expectation it sets among staff. While some firms offered them broadly, others limited them to specific client-facing or transactional-facing staff.  

We observed an increase in third-party providers facilitating the monitoring and recording of different communication channels, along with an increase in approved applications available to staff. However, some firms reported challenges with TPV solutions, including service outages that disrupted recording and monitoring, data reconciliation issues that made it difficult for firms to validate that the right communications had been captured at all times to validate captured communications, and delays or missing recorded data from vendors.

TPVs do not always perform as expected. One transcription service, for example, was largely inaccurate. Poor service can also discourage employees from using recorded channels, reinforcing the need for firms to maintain strong oversight of their vendors and the quality of their services. 

We also remind firms that regulatory responsibilities in relation to SYSC 10A cannot be transferred to third parties. 

MI varied based on firm size and complexity. Our review focused on the types of information firms collected and presented rather than how MI was used in decision-making. Larger firms generally had more sophisticated MI, while smaller firms had simpler frameworks. 

The most comprehensive MI in large firms included:

• Detailed breach tracking, covering corporate titles, business areas, communication channels and severity gradings.
• Remedial project updates, including adverse audits and second line of defence (2LOD) findings for executive oversight.
• Framework effectiveness assessment, with attestation and training completion rates, plus surveillance alert disposition rates.
• Third-party vendor KPIs, used for assurance or identifying service gaps. 
• Corporate device and BYOD monitoring that tracked activation and usage to detect potential non-compliance. 
• Trend analysis, metrics which tracked across months or quarters using well-considered RAG thresholds, with accompanied commentary on negative trends. 
• Meeting minutes we reviewed showed that comprehensive MI contributed to fuller discussions.

Less comprehensive MI in large firms included: 

• A focus solely on breach metrics without broader context or reference data/narrative about the broader framework. Oversight committees could only react to breach trends rather than analyse underlying causes. 

The most comprehensive MI in smaller firms included:

• Breach data was reported at the group level, with the best examples including UK-specific metrics. 
• Service level agreements (SLAs) for reviewing alerts were monitored using RAG thresholds, and trend analysis was conducted for alert and investigation volumes. 
• Issues and enhancement programme updates were tracked with regular progress reports. 

Less comprehensive MI in smaller firms:

• Limited to spot-checking outcomes for in-scope staff.

Note: Breaches data is from the sample’s wholesale banking operations. Staff grade terminology across firms has been standardised as above. One low-level incident involving a group of interns has been recorded as one incident. Graph captures 8 firms as 3 firms reported 0 breaches. Where breaches involved individuals with no defined grade – such as contractors – these have been counted in the total breach figures but excluded from grade-based ratio analysis.

Firms are responsible for deciding how to address breaches of internal policy on unapproved communications, particularly when they don’t violate SYSC 10A. Disciplinary actions that firms reported they may apply ranged from policy reminders and refresher training to caution letters, formal warnings and performance review impacts. 

For more serious breaches, some firms outlined stricter consequences, including capping performance grades, limiting bonuses, imposing time-bound promotion restrictions, and dismissal with formal notes in professional references. However, our review found no evidence of the most severe penalties being administered.

Training played a key role in reinforcing expectations. Some firms emphasised in the training self-reporting and speaking up about off-channel communications. Role-targeted, scenario-based sessions incorporated real examples from surveillance to make training more effective.