Applying the FCA’s Off-channel Communications Findings to Energy and Commodity Firms

On 7 August 2025, the FCA published a report (click here) on its findings from a multi-firm review of wholesale banks on their approach to off-channel communications. That is communications which take place outside of monitored and recorded channels which a firm has permitted. The review covered eleven wholesale banks (both large and small) and focused on practical actions firms may take rather than on actual rule changes. Interestingly, the FCA notes that, unlike US regulators, it did not seize or scrutinise personal devices to interrogate them for possible off-channel communications as part of its review.

The FCA reiterated that the core recording obligations sit in SYSC 10A (click here) and were communicated in prior communications such as FCA Market Watch 66 (click here) from January 2011. While SYSC 10A applies to regulated firms carrying out MiFID business, energy and commodity firms that do not have a regulated entity but which trade in the UK will also likely benefit from reviewing the FCA’s findings and, where appropriate, benchmark and enhance their current off-channel communication governance and controls.

In the report, the FCA stresses that firms must record and monitor in-scope communications, including those that lead to in-scope activities, and must take reasonable steps to prevent the use of unrecorded channels. At the same time, it signals that it will continue to take an outcomes-based approach and does not intend to codify rules for every new app or encrypted service in the marketplace.

What were key report findings identified by the FCA?

[1] Off-Channel Communication Governance is making progress but still requires work. All firms in the sample could evidence improvements in managing off-channel communications over the past two years. Yet most still reported breaches of their own internal policies, and these occurred across all staff grades.

Notably, 41% of breaches involved individuals at Director level or above and also included breaches by third party contractors and even interns. The FCA noted that a breach of internal policy is not automatically a breach of FCA rules, and that breach volumes are a somewhat ambiguous signal. High numbers may reflect a functioning detection framework, while low numbers may point to under-detection.

[2] Monitoring Off-Channel Communication is strengthening. Banks are updating monitoring policy terminology to keep pace with devices like smartwatches, streamlining self-disclosure processes, and tightening simple but high-impact practices such as prohibiting personal numbers in out-of-office replies and in company active directories.

Many firms have moved to single global off-channel communication policies to drive consistency, although the FCA reminds firms that UK standards must still be met and that local implementation has to align with those standards. Several banks now provide corporate devices to client-facing staff to reinforce separation of business and personal use, sometimes using distinctive colours for quick identification in sensitive areas like trading floors.

[3] Communication Surveillance tooling is evolving. Firms are expanding lexicons to include emerging channel vernacular, emojis, GIFs, and are surveilling voice notes and even video messages.

Some are integrating natural language processing (NLP) alongside lexicon models to reduce false alerts and to spot “channel hopping” behaviour from recorded to unrecorded platforms. A few banks are monitoring on-channel usage patterns to identify anomalously low activity that may indicate off-channel migration.

Most communication surveillance vendors now offer NLP to enhance lexicon-based surveillance capabilities. Firms like Shield, Behavox, SteelEye, Smarsh, and Global Relay all claim to provide some type of NLP or Artificial Intelligence capability.

For those energy and commodity firms exploring onboarding a communication surveillance vendor, the initial phase of deploying such a tool typically starts by using a baseline lexicon key word and phrases library to identify potential market abuse. While all vendors are promoting and actively pushing firms to adopt AI and NLP, banks are still just dipping their toes into these capabilities. Many energy and commodity firms will be familiar with lexicon surveillance for spot checking communications however with the introduction of AI and NLP, the theory is that more ‘true positives’ are identified while reducing the number of ‘false positives’. In addition, new behaviours and conduct risks that may not be identifiable using lexicons would also be flagged via NLP thus highlighting new risks not found using traditional lexicons.

The jury is still out as to how impactful AI is in communication surveillance. Like any new technology, AI and NLP requires up-front investment in time and training by surveillance analysts to help tune the models to specific firm risks. All vendors provide ‘out of the box’ surveillance policies across e-communication and voice however the ‘secret sauce’ is in the tuning and training / re-training of the surveillance policies once live which requires firms to review and augment their trade surveillance teams and operating models.

