"7.2% fewer firms are anticipating action from UK regulators and taking proactive steps to make themselves compliant this year, in comparison to 2023."
Last year was marked by the FCA’s conspicuous absence from the arena of recordkeeping enforcement, which seemingly left the UK’s energy regulators Ofgem and the Prudential Regulation Authority (PRA) to fill the gap. The ongoing struggles within firms to enforce bans on WhatsApp and other platforms, and Bring Your Own Device's (BYOD) growing in popularity in some jurisdictions, mean firms may find themselves on the back foot when – and if – the FCA decides to crack down on recordkeeping.
When it comes to financial regulation, perception can be as powerful as policy. When regulators are seen as “all bark and no bite”, doubts can creep in about whether enforcement action will ever materialise. These doubts can push particular risk areas to the bottom of a firm’s priority list, and make compliance teams’ jobs more difficult as they fight to ensure employees take them seriously.
A troubling trend
Global Relay’s recently published Industry Insights: Compliant Communication 2024 report examines how compliance, surveillance, and risk leaders in financial services are responding to intensified regulatory scrutiny surrounding recordkeeping and compliant communications. The findings of the report show that 7.2% fewer firms are anticipating action from UK regulators and taking proactive steps to make themselves compliant this year, in comparison to 2023. This apparent indifference to proactive communications compliance could cause serious problems should the FCA find its teeth.
Since the publication of last year’s report, the US has seen three waves of enforcement for recordkeeping failures, totalling nearly $450 million, while the UK has only experienced a single £5.4 million fine issued by energy regulator Ofgem. The FCA’s head of secondary market oversight, Jamie Bell, has also previously suggested that the FCA would not take the hard-line approach of its US counterparts, and the FCA’s list of priority areas for 2024 did not include recordkeeping. The direct comparison of the two paints the FCA’s stance as more passive, which will potentially lead to UK based firms taking a more relaxed approach to recordkeeping compliance than their US peers.
Effectiveness in question
The US Securities and Exchange Commission (SEC)’s landmark $125 million fine imposed against J.P. Morgan Securities LLP led to a domino-effect of widespread bans of WhatsApp, WeChat, and other messaging platforms. These policies were assumed to be a stopgap, while more comprehensive solutions were developed and implemented.
We saw this sentiment in the 2023 version of the Industry Insights report, which found that 59% of respondents had opted to ban certain communication channels, but only 56% believed these channel bans to be an effective solution. A year later, with more communications compliance solutions available to the market, a surprising 43.5% of respondents are still relying on bans to WhatsApp for business purposes to plug the compliance risk gap. Interestingly, we still see around half of firms surveyed remaining uncertain as to whether bans are effective, leaving questions around what a truly effective recordkeeping and communications compliance solution might look like.
Across the pond, the perception that the FCA may not throw their weight behind a recordkeeping crackdown is putting compliance teams in a difficult position. Nearly two-thirds (65.2%) of survey respondents noted their biggest concern when ensuring compliance with communications channels is “getting staff to comply,” so the perception that the rules are more advisory than mandatory is potentially fuelling internal resistance. Compliance teams will struggle to enforce any internal policy if their employees deem the risk of ignoring the policy to be low, and we see time and again that employees will use non-approved channels to communicate, even if those channels are banned internally.
Blurring boundaries
Adding to the challenges faced by compliance teams is the growing popularity of BYOD policies. While there are operational benefits of these policies that include considerable cost savings, BYOD blurs the lines between personal and professional communications, making it easier for employees to circumvent channel bans.
BYOD policies are more prevalent than ever, with over half of respondents using a BYOD model for business communications, up from 35.9% of respondents in 2023. Although there are plenty of solutions to make personal devices compliant for business use, more firms are moving high-risk employees onto corporate devices for easier monitoring, suggesting that corporate devices are still perceived as the gold standard for compliant communications. These devices can be integrated into compliance and recordkeeping policies by ensuring necessary communications capture and monitoring technologies are implemented and that employees follow procedures, However, if firms aren’t clear in setting and enforcing expectations around the boundaries between business and personal communications, we may see future fines where poorly implemented BYOD policies have opened up risk.
The perception that there is a regulatory divide between the US and the UK when it comes to recordkeeping and compliant communications could be lulling firms into a false sense of security. Should firms assume this will continue to be the case, and fail to invest in robust recordkeeping infrastructure and implement sound policies, they might find that a future regulatory reality check hits them hard.
