The way people communicate at work has changed beyond recognition in the past decade. The channels employees use day-to-day – WhatsApp, Microsoft Teams, generative AI tools – bear little resemblance to the systems compliance frameworks were originally built around. For banks, the gap between how people actually communicate and what surveillance infrastructure was designed to capture is becoming wider, especially with new communications channels emerging at pace and changing how we work and interact.
Generation generative
The numbers tell a clear story. Global Relay’s Data Insights: Communications Capture Trends 2025/26 Report, which draws on data from more than 12,000 financial institutions, found that Microsoft Teams is now the third most captured communications channel across financial services.
Go deeper with GlobalData
Access deeper industry intelligence
Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.
Email remains dominant at 89% of firms – no surprise – but the more revealing shifts are happening around it. WhatsApp capture rose 36% year-on-year, driven largely by continued regulatory pressure in the US, including a run of FINRA enforcements against individuals over off-channel communications. Apple Messages capture surged 114%, perhaps explained by firms looking to find a “WhatsApp alternative”. And capture of ChatGPT – a channel that barely registered on compliance radars two years ago – increased by nearly 3,000%.
The ChatGPT figure is particularly telling. Generative AI tools are now embedded deeply enough in day-to-day financial and business workflows that firms are scrambling to archive and supervise their outputs. Firms are beginning to grapple with bringing GenAI and AI productivity tools into the scope of their capture, monitoring, and recordkeeping efforts, as legislation like) SEC rule 17-a 4 necessitate that firms keep records of anything that may be considered as “business communications”.
Enforcement hasn’t solved the problem
None of this is happening in a regulatory vacuum. Enforcement actions for off-channel communications have been a consistent feature of the landscape for years. The SEC, FINRA, and the CFTC have all made it clear, repeatedly, that using personal devices or unauthorised messaging apps for business communications is not a grey area. And yet the problem seems to persist.
An FCA survey into communications compliance policy breaches at major banks uncovered 178 WhatsApp violations in a single year – and found that senior staff were responsible for over 40% of them. These are not junior employees operating below the radar. These are people who know the rules, and should be setting an example. That suggests something more structural than problems with training or internal messaging.
Fire drills are a symptom, not a solution
In response, some banks have begun deploying what might generously be described as compliance “fire drills” – sending dummy messages to staff phones to test whether employees respond through unauthorised channels like WhatsApp or Telegram. It is a classic ‘phishing’ technique borrowed from well-worn IT and cybersecurity playbooks.
The instinct is understandable. Stress testing is a legitimate tool, and proactively identifying weaknesses in policy adherence is preferable to discovering them during a regulatory investigation. But the approach also reveals something uncomfortable about where banks currently stand. If the best available method for checking whether staff are complying with communications policies is to trick them into revealing that they are not, it suggests the underlying foundation of compliance might be lacking.
The deeper problem: recordkeeping and surveillance don’t talk to each other
There is a structural issue underneath this that rarely gets discussed openly. In most financial institutions, recordkeeping and surveillance operate as entirely separate functions – different teams, different reporting lines, and often different technology stacks. Recordkeeping holds what might be called the ‘gold copy’ of an organisation’s communications data: structured, clean, preserved across every channel and venue.
Surveillance teams need data to be high-quality and complete in order to function effectively. They “don’t know what they don’t know,” as in, if they receive a data set that is incomplete, they will not be working with a full, accurate picture of events and behaviours – and they may not realise. Complete data is the only way we can expect surveillance teams to be able to spot every risk, and in the current climate ‘close enough’ is simply not good enough.
The consequences of this misalignment become most visible when something goes wrong. When an investigation lands, the two teams are thrown together to share data and make sense of it using different systems, legacy tools, and mismatched processes – and regulators have shown little patience for gaps in coverage that stem from internal disorganisation. Dysfunction is rarely a matter of bad intent; it is simply that there is no natural incentive for these functions to stay aligned in normal times.
As the channel landscape grows more complex – more platforms, more data types, more regulatory scope – that misalignment becomes harder to sustain. Nobody in a bank applies more scrutiny to records than the surveillance team. Nobody in a bank holds cleaner, more comprehensive communications data than the recordkeeping team. Bridging the gap and bringing those two realities together, whether through organisational structure or technology, is arguably the most consequential step firms could take.
Compliance needs to be built in, not bolted on
The same logic applies to technology. For years, firms have relied on a patchwork of separate third-party archiving vendors and surveillance specialists – solutions that were designed independently and integrate imperfectly. Consolidated technology that manages both the quality of data capture and the intelligence applied to it mitigates third-party risk, reduces administrative burden, and allows a firm’s compliance stack to evolve as a whole rather than in disconnected parts.
Ultimately, the firms best placed to navigate what comes next are those that treat recordkeeping and surveillance not as separate obligations to be managed in parallel, but as two sides of the same function. As the number and variety of communications channels grows – including AI-adjacent ones – so too will regulatory requirements. Meeting them requires clean data, comprehensive capture, and surveillance built on top of both.
The goal was never to catch people out. It was always to ensure nothing was missed.
Rob Mason, Director of Regulatory Intelligence, Global Relay