The following is a short list of considerations when exploring the onboarding of a communication surveillance vendor with respect to their NLP and AI capabilities:

• Model Detection approach. Are the vendors surveillance policies lexicon rules first, AI first, or a hybrid? Can you see why an alert fired, and can you tune it without a data scientist?
• False positives. What concrete features cut out noise? Contextual NLP, conversation threading, sentiment, entity linking, de-duplication, social media understanding, and behavioral baselines (e.g. low on-channel usage by peer group, unusual time-of-day patterns) are all good indicators to measure in a proof of concept (PoC).
• New behavior risks. Can the system spot channel hopping (i.e. where employees switch from recorded to non-recorded channels), code words, emojis/GIFs, voice notes, and short video? Can it learn from your cases and add scenarios quickly?
• Voice. What is the accuracy of your voice transcription across unique languages and intra-language with specific dialects and/or accents? How does your voice transcription provide and assign speaker diarization e.g. identifying who is speaking? How does your system reduce background noise? Can you transcribe multiple languages including the ability to identify language switching intra-conversation?
• Policy lifecycle. What are your out-of-the-box surveillance policy scenarios? For each policy, do you have vendor release notes that are descriptive in explaining how surveillance is done? How do you perform A/B tests and back tests to ensure policy accuracy and no model drifting? What vendor documentation evidence on AI/NLP policy transparency do you have which can be handed over to both internal parties, for example internal audit or risk and external parties such as regulators or exchanges?
• Operational reality. How do you validate capture completeness by channel? What capabilities do you offer to reconcile data feed from source to system ingestion? How do you manage data recovery and what are your data resilience service level agreements (SLAs) when data is found missing or incomplete? What management information (MI) reports do you provide to monitor and manage data resilience? How are you able to export data to other data models?

Third-party vendors are both enabling and stressing the framework. Banks report the benefits of third-party vendor solutions for capturing a wider set of channels, but also highlight outages, data reconciliation challenges, and inaccurate transcription.

The FCA is direct on accountability noting that firms cannot transfer their regulatory responsibilities under SYSC 10A to service providers. Firms must maintain vendor oversight and ensure data quality controls are in place when data is incomplete or missing.

MI is a key differentiator. The strongest MI suites include:

• Granular breach trend analysis, covering corporate titles, business areas, communication channels and severity gradings;
• Device activation and usage monitoring;
• Vendor KPIs;
• Training and attestation rates; and
• Second-line findings, all presented with clear RAG thresholds and commentary.

Where MI is narrow and breach-only, the FCA observed that oversight committees are stuck reacting to symptoms rather than diagnosing causes. In smaller firms, it noted that the best examples still achieve group-level visibility with UK-specific breakouts and SLA-based alert handling.

Consequence management is visible, but calibration varies. Firms use a spectrum of measures from reminders and refresher training through to formal warnings and impacts on bonuses or promotions where off-channel communications are identified. The review however did not see the most severe penalties applied.

Targeted training that uses real examples, and that promotes self-reporting and speaking up, is becoming increasingly common.

The FCA concludes its report with a set of questions for firms that reinforce expected board-level ownership, senior management accountability, vendor oversight, and alignment of surveillance models to the business as follows:

• Do employees fully understand their responsibility to record all relevant communications?
• Does leadership set a strong 'tone from the top' and encourage a 'speak up' culture for compliance with SYSC 10A?
• Are there any unreasonable barriers preventing staff from following the policy framework effectively?
• Does the firm effectively monitor third-party vendors to ensure expected performance and reliability?
• Is the firm's surveillance model well-aligned with its business model?
• Where a global framework is in place, do UK senior managers have sufficient oversight of its implementation and results?
• Do accountable executives receive the right MI to oversee compliance, and assess surveillance effectiveness?
• Where patterns of non-compliance emerge, do accountable Senior Management Functions (SMFs) take prompt corrective action?

We summarise a list of key findings and dive further into detail alongside compliance considerations below.

On 7 August 2025, the FCA published a report (click here) on its findings from a multi-firm review of wholesale banks on their approach to off-channel communications. That is communications which take place outside of monitored and recorded channels which a firm has permitted. The review covered eleven wholesale banks (both large and small) and focused on practical actions firms may take rather than on actual rule changes. Interestingly, the FCA notes that, unlike US regulators, it did not seize or scrutinise personal devices to interrogate them for possible off-channel communications as part of its review.

The FCA reiterated that the core recording obligations sit in SYSC 10A (click here) and were communicated in prior communications such as FCA Market Watch 66 (click here) from January 2011. While SYSC 10A applies to regulated firms carrying out MiFID business, energy and commodity firms that do not have a regulated entity but which trade in the UK will also likely benefit from reviewing the FCA’s findings and, where appropriate, benchmark and enhance their current off-channel communication governance and controls.

In the report, the FCA stresses that firms must record and monitor in-scope communications, including those that lead to in-scope activities, and must take reasonable steps to prevent the use of unrecorded channels. At the same time, it signals that it will continue to take an outcomes-based approach and does not intend to codify rules for every new app or encrypted service in the marketplace.

What were key report findings identified by the FCA?

[1] Off-Channel Communication Governance is making progress but still requires work. All firms in the sample could evidence improvements in managing off-channel communications over the past two years. Yet most still reported breaches of their own internal policies, and these occurred across all staff grades.

Notably, 41% of breaches involved individuals at Director level or above and also included breaches by third party contractors and even interns. The FCA noted that a breach of internal policy is not automatically a breach of FCA rules, and that breach volumes are a somewhat ambiguous signal. High numbers may reflect a functioning detection framework, while low numbers may point to under-detection.

[2] Monitoring Off-Channel Communication is strengthening. Banks are updating monitoring policy terminology to keep pace with devices like smartwatches, streamlining self-disclosure processes, and tightening simple but high-impact practices such as prohibiting personal numbers in out-of-office replies and in company active directories.

Many firms have moved to single global off-channel communication policies to drive consistency, although the FCA reminds firms that UK standards must still be met and that local implementation has to align with those standards. Several banks now provide corporate devices to client-facing staff to reinforce separation of business and personal use, sometimes using distinctive colours for quick identification in sensitive areas like trading floors.

[3] Communication Surveillance tooling is evolving. Firms are expanding lexicons to include emerging channel vernacular, emojis, GIFs, and are surveilling voice notes and even video messages.

Some are integrating natural language processing (NLP) alongside lexicon models to reduce false alerts and to spot “channel hopping” behaviour from recorded to unrecorded platforms. A few banks are monitoring on-channel usage patterns to identify anomalously low activity that may indicate off-channel migration.

Most communication surveillance vendors now offer NLP to enhance lexicon-based surveillance capabilities. Firms like Shield, Behavox, SteelEye, Smarsh, and Global Relay all claim to provide some type of NLP or Artificial Intelligence capability.

For those energy and commodity firms exploring onboarding a communication surveillance vendor, the initial phase of deploying such a tool typically starts by using a baseline lexicon key word and phrases library to identify potential market abuse. While all vendors are promoting and actively pushing firms to adopt AI and NLP, banks are still just dipping their toes into these capabilities. Many energy and commodity firms will be familiar with lexicon surveillance for spot checking communications however with the introduction of AI and NLP, the theory is that more ‘true positives’ are identified while reducing the number of ‘false positives’. In addition, new behaviours and conduct risks that may not be identifiable using lexicons would also be flagged via NLP thus highlighting new risks not found using traditional lexicons.

The jury is still out as to how impactful AI is in communication surveillance. Like any new technology, AI and NLP requires up-front investment in time and training by surveillance analysts to help tune the models to specific firm risks. All vendors provide ‘out of the box’ surveillance policies across e-communication and voice however the ‘secret sauce’ is in the tuning and training / re-training of the surveillance policies once live which requires firms to review and augment their trade surveillance teams and operating models.

The following is a short list of considerations when exploring the onboarding of a communication surveillance vendor with respect to their NLP and AI capabilities:

• Model Detection approach. Are the vendors surveillance policies lexicon rules first, AI first, or a hybrid? Can you see why an alert fired, and can you tune it without a data scientist?
• False positives. What concrete features cut out noise? Contextual NLP, conversation threading, sentiment, entity linking, de-duplication, social media understanding, and behavioral baselines (e.g. low on-channel usage by peer group, unusual time-of-day patterns) are all good indicators to measure in a proof of concept (PoC).
• New behavior risks. Can the system spot channel hopping (i.e. where employees switch from recorded to non-recorded channels), code words, emojis/GIFs, voice notes, and short video? Can it learn from your cases and add scenarios quickly?
• Voice. What is the accuracy of your voice transcription across unique languages and intra-language with specific dialects and/or accents? How does your voice transcription provide and assign speaker diarization e.g. identifying who is speaking? How does your system reduce background noise? Can you transcribe multiple languages including the ability to identify language switching intra-conversation?
• Policy lifecycle. What are your out-of-the-box surveillance policy scenarios? For each policy, do you have vendor release notes that are descriptive in explaining how surveillance is done? How do you perform A/B tests and back tests to ensure policy accuracy and no model drifting? What vendor documentation evidence on AI/NLP policy transparency do you have which can be handed over to both internal parties, for example internal audit or risk and external parties such as regulators or exchanges?
• Operational reality. How do you validate capture completeness by channel? What capabilities do you offer to reconcile data feed from source to system ingestion? How do you manage data recovery and what are your data resilience service level agreements (SLAs) when data is found missing or incomplete? What management information (MI) reports do you provide to monitor and manage data resilience? How are you able to export data to other data models?

Third-party vendors are both enabling and stressing the framework. Banks report the benefits of third-party vendor solutions for capturing a wider set of channels, but also highlight outages, data reconciliation challenges, and inaccurate transcription.

The FCA is direct on accountability noting that firms cannot transfer their regulatory responsibilities under SYSC 10A to service providers. Firms must maintain vendor oversight and ensure data quality controls are in place when data is incomplete or missing.

MI is a key differentiator. The strongest MI suites include:

• Granular breach trend analysis, covering corporate titles, business areas, communication channels and severity gradings;
• Device activation and usage monitoring;
• Vendor KPIs;
• Training and attestation rates; and
• Second-line findings, all presented with clear RAG thresholds and commentary.

Where MI is narrow and breach-only, the FCA observed that oversight committees are stuck reacting to symptoms rather than diagnosing causes. In smaller firms, it noted that the best examples still achieve group-level visibility with UK-specific breakouts and SLA-based alert handling.

Consequence management is visible, but calibration varies. Firms use a spectrum of measures from reminders and refresher training through to formal warnings and impacts on bonuses or promotions where off-channel communications are identified. The review however did not see the most severe penalties applied.

Targeted training that uses real examples, and that promotes self-reporting and speaking up, is becoming increasingly common.

The FCA concludes its report with a set of questions for firms that reinforce expected board-level ownership, senior management accountability, vendor oversight, and alignment of surveillance models to the business as follows:

• Do employees fully understand their responsibility to record all relevant communications?
• Does leadership set a strong 'tone from the top' and encourage a 'speak up' culture for compliance with SYSC 10A?
• Are there any unreasonable barriers preventing staff from following the policy framework effectively?
• Does the firm effectively monitor third-party vendors to ensure expected performance and reliability?
• Is the firm's surveillance model well-aligned with its business model?
• Where a global framework is in place, do UK senior managers have sufficient oversight of its implementation and results?
• Do accountable executives receive the right MI to oversee compliance, and assess surveillance effectiveness?
• Where patterns of non-compliance emerge, do accountable Senior Management Functions (SMFs) take prompt corrective action?

We summarise a list of key findings and dive further into detail alongside compliance considerations below.